The Vision

The ambition of the Xr0 project is to make it possible to work in C, i.e. vanilla C with no changes to the executed code, while being certain of the safety of one’s code.

We think there are two basic safety issues in C, though undefined behaviour is an extremely multifaceted issue:

  1. Undefined behaviour.

  2. Memory leaks.

When Xr0 is complete, it will reject all undefined behaviour, as well as render memory leaks impossible.

The Roadmap

The latest version of Xr0 is already able to eliminate use-after-frees, double frees, null pointer dereferences, the use of uninitialised memory and memory leaks from a limited subset of C89. Below is a non-committal[1] listing of the milestones we intend to hit, to the best of our current knowledge:

  1. Buffer overflow and underflow protection. Expected in the next 1–3 months.

  2. Formalise error handling.

  3. Loop verification that’s good enough for most programs.

  4. Support for calloc and realloc.

  5. Recursion verification that’s good enough for most programs.

  6. Support for most of C89 syntax. The possibly-envisioned exclusion here is goto.

  7. Complete annotations for the Standard library (libx).

  8. Release Xr0 1.0.0.

If you’re interested in understanding why we think these problems are solvable, the best way to grasp our approach is to dive into the tutorial.


  1. Having worked on Xr0 for the past few months, we can see that the timelines we put in our initial roadmap were far too committal.