A lot of existing code is already safe. You can't prove all (or even most) existing code safe automatically. This is also true for Rust if you do not narrowly define safe as memory safe. You could transform a lot of C code to be memory safe by adding annotations and do some light refactoring and maybe pushing some residual pieces to "unsafe" blocks. This would be very similar to Rust.

> A lot of existing code is already safe.

Again, I am not trying to argue either way. The point I was making was about how you can't define away all UB in the C standard without needing to modify the language in a breaking way.

> You can't prove all (or even most) existing code safe automatically.

No but rust provides a proper type system which goes a long way to being able to prove and enforce a lot more about program behavior at compile time.

> You could transform a lot of C code to be memory safe by adding annotations and do some light refactoring and maybe pushing some residual pieces to "unsafe" blocks. This would be very similar to Rust.

It would only be somewhat similar to super basic entry level rust which ignores all the opportunities for type checking.

> > A lot of existing code is already safe.

> Again, I am not trying to argue either way. The point I was making was about how you can't define away all UB in the C standard without needing to modify the language in a breaking way.

This depends on how you define "breaking". I think one can add annotations and transform a lot of C code to memory safe C with slight refactoring without introducing changes into the language that would break any existing code. You can not simply switch on a flag make existing code safe ... except you can do this too ... it just then comes with a high run-time cost for checking.

> > > No but rust provides a proper type system which goes a long way to being able to prove and enforce a lot more about program behavior at compile time.

> > You could transform a lot of C code to be memory safe by adding annotations and do some light refactoring and maybe pushing some residual pieces to "unsafe" blocks. This would be very similar to Rust.

> It would only be somewhat similar to super basic entry level rust which ignores all the opportunities for type checking.

I do not believe you can solve a lot more issues with strong typing than you can already solve in C simply by building good abstractions.

> You can not simply switch on a flag make existing code safe ... except you can do this too ... it just then comes with a high run-time cost for checking.

I don't think you can reasonably implement this even at a high runtime cost without breaking programs. Either way, you've managed to re-state the crux of my argument.

> I do not believe you can solve a lot more issues with strong typing than you can already solve in C simply by building good abstractions.

Then I don't think you have much familiarity with strong typing or are underestimating the performance impact of equivalently "safe" (in a broader sense than what rust uses the term for) abstractions in C.

The only way to get equivalent performance while maintaining the same level of guarantees in C is to generate C code, at which point you're definitely better off using another programming language.