<snip>
P.S. To be clear, as I am still being a bit quick: I do not also mean
"public destructors" should take a const pointer in input, i.e. apply as
appropriate...

And here is what my construction/destruction code is looking like at the
moment, which should also make clear what I meant by "a private method
implementing a public interface" and why:

```c
static AvlTree_t const *AvlTree_node(
void const *pk, AvlTree_t const *pL, AvlTree_t const *pR
) {
AvlTree_t *pT;

pT = malloc(sizeof(AvlTree_t));

if (!pT) {
return NULL;
}

pT->pk = pk;
pT->pL = pL;
pT->pR = pR;

return pT;
}

static int AvlTree_free_(AvlTree_t const *pT) {
assert(pT);

free((AvlTree_t *)pT);

return 0;
}

AvlTree_t const *AvlTree_create(void const *pk) {
return AvlTree_node(pk, NULL, NULL);
}

void AvlTree_destroy(AvlTree_t *pT) {
AvlTree_visitPost(AvlTree_free_, pT);
}
```

-Julio

...
The standard makes no distinction between heap and stack memory. Those
are merely implementation details, outside the scope of the standard. C
can be implemented on hardware that provides no support for either a
heap or a stack.
Objects can have any one of four different storage durations: static,
thread, automatic, and allocated. On implementations with a stack,
objects with static or automatic storage can be implemented using the
stack. On implementations with a heap, objects with allocated storage
duration can be implemented using the heap. I'm not sufficiently
familiar with multi-threaded programming to comment on how objects with
thread storage duration may be implemented.

The key issue that's connected to your questions is the fact that the
relevant rule is about objects that are defined as being 'const'.
Objects with automatic storage duration are never defined, so they
cannot be defined to be 'const'. You can only obtain a void* value that
points at such objects by calling one of the memory allocation functions
(aligned_alloc, malloc, calloc, or realloc). You can convert that value
into a pointer to non-const object type and then use that pointer to
write an object of that type into that memory. Unless the object type is
a character type, doing so will give that memory that type. You can also
convert that value into a pointer to a const-qualified type, but that
doesn't make the object it points at const.

Julio Di Egidio <***@diegidio.name> writes:

[...]
A better choice is to put the AVL code in a separate .c file,
and give out only opaque types to clients. For example (disclaimer:
not compiled):

// in "avl.h"
typedef struct avl_node_s *AVLTree;
// note that the struct contents are not defined in the .h file

... declare interfaces that accept and return AVLTree values ...



// in "avl.c"
#include "avl.h"
struct avl_node_s {
// whatever members are needed
};

... implementation of public interfaces and any supporting
... functions needed


I might mention that some people don't like declaring a type name
that includes the pointerness ('*') as part of the type. I think
doing that is okay (and in fact more than just okay; better) in the
specific case where the type name is being offered as an opaque
type.

Of course you could also make the opaque type be a pointer to a
'const' struct type, if you wanted to, but the extra "protection" of
const-ness doesn't add much, and might actually cost more than it
buys you because of the additional casting that would be needed.

Off topic, but for some reason you are making me think of the mutable
keyword in C++:

https://en.cppreference.com/w/cpp/language/cv

;^)

That's what an object is in all cases.
See Tim's reply -- the best way to implement "sealed" instances is to
use an opaque type where the "user code" simply can't see anything but a
pointer to an otherwise unknown struct.

A slight variation to what Tim was suggesting would be to take the
pointer out of the typedef because that can allow you to define an
interface with pointers to const and to non-const AVLtree objects:

typedef struct AVLtree AVLtree;

AVLtree *avl_create(void);
void avl_add(AVLtree *tree, ...);
void *avl_lookup(const AVLtree *tree, ...);

and so on. Of course, if you use a more function style as Tim was
suggesting there is no value in having this distinction.

[I must say it's great to have a discussion about C programming for a
change instead of endless threads about how awful C is and how this or
that feature should be added to make it more like Rust/C++/Whatever.]

Yes, good point. There is also the case of

volatile const int x;

which the compiler can't assume won't change even though the program
can't change it directly.

OK. Small-systems embedded programming is quite a bit different from
"big" systems programming.
No problem. I'm glad you think it looks like it is worth reading!

Which parts of the C99 standard support this assertion?

Phillip <***@fulltermprivacy.com> writes:
[...]
There were no changes in the sizes of the integer types from C89/C90 to
C99, aside from the addition of long long. (And an implementation with
8-bit int would be non-conforming under any edition of the standard,
though it might be useful.)

Perhaps some C89/C90 implementations are better for 8-bit systems than
some C90 implementations?

There are very few new versions of 8-bit CISC microcontrollers being
developed - the rate has been dropping steadily since the Cortex M
family rose to dominance. The decay is probably approximately
exponential, in terms of development of new devices, production and sale
of existing devices, and development of new products using these
devices. They are not /all/ gone - but you need /very/ good reason for
considering them for anything new, whether it is software or hardware.

The only 8-bit core that can be viewed as "alive and well", is the AVR.
It is a RISC design and a good deal more C and general software friendly
than these other devices. The most common toolchain for the AVR is gcc,
and you can use normal standard C with it. You do have to consider some
of its idiosyncrasies if you want efficient results, but you /can/ write
normal C code for it.
The 6502 is one of the better 8-bit cpu cores - you can get reasonable
code with mostly standard C (C99 if you like) using a compiler like
SDCC. You don't /need/ as many extra target-specific keywords and
extensions to deal with multiple memory banks, independent address
spaces for ram and constant data, long and short pointers, non-recursive
functions, and so on, as you need for useable results on an 8051 or PIC.
But you probably still use some of these to get efficient results,
such as choosing which variables go in the fast zero page area.

Also note that there is a huge difference between being able to write
significant parts of the code for a microcontroller using only standard
C, and being able to use a significant fraction of the standard C
language and library (at least the "freestanding" part) in your code.
For example, I've used a compiler for the PIC16 that supported structs
and arrays, but not arrays of structs or structs containing arrays. If
the code does not use these features, you can write it in standard C -
but plenty of perfectly ordinary standard C code would not work with
that compiler.

There is also a huge difference between being /able/ to write the code
in only standard C, and pure standard C being an appropriate way to
write the code for the microcontroller. Using the target-specific
features of these kinds of devices and their tools makes a massive
difference to code efficiency. Basically, if you are trying to stick to
pure standard C for an 8051 or 68HC05, you are doing it wrong.
I believe that goes under the category of "niche" :-) For some types of
application, you stick to what you have tested - no one wants to have
the first pacemaker with a new microcontroller!

Of course in this field there are always exceptions - no generalisation
is going to be correct in absolutely all cases. But I'd guess my
statement was accurate in 99.9% or more cases.
Have you a reference for that claim? I am very confident that it is not
the case. The 6502 was primarily developed as a microprocessor core,
not a microcontroller core - it was found in early microcomputers and
games consoles. It was also used in early embedded systems, but once
microcontrollers became common, they dominated quickly in numbers.
(Microprocessors were used for high-end embedded systems, like embedded
PC's with x86 cpus and network equipment with m68k processors.) I don't
know that the 6502 was ever common in the automotive industry - but I
can't believe it was ever used by "most" car manufacturers.
My point is that almost no general-purpose software written now will
ever be used on 8-bit devices, especially not 8-bit CISC cores. For
most software written on these cores, standard C is not a practical
option anyway. And the cores are used in very conservative situations,
such as when there is a lot of legacy code or when many years or decades
of field testing is important - new external software will not be used
by such developers. So it makes no sense to me to restrict the code to
an old standard because of the /tiny/ chance that there is someone who
might want to use it on such devices.

I also disagree completely that C90 is somehow a better fit for 8-bit
devices than C99. It is not. C has /always/ expected at least 16-bit -
it's not something new in C99. Apart from VLA's, there is nothing in
C99 that would result in code generation that is a poorer fit for these
devices than C90. There are some sort-of-C compilers for 8-bit
microcontrollers that have 8-bit ints or do not follow the C rules for
integer promotions - these are, of course, no more standard C90
compilers than they are standard C99 compilers.

A long time ago (several decades) I was working with a system that had
no malloc. Iirc, it was a version of Quadros.

Yes - I mentioned that in one of my posts. It is quite common for
compilers for embedded systems to be missing a few standard library
features (such as support for locales or wide characters), to have
limited features (such as printf / scanf implementations without
floating point, to reduce the code size), and to have somewhat odd
system-specific implementations of things like file and stream IO functions.

However, all embedded toolchains I have ever used implement a
substantial part of the standard library - pretty much everything that
can reasonably be implemented and used on the embedded targets.

P.S. Of course, I do not expect my code to be super-optimized either, I
only strive for the best I can get by "generic programming", again the
idea being that at least micro-optimization (very local, very low-level)
remains possible by ad-hoc program transformations: or e.g. I'd code
against a "generic" math library that is a thin wrapper by default
around a standard library, but can then be "relinked/redirected" to
anything at compile time... Of course, assuming the code is written to
be conducive of such "parametricity", I do not expect it to come for free.

Does it make sense? Does it work?

-Julio

The C99 features that I consider to make code easier to write, clearer,
safer, more portable, more efficient, and generally better are:

long long int (via <stdint.h> types)
compound literals
designated initialisers
// comments
<stdint.h> types
mixing declaration and code
declaring index variables inside a "for" statement
variadic macros
inline functions
boolean type and <stdbool.h>

(The ordering here is from the changelog in the C standards.)

There are also a few cleanups, like removal of implicit int and implicit
function declaration, but those can be enforced in C90 mode too by
static analysis tools.

Effective type is irrelevant. This particular undefined behavior
occurs only when an object _defined_ with a const-qualified type
is changed. There are no objects defined in a block of memory
allocated by malloc().

On Thu, 09 Jan 2025 23:40:52 -0800
I believe that the Standard really says that, but find the part about
value of ptr variable ridiculous. It breaks natural hierarchy by which
standard library is somewhat special, but it is not above rules of core
language. free() is defined as function rather than macro. By rules of
core language, a function call can not modify the value of local
variable at caller's scope, unless pointers to the variable was passed
to it explicitly.

I must be missing something here. Humm... I thought is was okay to do
something like this:
_____________________________
#include <stdio.h>
#include <stdlib.h>

int main() {
int* a = malloc(sizeof(*a));

if (a)
{
*a = 42;

printf("a = %p\n", (void*)a);
printf("*a = %d\n", *a);

free(a);

printf("a = %p was just freed! do not deref\n", (void*)a);
}

return 0;
}
_____________________________

Is that okay?

[...]

Any object with static storage duration has a lifetime that extends over
the entire execution of the program, so the program can never see such
an object outside its lifetime regardless of how it's stored.

If an object happens to be stored in a ROM image that the program
accesses directly, then sure, those bits can survive across multiple
executions. But the C "lifetime" extends only across a single
execution.

Nothing in particular *has* to happen when an object reaches the end of
its lifetime.
A call to malloc or free can modify the bits that make up an object, but
they do so only before or after the object's C lifetime.

From such a radically "physical" point of view, nothing is and nothing
will ever be `const`... Sorry, this is not even close to what
"constness" in C is about.

In C and C++ (as well in virtually all higher level languages)
"constness" is not a physical concept. It is a purely high-level
logic-level concept, designed, implemented and enforced entirely by the
author of the code (of the public interface of the module) in accordance
with their intent.

It has absolutely no relation to any physical modifications that might
occur anywhere in the execution environment. Nobody cares whether
something somewhere gets "modified". It is always a question of whether
_I_ want to recognize such modifications as part of the public interface
designed by me. I'm the one who says whether the operation is "constant"
or not, based purely on my idea of "logical constness".

That's the reason `const` exists in C (and C++).

However (returning to the more narrowly focused matter at hand), two
things - creation and deletion of objects - will always indisputably
stand apart as operations that transcend/defeat/ignore the idea of
"constness" with relation to the object itself. Creation/deletion might
logically be seen as "non-constant" wrt to the surrounding environment
(e.g. memory manager), but wrt to the object itself they shall not (and,
obviously, cannot) care about its "constness" at all.

An object begins being `const` only after the process of its creation
(construction) is complete. An object stops being `const` the moment the
process of its destruction begins. That's how it works in C and C++.
(Again, using C++ as an example, you all know that `const` objects are
not seen as `const` inside their constructors and destructors.) In C we
don't have constructors and destructors, but we still naturally follow
the same ideas in hand-written code. It would've been nice to have
`free` to play along with this.

David Brown <***@hesbynett.no> writes:
[...]
I'm not sure that would work. A void** argument means you need to pass
a pointer to a void* object. If you've assigned the converted result of
malloc() to, say, an int* object, you don't have a void* object. (int*
and void* might not even have the same representation).

Some kind of generic function that takes a pointer to an object of any
object pointer type could work, but the language doesn't support that.
(C++ addressed this by making `new` and `delete` built-in operators
rather than library functions.)