{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,12]],"date-time":"2026-06-12T10:08:37Z","timestamp":1781258917861,"version":"3.54.1"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"OOPSLA1","license":[{"start":{"date-parts":[[2022,4,29]],"date-time":"2022-04-29T00:00:00Z","timestamp":1651190400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2022,4,29]]},"abstract":"Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today's most dangerous and prevalent security vulnerabilities. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed spatially safe C - checked pointers are backwards-binary compatible with legacy pointers, and the language allows them to be added piecemeal, rather than necessarily all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C. The process centers on 3C, a static analysis-based annotation tool. 3C employs two novel static analysis algorithms - typ3c and boun3c - to annotate legacy pointers as checked pointers, and to infer array bounds annotations for pointers that need them. 3C performs a root cause analysis to direct a human developer to code that should be refactored; once done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds 3C works well when combined with human-driven refactoring.<\/jats:p>","DOI":"10.1145\/3527322","type":"journal-article","created":{"date-parts":[[2022,4,29]],"date-time":"2022-04-29T15:42:03Z","timestamp":1651246923000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["C to checked C by 3c"],"prefix":"10.1145","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5124-6818","authenticated-orcid":false,"given":"Aravind","family":"Machiry","sequence":"first","affiliation":[{"name":"Purdue University, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1273-5990","authenticated-orcid":false,"given":"John","family":"Kastner","sequence":"additional","affiliation":[{"name":"Amazon, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4814-5148","authenticated-orcid":false,"given":"Matt","family":"McCutchen","sequence":"additional","affiliation":[{"name":"Amazon, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9105-4922","authenticated-orcid":false,"given":"Aaron","family":"Eline","sequence":"additional","affiliation":[{"name":"Amazon, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4880-4150","authenticated-orcid":false,"given":"Kyle","family":"Headley","sequence":"additional","affiliation":[{"name":"Amazon, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2759-9223","authenticated-orcid":false,"given":"Michael","family":"Hicks","sequence":"additional","affiliation":[{"name":"Amazon, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2022,4,29]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2021. C to rust translation refactoring and cross-checking. https:\/\/c2rust.com\/ 2021. C to rust translation refactoring and cross-checking. https:\/\/c2rust.com\/"},{"key":"e_1_2_1_2_1","volume-title":"The sample mid-range and interquartiles. Statistics & probability letters, 27, 2","author":"Bingham NH","year":"1996","unstructured":"NH Bingham . 1996. The sample mid-range and interquartiles. Statistics & probability letters, 27, 2 ( 1996 ), 131\u2013136. NH Bingham. 1996. The sample mid-range and interquartiles. Statistics & probability letters, 27, 2 (1996), 131\u2013136."},{"key":"e_1_2_1_3_1","unstructured":"BlueHat. 2019. Memory corruption is still the most prevalent security vulnerability. https:\/\/www.zdnet.com\/article\/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues\/ Accessed: 2020-02-11. BlueHat. 2019. Memory corruption is still the most prevalent security vulnerability. https:\/\/www.zdnet.com\/article\/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues\/ Accessed: 2020-02-11."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380180902"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-71316-6_35"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/512950.512973"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev45635.2020.00018"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892212"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485498"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1186632.1186635"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/512529.512531"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2651360"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236766"},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 2002 USENIX Annual Technical Conference (ATC). 275\u2013288","author":"Jim Trevor","year":"2002","unstructured":"Trevor Jim , J Gregory Morrisett , Dan Grossman , Michael W Hicks , James Cheney , and Yanling Wang . 2002 . Cyclone: A Safe Dialect of C . In Proceedings of the 2002 USENIX Annual Technical Conference (ATC). 275\u2013288 . Trevor Jim, J Gregory Morrisett, Dan Grossman, Michael W Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A Safe Dialect of C. In Proceedings of the 2002 USENIX Annual Technical Conference (ATC). 275\u2013288."},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the USENIX Summer Conference. 5\u201316","author":"Kendall Samuel C","year":"1983","unstructured":"Samuel C Kendall . 1983 . Bcc: Runtime checking for C programs . In Proceedings of the USENIX Summer Conference. 5\u201316 . Samuel C Kendall. 1983. Bcc: Runtime checking for C programs. In Proceedings of the USENIX Summer Conference. 5\u201316."},{"key":"e_1_2_1_16_1","unstructured":"Per Larson. 2018. Migrating Legacy Code to Rust. RustConf 2018 talk. Per Larson. 2018. Migrating Legacy Code to Rust. RustConf 2018 talk."},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the Computer Security Foundations Symposium (CSF).","author":"Li Liyi","year":"2022","unstructured":"Liyi Li , Yiyun Liu , Deena L. Postol , Leonidas Lampropoulos , David Van Horn , and Michael Hicks . 2022 . A Formal Model of Checked C . In Proceedings of the Computer Security Foundations Symposium (CSF). Liyi Li, Yiyun Liu, Deena L. Postol, Leonidas Lampropoulos, David Van Horn, and Michael Hicks. 2022. A Formal Model of Checked C. In Proceedings of the Computer Security Foundations Symposium (CSF)."},{"key":"e_1_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Aravind Machiry John Kastner Matt McCutchen Aaron Eline Kyle Headley and Michael Hicks. 2022. C to Checked C by 3C (Extended Version). arXiv preprint arXiv:2203.13445. Aravind Machiry John Kastner Matt McCutchen Aaron Eline Kyle Headley and Michael Hicks. 2022. C to Checked C by 3C (Extended Version). arXiv preprint arXiv:2203.13445.","DOI":"10.1145\/3527322"},{"key":"e_1_2_1_19_1","unstructured":"Microsoft. 2019. Benchmarks for evaluating Checked C. https:\/\/github.com\/microsoft\/checkedc\/wiki\/Benchmarks-for-evaluating-Checked-C Accessed: 2020-10-27. Microsoft. 2019. Benchmarks for evaluating Checked C. https:\/\/github.com\/microsoft\/checkedc\/wiki\/Benchmarks-for-evaluating-Checked-C Accessed: 2020-10-27."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3371097"},{"key":"e_1_2_1_21_1","unstructured":"MITRE. 2021. 2021 CWE Top 25 Most Dangerous Software Weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2021\/2021_cwe_top25.html MITRE. 2021. 2021 CWE Top 25 Most Dangerous Software Weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2021\/2021_cwe_top25.html"},{"key":"e_1_2_1_22_1","unstructured":"Mozilla. 2021. Rust Programming Language. https:\/\/www.rust-lang.org\/ Mozilla. 2021. Rust Programming Language. https:\/\/www.rust-lang.org\/"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542504"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806651.1806657"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065887.1065892"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485488"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/11823230_7"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1889997.1890000"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2103656.2103714"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22038-9_23"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-6423(99)00011-8"},{"key":"e_1_2_1_32_1","unstructured":"Clang repo. 2022. The Checked C project code. https:\/\/github.com\/secure-sw-dev\/checkedc-clang Clang repo. 2022. The Checked C project code. https:\/\/github.com\/secure-sw-dev\/checkedc-clang"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2019.8661178"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2013.6494996"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-17138-4_4"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 2012 USENIX Annual Technical Conference (ATC). 309\u2013318","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany , Derek Bruening , Alexander Potapenko , and Dmitriy Vyukov . 2012 . AddressSanitizer: A fast address sanity checker . In Proceedings of the 2012 USENIX Annual Technical Conference (ATC). 309\u2013318 . Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the 2012 USENIX Annual Technical Conference (ATC). 309\u2013318."},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of the 2001 USENIX Security Symposium (SEC). Washington, D.C.. 201\u2013218","author":"Shankar Umesh","year":"2001","unstructured":"Umesh Shankar , Kunal Talwar , Jeffrey S. Foster , and David Wagner . 2001 . Detecting Format String Vulnerabilities with Type Qualifiers . In Proceedings of the 2001 USENIX Security Symposium (SEC). Washington, D.C.. 201\u2013218 . Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. 2001. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 2001 USENIX Security Symposium (SEC). Washington, D.C.. 201\u2013218."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73589-2_2"},{"key":"e_1_2_1_39_1","volume-title":"Proceedings of the 2008 Symposium on Dynamic Languages (DLS).","author":"Jeremy","unstructured":"Jeremy G. Siek and Manish Vachharajani. 2008. Gradual Typing with Unification-Based Inference . In Proceedings of the 2008 Symposium on Dynamic Languages (DLS). Jeremy G. Siek and Manish Vachharajani. 2008. Gradual Typing with Unification-Based Inference. In Proceedings of the 2008 Symposium on Dynamic Languages (DLS)."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"e_1_2_1_41_1","unstructured":"Checked C Specification. 2016. The Checked C. https:\/\/github.com\/secure-sw-dev\/checkedc Accessed: 2022-01-26. Checked C Specification. 2016. The Checked C. https:\/\/github.com\/secure-sw-dev\/checkedc Accessed: 2022-01-26."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380220403"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.13"},{"key":"e_1_2_1_44_1","volume-title":"IEEE Cybersecurity Development Conference 2018 (SecDev).","author":"Tarditi David","year":"2018","unstructured":"David Tarditi , Archibald Samuel Elliott , Andrew Ruef , and Michael Hicks . 2018 . Checked C: Making C Safe by Extension . In IEEE Cybersecurity Development Conference 2018 (SecDev). David Tarditi, Archibald Samuel Elliott, Andrew Ruef, and Michael Hicks. 2018. Checked C: Making C Safe by Extension. In IEEE Cybersecurity Development Conference 2018 (SecDev)."},{"key":"e_1_2_1_45_1","volume-title":"Migratory Typing: Ten Years Later. In 2nd Summit on Advances in Programming Languages (SNAPL","author":"Tobin-Hochstadt Sam","year":"2017","unstructured":"Sam Tobin-Hochstadt , Matthias Felleisen , Robert Findler , Matthew Flatt , Ben Greenman , Andrew M. Kent , Vincent St-Amour , T. Stephen Strickland , and Asumu Takikawa . 2017 . Migratory Typing: Ten Years Later. In 2nd Summit on Advances in Programming Languages (SNAPL 2017). 71, 17:1\u201317:17. Sam Tobin-Hochstadt, Matthias Felleisen, Robert Findler, Matthew Flatt, Ben Greenman, Andrew M. Kent, Vincent St-Amour, T. Stephen Strickland, and Asumu Takikawa. 2017. Migratory Typing: Ten Years Later. In 2nd Summit on Advances in Programming Languages (SNAPL 2017). 71, 17:1\u201317:17."},{"key":"e_1_2_1_46_1","unstructured":"CVE Trends. 2021. CVE trends. https:\/\/www.cvedetails.com\/vulnerabilities-by-types.php Accessed: 2020-10-11. CVE Trends. 2021. CVE trends. https:\/\/www.cvedetails.com\/vulnerabilities-by-types.php Accessed: 2020-10-11."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.44"},{"key":"e_1_2_1_48_1","unstructured":"Anna Zeng and Will Crichton. 2019. Identifying Barriers to Adoption for Rust through Online Discourse. arXiv preprint arXiv:1901.01001. Anna Zeng and Will Crichton. 2019. Identifying Barriers to Adoption for Rust through Online Discourse. arXiv preprint arXiv:1901.01001."},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the 2006 symposium on Operating systems design and implementation (OSDI). 45\u201360","author":"Zhou Feng","year":"2006","unstructured":"Feng Zhou , Jeremy Condit , Zachary Anderson , Ilya Bagrak , Rob Ennals , Matthew Harren , George Necula , and Eric Brewer . 2006 . SafeDrive: Safe and recoverable extensions using language-based techniques . In Proceedings of the 2006 symposium on Operating systems design and implementation (OSDI). 45\u201360 . Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew Harren, George Necula, and Eric Brewer. 2006. SafeDrive: Safe and recoverable extensions using language-based techniques. In Proceedings of the 2006 symposium on Operating systems design and implementation (OSDI). 45\u201360."},{"key":"e_1_2_1_50_1","unstructured":"Jie Zhou. 2021. The Benefits and Costs of Using Fat Pointers for Temporal Memory Safety. Poster presentation at PLDI 2021 student research competition (silver medalist). Jie Zhou. 2021. The Benefits and Costs of Using Fat Pointers for Temporal Memory Safety. Poster presentation at PLDI 2021 student research competition (silver medalist)."}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3527322","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3527322","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:18:53Z","timestamp":1750191533000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3527322"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,29]]},"references-count":50,"journal-issue":{"issue":"OOPSLA1","published-print":{"date-parts":[[2022,4,29]]}},"alternative-id":["10.1145\/3527322"],"URL":"https:\/\/doi.org\/10.1145\/3527322","relation":{},"ISSN":["2475-1421"],"issn-type":[{"value":"2475-1421","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,29]]},"assertion":[{"value":"2022-04-29","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}