This article includes a list ofgeneral references, butit lacks sufficient correspondinginline citations. Please help toimprove this article byintroducing more precise citations.(August 2015) (Learn how and when to remove this message)

TheCycloneprogramming language was intended to be a safe dialect of theC language.^[3] It avoidsbuffer overflows and other vulnerabilities that are possible in C programs by design, without losing the power and convenience of C as a tool forsystem programming. It is no longer supported by its original developers, with the reference tooling not supporting64-bit platforms. TheRust language is mentioned by the original developers for having integrated many of the same ideas Cyclone had.^[4]

Cyclone development was started as a joint project of Trevor Jim fromAT&T Labs Research andGreg Morrisett's group atCornell University in 2001. Version 1.0 was released on May 8, 2006.^[5]

Cyclone attempts to avoid some of the common pitfalls ofC, while still maintaining its look and performance. To this end, Cyclone places the following limits on programs:

• NULL checks are inserted to preventsegmentation faults
• Pointer arithmetic is limited
• Pointers must be initialized before use (this is enforced bydefinite assignment analysis)
• Dangling pointers are prevented through region analysis and limits onfree()
• Only "safe" casts and unions are allowed
• goto into scopes is disallowed
• switch labels in different scopes are disallowed
• Pointer-returning functions must executereturn
• setjmp andlongjmp are not supported

To maintain the tool set that C programmers are used to, Cyclone provides the following extensions:

• Never-NULL pointers do not requireNULL checks
• "Fat" pointers support pointer arithmetic with run-timebounds checking
• Growable regions support a form of safe manual memory management
• Garbage collection for heap-allocated values
• Smart pointers, such as unique pointers
• Region-based memory management
• Tagged unions support type-varying arguments
• Injections help automate the use of tagged unions for programmers
• Polymorphism replaces some uses ofvoid*
• Variadic arguments are implemented as fat pointers
• Exceptions replace some uses ofsetjmp andlongjmp
• Namespaces
• Type inference
• Pattern matching
• Templates, parameterized types

For a better high-level introduction to Cyclone, the reasoning behind Cyclone and the source of these lists, seethis paper.

Cyclone looks, in general, much like C, but it should be viewed as a C-like language.

Cyclone implements three kinds ofpointer:

• * (the normal type)
• @ (the never-NULL pointer), and
• ? (the only type withpointer arithmetic allowed,"fat" pointers).

The purpose of introducing these new pointer types is to avoid common problems when using pointers. Take for instance a function, calledfoo that takes a pointer to an int:

intfoo(int*p);

Although the person who wrote the functionfoo could have insertedNULL checks, let us assume that for performance reasons they did not. Callingfoo(NULL); will result inundefined behavior (typically, although not necessarily, aSIGSEGVsignal being sent to the application). To avoid such problems, Cyclone introduces the@ pointer type, which can never beNULL. Thus, the "safe" version offoo would be:

intfoo(int@p);

This tells the Cyclone compiler that the argument tofoo should never beNULL, avoiding the aforementioned undefined behavior. The simple change of* to@ saves the programmer from having to writeNULL checks and the operating system from having to trapNULL pointer dereferences. This extra limit, however, can be a rather large stumbling block for most C programmers, who are used to being able to manipulate their pointers directly with arithmetic. Although this is desirable, it can lead tobuffer overflows and other "off-by-one"-style mistakes. To avoid this, the? pointer type is delimited by a known bound, the size of the array. Although this adds overhead due to the extra information stored about the pointer, it improves safety and security. Take for instance a simple (and naïve)strlen function, written in C:

intstrlen(constchar*s){inti=0;if(!s){return0;}while(s[i]!='\0'){i++;}returni;}

This function assumes that the string being passed in is terminated by'\0'. However, what would happen ifcharbuf[6]={'h','e','l','l','o','!'}; were passed to this string? This is perfectly legal in C, yet would causestrlen to iterate through memory not necessarily associated with the strings. There are functions, such asstrnlen which can be used to avoid such problems, but these functions are not standard with every implementation ofANSI C. The Cyclone version ofstrlen is not so different from the C version:

intstrlen(constchar?s){intn=s.size;if(!s){return0;}for(inti=0;i<n;i++,s++){if(*s=='\0'){returni;}}returnn;}

Here,strlen bounds itself by the length of the array passed to it, thus not going over the actual length. Each of the kinds of pointer type can be safely cast to each of the others, and arrays and strings are automatically cast to? by the compiler. (Casting from? to* invokes abounds check, and casting from? to@ invokes both aNULL check and a bounds check. Casting from* to? results in no checks whatsoever; the resulting? pointer has a size of 1.)

Consider the following code, in C:

char*itoa(inti){charbuf[20];sprintf(buf,"%d",i);returnbuf;}

The functionitoa allocates an array of charsbuf on the stack and returns a pointer to the start ofbuf. However, the memory used on the stack forbuf is deallocated when the function returns, so the returned value cannot be used safely outside of the function. WhileGNU Compiler Collection and other compilers will warn about such code, the following will typically compile without warnings:

char*itoa(inti){charbuf[20];sprintf(buf,"%d",i);char*z=buf;returnz;}

GNU Compiler Collection can produce warnings for such code as a side-effect of option-O2 or-O3, but there are no guarantees that all such errors will be detected.Cyclone does regional analysis of each segment of code, preventing dangling pointers, such as the one returned from this version ofitoa. All of the local variables in a given scope are considered to be part of the same region, separate from the heap or any other local region. Thus, when analyzingitoa, the Cyclone compiler would see thatz is a pointer into the local stack, and would report an error.

Afat pointer is used for allowing pointer arithmetic. Fat pointers must be declared with@fat. For example,argv is often declared as typechar** (a pointer to a pointer to a character), or alternatively thought of aschar*[] (pointer to an array of characters). In Cyclone, this is instead expressed aschar*@fat*@fat (a fat pointer to a fat pointer to characters).

Cyclone instead allows? to represent*@fat. Thus, the two declarations are equivalent:

intmain(intargc,char??argv);// equivalent to the more verbose declarationintmain(intargc,char*@fat*@fatargv);

Similar totemplates in C++, Cyclone has a form ofgeneric programming.

typedefstructLinkedList<`a>{`ahead;structLinkedList<`a>*next;}LinkedList<`a>;// ...LinkedList<int>*ll=newLinkedList{1,newLinkedList{2,null}};

An "abstract" type can be used, that encapsulates the implementation type but ensures the definition does not leak to the client.

abstractstructQueue<`a>{LinkedList<`a>front;LinkedList<`a>rear;};externstructQueue<`a>;

Namespaces exist in Cyclone, similar to C++. Namespaces are used to avoid name clashes in code, and follow the:: notation as in C++. Namespaces can be nested.

namespacefoo{intx;intf(){returnx;}}namespacebar{usingfoo{intg(){returnf();}}inth(){returnfoo::f();}}

Pattern-matching can be accomplished in Cyclone like so:

intg(inta,intb){switch($(a,b-1)){case$(0,y)&&y>1:return1;case$(3,y)&&f(x+y)==7:return2;case$(4,72):return3;default:return4;}}

Alet declaration is used to match a pattern and expression.

typedefstructPair{intx;inty;}Pair;voidf(Pairp){letPair(first,second)=p;// equivalent to:// int first = p.x;// int second = p.y;// ...}

In Cyclone, rather than usingauto likeC andC++ orvar inJava andC#, Cyclone instead uses_ (an underscore) to denote a type-inferred variable.

_x=(SomeType*)malloc(sizeof(SomeType));// instead of:SomeTypex=(SomeType*)malloc(sizeof(SomeType));_myNumber=100;// inferred to int

Cyclone featuresexceptions. An uncaught exception will halt the program. Like Java, Cyclone features anull pointer exception, calledNull_Exception.

typedefFILEFile;File*f=fopen("/etc/passwd","r");try{intcode=getc((File*@notnull)f);}catch{case&Null_Exception:printf("Error: can't open /etc/passwd\n");return1;case&Invalid_argument(s):printf("Error: invalid argument: %s\n",s);return1;}

One can also manually throw exceptions:

thrownewNull_Exception("This is a null exception");

• C
• ML
• Rust

• Cyclone homepage
• Old web site
• Cyclone - source code repositories
• Cyclone - FAQ
• Cyclone for C programmers
• Cyclone user manual
• Cyclone: a Type-safe Dialect of C by Dan Grossman, Michael Hicks, Trevor Jim, and Greg Morrisett - published January 2005

Presentations:

• Cyclone: A Type-Safe Dialect of C
• Cyclone: A Memory-Safe C-Level Programming Language

• C programming language family
• Programming languages created in 2002

• Articles with short description
• Short description is different from Wikidata
• Use dmy dates from August 2024
• Articles lacking in-text citations from August 2015
• All articles lacking in-text citations