alt.hn

5/21/2026 at 4:54:48 PM

Improving C# Memory Safety

 https://devblogs.microsoft.com/dotnet/improving-csharp-memory-safety/

by soheilpro

5/23/2026 at 4:52:59 PM

C# is one of the best languages we evaluated for LLM problem solving. In fact, many strongly typed, lower level languages perform well in our testing (this isn't to say that the solutions are more maintainable, but the LLMs come up with better ideas when writing C# or Rust than Python). Google models especially, for whatever reason, outperform in C#, not Golang.

Data at https://gertlabs.com/rankings?provider=google

by gertlabs

5/23/2026 at 10:20:33 PM

This is why C# is superior to C++ for game development (not the graphics low level, but the game play higher level).

Being able to use Events, ECS, Reflection, Dynamic code is a god send. I have written game engines in C# and I still find myself defaulting to it anytime I think about Vulkan. I even published my own bindings for it. The best thing about .Net unfortunately is also one of its worst.

The deployment and packaging situation. It’s better than it’s been but it’s still a freaking mess. A mix of undocumented cli commands and wacky xml so that I can get an amalgamated build… or if I wanted to target another OS… or something of that nature. Even adding a project reference to a project, you have to go the long way round and use the cli commands. It’s better than having to install Visual Studio Ultimate but I wish they would put some love into their VSCode extension to give .Net some more powah.

Other than that, if you need Cish speed but need to support a GUI or something, C# is a good choice. If you’re happy with HTML UI, use that and forget C#. The UI cross platform situation is basically MIA.

by reactordev

5/24/2026 at 7:59:26 AM

I respectfully disagree — a lot of conveniences that C# provides produce GC trash which will cause frame spikes. I remember having had to add a non-allocation string.contains alternative at one project. Lambdas and linq also have this problem, or if a string is passed through native-c# boundary. Language itself is really nice though :)

by scott01

5/24/2026 at 2:38:12 PM

C# is too much of a you hold it wrong language, you can easily avoid the problem you describe, but it is such a pain, i do like the fact that the language constantly improves in all directions so it definitely does not remove its positive sides when you do a thing in the right way

by lucas_t_a

5/24/2026 at 11:48:40 AM

I think you need to revisit your biases

by reactordev

5/24/2026 at 7:54:12 AM

Google is mainly a user of Java, Kotlin, Python and C++.

Go might be have been created by three Google employees, two of which UNIX idols, but the language isn't that widely deployment outside anything to do with Kubernetes.

See how much Go related content shows at Google IO. If I am not mistaken, it got a single talk this year.

by pjmlp

5/24/2026 at 1:00:05 PM

Go is actually widely adopted in web backends and desktop apps. You might just miss some scenarios. And from my naive perspective, Go is a strong type alternative than TypeScript though it has a unique idiom syntax, but for most web devs this could be a reason to adopt Go, e.g. Wails instead of Electron in desktop.

by EFLKumo

5/24/2026 at 1:01:33 PM

Outside Google, yes I guess.

Well I for one, think that using node, Python, Ruby on the backend is an anti pattern anyway.

And I certainly don't want to use a language that makes me feel like coding in Java 5, that was 20 years ago.

by pjmlp

5/24/2026 at 11:55:24 AM

It's widely used in Cloud. Within Cloud you there is a policy to use it for all new products.

by benol

5/24/2026 at 1:01:02 PM

It certainly isn't reflected on Google IO cloud product talks, though, unless it is something directly related to Kubernetes.

by pjmlp

5/23/2026 at 12:12:13 PM

What you can do in C# today is convert any unsafe pointer to Span whenever you get your hands on it, and pass around slices. You can still drop down to ‘fixed’ when it turns out you need it for performance.

by superjan

5/23/2026 at 7:50:42 PM

I could say that the perf difference between spans and unsafe pointers in most cases is just zero, if not in favor of spans at times due to the optimized helper methods or just better code generation. Add the safety benefits to the mix, and it's a no brainer. So, unsafe pointers may not have an edge for performance anymore. They might have other uses cases of course: interop, etc.

by sedatk

5/23/2026 at 7:46:06 PM

With fixed you do pinning on GC memory, which can have a negative performance effect. You can also do unchecked pointer arithmetics on references with the Unsafe class, which avoids that. A lot of the methods of Span use that internally.

by legulere

5/21/2026 at 8:38:34 PM

Most likely a side effect related to Windows team finally giving some C# love, instead of COM and C++, given the comparisons between C# 16 with Rust and Swift in a few article sections.

by pjmlp

5/23/2026 at 12:32:23 PM

The Windows team is talking to DevDiv again? Satan's putting on his ice skates right now.

by moomin

5/23/2026 at 1:34:40 PM

One can only hope.

C++/WinRT is in maintenance, and you will notice the WinUI 3.0 does most of their demos, and gallery with C#.

by pjmlp

5/24/2026 at 1:04:25 PM

In terms of XAML UI, C++/WinRT struggles. When it was released, C++ just lacked good reflection methods, and many practices that were easily achieved in C#, such as MVVM, data bindings, were difficult to migrate. I think this prevented C++ from re-entering modern Windows development practices.

by EFLKumo

5/23/2026 at 4:26:44 PM

It would be nice if any display API actually covered the entire API with the exception of the actual OS API…

by moomin

5/23/2026 at 4:57:24 PM

Are they finally marking all those functions that use IntPtrs as unsafe? (such as Marshal.Copy)

by Dwedit

5/23/2026 at 8:26:27 PM

This change suggests that passing pointers is "generally safe", the unsafe boundaries are when they are de-referenced. It sounds like the Marshal methods are probably going to get a lot of surprising new safety warnings, but not all of them just because of the use of IntPtr. This change does open more opportunities to switch IntPtr to more explicit type-safe options like void* or byte* as the new compiler no longer needs unsafe {} blocks around just passing around pointers from one function to another.

by WorldMaker

5/23/2026 at 5:31:03 PM

Not really, because IntPtr is just a native-sized integer.

Marshal.Copy will certainly be marked unsafe, as will anything else that touches unmanaged memory.

by orphea

5/23/2026 at 3:52:22 PM

They are aligning more closely with the Rust 2024 model for unsafety, which requires inner annotations at the point of unsafety in addition to notation of the function (unless it is the safe-unsafe boundary) plus it imposes a requirement for a SAFETY doc notation for describing the specific invariants the caller must enforce to uphold the safety guarantees. Not terribly onerous in my opinion. I maintain a few native library wrappers on nuget, so I will have to do some updates around IntPtr usage, but this doesn’t seem like it will be terribly painful in my case. Thankfully I don’t do much marshalling. Plus you get a nifty badge on nuget for making your library safe.

The blurb toward the end about Rent/return makes me a bit nervous though. They say they’re not going full borrow checker, but rent at least sounds an awful lot like borrow to me. Details were basically non-existent though.

I guess I wonder what the end game is here though. The more they make C# like Rust with a GC, the less incentive people have to use C# except maybe to support legacy work. I am still far more comfortable in C# than Rust, and I believe C# is superior for e.g. web, but over time this advantage could be lessened quite a bit as the Rust ecosystem continues to grow.

by caspper69

5/23/2026 at 5:41:59 PM

> The blurb toward the end about Rent/return makes me a bit nervous though. They say they’re not going full borrow checker, but rent at least sounds an awful lot like borrow to me. Details were basically non-existent though.

Since they state outright that they're not going for a borrow checker, I would assume they're going for "second class references": the borrow checker is both powerful and complicated because references are first-class types: you can pass a reference as parameter, you can return a reference, and you can store a reference.

You can get a lot of the benefits (though also lose a fair amount of expressive power) if you drop the last two and only allow borrows downwards, and that is way easier to track.

Graydon Hoare's original conception of rust used second-class references (https://graydon2.dreamwidth.org/307291.html#:~:text=First-cl...). The Val language uses second-class references. Hylo (formerly Val) uses second-class references under the name of mutable value semantics (https://www.jot.fm/issues/issue_2022_02/article2.pdf).

Although the rent/return case doesn't even seem like a references concern, instead it's affine types which is orthogonal: after you `Return` an array to the pool, you want the array to become inaccessible to the caller (you could make the value linear, but as the text explains missing a `Return` is a safe leak it doesn't look like that's in scope). Rust mutable references are affine but you don't need references to do this...

by masklinn

5/23/2026 at 11:35:08 PM

C# already has second-class references; this is essentially what the ref keyword does. It's actually a bit more expressive than what Hoare suggests he'd have done (you can return ref structs and you can store them in other ref structs), but it doesn't have full-blown Rust-style lifetime annotations.

by ameliaquining

5/23/2026 at 2:24:37 PM

> The unsafe keyword is being redesigned

OK, I see a lot of C# code often and over a long time.

I see the "unsafe" keyword used approximately never.

I'm sure that this is useful for some cases. But not everyday things for most of us. If we did use it, it would be carefully isolated in a library for a specific purpose.

by SideburnsOfDoom

5/23/2026 at 2:51:14 PM

This moves C# to a more modern systematic understanding of what this keyword is for, but it'll remain very rare in C# the same way it's rare in Rust, and presumably in Swift.

The choice of keyword "unsafe" is partly psychological. Turns out if you called this exact same feature "trusted" or whatever the programmers don't have the appropriate feelings about it. They want to write trusted code, they don't want to write unsafe code, so making them write the keyword "unsafe" provides that psychological disincentive.

by tialaramex

5/23/2026 at 3:49:54 PM

Initialize liveHandgrenade;

by pixl97

5/23/2026 at 3:30:05 PM

There are standard library APIs that let you do memory-unsafe things without the unsafe keyword (CollectionsMarshal, MemoryMarshal). They're useful, but the burden is on the caller to uphold the invariants. This proposal seems aimed at making that kind of contract more explicit and obvious.

by zmj

5/23/2026 at 2:37:27 PM

Many of us use it in scenarios where others would write a blog post about a rewrite in Rust, C++ or whatever.

CLR was designed to support languages like C++, yet many don't learn the knobs.

by pjmlp

5/23/2026 at 4:48:13 PM

Any lesser known knobs one should know? I'm considering a .NET backend for my compiler

by Weebs

5/23/2026 at 5:00:28 PM

If on Windows, one is to see what C++/CLI would generate, with ildisam or similar tool.

You can also emit MSIL for what you actually want to do, with low-level bytecodes.

Then there is unsafe, ref structs, stack allocation, fixed buffers, scoped types, manual memory management, array pools, memory pipelines, the various span variants.

by pjmlp

5/24/2026 at 12:24:33 AM

> I see the "unsafe" keyword used approximately never.

The core libraries of .NET are written in C# and it's like a completely different language:

https://github.com/dotnet/runtime/blob/main/src/libraries/Sy...

One might not make use of it application code but these features a major part of the platform itself.

by wvenable

5/24/2026 at 1:12:18 PM

Good language has a unique flavor, and better language allows for diverse tastes and usages

by EFLKumo

5/23/2026 at 3:18:57 PM

Around here C# is only really used at stagnant middle sized companies with horrible code bases. The sort where the company follow Uncle Bob religiously, while completely misunderstanding everything Uncle Bob ever said. Doesn't mean the language (and it's runtime) can't be good.

by Quothling

5/23/2026 at 7:53:01 PM

The examples in Clean Code show that Uncle Bob himself misunderstood heuristics as strict rules that are to be taken to the extreme. There's nothing to not misunderstand.

by legulere

5/23/2026 at 4:20:47 PM

Yes, many people instinctively stay away from anything microsoft (except github, typescript and npm). But the stack is solid. I’m always reminded of Stack Overflow and how they built on asp.net and like 7 servers and it scaled very well for years.

Everyone has what they like and what they’re familiar with, and for better or worse, especially for startups it’s rarely .net. But I couldn’t imagine e.g. using js instead on the back end, but that’s just me.

by caspper69

5/23/2026 at 4:56:05 PM

A VM with good FFI and structs is pretty unique and all of the tooling around .NET is excellent

F# is a sleeping giant of capability in the FP/ML space, being able to use a lot of the existing tooling

People rightfully point out how it's sort of second class in comparison to C# at times, but its still A tier tooling that few languages have

by Weebs

5/23/2026 at 3:59:03 PM

In a game development context, especially where C++ interop is involved and a lot of code lives across a boundary where memory is owned by C++ but you want to avoid/minimize marshaling overhead or just generally maximize performance, the unsafe keyword is quite handy, but outside of those you can indeed probably get around by approximately never using it.

There's a lot of power C# gives you if carefully curated, making a lot of cases where people previously might have seen C++ as the only option as suddenly quite viable.

... See also the somewhat arcane Unsafe.As etc APIs

by Profan

5/23/2026 at 8:42:55 PM

Yes, the article itself even points out that the C# default has always been to make the unsafe keyword a compile error by default and must be opted in at the project level to even use it. So most C# application code doesn't use unsafe.

The benefits here are mostly to specific types of libraries, often either deeply performance-focused libraries or complex native interop libraries (things that wrap C/C++/Rust/etc code as a .NET Library).

The article mostly also points out that like Span<T> many of the biggest benefits to application writers here are going to be making the runtime itself quietly better (faster and safer). The new compile errors will make Base Class Library code and runtime code more auditable for potential memory safety issues by bubbling up safety concerns higher into the code stack and making the boundaries between the unsafe and "safe" code much easier to find. It will provide additional incentive to narrow the number of things that need to be marked `unsafe` and provide extra incentive to the runtime to minimize `unsafe` dependencies. This includes adding additional weight furthering the push for rewrites from "performance" C++ code (under the hood of the runtime) to memory safe C# code with modern safety/performance tools like Span<T>, while also reducing some of the similar pressure to rewrite that C++ code as Rust for memory safety reasons rather than directly to C# (with less overhead of transitioning to/from "managed code" and "native code") by providing similar `unsafe` safety marker tools to what Rust has had since 2024.

(ETA: There may still be some possible breaking changes to today's application code when opting into the new safety checks though by adding possibly more uses of the unsafe keyword than were needed before as many APIs with unsafe in the name or documentation such as the Marshall.* family of functions will probably get new safety documentation. Most of those concerns are still in P/Invoke and native library interop spaces and would probably be refactored into libraries to re-isolate the unsafe code and have the application continue to not allow unsafe blocks, but that will be tech debt migrations that may show up when opting into the new behaviors.)

by WorldMaker

5/23/2026 at 3:17:30 PM

C# is like Rust in the sense that a regular (web, desktop, etc.) developer probably won’t need unsafe, but it’s useful for lower-level work in libraries and CLI tools, especially where performance is important.

by smt88

5/24/2026 at 3:22:12 PM

[flagged]

by ryanshrott

5/23/2026 at 7:34:52 PM

just use perl instead

by effnorwood