Eclipse ThreadX · Eclipse Foundation

Canon-C

A semantic standard library for C99 — written to be read, engineered to be proved.

Canon-C is a header-only vocabulary that sits above the RTOS kernel and below your application logic. The same discipline that makes it readable makes it verifiable.

The gap it closes

Every safety-critical C team rebuilds the same infrastructure. Canon-C is the shared, verifiable version of it.

Arena allocators, fixed-capacity collections, error-handling conventions, ownership patterns and contract checking are privately re-implemented, and re-verified, for every certification effort. Canon-C unifies them into one disciplined C99 standard library.

Strict layering · semantic depth

Six layers, organized by depth — not feature count.

Lower layers define unavoidable mechanics; higher layers build meaning on top. Each module is independently usable, and dependencies point only downward, from higher layers to lower ones.

util/
Application-level utilities. Strings, logging, file I/O, parsing, RNG, timing, all composed from the lower layers from the outset.
algo/
Algorithms on collections. map, filter, fold, find, search, sort, unique — generic, typed-macro, and fully-typed instantiation levels.
data/
Fixed-capacity collections. Vectors, deques, hashmaps, priority queues, bitsets, ring buffers — caller-owned, no hidden allocation.
semantics/
Explicit semantic types. Option<T>, Result<T,E>, borrowed views, and structured diagnostics that carry context with no allocation.
core/
Memory & ownership. Arena and pool allocators, slices, region-based lifetimes, scope-bound cleanup, ownership annotations.
core/primitives/
The bedrock. Fixed-width types, overflow-checked arithmetic, pointer alignment, lifetime tokens, and grep-able contracts.

core/primitives → core → semantics → data → algo → util  ·  upward and circular dependencies are forbidden.

Built for the toolchain auditors already trust

Designed to support certification, on the standards that govern critical software.

Canon-C targets plain C99 with no compiler extensions required, is freestanding-safe in its core layers, and is designed to be verified with Frama-C, compiled with CompCert, and analyzed with aiT for WCET bounds, so that certification evidence produced once is reusable across efforts.
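The layer list above and the Frama-C contract discipline described in this paragraph, sketched as an added example in plain C99. This is illustrative code written for this page, not Canon-C's own headers or API; every identifier in it (checked_add_size, checked_mul_size, arena_t, res_ptr_t, vec_i32_t, fill_from_arena) is hypothetical. It shows three of the properties the layers promise: overflow-checked arithmetic whose failure path never computes the wrapped value, a Result-style error type carried by value with no allocation, and caller-owned storage for both the arena and the collection built on it. The ACSL blocks are the grep-able contracts that Frama-C's WP plugin turns into proof obligations; to any other compiler they are ordinary comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: every name below is hypothetical, not Canon-C's API.
 * core/primitives: overflow-checked arithmetic. The failure path reports
 * instead of computing, so no wrapped value ever exists. ACSL arithmetic is
 * mathematical, so "a + b > SIZE_MAX" is meaningful inside the contract. */
/*@ requires \valid(out);
  @ assigns *out;
  @ ensures \result ==> *out == a + b;
  @ ensures !\result ==> a + b > SIZE_MAX;
  @*/
static bool checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

static bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* semantics: a Result<void *, err_t> returned by value, no allocation. */
typedef enum { ERR_NONE = 0, ERR_ALIGN, ERR_OVERFLOW, ERR_CAPACITY } err_t;
typedef struct { err_t err; void *ptr; } res_ptr_t;

/* core: bump arena over caller-owned storage. Never calls malloc;
 * exhaustion is an ordinary error code the caller must handle. */
typedef struct { uint8_t *base; size_t cap; size_t used; } arena_t;

static void arena_init(arena_t *a, void *storage, size_t cap)
{
    a->base = (uint8_t *)storage; a->cap = cap; a->used = 0;
}

/*@ requires \valid(a);
  @ assigns a->used;
  @ ensures \result.err == ERR_NONE ==> a->used <= a->cap;
  @ ensures \result.err != ERR_NONE ==> a->used == \old(a->used);
  @*/
static res_ptr_t arena_alloc(arena_t *a, size_t n, size_t align)
{
    res_ptr_t r = { ERR_NONE, NULL };
    size_t start, end;
    if (align == 0 || (align & (align - 1)) != 0) { r.err = ERR_ALIGN; return r; }
    /* Pad from the absolute address: the caller's buffer is only aligned
     * for its own declared type, not necessarily for `align`. */
    uintptr_t addr = (uintptr_t)a->base + a->used;
    size_t pad = (size_t)((align - (addr % align)) % align);
    if (!checked_add_size(a->used, pad, &start) ||
        !checked_add_size(start, n, &end)) { r.err = ERR_OVERFLOW; return r; }
    if (end > a->cap) { r.err = ERR_CAPACITY; return r; }
    r.ptr = a->base + start;
    a->used = end;
    return r;
}

/* data: fixed-capacity vector over caller-provided storage. When full it
 * returns false; it never reallocates behind the caller's back. */
typedef struct { int32_t *items; size_t cap; size_t len; } vec_i32_t;

static bool vec_i32_push(vec_i32_t *v, int32_t x)
{
    if (v->len == v->cap) return false;
    v->items[v->len++] = x;
    return true;
}

/* The layers composed top to bottom: size the vector with checked
 * arithmetic, carve it from the arena, push until full, report the count. */
static err_t fill_from_arena(arena_t *a, size_t cap, size_t count, size_t *pushed)
{
    size_t bytes;
    if (!checked_mul_size(cap, sizeof(int32_t), &bytes)) return ERR_OVERFLOW;
    res_ptr_t r = arena_alloc(a, bytes, sizeof(int32_t));
    if (r.err != ERR_NONE) return r.err;
    vec_i32_t v = { (int32_t *)r.ptr, cap, 0 };
    *pushed = 0;
    for (size_t i = 0; i < count && vec_i32_push(&v, (int32_t)i); i++)
        (*pushed)++;
    return ERR_NONE;
}

int main(void)
{
    uint64_t storage[8];                  /* 64 bytes, caller-owned */
    arena_t a;
    size_t pushed = 0;
    arena_init(&a, storage, sizeof storage);
    err_t e = fill_from_arena(&a, 8, 12, &pushed);  /* 32 bytes; 8 of 12 fit */
    printf("err=%d pushed=%zu used=%zu\n", (int)e, pushed, a.used);
    e = fill_from_arena(&a, 16, 1, &pushed);        /* 64 more bytes: no room */
    printf("err=%d used=%zu\n", (int)e, a.used);
    return 0;
}
```

Built with `cc -std=c99`, the program carves a vector of eight int32_t values out of a 64-byte caller-owned buffer, stops cleanly at the eighth push, and then reports ERR_CAPACITY when a second 64-byte request does not fit. No path touches the heap, an alignment that is not a power of two and a size that would wrap are both rejected before any arithmetic is done, and every failure is a value the caller can branch on rather than a trap or a silently corrupted counter. Running `frama-c -wp` over the file discharges the two contracts; the same annotations are also what a reviewer greps for when checking that a function's preconditions are stated at all.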

DO-178C Avionics
ISO 26262 Automotive · ASIL
IEC 62304 Medical
IEC 61508 Industrial · SIL
EN 50128 Railway
ECSS-E-ST-40C Space