Edit - Software Engineering Stack Exchange

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Can a language be sound if it doesn't promise safety?

It is said that C's type system is unsound, which means that it has "false negatives", it tells the programmer everything is fine, but then the code fails at runtime. for example, "the program can reach a state where an expression evaluates to a value that doesn't match the expression's static type"

I learned it from the lecture notes of the course CSE341 in university of Washington which are available online. It says:

But we can give a more precise description of correctness by defining the terms soundness and completeness. For both, the definition is with respect to some thing X we wish to prevent. For example, X could be, "a program looks up a variable that is not in the environment."

A type system is sound if it never accepts a program that, when run with some input, does X.

A type system is complete if it never rejects a program that, no matter what input it is run with, will not do X.

So, basically a language is unsound if a program type-checks and claims there is no unwanted behavior, yet that unwanted behavior occurs at runtime.

For instance, in C we can write:

#include <stdio.h>
int main() {
 // in grams
 float medicineAmounts[] = {12, 8, 5.5};
 float totalAmount = 0;
 for(int i = 0; i < 5; i++) { // mistake: should be i < 3
 totalAmount += medicineAmounts[i];
 printf("%f\n", medicineAmounts[i]);
 }
 printf("total: %f grams", totalAmount); 
 // outputs: total 607785.50 grams :D
 return 0;
}

My question is: while the language is clearly unsafe, is it really unsound? We expect the expression medicineAmounts[i] to always evaluate to a value of type float (which it does—the garbage values are still bit patterns interpreted as floats). But does the C standard actually promise that out-of-bounds access will work correctly? Since the C standard says it's an "undefined behavior", and undefined means the implementation can do anything, why call it unsound when C doesn't consider it a problem? In other words: can a language be called "unsound" if it never promised the safety guarantees it's accused of violating?

Edit this Wikipedia article is very nice and full good insights and links to good resources

what precisely it means for a program to be "well typed" or to "go wrong" are properties of its static and dynamic semantics, which are specific to each programming language. Consequently, a precise, formal definition of type soundness depends upon the style of formal semantics used to specify a language

In 1994, Andrew Wright and Matthias Felleisen formulated what has become the standard definition and proof technique for type safety in languages defined by operational semantics,[4] which is closest to the notion of type safety as understood by most programmers [...]

Andrew Wright and Matthias Felleisen defined one proprty that seems to answer my question:

Progress: A well-typed program never gets "stuck": every expression is either already a value or can be reduced towards a value in some well-defined way. In other words, the program never gets into an undefined state where no further transitions are possible.

By that definition, I think, it makes the C example program I wrote above unsound.

Finally, perhaps it's worth noting, Matthias Felleisen once said in a presentation on Youtube, that many academics think of soundness as a yes/no matter, and he, as an academic and a programmer, believes it's not practical criteria. he said, we should think of it as a spectrum, we went from really evil (C) to pretty ok (e.g. Java)

Answer*

Your quote contains a very important point.

> the definition is with respect to some thing X we wish to prevent. 

If a language doesn't promise anything, then it is vacuously sound, because it prevents everything that it promises to prevent. In the case of C, *nothing* is promised about arbitrary programs, the only promises relate to a subset, "well-formed" programs.

> We expect the expression `medicineAmounts[i]` to always evaluate to a value of type float.

That isn't something you should expect from C. Because it accesses beyond the array, the program is ill-formed, and C promises *nothing* (about the whole program).

To contrast, Java does make some promises. E.g. promises that a variable of type `T` is either null, or holds a reference to an object of type `T`. NullPointerExceptions are an expected part of Java, it doesn't promise that a variable must hold a value.

However, we can subvert the promise about the type of a value. Thus we say that Java is unsound, because it makes promises that it doesn't keep.

```
U Transmute<T, U> (T value) {
 U[] us = new U[1];
 Object[] objs = us;
 objs[0] = value;
 return us[0];
}
```

Draft saved

Draft discarded

Edit Summary*

Cancel

1

"In the case of C, nothing is promised about arbitrary programs, the only promises relate to a subset, "well-formed" programs." In other words, if you can't dive off the 10M platform safely, keep your tush in the kiddie pool.

Andrew Henle
– Andrew Henle

08/20/2025 15:10:39
Commented Aug 20 at 15:10
2

This is the answer I was looking for, even though the conclusion almost seems crazy (C is sound and Java is unsound) When I first read the definition it surprised me a bit (and something felt off) because it made if feel as if C is sound, because it pretty much promises nothing, and Java is unsound because it promises you some things it doesn't deliver in some rare cases. so the the concept of soundness doesn't seem that useful to me right now in fact this is thing I always hear about soundness: "it's useless" ... but never have I ever seen someone explain why. thank you for your insight

Ghassen
– Ghassen

08/22/2025 18:59:35
Commented Aug 22 at 18:59
@Ghassen you can also say that for any property, C is unsound w.r.t. that property.

Caleth
– Caleth

08/25/2025 12:59:53
Commented Aug 25 at 12:59

Add a comment |

How to Edit

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author

How to Format

create code fences with backticks ` or tildes ~
```
like so
```
add language identifier to highlight code
```python
def function(foo):
print(foo)
```
put returns between paragraphs
for linebreak add 2 spaces at end
_italic_ or **bold**
indent code by 4 spaces
backtick escapes `like _so_`
quote by placing > at start of line
to make links (use https whenever possible)

<https://example.com>

[example](https://example.com)

<a href="https://example.com">example</a>

formatting help »
answering help »

How to Tag

A tag is a keyword or label that categorizes your question with other, similar questions. Choose one or more (up to 5) tags that will help answerers to find and interpret your question.

complete the sentence: my question is about...
use tags that describe things or concepts that are essential, not incidental to your question
favor using existing popular tags
read the descriptions that appear below the tag

If your question is primarily about a topic for which you can't find a tag:

combine multiple words into single-words with hyphens (e.g. design-patterns), up to a maximum of 35 characters
creating new tags is a privilege; if you can't yet create a tag you need, then post this question without it, then ask the community to create it for you

popular tags »

default