C++ provides the tools that C lacks for writing safer code.
Of course it doesn't help if people write "C with C++ compiler" and better alternatives are desired, where copy-pasting C code is not possible.
Eventually one of the current candidates will won over the roles of C and C++, except for environments married with C, like UNIX derivatives.
Until then, when the choice boils down only to C vs C++, there is no question that in regards to language features for writing safer code, C++ is the only possible answer.
C++ would not have helped as a target language for compiling Ragel, at the level the compiling is done. Actually IIRC Ragel enhanced their output to mitigate that kind of situation, and the intermediate language they target is still C.
I'm not sure anybody targets C++ as an intermediate language when emitting code at this level. (I do have written some code that emits some C++, but at a wildly different and higher level). I'm not sure this would bring any value.
Of course it would have helped if they made use of a std::vector like class with bounds checking enabled, instead of a pure C array.
"Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law. "
I'm still unsure of the rate at which this could be a solution to leverage checked C++ library types, and whether in the precise case of the Cloudfare issue this would be applicable. However I still think that in most case if you must handle out-of-bound conditions from a checked language outputting to an unchecked one, you just emit your checking code yourself...
Also the C++ standard is 1500 pages long. I prefer to avoid knowing that as a backend language when I can...
Of course it doesn't help if people write "C with C++ compiler" and better alternatives are desired, where copy-pasting C code is not possible.
Eventually one of the current candidates will won over the roles of C and C++, except for environments married with C, like UNIX derivatives.
Until then, when the choice boils down only to C vs C++, there is no question that in regards to language features for writing safer code, C++ is the only possible answer.