Executive Summary
dotMetal is a portable execution platform built on a constrained, verifiable subset of LLVM IR. It replaces MSIL/CLI bytecode with an intermediate representation designed for deterministic semantics, cross-architecture portability, and explicit memory control.
The platform preserves full binary and source compatibility with .NET (ECMA-335) while extending support to deterministic native code and kernel-level systems programming. It defines three execution zones—Managed, Native, and Kernel—each with distinct memory models and guarantees, unified under a single compilation and runtime model.
C#.metal serves as the canonical surface language. In the Managed Zone, it provides standard C# with garbage collection for user-level application development. In Native and Kernel zones, it extends the language with ownership-based memory management, explicit lifetimes, and deterministic resource control.
Problem Domain
Software systems increasingly outlive the languages and platforms used to create them. Organizations face a choice between indefinite maintenance of aging codebases, risky rewrites, or brittle wrapping strategies. Modern software demands span managed applications, high-performance native libraries, real-time systems, and operating system kernels—domains traditionally served by incompatible toolchains and memory models.
dotMetal addresses this by providing a stable, disciplined execution substrate that enables software to survive changes in language, platform, and time. It does not replace existing languages. It provides a semantic foundation beneath them.
Representative Use Cases
Operating System Development
A kernel written in C#.metal Kernel Profile compiles to portable dotMetal IR. Architecture-specific code (boot, MMU, interrupts) remains platform-dependent. The majority of the kernel—scheduling, filesystems, networking—becomes architecture-neutral. Driver modules use Native Zone. User-space applications run in Managed Zone.
Cross-Platform Native Libraries
A high-performance library implemented in Native Zone compiles once to dotMetal IR and runs on any supported architecture with a backend. Memory management is deterministic. Performance is predictable. The library interoperates cleanly with Managed Zone applications through defined boundaries.
.NET Ecosystem Reuse
Existing .NET assemblies translate to dotMetal Managed assemblies via IL-to-IR conversion. Metadata and semantics are preserved. The full NuGet ecosystem becomes available across all architectures without recompilation. Managed and Native code coexist within a single deployment.
Legacy System Modernization
Constrained subsets of legacy languages (Fortran, COBOL, C/C++) compile to dotMetal Native IR under explicit constraints. The IR is decompiled into readable C#.metal. Semantic equivalence is validated. The resulting codebase is maintainable with modern tooling. Migration proceeds incrementally without wholesale rewrites.
Design Principles
Explicit Semantics
Memory ownership is explicit. Execution zones are explicit. Interoperability boundaries are explicit. Guarantees are opt-in and documented. The platform avoids inference and heuristics in favor of clear contracts.
Multiple Execution Models
The Managed Zone provides garbage collection and full .NET compatibility for user-level application development. Standard C# code runs unmodified, with automatic memory management and the complete .NET class library. The Native Zone provides deterministic, ownership-based memory management without runtime overhead for systems programming. The Kernel Profile supports operating systems, drivers, and firmware with predictable execution and no dependency on runtime services. These zones coexist with strict isolation and defined interaction rules.
Portable Intermediate Representation
dotMetal IR is based on LLVM IR, restricted to avoid undefined behavior and extended with metadata that preserves semantic intent. The IR is designed to be both executable and reconstructible. It serves as a long-term contract, not a compiler artifact.
Ownership and Safety
The Native Zone adopts an ownership model comparable to Rust's: owner<T> for owned resources, borrow<T> for immutable references, mut borrow<T> for exclusive mutable access. Lifetimes are lexically scoped. The verifier enforces aliasing and lifetime rules at compile time, eliminating use-after-free, double-free, and most data races without garbage collection.
Binary Compatibility
Two independent implementations conforming to the specification must interoperate. Metadata formats, calling conventions, type layouts, and symbol resolution are defined deterministically. Generic instantiations use canonical hashing. Cross-runtime type identity is preserved.
Long-Term Stability
The specification defines versioning and compatibility guarantees. New capabilities are introduced via opt-in profiles. Breaking changes require major version increments and migration guidance. The platform is designed to remain a viable execution target across decades.
Scope and Boundaries
What dotMetal Provides
- A platform for managed, native, and kernel-level software
- Binary and source compatibility with .NET assemblies
- A deterministic systems programming environment
- Ownership-based memory safety without garbage collection
- Cross-architecture portability through IR standardization
- A canonical surface language (C#.metal) for native code
What dotMetal Does Not Attempt
- Universal replacement of all programming languages
- Heuristic decompilation or automatic code inference
- A lowest-common-denominator virtual machine
- Perfect translation of arbitrary legacy code
- Elimination of all undefined behavior from existing systems
These boundaries are intentional. They preserve the platform's credibility and prevent overreach.
Native Zone and Ownership
The Native Zone provides deterministic memory management through explicit ownership. Memory allocations return owner<T> types. Ownership is transferred via move. Resources are released via drop or implicit scope exit. Borrows provide temporary access without ownership transfer.
The borrow checker enforces:
- No borrow may outlive its owner
- Mutable borrows are exclusive (no simultaneous immutable borrows)
- No move or drop while borrows are active
- Ownership validity is tracked through control flow
This model eliminates use-after-free, double-free, iterator invalidation, and most data races at compile time. Performance characteristics are comparable to Rust and hand-optimized C++.
C#.metal Language
C#.metal is a superset of C# that extends the language for systems programming while maintaining full compatibility with standard C# in the Managed Zone. Managed assemblies use standard C# syntax and semantics with garbage collection, providing a productive environment for application development. Native and Kernel assemblies gain access to ownership keywords (owner, borrow, mut, move, drop, raw) and low-level intrinsics for deterministic memory control.
Zone selection occurs at compile time via the --zone flag. Native constructs are rejected in Managed assemblies to preserve language compatibility. The compiler uses Roslyn for parsing and semantic analysis, adding ownership binding and borrow checking as augmenting passes for Native and Kernel zones.
C#.metal provides a single language capable of expressing garbage-collected applications, operating system kernels, device drivers, memory allocators, high-level application logic, and standard libraries within one coherent programming model.
Runtime Implementation
A conforming dotMetal runtime must be implemented in Native Zone (or Kernel Profile for bare-metal environments). The runtime provides:
- Assembly loading and verification
- JIT compilation, AOT compilation, or interpretation
- Garbage collection for Managed Zone
- Type handle and vtable management
- Generic instantiation and dictionary canonicalization
- Reflection and metadata services
- Interop trampolines and transition frames
- Thread scheduling and synchronization
Multiple independent runtimes conforming to the specification interoperate. Assemblies produced by one toolchain load and execute correctly in another runtime. Type identity, calling conventions, and memory layouts are deterministic.
Specifications and Documentation
The following documents define normative and informative aspects of the platform:
- Platform Vision — Architectural philosophy and long-term positioning
- Legacy Modernization Executive Summary — High-level overview of opt-in migration strategy
- dotMetal Specification v1.0 — Complete platform specification, conformance requirements, and compatibility guarantees
- C#.metal Language Specification — Surface language definition, ownership model, and zone semantics
- Runtime Implementation Guidelines — Requirements for conforming runtime implementations
- Compiler Design — Front-end architecture, lowering rules, and IL translation
- Legacy Modernization Whitepaper — Opt-in migration strategy and semantic preservation
- C/C++ Translation Design — Ownership inference and idiom mapping for legacy code
Licensing
The dotMetal specification, compiler design, and runtime guidelines are released under the MIT License. This enables independent implementations, commercial and non-commercial use, modification, and redistribution without restriction.
The licensing model treats dotMetal as infrastructure. Implementations may be proprietary or open-source. Conformance to the specification determines interoperability, not license choice.