> Rust is too constrained without [unsafe blocks] to get any useful work done.
Just saw this in the wild again.
@veloren has about 330,000 lines of Rust code today. It's a networked, multi-threaded, 3D, portable game and game engine played by thousands of people. Very much not a contrived example. Name any sort of code and you'll find it in there: GUI, packet parsing, physics, DSP, decision trees, database calls, ECS, procgen, audio. It's all in there.
It has 12 instances of `unsafe`:
(1/2)
Of those 12 instances:
- 6 relate to hot reloading (dynamic linking) and aren't even presented in public builds
- 3 relate to the plugin system (JIT compilation and other things that are almost impossible to provide hard soundness proofs for)
- 2 relate to shader compilation (also JIT)
- 1 relates to accessing the OS clipboard and is unsafe because the underlying abstraction is perilously easy to abuse (thanks C)
@jsbarretto To me this confirms even more that Rust's unsafe {} blocks are a good thing: if you have a crash / vulnerability related to memory corruption, you can dramatically reduce the amount of places you have to check for and it's likely much easier to fix.
I think anyone who has worked in a big enough C or C++ codebase has heard about at least one elusive memory corruption that is somewhere in the code that either took weeks to pinpoint, or took weeks to fix, or is still unfixed months later.
The same is very unlikely to happen in Rust.
@jsbarretto Rust is useless without unsafe blocks in the same way Python is useless without writing C code.
(Or rather less so. Since a lot of C dependencies you Python code depends on could be safe or mostly safe Rust as well.)
Joshua Barretto
Peter Bindels
_L4NyrlfL1I0
amarioguy
mei
Soso
Ian Douglas Scott
aburka 🫣
Raeve 
Alessandro Re