← Back to context

Comment by baq

7 hours ago

> I don't know what one should even make from that statement.

it's just a fact. by definition of the Rust language unsafe Rust is approximately as safe as C (technically Rust is still safer than C in its unsafe blocks, but we can ignore that.)

> you didn't even bother to look at the code but still presented

of course I did, what I've seen were one-liner trait impls (the 'whole traits' from your own post) and sub-line expressions of unsafe access to bindings.

17 comments

baq

Reply
zozbot234  7 hours ago

> technically Rust is still safer than C in its unsafe blocks

This is quite dubious in a practical sense, since Rust unsafe blocks must manually uphold the safety invariants that idiomatic Safe Rust relies on at all times, which includes, e.g. references pointing to valid and properly aligned data, as well as requirements on mutable references comparable to what the `restrict` qualifier (which is rarely used) involves in C. In practice, this is hard to do consistently, and may trigger unexpected UB.

Some of these safety invariants can be relaxed in simple ways (e.g. &Cell<T> being aliasable where &mut T isn't) but this isn't always idiomatic or free of boilerplate in Safe Rust.

  • Xylakant  5 hours ago

    It's great that the Google Android team has been tracking data to answer that question for years now and their conclusion is:

    -------

    The primary security concern regarding Rust generally centers on the approximately 4% of code written within unsafe{} blocks. This subset of Rust has fueled significant speculation, misconceptions, and even theories that unsafe Rust might be more buggy than C. Empirical evidence shows this to be quite wrong.

    Our data indicates that even a more conservative assumption, that a line of unsafe Rust is as likely to have a bug as a line of C or C++, significantly overestimates the risk of unsafe Rust. We don’t know for sure why this is the case, but there are likely several contributing factors:

        unsafe{} doesn't actually disable all or even most of Rust’s safety checks (a common misconception).
    The practice of encapsulation enables local reasoning about safety invariants.
    The additional scrutiny that unsafe{} blocks receive.

    -----

    From https://security.googleblog.com/2025/11/rust-in-android-move...

    • zozbot234  3 hours ago

      > The practice of encapsulation enables local reasoning about safety invariants.

      > The additional scrutiny that unsafe{} blocks receive.

      None of this supports an argument that "unsafe Rust is safer than C". It's just saying that with enough scrutiny on those unsafe blocks, the potential bugs will be found and addressed as part of development. That's a rather different claim.

      8 replies →

menaerus  6 hours ago

So, unsafe block every 70 LoC in 1500 LoC toy example? Sure, it's a strong argument.

  • kaoD  4 hours ago

    How is that worse than everything being unsafe?

    I've seen this argument thrown around often here in HN ("$IMPROVEMENT is still not perfect! So let's keep the statu quo.") and it baffles me.

    C is not perfect and it still replaced ASM in 99% of its use cases.

    • menaerus  2 hours ago

      No, I am not saying keep the status quo. I am simply challenging the idea that kernel will enjoy benefits that is supposed to be provided by Rust.

      Distribution of bugs across the whole codebase is not following the normal distribution but multimodal. Now, imagine where the highest concentration of bugs will be. And how many bugs there will be elsewhere. Easy to guess.

      3 replies →