Meet Safe and Unsafe

safe and unsafe

It would be great to not have to worry about low-level implementation details.Who could possibly care how much space the empty tuple occupies? Sadly, itsometimes matters and we need to worry about it. The most common reasondevelopers start to care about implementation details is performance, but moreimportantly, these details can become a matter of correctness when interfacingdirectly with hardware, operating systems, or other languages.

When implementation details start to matter in a safe programming language,programmers usually have three options:

  • fiddle with the code to encourage the compiler/runtime to perform an optimization
  • adopt a more unidiomatic or cumbersome design to get the desired implementation
  • rewrite the implementation in a language that lets you deal with those details

For that last option, the language programmers tend to use is C. This is oftennecessary to interface with systems that only declare a C interface.

Unfortunately, C is incredibly unsafe to use (sometimes for good reason),and this unsafety is magnified when trying to interoperate with anotherlanguage. Care must be taken to ensure C and the other language agree onwhat’s happening, and that they don’t step on each other’s toes.

So what does this have to do with Rust?

Well, unlike C, Rust is a safe programming language.

But, like C, Rust is an unsafe programming language.

More accurately, Rust contains both a safe and unsafe programming language.

Rust can be thought of as a combination of two programming languages: SafeRust and Unsafe Rust. Conveniently, these names mean exactly what they say:Safe Rust is Safe. Unsafe Rust is, well, not. In fact, Unsafe Rust lets usdo some really unsafe things. Things the Rust authors will implore you not todo, but we’ll do anyway.

Safe Rust is the true Rust programming language. If all you do is write SafeRust, you will never have to worry about type-safety or memory-safety. You willnever endure a dangling pointer, a use-after-free, or any other kind ofUndefined Behavior.

The standard library also gives you enough utilities out of the box that you’llbe able to write high-performance applications and libraries in pure idiomaticSafe Rust.

But maybe you want to talk to another language. Maybe you’re writing alow-level abstraction not exposed by the standard library. Maybe you’rewriting the standard library (which is written entirely in Rust). Maybe youneed to do something the type-system doesn’t understand and just frob some dangbits. Maybe you need Unsafe Rust.

Unsafe Rust is exactly like Safe Rust with all the same rules and semantics.It just lets you do some extra things that are Definitely Not Safe(which we will define in the next section).

The value of this separation is that we gain the benefits of using an unsafelanguage like C — low level control over implementation details — without mostof the problems that come with trying to integrate it with a completelydifferent safe language.

There are still some problems — most notably, we must become aware of propertiesthat the type system assumes and audit them in any code that interacts withUnsafe Rust. That’s the purpose of this book: to teach you about these assumptionsand how to manage them.