Sebastian Scholz

Speaker
485 total appearances

Podcast Appearances

Rust in Production
Gama Space with Sebastian Scholz

But those are safer conversions than just using transmute.

And the fact that the type system guarantees no just random conversion between different types is really helpful to reason about these invariants in your code.

So, for example, just think about in C, I can create any struct at any point in any time.

In Rust, you need unsafe to do that.

And it's a big kind of flag.

If you see unsafe in the code, it helps you during the review because when you use unsafe, you always need to prove, at least with a comment, that certain invariants are holding up.

And that makes it very easy to prove that your code can be safe, even if you're using unsafe.

So unfortunately, we still have C libraries underneath, which are all unsafe.

I mean, it's C code, so there's no help from the Rust compiler there.

And so interfacing with those does require unsafe boundaries, unsafe blocks.

But when we write our wrapper functions for these functions in the C libraries, we make sure that all of the unsafe preconditions that need to be met for this library to be called are met.

And one of the examples is, as I said, the CSP library, where we make sure that it's initialized before we use any of the functions.

Yeah, so direct unwraps are also somewhat forbidden in our code.

The best that we can do are expects, where you provide a message and a reasoning of why this certain thing can never fail.

And there's still a few pain points in Rust with this, where you do need to unwrap certain things.

For example, think about creating a non-zero value.

You can do this unwrapping or this expecting in const code, which is very nice.

So you can make it a compile time error.

Yet still, it's unfortunate that certain things can't be expressed correctly as you want them and need to be unwrapped.