Safe Rust code is memory safe, data-race free, and free of other kinds of undefined behavior. Unsafe Rust code is meant to be well-encapsulated and exposed via a safe interface.
Example: Ownership and borrowing
Where we compromise on this
We don't. We'll even break stability.
You can have nice things
The high-level features in Rust are scalable, performant, and full-featured. We don't expect our users to "drop down" to low-level code, except in extreme cases.
Example: Iterators
values.iter().map(|x| x * 2).sum()
In Rust (or C++), as fast as a for loop
Or faster! No bounds checks.
In many other languages:
Costs performance
More examples
Iterators, async fn, etc
Closures that desugar to struct fields
Autoderef and . syntax
Operator overloading
Where do we give up on "nice things"?
Bounds checks:
Using vec[i] in C is faster, but we value safety more.
Unsafe code to skip indexing checks ensures we still "expose all capabilities"
Transparent and predictable
Rust avoids hidden control flow, silent memory allocation, or complex built-in operations. You don't need a lot of context to figure out what some Rust code will do when it runs or what machine code it will generate.
Example: No garbage collector
Example: Copy vs Clone
some_function(y);
In Rust, always does a memcpy
In C++, could invoke a copy constructor
Arguably, not entirely true to the spirit of principle
More examples
Unwind, ? operator
Exceptions make it harder to reason about control flow
No implicit allocation
Leads to unexpected performance cliffs
The "Predictability" rules of the API guidelines
e.g., Smart pointers do not add inherent methods
Where do we give up on transparency?
To be used, must be "nice enough".
Optimizations often unpredictable:
e.g., reordering struct fields and enums to enable composition
Orthogonal, composable, extensible
Rust encourages components that can be reused in many ways and in many environments. Rust programs work across mainstream architectures and operating systems by default. We encourage exploration, but we also recognize that exploration sometimes requires standardization.