Hacker News
by CrystalGamma 3219 days ago
If you use a C FFI in any language, including Java, all kinds of safety are off. Unsafe Rust is equivalent to C (with a lot of mandatory lints) in terms of safety, so Rust is not really less safe.
1 comment

Not necessarily. There is no actual reason that you couldn't be required to prove to the compiler that your code is safe.

That proof might be parameterised by a proof that some external FFI function was safe, which you might not be able to actually prove and have to assume, but then you would have your assumptions well-documented.

As it is, you have to justify the safety of your unsafe blocks to other programmers using comments, which kind of sucks.

Still better than every other fast language in this area though so I can't complain much.
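An added illustration of the convention the comment above describes, not code from the thread: in today's Rust the "proof" that an FFI call is sound lives in a `// SAFETY:` comment on the one `unsafe` block, with the part that cannot be proved (the behaviour of the foreign function) written down as an explicit assumption. The C routine here, `c_fnv1a_32`, is a hypothetical stand-in written in Rust with the C ABI so the example runs stand-alone; in a real program it would be declared in an `extern "C"` block and linked from C.

```rust
/// Stand-in for a C library routine (hypothetical, defined here so the
/// example is self-contained). Its contract is the usual C one: `data` must
/// be readable for `len` bytes, or `len` must be 0. The compiler cannot check
/// that, so the function is `unsafe` and the obligation falls on every caller.
unsafe extern "C" fn c_fnv1a_32(data: *const u8, len: usize) -> u32 {
    let mut hash: u32 = 0x811c_9dc5; // FNV-1a 32-bit offset basis
    for i in 0..len {
        // Pointer arithmetic and the read are only valid if the caller
        // upheld the contract above.
        let byte = unsafe { *data.add(i) };
        hash ^= byte as u32;
        hash = hash.wrapping_mul(0x0100_0193); // FNV 32-bit prime
    }
    hash
}

/// Safe wrapper: the only `unsafe` in the public API. Everything the foreign
/// function requires is either guaranteed by the `&[u8]` type or stated as an
/// assumption about the callee, which is the best Rust lets you do today.
pub fn fnv1a_32(data: &[u8]) -> u32 {
    // SAFETY: `&[u8]` guarantees that `data.as_ptr()` is valid for reads of
    // `data.len()` bytes for the duration of this call. For an empty slice the
    // pointer is dangling but non-null and `len == 0`, so the callee performs
    // no reads at all.
    // ASSUMPTION (documented, not provable here): the callee reads at most
    // `len` bytes, writes nothing, and does not retain the pointer after
    // returning. If the real C code violated that, this wrapper would be unsound.
    unsafe { c_fnv1a_32(data.as_ptr(), data.len()) }
}

fn main() {
    // Constructed inputs, including the empty-slice edge case.
    for input in [&b""[..], b"a", b"hello, ffi"] {
        println!("{:?} -> {:#010x}", input, fnv1a_32(input));
    }
}
```

The point of the layout is that a reader auditing the crate only has to read the `SAFETY:` comments, and each one should name both what was checked (here, by the type of the argument) and what was merely assumed about the foreign side.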