[Const-me]

> C# is not more safe than Rust

By design, Rust requires unsafe code to implement any non-trivial data structures (except trivial POD types). This applies to both Rust standard library, and third-party crates.

The issue is not a theory, security bugs actually happened in reality. Here’s an example about the Rust standard library: https://shnatsel.medium.com/how-rusts-standard-library-was-v...

By contrast, thanks to the VM and the GC, C# allows to implement very complicated data structures without any unsafe code or unmanaged interop. The standard library is also implemented in idiomatic memory-safe subset of the language. For example, here’s the hash map: https://source.dot.net/#System.Private.CoreLib/src/libraries...

> falls to prevent null pointer exceptions and modified collection exceptions

Yes indeed, but these exceptions are very unlikely to cause security bugs in the software.

[jbboehr]

> Rust requires unsafe code to implement any non-trivial data structures

That seems like a gross overstatement.

https://github.com/rust-lang/rust/blob/master/library/std/sr...

CTRL-F: unsafe

Only one result, an optional utility function: "pub unsafe fn get_many_unchecked_mut"

[duckerude]

That's a wrapper around the actual implementation (which lives in an external package). Notice "use hashbrown::hash_map as base;" at the top.

There's far more unsafe there: https://github.com/rust-lang/hashbrown/blob/f2e62124cd947b5e...

[dequan]

The entire JIT, garbage collector and most of the C#'s VM are all implemented in C++. This has caused various issues in the past which are exploitable from managed code. The amount of unsafe code used to implement C# vastly outweighs the amount in Rust's standard library.

[pjmlp]

If you are going that way, Rust's reference compiler is dependent on LLVM, fully written in C++, and the C++ semantics of bitcode have broken Rust's code generation multiple times, forcing regressions and newer compiler releases with desactivated optimization features.

Also plenty of crates are bindings to C and C++ libraries with nice unsafe blocks.

Then was that Axium drama.

[dequan]

Hmm? Dotnet on Linux uses LLVM for codegen so that seems to be a wash. Lots of nuget packages are wrappers around native libraries as well.

[pjmlp]

Yeah, doesn't make Rust's dependency on C++ go away for its safety.

The point is the "look at what I say, not what I do", when talking about safe languages and dependencies into C and C++ libraries and compiler toolchains.

[dequan]

Which doesn't really have anything to do with GP's incorrect assertion that C# is somehow safer than Rust.

[pjmlp]

It has to do with yours incorrect assertion that using C++ in the runtime is a disadvantage for C# in regards to Rust, which equally depends on C++, in both of its compilers toolchains, rustc and gcc-rs.

When Rust gets fully bootstrapped in self hosted toolchain you'll have a point.

[Const-me]

> The amount of unsafe code used to implement C# vastly outweighs the amount in Rust's standard library.

According to bing.com chat, https://github.com/dotnet/runtime has 3.5M LOC, and https://github.com/rust-lang/rust has 6M LOC. The right panel of https://github.com/dotnet/runtime says 80% of the .NET runtime is written in C#.

This makes me wonder, do you happen to have a link for your “vastly outweighs” statement?

[dequan]

The "link" is just the repos rather than asking AI to hallucinate an answer. Rust's repo contains 2.2M LOC. The dotnet runtime contains 1.5M lines of C++.

Now if we remove in tree tests from the totals, we arrive at 1.5M lines of C++ (most tests are written in C# as you would expect) and 1.7M lines of Rust.

However, this does not exclude safe Rust code. I don't have a tool off hand that can provide a precise count of lines of unsafe code but we can get some general estimates. There are 1958 instances of "unsafe fn" out of 103,205 instances of "fn ". Further there are 11,545 instances of "unsafe " in the Rust repo while there are 10,768 instances of "unsafe " in the runtime repo.

Given that unsafe functions comprise less than 2% of all functions in the Rust repo, I think my claims are reasonable.