[rurban]

Sure, that's why safe languages forbid users to use unsafe things.

"C programmers think memory management is too important to be left to the computer. Lisp programmers think memory management is too important to be left to the user." Ellis and Stroustrup, The Annotated C++ Reference Manual.

[adastra22]

You need a systems programming language to write safe systems. That's what Rust is. Maybe there's room for a higher-level 100% safe language. Rust would be a good language to write it in.

In the mean time, in the messy world of writing software today, one does frequently enough come across the need for new safety primitives. Things that are provably correct but which the type system of your language does not support. In these instances, unsafe lets you lower down into systems code to build and safely wrap these new components.

[rurban]

Yes, Rust is a good systems programming language. Just not safe. Safer than most others, yes. Good enough, yes.

But there exist safe systems programming languages. Safe systems were done in these languages. Just nobody cared, so they died or have no market share.

[adastra22]

Which ones?

[rurban]

Do I have to do osdev language research for you now? I'm certainly missing some, but out of my head: Mesa/Cedar, Concurrent Pascal, Smalltalk, Lisp, ADA, C#/M# for Midori/Singularity, Oberon, ...

[adastra22]

All of those have unsafe-like escape hatches, with the notable and singular exception of Concurrent Pascal. In each of the others you can access their own version of `unsafe` as an escape hatch

Mesa/Cedar: LOOPHOLE inside an UNSAFE module

Smalltalk 80: You can access the built-in VM instructions directly using the <primitive: N> syntax. E.g. basicAt:put: at <primitive: 61> avoids bounds checks and type checks.

Common Lisp: (safety 0)

Ada: Unchecked_Conversion, Unchecked_Deallocation

C#/M#: unsafe class MyClass<T> where T : unmanaged

Oberon: the SYSTEM module

Rust isn't any different, and unsafe exists in Rust for the same reason it exists in all these other languages. You use it to create new constructs the language authors didn't foresee. Concurrent Pascal is the singular exception: You can't do anything the language doesn't provide out of the box. Need something Brinch Hansen didn't think of? Sucks to be you.

If you want the rusty version of Concurrent Pascal though, you can have that. Put #![forbid(unsafe_code)] in your crate's lib.rs, or your Cargo.toml. Done.

[OneWingedShark]

While Ada does have `Unchecked_Deallocation` and `Unchecked_Conversion`, Ada out-of-the-box provides safety roughly on-par with the high-integrity C++ style-guide. For provable safety, the SPARK subset/provers are used.

There's a lot you can do in Ada without resorting to them, and even with using them it can be perfectly fine, such as (eg) "view conversion" of a register or memory-mapped location -- remember that a lot of APIs (and ABIs) have been kneecapped by catering to C's inabilities, so even if the idea is directly expressible in some higher level language it will be exposed at the lower level.

[rurban]

Sucks to need to add unsafe new constructs the language authors didn't foresee, and still call it safe. Should have been forseen.