
I really don’t get this perspective. People act like you need one self-referential struct and suddenly you’ve gotta switch languages.

Just use unsafe! That’s what it’s there for. You can use internally-unsafe semantics to expose an externally-safe API and nobody needs to care.

You get Rust’s safety benefits everywhere else (not to mention all the other nice parts) and your unsafe code is limited only to the areas it’s truly necessary.




You can't always hide the problem behind an API, because for instance an API may call back into your code and access data. Or it may want to do that in the future. The "unsafe" world will spread like a virus.


Absolutely ridiculous.

Rust itself is written using plenty of unsafe code, all of which runs on top of fundamentally-unsafe CPU architectures. And yet it manages to expose a safe API to its users who somehow manage to write memory-safe Rust programs every day.

> You can't always hide the problem behind an API, because for instance an API may call back into your code and access data.

This is quite literally all that Cell and RefCell do and they hide this behavior behind a safe API.

Do memory-safety leaks in supposedly memory-safe abstractions crop up occasionally? Sure, nobody's perfect. But this idea that unsafety is uncontainable and spreads out everywhere until your whole program is infected and riddled with memory-safety bugs is completely detached from reality and regularly disproven by Rust developers on a daily basis.


Rust is still in a research phase. People are still figuring out how to do certain very basic stuff without a garbage collector. See e.g. how long it has been taking to get a decent GUI library with callback functions that can be closures that reference external parts of data.

In my view it is silly to do very high-level stuff in a systems language that was never intended for that purpose, and when you can clearly see the downsides of that approach; you are thinking of memory issues a large part of the time instead of being able to focus on your high-level functionality or even high-level security issues. Of course you can try to do it, but then it is research, not practical or necessarily sustainable programming.


> Rust is still in a research phase. People are still figuring out how to do certain very basic stuff without a garbage collector. See e.g. how long it has been taking to get a decent GUI library with callback functions that can be closures that reference external parts of data.

Are Golang, Ruby, Python et al still in the "research phase"? After all, none of them have native GUI frameworks written in them yet.

That said, you're moving the goalposts. The entire premise of my original reply was objecting to your claim that Rust paints you into a corner should you need a non-tree-like data structure. Which is absolutely ridiculous, there are countless examples of self-referential data structures written in Rust. They use unsafe, which is what it's there for.


Original poster said of Nanite:

> It's brittle, and full of internal relative addresses within the data item, so it's very vulnerable to buffer overflows.

I think the hope was that rewriting it in Rust would make it more robust. But if the only way to write it efficiently is to unsafe your way to writing C++ in disguise, it's not clear it will be any more robust.


You're casually ignoring the entire rest of your program, which can now be written in safe Rust.

Just because some part of your program needs to use features unavailable in safe Rust doesn't mean your entire program might as well be written in asm.


"Just use unsafe! That’s what it’s there for."

No, no. "Unsafe" should not be used because you can't figure out how to do some data structure in Rust. You'll get it wrong.

I have 27,000 lines of Rust in one complicated program with no "unsafe".


First, please consider the context of my comment.

Second, Rust itself is implemented with unsafe. Self-referential data structures are necessary for some problem domains, and those must be implemented with unsafe. Unsafe exists and is a tool that is sometimes necessary. When it is necessary, it should be used carefully.

Just because you haven't needed unsafe personally doesn't mean others don't. And the Rust developers aren't superintelligences capable of using it correctly while the rest of us mere mortals aren't.
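
The pattern debated in this thread, as an added example that is not from any commenter and not Nanite's code: a blob with internal relative links is validated once in a safe constructor, and the `unsafe` unchecked read stays private behind that invariant. The 4-byte node layout and the names `NodeBlob`, `BlobError` and `walk` are assumptions made for illustration.

```rust
// Added example. Constructed layout (an assumption, not Nanite's real format):
// the blob is a run of 4-byte nodes, each [value: u16 LE][rel: i16 LE], where
// `rel` is the distance in nodes to the next node and 0 ends the chain.
#[derive(Debug, PartialEq)]
pub enum BlobError { BadLength, OutOfBounds { node: usize } }

pub struct NodeBlob { bytes: Vec<u8>, count: usize }

impl NodeBlob {
    /// The only constructor: every relative link is checked once, here.
    pub fn new(bytes: Vec<u8>) -> Result<Self, BlobError> {
        if bytes.len() % 4 != 0 { return Err(BlobError::BadLength); }
        let count = bytes.len() / 4;
        for node in 0..count {
            let rel = i16::from_le_bytes([bytes[node * 4 + 2], bytes[node * 4 + 3]]);
            let target = node as i64 + rel as i64;
            if target < 0 || target >= count as i64 {
                return Err(BlobError::OutOfBounds { node });
            }
        }
        Ok(NodeBlob { bytes, count })
    }
    // Private, so code outside this module cannot reach the unchecked read.
    fn read(&self, node: usize) -> (u16, i16) {
        debug_assert!(node < self.count);
        // SAFETY: `node < count` and `bytes.len() == count * 4`, both fixed by
        // `new`; `bytes` is private and never mutated afterwards.
        unsafe {
            let b = self.bytes.get_unchecked(node * 4..node * 4 + 4);
            (u16::from_le_bytes([b[0], b[1]]), i16::from_le_bytes([b[2], b[3]]))
        }
    }
    /// Safe API: follows the chain from `start`, at most `count` hops so a
    /// cyclic chain terminates. Returns None if `start` is not a node.
    pub fn walk(&self, start: usize) -> Option<Vec<u16>> {
        if start >= self.count { return None; }
        let (mut node, mut out) = (start, Vec::new());
        for _ in 0..self.count {
            let (value, rel) = self.read(node);
            out.push(value);
            if rel == 0 { break; }
            node = (node as i64 + rel as i64) as usize; // in range: checked in `new`
        }
        Some(out)
    }
}
fn main() { println!("{:?}", NodeBlob::new(vec![1, 0, 1, 0, 2, 0, 0, 0]).unwrap().walk(0)); }
```

A link that points outside the blob is rejected as `BlobError::OutOfBounds` at construction, so the unchecked read never sees it.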



