Is Rust Used Safely by Software Developers?
Ana Nora Evans, Bradford Campbell, Mary Lou Soffa

TL;DR
This study investigates how Rust developers use Unsafe Rust in real-world projects, revealing limited explicit unsafe keyword usage but widespread potential for unsafe code propagation, challenging Rust's memory safety claims.
Contribution
It provides the first large-scale empirical analysis of Unsafe Rust usage, highlighting safety challenges and proposing improvements to compiler and repository interfaces.
Findings
Unsafe keyword used in less than 30% of libraries
Over half of the code cannot be fully statically checked for safety
Unsafe code propagation complicates Rust's safety guarantees
Abstract
Rust, an emerging programming language with explosive growth, provides a robust type system that enables programmers to write memory-safe and data-race-free code. To allow access to a machine's hardware and to support low-level performance optimizations, a second language, Unsafe Rust, is embedded in Rust. It contains support for operations that are difficult to statically check, such as C-style pointers for access to arbitrary memory locations and mutable global variables. When a program uses these features, the compiler is unable to statically guarantee the safety properties Rust promotes. In this work, we perform a large-scale empirical study to explore how software developers are using Unsafe Rust in real-world Rust libraries and applications. Our results indicate that software engineers use the keyword unsafe in less than 30% of Rust libraries, but more than half cannot be entirely…
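The following Rust code is an added illustration, not code from the paper or its dataset, of the propagation the abstract describes: an unsafe block wrapped in a safe function is invisible to its callers, so counting the `unsafe` keyword understates how much code depends on unchecked operations. The `Buf` type and the functions `get`, `get_unvalidated` and `checksum` are constructed for this example.

```rust
// Added example, constructed for this page (not code from the paper or its dataset).
// `Buf` owns a heap buffer and reads it through a raw pointer, as a C-style
// binding or hand-rolled container might.
struct Buf {
    data: Vec<u8>,
}

impl Buf {
    fn new(data: Vec<u8>) -> Self {
        Buf { data }
    }

    /// Unsound: the `unsafe` keyword is hidden in here, so callers compile with no
    /// `unsafe` of their own, yet an out-of-range `i` reads past the allocation.
    /// The compiler cannot detect the missing check; only a human audit can.
    fn get_unvalidated(&self, i: usize) -> u8 {
        let p: *const u8 = self.data.as_ptr();
        // No SAFETY argument is possible: `i` is never compared with self.data.len().
        unsafe { *p.add(i) }
    }

    /// Sound encapsulation: the safe function establishes the invariant the unsafe
    /// block relies on (i < len), so no caller can reach undefined behaviour.
    fn get(&self, i: usize) -> Option<u8> {
        if i >= self.data.len() {
            return None;
        }
        let p: *const u8 = self.data.as_ptr();
        // SAFETY: i < len was checked above, so p.add(i) stays inside the Vec's
        // allocation and points at an initialised u8.
        Some(unsafe { *p.add(i) })
    }
}

/// A caller with no `unsafe` keyword anywhere: this is why counting the keyword
/// understates how much of a program depends on unsafe operations.
fn checksum(buf: &Buf, indices: &[usize]) -> Option<u32> {
    indices
        .iter()
        .try_fold(0u32, |acc, &i| buf.get(i).map(|b| acc.wrapping_add(u32::from(b))))
}

fn main() {
    let buf = Buf::new(vec![10, 20, 30]);
    println!("{:?}", checksum(&buf, &[0, 2])); // Some(40)
    println!("{:?}", checksum(&buf, &[0, 3])); // None
    println!("{}", buf.get_unvalidated(1)); // 20: in range, so fine this time
}
```

Auditing `get_unvalidated` means reading the whole function body, not just grepping for `unsafe`; `checksum` would look identical whether it were built on the sound or the unsound accessor.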
