The Hardest Kind of Unsafe Rust
In this episode of Oxide and Friends, the hosts discuss the most challenging aspects of writing unsafe Rust code, focusing on subtle memory safety issues, pointer provenance, and the difficulty of correctly using raw pointers in complex systems programming contexts.
Background
- Oxide and Friends is a podcast hosted by Bryan Cantrill and Adam Leventhal, co-founders of Oxide Computer Company, which builds bare-metal cloud servers and is known for deep systems engineering in Rust.
- This episode discusses the hardest forms of unsafe Rust — likely referring to writing Rust code that interacts directly with hardware, manages memory manually, or implements synchronization primitives (like spinlocks or reference counters). The "hardest kind" is often code that must uphold invariants the compiler cannot check, such as interior mutability or data-race-free concurrency.
- Rust's safety guarantees come from its borrow checker; "unsafe" blocks let programmers do raw pointer dereferencing, call foreign functions (FFI), or mutate static variables. Getting unsafe wrong can cause undefined behavior (UB), crashes, or security holes.
- This matters because Oxide's entire business depends on writing reliable, low-level systems software (firmware, hypervisors, storage) in Rust, where unsafe is unavoidable. Understanding where unsafe is most dangerous helps engineers avoid bugs that defeat Rust's purpose.