Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

My point, only now there will be some production Linux Rust code.

As for "wc -l" part, the statement is far from true.

Imagine you're an independent auditor tasked with reviewing Linux C binder code.
You're reading it and red-penning everything you can't prove to yourself is correct.

For example it is quite easy to verify that binder_ctl_ioctl() is OK:
* struct binderfs_device doesn't have padding -- good

even better to have builtin __builtin_type_has_padding() and refuse copy_from_user/copy_to_user on types which have padding, but OK.

* copy_from_user() is correct, although that block is verbosely written (which is not a bug).

* binderfs_binder_device_create() does some shenanigans with inodes,
quota and ACL aren't initialised.
Rust must scream here but it is OK, because Binder doesn't support quotactl and ACLs.

* req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
Hell, yes! Comment is of "increment i by 1" variety (which is not a bug).

* first memory allocation

device = kzalloc(sizeof(*device), GFP_KERNEL);
inode->i_private = device;

Eww, scary pointers... But VFS guarantees to not touch i_private (and, god forbid, free it), so

kfree(device);
iput(inode);

is OK.

* second memory allocation
name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
device->context.name = name;
device->miscdev.name = name;

Eww, sketchy territory, naked pointers, unrefcounted, but searching for "context.name" shows that only 1 is freed.
and "miscdev.name" is not freed, phew.

* backcopy
if (userp && copy_to_user(userp, req, sizeof(*req))) {

if (userp) is obviously unnecessary, because it was used to copy _from_ userspace thus a valid pointer.

"req" was mutated by clearing last byte to '\0' which doesn't leak secret kernel data, so OK.
Ergo, it safe to ship to userspace.

Now suddenly (221 - 111) + (256 - 233) = 133 LOC are most certainly safe, not unsafe.

This "all C code is unsafe" is such a non true.