Coding by Hand
Rust home

The Rust Philosophy

A Rust compiler is a building inspector who reads every blueprint before a single nail goes in. Most languages let you start pouring concrete and check the foundation later, after the wall falls on someone. Rust will not. The inspector stands at the gate, line by line, and refuses to stamp the plans until the load-bearing math works, the doors swing the right way, and nothing is built one inch past the property line. The houses that pass inspection are the same speed as the ones built with no oversight. That is the whole pitch — strict at the gate, free at the finish.

The Rust compiler stands at the construction gate, stamping blueprints before any concrete pours.
The Rust compiler stands at the construction gate, stamping blueprints before any concrete pours.

The reason this inspector exists is a story about Mozilla in 2006. Firefox was the second-most-used browser on Earth, written in millions of lines of C++, and it crashed on a schedule. The crashes were almost never logic bugs. They were memory bugs — a pointer pointing at a building that had already been torn down, a buffer that wrote one byte past its lot line into the lot next door, two threads pouring concrete into the same slab at the same time. A Mozilla engineer named Graydon Hoare had been quietly building a side project on his own time, a language whose compiler would refuse to ship a program with any of those defects. Mozilla took the project public in 2010, hit version 1.0 in 2015, and started rewriting parts of the browser engine in it. The crash graphs dropped. The speed graphs did not.

The single bug Hoare was the most worried about was the one called a buffer overflow. The Morris worm of 1988 — the first piece of malware to take down the early internet — was a buffer overflow in a Unix program called fingerd. Heartbleed in 2014, which exposed the private keys of roughly two-thirds of every secure website, was a buffer overread in OpenSSL. The pattern is always the same. A program holds a small piece of land in memory, four bytes wide, ten bytes wide. The code asks for byte number 10,000. C hands you whatever happens to be sitting at that address — a password, a private key, a function pointer the attacker can now overwrite. Rust will not let you ask without checking first.

Watch the inspector at work. Here is a four-byte buffer that spells "Hi!" with a null at the end.

let buffer: [u8; 4] = [0x48, 0x69, 0x21, 0x00];
println!("buffer holds 4 bytes: H i ! \\0");

The buffer is your lot. Four bytes, indices 0 through 3. In C, you reach for buffer[10] and the compiler shrugs and the program runs and you read a byte that does not belong to you. In Rust, the array's bracket syntax would crash the program at runtime — which is better than silently leaking memory, but Hoare wanted something better still. So Rust ships a method called .get() that hands you back a wrapper. The wrapper holds either the byte you asked for, or a stamp that says "nothing there." You have to open the wrapper before you can use what is inside, which means the compiler can prove at build time that you handled the empty case.

match buffer.get(2) {
    Some(byte) => println!("index 2 -> 0x{byte:02x} (inside the lot)"),
    None => println!("index 2 -> refused"),
}
match buffer.get(10) {
    Some(byte) => println!("index 10 -> 0x{byte:02x}"),
    None => println!("index 10 -> refused: past the lot line"),
}

The match block is the inspector's clipboard. Two cases, both signed off. If the index is inside the lot, Some(byte) hands you the byte. If the index is past the lot line, None hands you nothing and the program prints "refused." Run the program and the same two questions get asked — one inside the buffer, one ten bytes past it — and the second one comes back rejected instead of leaking whatever sat next door.

buffer holds 4 bytes: H i ! \0
index 2 -> 0x21 (inside the lot)
index 10 -> refused: past the lot line
in C: the same read hands back whatever byte sat next door.
in Rust: the inspector blocked the pour.

A C program asking buffer[10] on the same four-byte array on the same machine would have happily printed a random byte from whatever was next to it on the stack — a return address, a piece of a password, the high byte of a function pointer. That byte is what attackers spent the last 35 years turning into worms and ransomware. The Rust version cannot do that. Not because the programmer was careful. Because the compiler was.

A four-byte lot in memory and the neighbor's lot a C read can wander into.
A four-byte lot in memory and the neighbor's lot a C read can wander into.

The phrase you will hear over and over for this idea is "zero-cost abstraction." Bjarne Stroustrup coined it for C++ in the 1990s — the rule that any safety check the compiler adds at build time should leave no trace in the finished program at runtime. The match block above costs nothing extra when it runs. The compiler reads the proof that you handled both cases, throws the proof away, and emits the same machine code C would have emitted for an unchecked read — minus the security holes. You pay for the inspector once, in compile time. The building you ship is the same weight.

The second half of the pitch is "fearless concurrency." Two crews on the same construction site is where a project either finishes in half the time or burns down. The crews need to share — the cement mixer, the crane, the blueprint binder — and if both crews try to use the cement mixer at the same instant, the mixer breaks. C++ programs running on 8-core CPUs spend a huge fraction of their bugs on exactly this problem, called a data race, and the bugs only show up on the customer's machine where the timing is different. Rust's inspector reads which crew owns which tool, draws lines about who can borrow what when, and refuses to compile any plan where two crews could touch the cement mixer at the same time. The fear of running parallel code goes away because the compiler ran the safety proof for you.

Rust's journey from a side project at Mozilla to Linux drivers and Windows internals.
Rust's journey from a side project at Mozilla to Linux drivers and Windows internals.

The cost of all this is the inspector itself. The first month with Rust feels like arguing with a stubborn old man at a permit office — every line gets a red mark, every shortcut gets a no. The phrase Rust programmers use is "fighting the borrow checker." It does not last. After a few weeks the rules become the way you think, and the inspector stops red-marking the blueprints because you stopped drawing the bad ones. Programs you ship after that simply do not crash from the bugs C and C++ programs crash from. Microsoft reported in 2024 that roughly 70 percent of the security bugs in Windows had been memory bugs of the kind Rust prevents. Linux now accepts Rust drivers. Android's Bluetooth stack is being rewritten in it. The bet Hoare made in 2006 — that programmers would tolerate a strict inspector if it meant their buildings stopped falling down — is the bet the rest of the industry is now making with him.

Next lesson — why a language this strict is being chosen for the exact jobs Python used to do for free, and what the speed difference looks like in nanoseconds.