
What? Plenty of languages lack an unsafe mode. Java, for instance.


The unsafe code is in the JVM, and Rust does not have an equivalent.

(Also, Java had an unsafe mode for a long time, and its removal caused quite the upheaval, from what I understand.)


It's not the case that Rust's unsafe feature is there to facilitate the standard library. I'm still not clear if that's what you were saying.


If you're trying to print "hello world" on the screen, you need to make a system call. Doing so is unsafe, by Rust's definition.

There are two main solutions to this:

1. Have some sort of "unsafe" language construct so that you can make syscalls yourself.

2. Disallow arbitrary syscalls. Put the code for making said syscall inside of some trusted code, whether that be the runtime or the standard library.

Rust has chosen option #1. Java has chosen #2.

(Also, virtually every language has an "unsafe mode" in whatever C FFI exists. I was referring to sun.misc.Unsafe earlier, but JNI still exists, of course.)
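An added example, not part of the original thread: option #1 in Rust, where a raw libc call is confined to an `unsafe` block behind a safe function. It assumes a Unix-like target where `c_int` is `i32`; the names `write_all` and `pipe_roundtrip` are hypothetical.

```rust
use std::io;

// Raw libc declarations: the compiler cannot check these signatures or pointers.
extern "C" {
    fn write(fd: i32, buf: *const u8, count: usize) -> isize;
    fn read(fd: i32, buf: *mut u8, count: usize) -> isize;
    fn pipe(fds: *mut i32) -> i32;
    fn close(fd: i32) -> i32;
}

/// Safe wrapper: the slice guarantees a valid pointer/length pair, so callers
/// cannot cause memory unsafety. Retries on partial or interrupted writes.
pub fn write_all(fd: i32, mut data: &[u8]) -> io::Result<()> {
    while !data.is_empty() {
        // SAFETY: `data` is a live slice; the kernel reads at most data.len() bytes.
        let n = unsafe { write(fd, data.as_ptr(), data.len()) };
        if n < 0 {
            let err = io::Error::last_os_error();
            if err.kind() == io::ErrorKind::Interrupted { continue; }
            return Err(err);
        }
        if n == 0 { return Err(io::Error::new(io::ErrorKind::WriteZero, "write returned 0")); }
        data = &data[n as usize..];
    }
    Ok(())
}

/// Sends a short `msg` through a pipe and reads it back, to exercise write_all.
pub fn pipe_roundtrip(msg: &[u8]) -> io::Result<Vec<u8>> {
    let mut fds = [0i32; 2];
    // SAFETY: `fds` has room for the two descriptors pipe() writes.
    if unsafe { pipe(fds.as_mut_ptr()) } != 0 {
        return Err(io::Error::last_os_error());
    }
    let result = write_all(fds[1], msg).and_then(|_| {
        let mut buf = vec![0u8; msg.len()];
        // SAFETY: `buf` is writable for buf.len() bytes.
        let n = unsafe { read(fds[0], buf.as_mut_ptr(), buf.len()) };
        if n < 0 { return Err(io::Error::last_os_error()); }
        buf.truncate(n as usize);
        Ok(buf)
    });
    unsafe { close(fds[0]); close(fds[1]); }
    result
}

fn main() {
    write_all(1, b"hello world\n").expect("write to stdout failed");
}
```

Callers of `write_all` need no `unsafe` of their own; the audit surface is the four declarations and the three `unsafe` blocks.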


Sure, that all sounds about right.

To rephrase my point: including an unsafe mode is an option when designing a language. Your original comment appeared to be suggesting that it was a necessity, and that one could not write a Hello World program in a language that lacks an unsafe mode. Which is not the case, of course. JavaScript, for instance.


It would seem that a takeaway from this thread is that languages should not have C FFI if they want to be safe.



