The Rust programming language restricts aliasing to provide static safety guarantees. However, in certain situations, developers need to bypass these guarantees by using a set of unsafe features. If they are used incorrectly, these features can reintroduce the types of safety issues that Rust was designed to prevent. We seek to understand how current development tools can be improved to better assist developers who find it necessary to interact with unsafe code. To that end, we study how developers reason about foreign function calls, the limitations of the tools that they currently use, their motivations for using unsafe code, and how they reason about encapsulating it. We conducted a mixed-methods investigation consisting of semi-structured interviews with 19 developers, followed by a survey that reached an additional 160 developers. Our participants were motivated to use unsafe code when they perceived that there was no alternative, and most avoided using it. However, limited tooling support for foreign function calls made participants uncertain about their design choices, and certain foreign aliasing and concurrency patterns were difficult to encapsulate. To overcome these challenges, Rust developers need verification tools that can provide guarantees of soundness within multi-language applications.
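The "foreign aliasing" encapsulation problem the abstract refers to can be made concrete with a small example. The code below is an added illustration, not code from the paper or from any of the participants' projects. It assumes a C-style library that retains a pointer to caller memory across calls (`lib_register` / `lib_checksum` / `lib_unregister`, which are hypothetical names and are simulated here in Rust so the example runs without a C toolchain). It shows a wrapper whose safe signature hides that retained pointer, and a guard-based wrapper that ties the registration to a Rust borrow so the compiler, rather than the developer's memory, enforces the library's aliasing assumption.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::ptr;

// --- Simulated foreign library (assumption: stands in for a real C API declared in an
// `extern "C" {}` block). It models the retained-pointer pattern: lib_register stores the
// caller's pointer and lib_checksum dereferences it later, outside any Rust borrow.
thread_local! {
    static REGISTERED: Cell<(*const u8, usize)> = Cell::new((ptr::null(), 0));
}

unsafe extern "C" fn lib_register(buf: *const u8, len: usize) {
    REGISTERED.with(|r| r.set((buf, len)));
}

unsafe extern "C" fn lib_unregister() {
    REGISTERED.with(|r| r.set((ptr::null(), 0)));
}

/// Contract of the simulated library: the registered buffer must still be live and
/// unchanged when this is called. Returns 0 when nothing is registered.
unsafe extern "C" fn lib_checksum() -> u32 {
    let (p, len) = REGISTERED.with(|r| r.get());
    if p.is_null() {
        return 0;
    }
    // SAFETY: relies entirely on the caller upholding the contract above.
    unsafe { std::slice::from_raw_parts(p, len) }
        .iter()
        .map(|&b| u32::from(b))
        .sum()
}

// --- Unsound encapsulation ---
/// The signature promises the borrow of `data` ends when the call returns, but the
/// library keeps the pointer. A purely safe caller can then do
/// `let mut v = vec![1u8]; register_unsound(&v); v.push(2); /* reallocates */`
/// and a later checksum reads freed memory. Nothing in the type system flags this.
pub fn register_unsound(data: &[u8]) {
    // SAFETY (incorrect): only valid for the duration of this call, which is not what
    // the library assumes.
    unsafe { lib_register(data.as_ptr(), data.len()) }
}

// --- Sound encapsulation ---
/// Holds the shared borrow for as long as the library holds the pointer. The borrow
/// checker therefore rejects mutating, moving or dropping the buffer while the guard
/// lives, and Drop unregisters before the borrow can end. Single registration only,
/// matching the simulated library.
pub struct Registration<'a> {
    _buf: &'a [u8],
    // The simulated library state is thread-local, so a registration must not be
    // moved to another thread: a raw pointer in PhantomData makes the guard !Send.
    _not_send: PhantomData<*const u8>,
}

impl<'a> Registration<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        // SAFETY: the library only reads `data` while this guard, and thus the borrow,
        // is alive; Drop unregisters before the borrow ends.
        unsafe { lib_register(data.as_ptr(), data.len()) };
        Registration { _buf: data, _not_send: PhantomData }
    }

    pub fn checksum(&self) -> u32 {
        // SAFETY: `_buf` is still borrowed, so the registered pointer is valid and unchanged.
        unsafe { lib_checksum() }
    }
}

impl Drop for Registration<'_> {
    fn drop(&mut self) {
        // SAFETY: clears the retained pointer while the buffer is still valid.
        unsafe { lib_unregister() }
    }
}

/// Returns (checksum while registered, checksum after the guard is dropped).
pub fn demo() -> (u32, u32) {
    let data = vec![1u8, 2, 3, 250]; // constructed sample input
    let reg = Registration::new(&data);
    let live = reg.checksum();
    // data.push(9); // does not compile: `data` is borrowed by `reg`
    drop(reg);
    // SAFETY: nothing is registered, so the library returns 0 without dereferencing.
    let after = unsafe { lib_checksum() };
    (live, after)
}

fn main() {
    let (live, after) = demo();
    println!("checksum while registered: {live}, after unregister: {after}");
}
```

The guard pattern only works because the library exposes an unregister call; a foreign API that retains a pointer with no way to revoke it cannot be wrapped soundly for borrowed data at all, and the wrapper has to take ownership (for example a `Box<[u8]>` it never frees) instead. That is the kind of case the abstract describes as hard to encapsulate.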