Rust's safety model is in an awkward position of being already complicated enough that adding proofs for skipping bounds checks probably will not happen for a long time, even though this kind of low-level operation is where a lot of optimisation is lost.
It is also unstable underneath, since there is no public, stable contract for carrying high-level semantics from HIR into MIR, which will only delay adding mechanisms for expressing and exploiting proofs of low-level optimisation facts, such as skipped bounds checks, from high-level invariants.
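To make the bounds-check trade-off in the comment above concrete, here is an added Rust example (not code from the thread). The same sum is written four ways: plain indexing, where every `xs[i]` keeps its check because `n` has no provable relation to `xs.len()`; an up-front slice cut that turns the per-iteration check into one the optimiser can prove away; an iterator form with no index at all; and a `get`-based version that reports the out-of-range case as `None` instead of panicking. The function names and the sample data are this example's own.

```rust
/// Indexed loop: `n` is unrelated to `xs.len()`, so the compiler must keep a
/// bounds check on every `xs[i]`. An out-of-range `n` panics here; that panic
/// is the memory-safety guarantee doing its job.
pub fn sum_indexed(xs: &[u32], n: usize) -> u32 {
    let mut acc = 0u32;
    for i in 0..n {
        acc = acc.wrapping_add(xs[i]); // per-iteration check, not elidable
    }
    acc
}

/// Same computation, but the length relation is stated once: after cutting the
/// slice to exactly `n` elements, the loop bound and the slice length are the
/// same value, so the check inside the loop is provable and LLVM removes it.
pub fn sum_sliced(xs: &[u32], n: usize) -> u32 {
    let head = &xs[..n]; // single check, panics if n > xs.len()
    let mut acc = 0u32;
    for i in 0..head.len() {
        acc = acc.wrapping_add(head[i]); // provable from the loop bound
    }
    acc
}

/// Iterator form: there is no index, hence no check to elide; the one check
/// left is the slice cut.
pub fn sum_iter(xs: &[u32], n: usize) -> u32 {
    xs[..n].iter().fold(0u32, |a, &x| a.wrapping_add(x))
}

/// Checked variant: `get` returns `None` for an out-of-range request instead
/// of panicking, which is the right shape when `n` comes from untrusted input.
pub fn try_sum(xs: &[u32], n: usize) -> Option<u32> {
    let head = xs.get(..n)?;
    Some(head.iter().fold(0u32, |a, &x| a.wrapping_add(x)))
}

fn main() {
    // Constructed sample input for this example.
    let data = [1u32, 2, 3, 4, 5];
    println!("indexed: {}", sum_indexed(&data, 3));
    println!("sliced:  {}", sum_sliced(&data, 3));
    println!("iter:    {}", sum_iter(&data, 3));
    println!("checked: {:?} / {:?}", try_sum(&data, 5), try_sum(&data, 9));
}
```

The difference between the first two functions is visible in the generated assembly (for example with `rustc -O --emit=asm`): only `sum_indexed` keeps a compare-and-branch inside the loop. That is exactly the limitation the comment describes: the optimiser can only discharge checks from relations it can see locally, not from higher-level invariants the program is known to maintain.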
If I followed, Rust's memory safety guarantee means sacrificing roughly ~3% performance with some worst case paths being ~15% (compared to C++ performance)?
That's on the typical performance for bounds checking in C too.
But no, "memory safety" includes most of the things discussed on the slides, and those numbers are for bounds checking only.