Google：2024年安全设计-Google对内存安全的洞察白皮书（英文版）

With very few, well-defined exceptions, all code should be writable in the well-delineated safe subset. In new development, potentially unsafe code should only occur in components/modules that explicitly opt into use of unsafe constructs outside of the safe language subset, and expose a safe abstraction that is expert-reviewed for soundness. Unsafe constructs should only be used when necessary, e.g. for critical performance reasons or in code that interacts with low-level components. When wor