I once implemented a WASM to Rust compiler that due to WASM's safety compiles to fully safe Rust. So I was able to compile C -> WASM -> Rust and ended up with fully safe code. Though of course, just like in WASM, the C code is still able to corrupt its own linear memory, just can't escape the "sandbox". Firefox has employed a similar strategy: https://hacks.mozilla.org/2020/02/securing-firefox-with-weba...

I'd love to check that out. Did it unroll a wasm interpreter into wasm_op function calls?

There's no interpreter, I just map each instruction to equivalent Rust code. Linear memory is accessed through a trait.

The compiler is here: https://github.com/CryZe/wasm-to-rust

I have an example of a GameBoy emulator compiled from AssemblyScript to WASM to Rust here: https://github.com/CryZe/wasmboy-rs/blob/master/src/wasm.rs

That is super cool!

Have you run into any limitations?

Have you tried running in loop, wasm->rust->wasm->rust ?

This is not-unlike unrolling an interpreter. There was a lua2c project that did something similar.

If your translator is correct, the rust front end enforces the semantics of rust then C implements them. It's as safe as any other implementation.

If that feels uncomfortable, consider that x64 machine code has no approximation to rust safety checks, and you trust rust binaries running on x64.

"Correct" is doing some heavy lifting here but generally people seem willing to believe that their toolchain is bug free.

They are discussing C to Rust, not the topic of the post. Rust would need to guess the semantics of the original C.