Transpiling rust to C is still dangerous if you don't control the compiler on the other side - one of the many footguns with C is thinking that there is any "inherently safe" C code. There isn't, because tomorrow the optimizing compiler may optimize away your null checks or start optimizing away your variables due to aliasing, and this danger is ever-present because of the sweeping nature of "undefined behavior" in C.

C is safe if you are using a 1970s-style compilers that don't perform optimizations, or perform a limited and predictable subset. C that is passed through an optimizing compiler (which in the context of this comment is all modern compilers) can never be inherently safe unless you conform strictly to the "undefined behavior" spec which is impossible in practice.

In contrast transpiling (really this is just compiling) Rust to assembly should never be unsafe, because you know there is no additional transformation step. Or at least, unless the processor has an implementation flaw... which is, of course, the whole thing about Spectre/Meltdown.

C has far far too many things in the "unsafe behavior" categories that really should just be compiler errors. But like "implementation-dependent" behavior in general, this was seen as an advantage at the time, it makes it possible for low-power or esoteric hardware to be driven with C code. But in modern high-level software development contexts, this makes it a foot-howitzer to try and use.

Why don't you think it's possible to avoid undefined behavior in machine-emitted C?

Machine-emitted C can avoid most of the language, guarantee it won't incorrectly alias anything, and guarantee bounds are always checked.

Bugs are possible but you can make Rust->C bugs no more likely than Rust->assembly bugs.

Thank you for the correction. I agree with everything you wrote, and should have known better and added a caveat regarding the difficulty of correctly divining the behavior of a C program, instead of assuming compiler writers are flawless omniscient beings.