Rust code, including within unsafe blocks and unsafe functions, is incorrect if it exhibits any of the behaviors in the following list. When writing unsafe code, it is the programmer's responsibility to ensure that safe code cannot exhibit these behaviors.
Warning: The following list is not exhaustive. There is no formal model of Rust's semantics for what is and is not allowed in unsafe code, so there may be more behavior considered unsafe. The following list is just what we know for sure is undefined behavior. Please read the Rustonomicon before writing unsafe code.
read_unaligned and write_unaligned.
&mut T and &T follow LLVM’s scoped noalias model, except if the &T contains an UnsafeCell<U>.
let binding), unless that data is contained within an UnsafeCell<U>.
offset with the exception of one byte past the end of the object.
std::ptr::copy_nonoverlapping_memory, a.k.a. the memcpy32 and memcpy64 intrinsics, on overlapping buffers.
false (0) or true (1) in a bool.
enum not included in the type definition.
char which is a surrogate or above char::MAX.
str.
target_feature).

Note: Undefined behavior affects the entire program. For example, calling a function in C that exhibits undefined behavior of C means your entire program contains undefined behavior that can also affect the Rust code. And vice versa, undefined behavior in Rust can cause adverse effects on code executed by any FFI calls to other languages.
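The bool, enum, char and str entries in the list above concern values those types cannot hold. The following is an added example, not code from the original page: it decodes untrusted bytes with checked conversions that reject such values rather than producing them through transmute or unchecked constructors. The record layout and the names Level, Record, DecodeError and decode are constructed for illustration.

```rust
// Added example: checked decoding of untrusted bytes into bool, enum, char and str.
// Record layout (constructed for illustration): [flag:1][level:1][initial:4 LE][name: rest]
use std::convert::TryFrom;

#[derive(Debug, PartialEq, Clone, Copy)]
#[repr(u8)]
pub enum Level { Low = 0, Medium = 1, High = 2 }

impl TryFrom<u8> for Level {
    type Error = DecodeError;
    fn try_from(b: u8) -> Result<Self, DecodeError> {
        match b {
            0 => Ok(Level::Low),
            1 => Ok(Level::Medium),
            2 => Ok(Level::High),
            other => Err(DecodeError::BadDiscriminant(other)),
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, BadBool(u8), BadDiscriminant(u8), BadChar(u32), BadUtf8 }

#[derive(Debug, PartialEq)]
pub struct Record<'a> { pub flag: bool, pub level: Level, pub initial: char, pub name: &'a str }

pub fn decode<'a>(buf: &'a [u8]) -> Result<Record<'a>, DecodeError> {
    if buf.len() < 6 { return Err(DecodeError::Truncated); }
    // bool: only 0 and 1 are valid values.
    let flag = match buf[0] { 0 => false, 1 => true, b => return Err(DecodeError::BadBool(b)) };
    // enum: the byte must be a discriminant declared in the type definition.
    let level = Level::try_from(buf[1])?;
    // char: from_u32 returns None for surrogates and values above char::MAX.
    let raw = u32::from_le_bytes([buf[2], buf[3], buf[4], buf[5]]);
    let initial = char::from_u32(raw).ok_or(DecodeError::BadChar(raw))?;
    // str: from_utf8 validates the bytes; from_utf8_unchecked would not.
    let name = std::str::from_utf8(&buf[6..]).map_err(|_| DecodeError::BadUtf8)?;
    Ok(Record { flag, level, initial, name })
}

fn main() {
    // Constructed sample input: flag=1, level=2, initial='R', name="ok".
    let good = [1u8, 2, 0x52, 0, 0, 0, b'o', b'k'];
    println!("{:?}", decode(&good));
    // Constructed invalid input: the char field holds a surrogate (0xD800).
    let bad = [1u8, 2, 0x00, 0xD8, 0, 0, b'o', b'k'];
    println!("{:?}", decode(&bad));
}
```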