Behavior considered undefined
Rust code, including within
unsafe blocks and
unsafe functions is incorrect if it exhibits any of the behaviors in the following list. It is the programmer's responsibility when writing
unsafe code that it is not possible to let
safe code exhibit these behaviors.
- Data races.
- Dereferencing a null or dangling raw pointer.
- Unaligned pointer reading and writing outside of
- Reads of undef (uninitialized) memory.
- Breaking the pointer aliasing rules on accesses through raw pointers; a subset of the rules used by C.
&mut T and
&T follow LLVM’s scoped noalias model, except if the
&T contains an
- Mutating non-mutable data — that is, data reached through a shared reference or data owned by a
let binding), unless that data is contained within an
- Invoking undefined behavior via compiler intrinsics:
- Indexing outside of the bounds of an object with
offset with the exception of one byte past the end of the object.
std::ptr::copy_nonoverlapping_memory, a.k.a. the
memcpy64 intrinsics, on overlapping buffers.
- Invalid values in primitive types, even in private fields and locals:
- Dangling or null references and boxes.
- A value other than
1) in a
- A discriminant in an
enum not included in the type definition.
- A value in a
char which is a surrogate or above
- Non-UTF-8 byte sequences in a
- Unwinding into Rust from foreign code or unwinding from Rust into foreign code. Rust's panic system is not compatible with exception handling in other languages. Unwinding must be caught and handled at FFI boundaries.