Behavior considered undefined
Rust code, including within unsafe
blocks and unsafe
functions is incorrect
if it exhibits any of the behaviors in the following list. It is the
programmer's responsibility when writing unsafe
code that it is not possible
to let safe
code exhibit these behaviors.
Warning: The following list is not exhaustive. There is no formal model of Rust's semantics for what is and is not allowed in unsafe code, so there may be more behavior considered unsafe. The following list is just what we know for sure is undefined behavior. Please read the Rustonomicon before writing unsafe code.
- Data races.
- Dereferencing a null or dangling raw pointer.
- Unaligned pointer reading and writing outside of
read_unaligned
andwrite_unaligned
. - Reads of undef (uninitialized) memory.
- Breaking the pointer aliasing rules on accesses through raw pointers; a subset of the rules used by C.
&mut T
and&T
follow LLVM’s scoped noalias model, except if the&T
contains anUnsafeCell<U>
.- Mutating non-mutable data — that is, data reached through a shared
reference or data owned by a
let
binding), unless that data is contained within anUnsafeCell<U>
. - Invoking undefined behavior via compiler intrinsics:
- Indexing outside of the bounds of an object with
offset
with the exception of one byte past the end of the object. - Using
std::ptr::copy_nonoverlapping_memory
, a.k.a. thememcpy32
andmemcpy64
intrinsics, on overlapping buffers.
- Indexing outside of the bounds of an object with
- Invalid values in primitive types, even in private fields and locals:
- Dangling or null references and boxes.
- A value other than
false
(0
) ortrue
(1
) in abool
. - A discriminant in an
enum
not included in the type definition. - A value in a
char
which is a surrogate or abovechar::MAX
. - Non-UTF-8 byte sequences in a
str
.