diff options
| author | Dylan DPC <99973273+Dylan-DPC@users.noreply.github.com> | 2024-01-29 12:56:51 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-29 12:56:51 +0000 |
| commit | 8017ea40165b3e84549f9b699a013fabd964e422 (patch) | |
| tree | 95cf8b123f8c3514f89e4c484b8a0cc60643fb27 | |
| parent | fb4bca04fa1bde2f7db1b31a59e066f7bebd7fc6 (diff) | |
| parent | b867c7c707be0070beac663a03eb6a797f076f68 (diff) | |
| download | rust-8017ea40165b3e84549f9b699a013fabd964e422.tar.gz rust-8017ea40165b3e84549f9b699a013fabd964e422.zip | |
Rollup merge of #116677 - joshlf:patch-11, r=RalfJung
References refer to allocated objects Partially addresses https://github.com/rust-lang/unsafe-code-guidelines/issues/465
| -rw-r--r-- | library/core/src/primitive_docs.rs | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/library/core/src/primitive_docs.rs b/library/core/src/primitive_docs.rs index 7dee30585e9..bf47d767a92 100644 --- a/library/core/src/primitive_docs.rs +++ b/library/core/src/primitive_docs.rs @@ -1384,6 +1384,30 @@ mod prim_usize {} /// work on references as well as they do on owned values! The implementations described here are /// meant for generic contexts, where the final type `T` is a type parameter or otherwise not /// locally known. +/// +/// # Safety +/// +/// For all types, `T: ?Sized`, and for all `t: &T` or `t: &mut T`, when such values cross an API +/// boundary, the following invariants must generally be upheld: +/// +/// * `t` is aligned to `align_of_val(t)` +/// * `t` is dereferenceable for `size_of_val(t)` many bytes +/// +/// If `t` points at address `a`, being "dereferenceable" for N bytes means that the memory range +/// `[a, a + N)` is all contained within a single [allocated object]. +/// +/// For instance, this means that unsafe code in a safe function may assume these invariants are +/// ensured of arguments passed by the caller, and it may assume that these invariants are ensured +/// of return values from any safe functions it calls. In most cases, the inverse is also true: +/// unsafe code must not violate these invariants when passing arguments to safe functions or +/// returning values from safe functions; such violations may result in undefined behavior. Where +/// exceptions to this latter requirement exist, they will be called out explicitly in documentation. +/// +/// It is not decided yet whether unsafe code may violate these invariants temporarily on internal +/// data. As a consequence, unsafe code which violates these invariants temporarily on internal data +/// may become unsound in future versions of Rust depending on how this question is decided. +/// +/// [allocated object]: ptr#allocated-object #[stable(feature = "rust1", since = "1.0.0")] mod prim_ref {} |