Rust code is incorrect if it exhibits any of the behaviors in the following
list. This includes code within
unsafe blocks and
unsafe only means that avoiding undefined behavior is on the programmer; it
does not change anything about the fact that Rust programs must never cause
It is the programmer's responsibility when writing
unsafe code to ensure that
any safe code interacting with the
unsafe code cannot trigger these
unsafe code that satisfies this property for any safe client is
called sound; if
unsafe code can be misused by safe code to exhibit
undefined behavior, it is unsound.
Warning: The following list is not exhaustive. There is no formal model of Rust's semantics for what is and is not allowed in unsafe code, so there may be more behavior considered unsafe. The following list is just what we know for sure is undefined behavior. Please read the Rustonomicon before writing unsafe code.
- Data races.
- Dereferencing a null or dangling raw pointer.
- Unaligned pointer reading and writing outside of
- Reads of undef (uninitialized) memory.
- Breaking the pointer aliasing rules on accesses through raw pointers; a subset of the rules used by C.
&Tfollow LLVM’s scoped noalias model, except if the
- Mutating non-mutable data — that is, data reached through a shared
reference or data owned by a
letbinding), unless that data is contained within an
- Invoking undefined behavior via compiler intrinsics:
- Invalid values in primitive types, even in private fields and locals:
- Dangling or null references and boxes.
- A value other than
1) in a
- A discriminant in an
enumnot included in the type definition.
- A value in a
charwhich is a surrogate or above
- Non-UTF-8 byte sequences in a
- Executing code compiled with platform features that the current platform
does not support (see
Note: Undefined behavior affects the entire program. For example, calling a function in C that exhibits undefined behavior of C means your entire program contains undefined behaviour that can also affect the Rust code. And vice versa, undefined behavior in Rust can cause adverse affects on code executed by any FFI calls to other languages.