rust-lang/unsafe-code-guidelines

Issues

• Is there a way to soundly implement racy read/writes as used in Chase/Lev deques?

  #531 opened a day ago by anp
  3

• Should closures implicitly be wrapped in `MaybeDangling`?

  #511 opened 4 months ago by RalfJung
  4

• Do the current nightly `std::ptr` docs violate provenance monotonicity?

  #530 opened 19 days ago by joshlf
  1

• Re-evaluate ABI compatibility rules in light of CFI

  #489 opened 8 months ago by RalfJung
  11

• Dead variant removal in `#[repr(C)]` enums

  #500 opened 18 days ago by GoldsteinE
  4

• Do ZST `Box`es violate provenance monotonicity?

  #529 opened 18 days ago by joshlf
  4

• Promotion introduces UB into otherwise well-defined code

  #493 opened 7 months ago by RalfJung
  17

• What are the requirements for unloading a library (`dlclose`)?

  #526 opened a month ago by VorpalBlade
  8

• Can FFI code use `memory_order_consume`

  #528 opened a month ago by chorman0773
  9

• Can uninitialized memory come from the outside world?

  #527 opened a month ago by ChayimFriedman2
  4

• What are the soundness requirements for `dlopen`?

  #525 opened a month ago by RalfJung
  40

• What do we say about the equality of pointers in constants, vtables, and function pointers?

  #522 opened 2 months ago by RalfJung
  19

• Is it UB to have a mutable reference that could be misused, or simply to misuse it?

  #524 opened a month ago by clarfonthey
  4

• How do aliasing model protectors interact with tail calls?

  #523 opened 2 months ago by RalfJung
  5

• repr(C) does not always match the current target's C toolchain (when that target is windows-msvc)

  #521 opened 2 months ago by RalfJung
  7

• Should we have a language concept of erroneous behavior?

  #512 opened 4 months ago by CAD97
  7

• What are the operational semantics of unsized locals?

  #520 opened 2 months ago by RalfJung
  4

• How to avoid smuggling of data via TLS and scoped-tls and other means

  #484 opened 9 months ago by RalfJung
  28

• If a Pin is changed to point to a different location, what happens?

  #519 opened 2 months ago by theemathas
  3

• Packing pointers into double-word width atomics

  #517 opened 2 months ago by eggyal
  44

• Should we / can we make MaybeUninit<T> always preserve all bytes of T?

  #518 opened 2 months ago by RalfJung
  19

• Is it UB to change a non-`mut` `extern static`?

  #514 opened 2 months ago by ChayimFriedman2
  3

• What are the validity requirements of wide pointers/references with `dyn Trait` tail?

  #516 opened 2 months ago by RalfJung
  1

• What's the source of immutability for pointers produced by `const`?

  #502 opened 6 months ago by RalfJung
  19

• Tree Borrows: Two-phase borrows + interior mutability have surprising interactions

  #501 opened 6 months ago by RalfJung
  15

• Should we have a way to give functions a stable address?

  #515 opened 3 months ago by RalfJung
  5

• Expressivity Gap: concurrent ABA-safe stack (atomics + provenance = pain)

  #480 opened 10 months ago by RalfJung
  24

• Validity of a `char` value that is a surrogate

  #513 opened 3 months ago by celinval
  16

• Decide on validity for metadata of wide pointer/reference with slice tail

  #510 opened 4 months ago by RalfJung
  23

• Are &mut references that point to read only memory but are never written to undefined behavior

  #509 opened 5 months ago by gmorenz
  3

• Is `usize::MAX` an allocatable address?

  #508 opened 5 months ago by CAD97
  6

• Minimum guarantees regarding `UnsafeCell`

  #495 opened 7 months ago by joshlf
  19

• Better documentation needed: reentrancy through the panic hook

  #505 opened 5 months ago by RalfJung
  3

• Who is responsible for preventing reentrancy issues through the allocator?

  #506 opened 5 months ago by RalfJung
  3

• LLVM integer/pointer casts are unreliable and observably disagree with the intended Rust semantics

  #507 opened 5 months ago by joboet
  2

• What are the guarantees over ZST pointers

  #503 opened 5 months ago by celinval
  11

• `handle_alloc_error` + UnsafeCell = ???

  #479 opened 5 months ago by workingjubilee
  4

• Adopt Minimum Union Validity Rules

  #494 opened 7 months ago by chorman0773
  24

• How transitive is repr(transparent)?

  #486 opened 9 months ago by Manishearth
  11

• When are `static` symbols guaranteed to show up in the final binary?

  #504 opened 6 months ago by RalfJung
  11

• Provenance: storing to/loading from arbitrary addresses in an interpreter's registers

  #497 opened 6 months ago by anp
  41

• Is String allowed to switch to a small-string optimization?

  #499 opened 6 months ago by Manishearth
  10

• What happens to the validiy requirements of the return value on a tail call?

  #491 opened 7 months ago by RalfJung
  4

• std::slice::from_raw_parts alternative that would allow NULL pointer if len == 0 by returning an empty slice?

  #496 opened 7 months ago by procedural
  3

• Does `Box` contain any `UnsafeCell`s?

  #492 opened 7 months ago by joshlf
  9

• Is it sound to check whether the bytes of an `Option<&T>` are zero?

  #488 opened 8 months ago by joshlf
  25

• Provenance for zero-sized accesses?

  #490 opened 7 months ago by joshlf
  2

• Semantics of SetDiscriminant with niched variants

  #487 opened 9 months ago by RalfJung
  5

• How can we allow read-read races between atomic and non-atomic accesses?

  #483 opened 10 months ago by RalfJung
  1

• Does the repr(transparent) guarantee work for fields that are empty types?

  #485 opened 9 months ago by Manishearth
  7