@@ -2071,21 +2071,26 @@ impl<F: FnPtr> fmt::Debug for F {
20712071/// as all other references. This macro can create a raw pointer *without* creating
20722072/// a reference first.
20732073///
2074- /// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads
2075- /// from the place or requires the place to be dereferenceable. This means that
2076- /// `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2077- /// Note however that `addr_of!((*ptr).field)` still requires the projection to
2078- /// `field` to be in-bounds, using the same rules as [`offset`].
2074+ /// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2075+ /// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2076+ /// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2077+ /// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
20792078///
20802079/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
20812080/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
20822081/// `Index::index`, respectively. The statements above only apply when no such coercions are
20832082/// applied.
20842083///
2084+ /// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2085+ /// Doing that with `addr_of` would not make much sense since one could only
2086+ /// read the data, and that would be Undefined Behavior.
2087+ ///
20852088/// [`offset`]: pointer::offset
20862089///
20872090/// # Example
20882091///
2092+ /// **Correct usage: Creating a pointer to unaligned data**
2093+ ///
20892094/// ```
20902095/// use std::ptr;
20912096///
@@ -2101,9 +2106,24 @@ impl<F: FnPtr> fmt::Debug for F {
21012106/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
21022107/// ```
21032108///
2104- /// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2105- /// Doing that with `addr_of` would not make much sense since one could only
2106- /// read the data, and that would be Undefined Behavior.
2109+ /// **Incorrect usage: Out-of-bounds fields projection**
2110+ ///
2111+ /// ```rust,no_run
2112+ /// use std::ptr;
2113+ ///
2114+ /// #[repr(C)]
2115+ /// struct MyStruct {
2116+ /// field1: i32,
2117+ /// field2: i32,
2118+ /// }
2119+ ///
2120+ /// let ptr: *const MyStruct = ptr::null();
2121+ /// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2122+ /// ```
2123+ ///
2124+ /// The field projection `.field2` would offset the pointer by 4 bytes,
2125+ /// but the pointer is not in-bounds of an allocation for 4 bytes,
2126+ /// so this offset is Undefined Behavior.
21072127#[ stable( feature = "raw_ref_macros" , since = "1.51.0" ) ]
21082128#[ rustc_macro_transparency = "semitransparent" ]
21092129#[ allow_internal_unstable( raw_ref_op) ]
@@ -2120,11 +2140,10 @@ pub macro addr_of($place:expr) {
21202140/// as all other references. This macro can create a raw pointer *without* creating
21212141/// a reference first.
21222142///
2123- /// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads
2124- /// from the place or requires the place to be dereferenceable. This means that
2125- /// `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2126- /// Note however that `addr_of_mut!((*ptr).field)` still requires the projection to
2127- /// `field` to be in-bounds, using the same rules as [`offset`].
2143+ /// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2144+ /// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2145+ /// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2146+ /// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
21282147///
21292148/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
21302149/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
@@ -2135,7 +2154,7 @@ pub macro addr_of($place:expr) {
21352154///
21362155/// # Examples
21372156///
2138- /// **Creating a pointer to unaligned data: **
2157+ /// **Correct usage: Creating a pointer to unaligned data**
21392158///
21402159/// ```
21412160/// use std::ptr;
@@ -2153,7 +2172,7 @@ pub macro addr_of($place:expr) {
21532172/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
21542173/// ```
21552174///
2156- /// **Creating a pointer to uninitialized data: **
2175+ /// **Correct usage: Creating a pointer to uninitialized data**
21572176///
21582177/// ```rust
21592178/// use std::{ptr, mem::MaybeUninit};
@@ -2169,6 +2188,25 @@ pub macro addr_of($place:expr) {
21692188/// unsafe { f1_ptr.write(true); }
21702189/// let init = unsafe { uninit.assume_init() };
21712190/// ```
2191+ ///
2192+ /// **Incorrect usage: Out-of-bounds fields projection**
2193+ ///
2194+ /// ```rust,no_run
2195+ /// use std::ptr;
2196+ ///
2197+ /// #[repr(C)]
2198+ /// struct MyStruct {
2199+ /// field1: i32,
2200+ /// field2: i32,
2201+ /// }
2202+ ///
2203+ /// let ptr: *mut MyStruct = ptr::null_mut();
2204+ /// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2205+ /// ```
2206+ ///
2207+ /// The field projection `.field2` would offset the pointer by 4 bytes,
2208+ /// but the pointer is not in-bounds of an allocation for 4 bytes,
2209+ /// so this offset is Undefined Behavior.
21722210#[ stable( feature = "raw_ref_macros" , since = "1.51.0" ) ]
21732211#[ rustc_macro_transparency = "semitransparent" ]
21742212#[ allow_internal_unstable( raw_ref_op) ]
0 commit comments