diff --git a/library/core/src/ffi/va_list.rs b/library/core/src/ffi/va_list.rs
index 0d4ccb5aeb28c..3d8ce6508bf3f 100644
--- a/library/core/src/ffi/va_list.rs
+++ b/library/core/src/ffi/va_list.rs
@@ -243,10 +243,11 @@ impl<'f> VaListImpl<'f> {
 ///
 /// # Safety
 ///
-/// This function is only sound to call when the next variable argument:
+/// This function is only sound to call when:
 ///
-/// - has a type that is ABI-compatible with the type `T`
-/// - has a value that is a properly initialized value of type `T`
+/// - there is a next variable argument available.
+/// - the next argument's type must be ABI-compatible with the type `T`.
+/// - the next argument must have a properly initialized value of type `T`.
 ///
 /// Calling this function with an incompatible type, an invalid value, or when there
 /// are no more variable arguments, is unsound.
diff --git a/library/core/src/intrinsics/mod.rs b/library/core/src/intrinsics/mod.rs
index a174ced5a2a63..af0356be26498 100644
--- a/library/core/src/intrinsics/mod.rs
+++ b/library/core/src/intrinsics/mod.rs
@@ -3295,7 +3295,13 @@ pub(crate) const fn miri_promise_symbolic_alignment(ptr: *const (), align: usize
 
 /// Copies the current location of arglist `src` to the arglist `dst`.
 ///
-/// FIXME: document safety requirements
+/// # Safety
+///
+/// You must check the following invariants before you call this function:
+///
+/// - `dest` must be non-null and point to valid, writable memory.
+/// - `dest` must not alias `src`.
+///
 #[rustc_intrinsic]
 #[rustc_nounwind]
 pub unsafe fn va_copy<'f>(dest: *mut VaListImpl<'f>, src: &VaListImpl<'f>);
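Review bot: The rewritten bullet list in `va_list.rs` opens with "This function is only sound to call when:" and then repeats "must" inside the second and third bullets, so each line reads as a condition and an obligation at once; the identical wording is added for `va_arg` in the second hunk of `intrinsics/mod.rs`. Either drop "must" so every bullet is a plain condition, `/// - the next argument's type is ABI-compatible with the type \`T\`.` and `/// - the next argument has a properly initialized value of type \`T\`.`, or change the lead-in to "The caller must ensure that:" and keep the bullets as obligations. The method whose doc comment this is starts and ends outside the hunk, so its signature is not visible here.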
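Review bot: The summary line kept above the new `# Safety` section of `va_copy` still names the destination `dst`, while the signature and the added bullets call it `dest`; make the summary agree, `/// Copies the current location of arglist \`src\` to the arglist \`dest\`.`. The added list also leaves out the alignment requirement that usually accompanies "valid for writes" for a raw pointer argument, so a bullet such as `/// - \`dest\` must be properly aligned for \`VaListImpl\`.` would close that gap. Since the `va_end` documentation in the same file describes releasing a list "after initialization with `va_start` or `va_copy`", presumably `src` must itself be a live, initialized list and the copy written to `dest` is expected to be passed to `va_end` later; if that is the intended contract it belongs in this section too.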
@@ -3303,14 +3309,27 @@ pub unsafe fn va_copy<'f>(dest: *mut VaListImpl<'f>, src: &VaListImpl<'f>);
 /// Loads an argument of type `T` from the `va_list` `ap` and increment the
 /// argument `ap` points to.
 ///
-/// FIXME: document safety requirements
+/// # Safety
+///
+/// This function is only sound to call when:
+///
+/// - there is a next variable argument available.
+/// - the next argument's type must be ABI-compatible with the type `T`.
+/// - the next argument must have a properly initialized value of type `T`.
+///
+/// Calling this function with an incompatible type, an invalid value, or when there
+/// are no more variable arguments, is unsound.
+///
 #[rustc_intrinsic]
 #[rustc_nounwind]
 pub unsafe fn va_arg(ap: &mut VaListImpl<'_>) -> T;
 
 /// Destroy the arglist `ap` after initialization with `va_start` or `va_copy`.
 ///
-/// FIXME: document safety requirements
+/// # Safety
+///
+/// `ap` must not be used to access variable arguments after this call.
+///
 #[rustc_intrinsic]
 #[rustc_nounwind]
 pub unsafe fn va_end(ap: &mut VaListImpl<'_>);
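Review bot: The new `# Safety` section for `va_end` states only what must not happen after the call and leaves the precondition implicit, even though the summary line above it says `ap` is a list initialized "with `va_start` or `va_copy`"; spell that out as a requirement, `/// - \`ap\` must have been initialized by \`va_start\` or \`va_copy\`, and \`va_end\` must not already have been called on it.`, so that a double release is clearly excluded. The `va_arg` section in the same hunk has the matching gap: it requires that a next argument exists but not that `ap` is a live, initialized list that has not yet been passed to `va_end`, and a bullet to that effect would keep the two contracts consistent. The `va_arg` signature as shown declares no type parameter for the `T` it returns; that is probably lost in rendering rather than a defect in the change, but worth confirming against the file.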