[Coding Guideline]: Do not invoke undefined behavior

[AchimKriso]

Chapter

Unsafety

Guideline Title

Undefined behavior shall not occur during the execution of a program

Category

Required

Status

Draft

Release Begin

1.0.0

Release End

latest

FLS Paragraph ID

fls_ovn9czwnwxue

Decidability

Undecidable

Scope

System

Tags

undefined-behavior, defect

Amplification

This rule addresses all instances of undefined behavior not already covered by other guidelines.

Exception(s)

No response

Rationale

Once an execution encounters undefined behavior it is impossible to reason about it anymore.
Instances of undefined behavior can manifest in any kind of undesired behavior like crashes or silent memory corruption.

Non-Compliant Example - Prose

First Example:
The only allowed representation of bool is either 0 or 1.
Therefore, transmuting 3_u8 to bool violates its validity invariant and is undefined behavior.

Second Example:
A necessary condition to read the value behind a pointer is that it points to a valid allocation.
This is never the case for a null pointer, therefore reading it is undefined behavior.
See the safety precondition of :std:std::ptr::read.

Non-Compliant Example - Code

fn example_function() -> bool {
    unsafe {
        std::transmute<bool>(3_u8)
    }
}

fn example_function() {
    unsafe {
        std::ptr::read(std::ptr::null());
    }
}

Compliant Example - Prose

First Example:
Since 0_u8 is defined to represent the false value of bool, this example is free of undefined behavior.

Second Example:
ptr points to a valid, aligned and properly initialized allocation.
Therefore, it satisfies all safety preconditions of :std:std::ptr::read and can be read without undefined behavior.

Compliant Example - Code

fn example_function() -> bool {
    unsafe {
        std::transmute<bool>(0_u8);
    }
}

fn example_function() {
    let ptr = Box::new(42).into_raw();
    unsafe { std::ptr::read(ptr); }
}

[felix91gr]

@AchimKriso thanks for opening this issue!

Small notes:

1. The Category should probably me Mandatory. Unless there's an acceptable exception to the rule? But I can't think of a reasonable exception to this in the context of Safety Critical.
2. Please add the tag "defect" too. The distinction between Subset and Defect Guidelines is something that should probably not be a tag (and instead a field on its own). But for now, since this Guideline is of the "Defect Avoidance" kind, please add the "defect" tag to it.
3. Feel free to put "Release Begin" as "1.0.0".

Question: are you attending some of the rotating meetings? I'd like to ask you about some specific details of this guideline. Preferably in spoken form, because there's nuance that would be hard to convey in text.

[AchimKriso]

@felix91gr

1. I disagree. Consider a scenario where a developer pins his rustc version. They could perform operations that are technically undefined behavior but well defined for their particular compiler implementation/version. This particular rule has precendence in MISRA (C 2025 Rule 1.3 and C++ 2023 Rule 4.1.3) with the same category for the same reason.
2. Sure, added
3. Changed.

I usually attend the europe timezone friendly meeting, so I intend to attend the meeting today.

[felix91gr]

@AchimKriso thanks for the changes!

I usually attend the europe timezone friendly meeting, so I intend to attend the meeting today.

Dang it, I completely forgot. Though we had little time to spare in the meeting nonetheless. Would you be open to having a chat with me sometime? If you're in the Zulip, I could ping you over there and we can schedule it.

[felix91gr]

Consider a scenario where a developer pins their rustc version.

I don't think it suffices to just pin the rustc version; at least, not just that version of the code of the compiler.

I think this requires pinning the entire binary toolchain and the lower OS stack (system libraries and drivers), unless one is working in no-std, in which case I believe pinning the toolchain binaries should suffice (and the HAL binaries too, right?).

I mention this since UB basically implies "no behavior is reproducible unless all parameters of the system remain the same".

Does the Cargo.toml configuration allow pinning at that level? I think it does, but I'd have to make sure. Having such a setting available seems mandatory if we're going to allow an exception like this. If we don't have it, perhaps we could draft an RFC to Cargo :3

[AchimKriso]

@felix91gr It's possible that pinning rustc is insufficient. But my overall point, that there are scenarios where behavior that is technically undefined can be justified exist and therefore using mandatory is not appropriate for this rule stands.

Would you be open to having a chat with me sometime? If you're in the Zulip, I could ping you over there and we can schedule it.

Sure, you can find me on the Rust zulip.

[felix91gr]

therefore using mandatory is not appropriate for this rule

That seems reasonable. I think I agree.

We will want to elaborate on how an exception can be made then, under the ### Exception(s) section. Feel free to go into detail there if needed; UB is probably one of the most nuanced subjects we will ever touch upon, so dw if it takes a lot of space.

---

Aside: there's still something that bugs me about the idea of "allowing UB". Perhaps it's something about the phrasing or perhaps it's the fact that the boundaries of UB are still being defined by the opsem working group. I'm not sure. But until I find concrete words to describe what bugs me, I won't bother you about it.
Worst case scenario, the document can be edited later.

[senier]

Aside: there's still something that bugs me about the idea of "allowing UB". Perhaps it's something about the phrasing or perhaps it's the fact that the boundaries of UB are still being defined by the opsem working group. I'm not sure. But until I find concrete words to describe what bugs me, I won't bother you about it.

Tbh, I had the very same feeling. At the very least, it should be outlined very clearly under which conditions this would be permissible. But I still have a bad feeling. I guess even if the rustc version is pinned you'd have to make sure that the compiler output in presence of UB is actually safe and that nothing else that might invalidate your analysis changes (configuration / flags).