- All unsafe code lives in `raw` submodules only.
- Crate roots declare `#![deny(unsafe_code)]`.
- Only `raw/mod.rs` declares `#![allow(unsafe_code)]`.
- Every `unsafe` block has a `// SAFETY:` comment that states:
  - Which invariant makes this safe
  - What the caller must guarantee
  - What could go wrong if the invariant is violated
- Every unsafe function documents preconditions in rustdoc.
| Tier | Method | Runs |
|---|---|---|
| 1 | Unit tests exercising safe API boundaries | Every PR |
| 2 | Miri (stacked borrows + tree borrows) | Every PR |
| 3 | cargo careful (stdlib debug assertions) | Every PR |
| 4 | Kani bounded model checking | Nightly |
| 5 | Differential testing across implementations | Every PR |
| 6 | cargo-mutants (mutation testing) | Nightly |
Permitted uses of `unsafe`:

- `core::sync::atomic` operations with documented ordering rationale
- `MaybeUninit` for uninitialized slot storage in ring buffers
- `core::arch::asm!` for platform-specific fast paths
- `#[repr(C)]` / `#[repr(align)]` casts for layout-controlled types
- `UnsafeCell` for interior mutability in single-writer structures
Not permitted:

- Raw pointer arithmetic when slice indexing works
- `transmute` (use `from_bytes`/`to_bytes` or specific safe casts instead)
- `unsafe impl Send`/`Sync` without a Kani proof or formal argument
- Unsafe in tests (use the safe API to test unsafe internals)
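An added example (not the project's own code) applying the rules above end to end: the crate and its `raw` module are inlined as nested modules so it compiles as one file, a `MaybeUninit` ring buffer keeps its `unsafe` inside `raw` with three-part `// SAFETY:` comments, slot access uses bounds-checked indexing rather than pointer arithmetic, and the tier-1 check exercises only the safe API. The module names, the `Ring` type and `drain_after_wrap` are assumptions.

```rust
mod ring {
    #![deny(unsafe_code)] // crate-root policy; this inline module stands in for the crate (assumption)
    pub mod raw { // stands in for raw/mod.rs, the only scope that may contain `unsafe`
        #![allow(unsafe_code)]
        use core::mem::MaybeUninit;
        /// Fixed-capacity FIFO. Invariant: the `len` slots from `head` (wrapping mod `N`)
        /// hold initialized `T`s; every other slot is uninitialized and must never be read.
        pub struct Ring<T, const N: usize> { slots: [MaybeUninit<T>; N], head: usize, len: usize }
        impl<T, const N: usize> Ring<T, N> {
            pub fn new() -> Self {
                // SAFETY: `[MaybeUninit<T>; N]` has no validity requirement, so `assume_init`
                // never reads uninitialized bytes (std-documented idiom). Caller guarantees:
                // nothing. If violated: n/a, no `T` is read here.
                let slots = unsafe { MaybeUninit::<[MaybeUninit<T>; N]>::uninit().assume_init() };
                Self { slots, head: 0, len: 0 }
            }
            /// Fully safe: `write` never reads the old slot and indexing is bounds-checked.
            pub fn push(&mut self, value: T) -> Result<(), T> {
                if self.len == N { return Err(value); }
                self.slots[(self.head + self.len) % N].write(value);
                self.len += 1;
                Ok(())
            }
            pub fn pop(&mut self) -> Option<T> {
                if self.len == 0 { return None; }
                let idx = self.head;
                self.head = (self.head + 1) % N;
                self.len -= 1;
                // SAFETY: `idx` was inside the live range, so `push` initialized it, and the
                // bookkeeping above retires it first so no slot is read twice. Caller guarantees:
                // nothing (`&mut self` is exclusive). If violated: uninitialized read or double drop.
                Some(unsafe { self.slots[idx].assume_init_read() })
            }
        }
        impl<T, const N: usize> Drop for Ring<T, N> {
            fn drop(&mut self) { while self.pop().is_some() {} } // drain through the safe API
        }
    }
}
/// Tier-1 check at the safe boundary: fill, reject when full, wrap around, drain in order.
pub fn drain_after_wrap() -> Vec<u32> {
    let mut r: ring::raw::Ring<u32, 4> = ring::raw::Ring::new();
    let mut out = Vec::new();
    for v in 1..=4 { r.push(v).unwrap(); }
    assert_eq!(r.push(5), Err(5)); // full: the value is handed back, nothing is dropped
    out.push(r.pop().unwrap());    // frees slot 0, head advances to 1
    r.push(5).unwrap();            // lands in slot 0: the wrap-around case
    while let Some(v) = r.pop() { out.push(v); }
    out
}
```

Running this under Miri (tier 2) is what catches a broken SAFETY argument in `pop`; the test alone only covers the happy path.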