@@ -3295,22 +3295,43 @@ pub(crate) const fn miri_promise_symbolic_alignment(ptr: *const (), align: usize
32953295
32963296/// Copies the current location of arglist `src` to the arglist `dst`.
32973297///
3298- /// FIXME: document safety requirements
3298+ /// # Safety
3299+ ///
3300+ /// You must check the following invariants before you call this function:
3301+ ///
3302+ /// - `dest` must be non-null and point to valid, writable memory.
3303+ /// - `dest` must not alias `src`;
3304+ ///
32993305[ rustc_intrinsic]
33003306#[ rustc_nounwind]
33013307pub unsafe fn va_copy<' f>( dest: * mut VaListImpl <' f>, src: & VaListImpl <' f>) ;
33023308
33033309/// Loads an argument of type `T` from the `va_list` `ap` and increment the
33043310.
33053311///
3306- /// FIXME: document safety requirements
3312+ /// # Safety
3313+ ///
3314+ /// This function is only sound to call when:
3315+ ///
3316+ /// - there is a next variable argument available (i.e., the number of arguments already read from `ap` is less than the total number passed)
3317+ /// - the next variable argument has a type that is ABI-compatible with the type `T`
3318+ /// - the next variable argument has a value that is a properly initialized value of type `T`
3319+ ///
3320+ /// Calling this function with an incompatible type, an invalid value, or when there
3321+ /// are no more variable arguments, is unsound.
3322+ ///
33073323[ rustc_intrinsic ]
33083324#[ rustc_nounwind]
33093325pub unsafe fn va_arg<T : VaArgSafe >( ap: & mut VaListImpl <' _>) -> T ;
33103326
33113327/// Destroy the arglist `ap` after initialization with `va_start` or `va_copy`.
33123328
3313- /// FIXME: document safety requirements
3329+ /// # Safety
3330+
3331+ /// You must check the following invariants before you call this function:
3332+
3333+ /// - `ap` must not be used to access variable arguments after this call
3334+
33143335#[ rustc_intrinsic]
33153336#[ rustc_nounwind]
33163337pub unsafe fn va_end( ap: & mut VaListImpl <' _>) ;
0 commit comments