Use the "Safety" heading instead of "Undefined Behavior"

Dylan MacKenzie · Dylan MacKenzie · commit e350ba48ed80 · 2018-05-09T14:14:43.000-07:00
diff --git a/src/libcore/intrinsics.rs b/src/libcore/intrinsics.rs
@@ -971,12 +971,6 @@ extern "rust-intrinsic" {
     ///
     /// # Safety
     ///
-    /// `copy_nonoverlapping` is unsafe because it dereferences a raw pointer.
-    /// The caller must ensure that `src` points to a valid sequence of type
-    /// `T`.
-    ///
-    /// # Undefined Behavior
-    ///
     /// Behavior is undefined if any of the following conditions are violated:
     ///
     /// * The region of memory which begins at `src` and has a length of
@@ -986,17 +980,19 @@ extern "rust-intrinsic" {
     ///   `count * size_of::<T>()` bytes must be valid (but may or may not be
     ///   initialized).
     ///
+    /// * The two regions of memory must *not* overlap.
+    ///
     /// * `src` must be properly aligned.
     ///
     /// * `dst` must be properly aligned.
     ///
-    /// * The two regions of memory must *not* overlap.
+    /// Additionally, if `T` is not [`Copy`], only the region at `src` *or* the
+    /// region at `dst` can be used or dropped after calling
+    /// `copy_nonoverlapping`.  `copy_nonoverlapping` creates bitwise copies of
+    /// `T`, regardless of whether `T: Copy`, which can result in undefined
+    /// behavior if both copies are used.
     ///
-    /// Additionally, if `T` is not [`Copy`](../marker/trait.Copy.html), only
-    /// the region at `src` *or* the region at `dst` can be used or dropped
-    /// after calling `copy_nonoverlapping`.  `copy_nonoverlapping` creates
-    /// bitwise copies of `T`, regardless of whether `T: Copy`, which can result
-    /// in undefined behavior if both copies are used.
+    /// [`Copy`]: ../marker/trait.Copy.html
     ///
     /// # Examples
     ///
@@ -1060,11 +1056,6 @@ extern "rust-intrinsic" {
     ///
     /// # Safety
     ///
-    /// `copy` is unsafe because it dereferences a raw pointer. The caller must
-    /// ensure that `src` points to a valid sequence of type `T`.
-    ///
-    /// # Undefined Behavior
-    ///
     /// Behavior is undefined if any of the following conditions are violated:
     ///
     /// * The region of memory which begins at `src` and has a length of
@@ -1112,11 +1103,6 @@ extern "rust-intrinsic" {
     ///
     /// # Safety
     ///
-    /// `write_bytes` is unsafe because it dereferences a raw pointer. The
-    /// caller must ensure that the poiinter points to a valid value of type `T`.
-    ///
-    /// # Undefined Behavior
-    ///
     /// Behavior is undefined if any of the following conditions are violated:
     ///
     /// * The region of memory which begins at `dst` and has a length of
diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs
@@ -54,11 +54,6 @@ pub use intrinsics::write_bytes;
 ///
 /// # Safety
 ///
-/// `drop_in_place` is unsafe because it dereferences a raw pointer. The caller
-/// must ensure that the pointer points to a valid value of type `T`.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `to_drop` must point to valid memory.
@@ -153,11 +148,6 @@ pub const fn null_mut<T>() -> *mut T { 0 as *mut T }
 ///
 /// # Safety
 ///
-/// `swap` is unsafe because it dereferences a raw pointer. The caller must
-/// ensure that both pointers point to valid values of type `T`.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `x` and `y` must point to valid, initialized memory.
@@ -307,14 +297,9 @@ unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, len: usize) {
 /// operates on raw pointers instead of references. When references are
 /// available, [`mem::replace`] should be preferred.
 ///
-/// # Safety
-///
-/// `replace` is unsafe because it dereferences a raw pointer. The caller
-/// must ensure that the pointer points to a valid value of type `T`.
-///
 /// [`mem::replace`]: ../mem/fn.replace.html
 ///
-/// # Undefined Behavior
+/// # Safety
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
@@ -350,11 +335,6 @@ pub unsafe fn replace<T>(dest: *mut T, mut src: T) -> T {
 ///
 /// # Safety
 ///
-/// `read` is unsafe because it dereferences a raw pointer. The caller
-/// must ensure that the pointer points to a valid value of type `T`.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `src` must point to valid, initialized memory.
@@ -440,11 +420,6 @@ pub unsafe fn read<T>(src: *const T) -> T {
 ///
 /// # Safety
 ///
-/// `read_unaligned` is unsafe because it dereferences a raw pointer. The caller
-/// must ensure that the pointer points to a valid value of type `T`.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `src` must point to valid, initialized memory.
@@ -523,10 +498,6 @@ pub unsafe fn read_unaligned<T>(src: *const T) -> T {
 ///
 /// # Safety
 ///
-/// `write` is unsafe because it dereferences a raw pointer.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `dst` must point to valid memory.
@@ -600,10 +571,6 @@ pub unsafe fn write<T>(dst: *mut T, src: T) {
 ///
 /// # Safety
 ///
-/// `write_unaligned` is unsafe because it dereferences a raw pointer.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `dst` must point to valid memory.
@@ -671,11 +638,6 @@ pub unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
 ///
 /// # Safety
 ///
-/// `read_volatile` is unsafe because it dereferences a raw pointer. The caller
-/// must ensure that the pointer points to a valid value of type `T`.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `src` must point to valid, initialized memory.
@@ -741,10 +703,6 @@ pub unsafe fn read_volatile<T>(src: *const T) -> T {
 ///
 /// # Safety
 ///
-/// `write_volatile` is unsafe because it dereferences a raw pointer.
-///
-/// # Undefined Behavior
-///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `dst` must point to valid memory.
