From 302b9e4b540cc352e75d3de6f803a99147107a50 Mon Sep 17 00:00:00 2001
From: Amos Onn
Date: Sat, 15 Feb 2020 13:58:54 +0100
Subject: [PATCH 1/4] Improve #Safety in various methods in core::ptr

s/for reads and writes/for both ...
---
 src/libcore/ptr/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libcore/ptr/mod.rs b/src/libcore/ptr/mod.rs
index 0ee50966f968c..d465ab11c55da 100644
--- a/src/libcore/ptr/mod.rs
+++ b/src/libcore/ptr/mod.rs
@@ -289,7 +289,7 @@ pub const fn slice_from_raw_parts_mut(data: *mut T, len: usize) -> *mut [T] {
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * Both `x` and `y` must be [valid] for reads and writes.
+/// * Both `x` and `y` must be [valid] for both reads and writes.
 ///
 /// * Both `x` and `y` must be properly aligned.
 ///
@@ -355,7 +355,7 @@ pub unsafe fn swap(x: *mut T, y: *mut T) {
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * Both `x` and `y` must be [valid] for reads and writes of `count *
+/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
 /// size_of::()` bytes.
 ///
 /// * Both `x` and `y` must be properly aligned.

From 351782d30aaa6e15204e17ecdd51ac1e712685cf Mon Sep 17 00:00:00 2001
From: Amos Onn
Date: Fri, 31 Jan 2020 15:18:27 +0100
Subject: [PATCH 2/4] Improve #Safety of core::ptr::replace

Added missing condition: `dst` must be readable
---
 src/libcore/ptr/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcore/ptr/mod.rs b/src/libcore/ptr/mod.rs
index d465ab11c55da..7faede4402031 100644
--- a/src/libcore/ptr/mod.rs
+++ b/src/libcore/ptr/mod.rs
@@ -471,7 +471,7 @@ unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, len: usize) {
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * `dst` must be [valid] for writes.
+/// * `dst` must be [valid] for both reads and writes.
 ///
 /// * `dst` must be properly aligned.
 ///

From 40ca16794456e9b1520bba6d887a176395f127f0 Mon Sep 17 00:00:00 2001
From: Amos Onn
Date: Fri, 31 Jan 2020 15:22:51 +0100
Subject: [PATCH 3/4] Improve #Safety in various methods in core::ptr

For all methods which read a value of type T, `read`, `read_unaligned`, `read_volatile` and `replace`, added missing constraint: The value they point to must be properly initialized
---
 src/libcore/ptr/mod.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libcore/ptr/mod.rs b/src/libcore/ptr/mod.rs
index 7faede4402031..7fb2d4f039929 100644
--- a/src/libcore/ptr/mod.rs
+++ b/src/libcore/ptr/mod.rs
@@ -475,6 +475,8 @@ unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, len: usize) {
 ///
 /// * `dst` must be properly aligned.
 ///
+/// * `dst` must point to a properly initialized value of type `T`.
+///
 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
 ///
 /// [valid]: ../ptr/index.html#safety
@@ -514,6 +516,8 @@ pub unsafe fn replace(dst: *mut T, mut src: T) -> T {
 /// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
 /// case.
 ///
+/// * `src` must point to a properly initialized value of type `T`.
+///
 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
 ///
 /// # Examples
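Review bot: The strengthened bullet `+/// * `dst` must be [valid] for both reads and writes.` states the new requirement but not what makes a write-only `dst` insufficient, so a reader comparing it with the write-only contracts elsewhere in this file has to guess. Since `replace` hands the previous value back to the caller (its signature `replace(dst: *mut T, mut src: T) -> T` is visible in a later hunk header), a short parenthetical would make the bullet self-explanatory: `/// * `dst` must be [valid] for both reads and writes (the previous value is read out and returned).` The `replace` doc block continues outside this hunk on both sides.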
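Review bot: The new bullet `+/// * `dst` must point to a properly initialized value of type `T`.` introduces the term "properly initialized" without defining or linking it, whereas the neighbouring `[valid]` requirement links to the module's safety section; the identical bullets added at @@ -514, @@ -628 and @@ -922 have the same gap. From the bullet alone a reader cannot tell whether "initialized" means merely bytes that have been written to, or a bit pattern that is a valid `T` (a `bool` holding 0 or 1, a reference that is non-null), and only the latter makes the read sound. Suggest a one-line gloss — `/// * `dst` must point to a properly initialized value of type `T`, i.e. a bit pattern that is a valid `T` (not uninitialized memory).` — or an intra-doc link to `core::mem::MaybeUninit`, whose documentation already spells out the initialization requirement. Each affected doc block continues outside its hunk.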
@@ -628,6 +632,8 @@ pub unsafe fn read(src: *const T) -> T {
 ///
 /// * `src` must be [valid] for reads.
 ///
+/// * `src` must point to a properly initialized value of type `T`.
+///
 /// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
 /// value and the value at `*src` can [violate memory safety][read-ownership].
@@ -922,6 +928,8 @@ pub unsafe fn write_unaligned(dst: *mut T, src: T) {
 ///
 /// * `src` must be properly aligned.
 ///
+/// * `src` must point to a properly initialized value of type `T`.
+///
 /// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
 /// value and the value at `*src` can [violate memory safety][read-ownership].

From 943e65396d7bc7b91bcc30407d323d06f4b20a22 Mon Sep 17 00:00:00 2001
From: Amos Onn
Date: Sat, 15 Feb 2020 00:34:15 +0100
Subject: [PATCH 4/4] Improve #Safety of core::ptr::drop_in_place

Added missing conditions:
- Valid for writes
- Valid for destructing
---
 src/libcore/ptr/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/libcore/ptr/mod.rs b/src/libcore/ptr/mod.rs
index 7fb2d4f039929..88b490a25d5dd 100644
--- a/src/libcore/ptr/mod.rs
+++ b/src/libcore/ptr/mod.rs
@@ -119,10 +119,13 @@ mod mut_ptr;
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * `to_drop` must be [valid] for reads.
+/// * `to_drop` must be [valid] for both reads and writes.
 ///
 /// * `to_drop` must be properly aligned.
 ///
+/// * The value `to_drop` points to must be valid for dropping, which may mean it must uphold
+/// additional invariants - this is type-dependent.
+///
 /// Additionally, if `T` is not [`Copy`], using the pointed-to value after
 /// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
 /// foo` counts as a use because it will cause the value to be dropped
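Review bot: The added bullet `+/// * The value `to_drop` points to must be valid for dropping, which may mean it must uphold additional invariants - this is type-dependent.` is looser than the wording this series uses for `read` and `replace` ("must point to a properly initialized value of type `T`"), yet running a destructor on uninitialized or invalid memory is undefined behaviour just as reading it is, so the base requirement should be stated outright rather than left under "may". The spaced hyphen in `invariants - this` would also read better as an em dash or a colon. Proposed replacement for the two added lines: `/// * The value `to_drop` points to must be a properly initialized value of type `T`, and` followed by `///   additionally valid for dropping, which may mean it must uphold further, type-dependent invariants.` The `drop_in_place` doc block continues outside the hunk on both sides.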