@@ -3295,22 +3295,41 @@ pub(crate) const fn miri_promise_symbolic_alignment(ptr: *const (), align: usize
32953295
32963296/// Copies the current location of arglist `src` to the arglist `dst`.
32973297///
3298- /// FIXME: document safety requirements
3298+ /// # Safety
3299+ ///
3300+ /// You must check the following invariants before you call this function:
3301+ ///
3302+ /// - `dest` must be non-null and point to valid, writable memory.
3303+ /// - `dest` must not alias `src`.
3304+ ///
32993305[ rustc_intrinsic]
33003306#[ rustc_nounwind]
33013307pub unsafe fn va_copy<' f>( dest: * mut VaListImpl <' f>, src: & VaListImpl <' f>) ;
33023308
33033309/// Loads an argument of type `T` from the `va_list` `ap` and increment the
33043310.
33053311///
3306- /// FIXME: document safety requirements
3312+ /// # Safety
3313+ ///
3314+ /// This function is only sound to call when:
3315+ ///
3316+ /// - there is a next variable argument available.
3317+ /// - the next argument's type must be ABI-compatible with the type `T`.
3318+ /// - the next argument must have a properly initialized value of type `T`.
3319+ ///
3320+ /// Calling this function with an incompatible type, an invalid value, or when there
3321+ /// are no more variable arguments, is unsound.
3322+ ///
33073323[ rustc_intrinsic ]
33083324#[ rustc_nounwind]
33093325pub unsafe fn va_arg<T : VaArgSafe >( ap: & mut VaListImpl <' _>) -> T ;
33103326
33113327/// Destroy the arglist `ap` after initialization with `va_start` or `va_copy`.
33123328
3313- /// FIXME: document safety requirements
3329+ /// # Safety
3330+
3331+ /// `ap` must not be used to access variable arguments after this call.
3332+
33143333#[ rustc_intrinsic]
33153334#[ rustc_nounwind]
33163335pub unsafe fn va_end( ap: & mut VaListImpl <' _>) ;
0 commit comments