Value validity for the unsafe fn type?

prootia · February 20, 2026, 1:05am

So in The Reference, I can't really find information regarding whether [...] fn([...]) [-> ...] has to reference a function callable with the given signature and ABI. We know behavior allowed by safe rust will try to be safe in the future, so since safe function pointers (e.g. fn(T) -> U, extern "C" fn(T) -> U) are callable without unsafe blocks, they must have an invariant like str, Pin<T> or &T that they properly reference a function with correct signature. But the same line of reasoning cannot be applied to unsafe function pointers (e.g. unsafe fn(T) -> U, unsafe extern "C" fn(T) -> U) because they need to be called within unsafe blocks.
So are unsafe [...] fn([...]) [-> ...]s more like NonNull<T> or &T?

For now I am using a #[repr(C)] union to represent "probably dangling" function pointers

quinedot · February 20, 2026, 2:10am

In case you're not familiar with the distinction, some library/interface/whatever being "sound" means that safe code can not cause UB by using it. Your "callable without unsafe blocks" reasoning is about soundness, or what is sometimes called a safety invariant.^[1] Safety invariants can be temporarily violated by unsafe code, but safe code should not be exposed to it -- that would be unsound. There are also validity invariants, which are always UB when violated.

The validity invariants of function pointers are more like NonNull<T>, and are the same for unsafe fn() and fn(), etc. Creating a function pointers to garbage is not immediate UB so long as the pointer is initialized and non-null.

The safety invariants of fn() and unsafe fn() are different, since you can't call the latter in safe code. So technically it's always sound to expose an unsafe fn() safe code.^[2] But realistically, if you do expose one, you would have documentation detailing when it was valid to call the function or not.

The answer to "so when can I soundly call it" depends on how you got the value.

All that being said, why not just use Option<fn(..)>? Sentinel values beyond "don't call me"?

Some of your analogies are safety invariants, but others are validity invariants. ↩︎
that is NonNull and initialized -- otherwise you've already encountered UB before exposing anything ↩︎

prootia · February 20, 2026, 2:59am

Thank you for answering my question (transmute::<_, fn()>(1usize) is not immediate UB if it compiles, since transmute does width checking)! So it is unsound to expose an unsound-on-call safe fn() but the language does not make it immediate UB.

to answer your question, Option<fn(..)> seems to say "don't call me if I'm None", but FnPtr in

#[repr(transparent)]
pub struct Sentinel(MaybeUninit<fn(..)>);
pub const A: FnPtr = /* 0 */;
pub const B: FnPtr = /* 1 */;
#[repr(C)]
pub union FnPtr { sentinel: Sentinel, fnptr: fn(..) }

seems to say "don't call me if I'm any of those sentinel variants". Exposing the constants as Option<fn(..)> would make my library unsound, and I wasn't sure if B as Option<fn(..)> would be immediate UB
But given this information I can indeed just write FnPtr as

#[repr(C)]
pub struct FnPtr(Option<fn(..)>);

.

Topic		Replies	Views
Why can the unsafe function pointer be as the function operand? help	8	357	November 18, 2025
Is it UB to transmute fn(&mut T) to fn(*mut T) and then call them? help	11	487	March 16, 2025
ABI of (unsafe) fn() and can you (unsafely) create a safe pointer to an unsafe fn (if you know what you're doing)? help	7	525	May 29, 2021
Should FFI callbacks into Rust be marked `unsafe`?	6	1690	January 12, 2023
Are there any specific rules regarding the choice between "unsafe fn" and "unsafe block"? help	5	520	July 11, 2019

Value validity for the unsafe fn type?

Related topics