Revise compliant and non-compliant examples in values.rst

rcseacord · web-flow · commit d9d72499f8fd · 2025-12-08T06:52:19.000-05:00
Updated examples to clarify compliant and non-compliant behavior with uninitialized padding in Rust.
diff --git a/src/coding-guidelines/values.rst b/src/coding-guidelines/values.rst
@@ -215,16 +215,12 @@ Values
          let u = U { x: 255 };        // 255 is not a valid bool representation
          let b = unsafe { u.b };      // UB — invalid bool
 
-   .. compliant_example::
-      :id: compl_ex_Ke869nSXuShT
+   .. non_compliant_example::
+      :id: non_compl_ex_Qb5GqYTP6db4
       :status: draft
 
-      In this compliant example, ``s`` contains uninitialized padding and ``copy_of_s`` contains a copy of those uninitialized padding bytes.
-      Both values are fully valid as long as only their fields are read.
-      ``#[derive(Copy, Clone)]`` allows ``S`` to be bitwise copied.
-      Bitwise copying does not read the padding, it just copies whatever bytes are present.
-      Uninitialized bytes can be copied (including padding).
-      Reading padding is undefined behavior, but copying it is not.
+      This noncompliant example has undefined behavior when ``assume_init()`` is called on ``tmp`` because
+      not all the fields of ``struct S`` have been initialized.
 
       .. code-block:: rust
 
@@ -242,17 +238,44 @@ Values
 
              unsafe {
                  (*tmp.as_mut_ptr()).a = a;
-                 tmp.assume_init()
+                 tmp.assume_init()  // Error: UB
              }
          }
 
          fn main() {
              let s = make_s(10);
-             println!("s.a = {}", s.a); // OK
-             println!("s.b = {}", s.b); // Error: UB
+             println!("s.a = {}, s.b = {}", s.a, s.b);
+         }
 
-             let copy_of_s = s; // OK
-             println!("copy_of_s.a = {}", copy_of_s.a);  // OK
-             println!("copy_of_s.b = {}", copy_of_s.b); // Error: UB
+   .. compliant_example::
+      :id: compl_ex_Ke869nSXuShT
+      :status: draft
+
+      This compliant example example is free from undefined behavior, even though the three bytes of padding between ``s.a`` and ``s.b`` is uninitialized.
+      Padding bytes do not need to be initialized.
+
+      .. code-block:: rust
+
+         use std::mem::MaybeUninit;
+
+         #[repr(C)]
+         #[derive(Copy, Clone)]
+         struct S {
+             a: u8,
+             b: u32,
+         }
+
+         fn make_s(a: u8, b: u32) -> S {
+             let mut tmp = MaybeUninit::<S>::uninit();
+
+             unsafe {
+                 (*tmp.as_mut_ptr()).a = a;
+                 (*tmp.as_mut_ptr()).b = b;
+                 tmp.assume_init()
+             }
          }
 
+         fn main() {
+             let s = make_s(10, 42);
+             println!("s.a = {}, s.b = {}", s.a, s.b);
+         }
