
I think you misinterpreted the issue report you linked, which goes along with what Manishearth was saying about there being two meanings of “unsafe”. In this case, ptr::offset is declared as an unsafe fn - meaning only unsafe code can call it - because of the UB issue you mentioned. The reporter was asking to remove “unsafe”, arguing that Rust generally allows safe code to create arbitrary raw pointer values (but not dereference them). Which is true, but only because that’s designed not to cause UB. ptr::offset can cause UB, so it has to remain an unsafe fn - lest it become “unsafe” in the sense of “potentially dangerous when called from safe code” - and the report was closed.

Edit: There are some other known ways of causing UB from safe Rust code, but they’re considered bugs - and some longstanding ones are on the way to being fixed in the next few months, thanks to MIR borrow checking and saturating float->int casts.
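The distinction drawn in the comment above, as an added example that is not part of the thread: safe code may compute an arbitrary raw pointer with `wrapping_offset`, while `offset` is an unsafe fn whose in-bounds precondition a safe wrapper has to establish itself. The function names `far_pointer` and `checked_get` are hypothetical.

```rust
// Added illustration; function names are hypothetical, not from the thread.

/// Safe: computing an arbitrary raw pointer value is allowed in safe code,
/// because `wrapping_offset` never causes UB by itself. Only dereferencing
/// an out-of-bounds result would, and that requires `unsafe`.
fn far_pointer(base: *const u32, count: isize) -> *const u32 {
    base.wrapping_offset(count)
}

/// Safe wrapper around the unsafe `offset`: the bounds check establishes
/// the in-bounds precondition that `offset` requires of its caller.
fn checked_get(data: &[u32], index: usize) -> Option<u32> {
    if index >= data.len() {
        return None;
    }
    let base = data.as_ptr();
    // SAFETY: index < data.len(), so the result stays inside the same
    // allocation, and a slice never spans more than isize::MAX bytes.
    unsafe { Some(*base.offset(index as isize)) }
}

fn main() {
    let data = [10u32, 20, 30];

    // Fine in safe code: the pointer is computed but never dereferenced.
    let p = far_pointer(data.as_ptr(), 1_000_000);
    println!("{:p}", p);

    println!("{:?} {:?}", checked_get(&data, 1), checked_get(&data, 3));

    // `data.as_ptr().offset(1_000_000)` does not compile here without an
    // `unsafe` block, and inside one it would be UB (out of bounds).
}
```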




Segfault:

    #[link_section = ".data"] fn main() { }


There are also ones which are considered "well, whatcanyado", like writing to /proc/self/mem.

(link_section might be counted as one of these, or just tweaking your link flags)



