The iter() and iter mut() APIs compute current = (&children[0] as *const *const RawAutoChild).sub(1), which performs pointer subtraction going before the start of the allocation. This is undefined behavior per Rust's pointer arithmetic rules.

This can be triggered through safe public APIs — iter() and iter mut() — with no unsafe required from the caller.