
Commit c000fc8

committed
Add some SAFETY comments, some TODO comments (#66)
Deny the `clippy::undocumented_unsafe_blocks` lint. Add SAFETY comments to some unsafe code, and add `#[allow(...)]` to the rest along with TODO comments to follow up. This is the first step of #61.
1 parent 3aeb26b commit c000fc8


2 files changed

+67
-18
lines changed

2 files changed

+67
-18
lines changed

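--- a/src/byteorder.rs
+++ b/src/byteorder.rs
@@ -190,6 +190,9 @@ example of how it can be used for parsing UDP packets.
 
 // TODO(#10): Replace this with `#[derive(AsBytes)]` once that derive
 // supports type parameters.
+//
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<O: ByteOrder> AsBytes for $name<O> {
 fn only_derive_is_allowed_to_implement_this_trait()
 where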
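Review bot: The `allow` placed above `unsafe impl<O: ByteOrder> AsBytes for $name<O>` sits inside a macro body, so every byte-order wrapper generated by this macro inherits the same undocumented `unsafe impl`, and the follow-up promised in the TODO only needs to be written once here rather than once per type. The justification presumably rests on `$name<O>` being a transparent wrapper over a plain byte array with no padding; that struct definition is outside this hunk and should be confirmed before the comment is written. If it holds, the deferred comment can read `// SAFETY: `$name<O>` is a transparent wrapper over a byte array, so it has no padding and every byte of the value is an initialized `u8`.` The enclosing `macro_rules!` starts and ends outside the hunk.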

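--- a/src/lib.rs
+++ b/src/lib.rs
@@ -66,6 +66,7 @@
 clippy::style,
 clippy::suspicious,
 clippy::todo,
+clippy::undocumented_unsafe_blocks,
 clippy::unimplemented,
 clippy::unnested_or_patterns,
 clippy::unwrap_used,
@@ -143,22 +144,26 @@ mod zerocopy {
 // Implements an unsafe trait for a range of container types.
 macro_rules! impl_for_composite_types {
 ($trait:ident) => {
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<T> $trait for PhantomData<T> {
 fn only_derive_is_allowed_to_implement_this_trait()
 where
 Self: Sized,
 {
 }
 }
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<T: $trait> $trait for [T] {
 fn only_derive_is_allowed_to_implement_this_trait()
 where
 Self: Sized,
 {
 }
 }
-// According to the `Wrapping` docs, "`Wrapping<T>` is guaranteed to
-// have the same layout and ABI as `T`."
+// SAFETY: According to the `Wrapping` docs, "`Wrapping<T>` is
+// guaranteed to have the same layout and ABI as `T`."
 unsafe impl<T: $trait> $trait for Wrapping<T> {
 fn only_derive_is_allowed_to_implement_this_trait()
 where
@@ -167,6 +172,9 @@ macro_rules! impl_for_composite_types {
 }
 }
 // Unit type has an empty representation.
+//
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl $trait for () {
 fn only_derive_is_allowed_to_implement_this_trait()
 where
@@ -175,6 +183,9 @@ macro_rules! impl_for_composite_types {
 }
 }
 // Constant sized array with elements implementing `$trait`.
+//
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<T: $trait, const N: usize> $trait for [T; N] {
 fn only_derive_is_allowed_to_implement_this_trait()
 where
@@ -189,6 +200,8 @@ macro_rules! impl_for_composite_types {
 macro_rules! impl_for_types {
 ($trait:ident, $($types:ty),* $(,)?) => (
 $(
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl $trait for $types {
 fn only_derive_is_allowed_to_implement_this_trait() {}
 }
@@ -339,11 +352,9 @@ pub unsafe trait FromBytes {
 where
 Self: Sized,
 {
-unsafe {
-// SAFETY: `FromBytes` says all bit patterns (including zeroes) are
-// legal.
-mem::zeroed()
-}
+// SAFETY: `FromBytes` says all bit patterns (including zeroes) are
+// legal.
+unsafe { mem::zeroed() }
 }
 
 /// Creates a `Box<Self>` from zeroed bytes.
@@ -502,6 +513,8 @@ pub unsafe trait AsBytes {
 /// `as_bytes` provides access to the bytes of this value as an immutable
 /// byte slice.
 fn as_bytes(&self) -> &[u8] {
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe {
 // Note that this method does not have a `Self: Sized` bound;
 // `size_of_val` works for unsized values too.
@@ -519,6 +532,8 @@ pub unsafe trait AsBytes {
 where
 Self: FromBytes,
 {
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe {
 // Note that this method does not have a `Self: Sized` bound;
 // `size_of_val` works for unsized values too.
@@ -889,10 +904,10 @@ macro_rules! transmute {
 }
 transmute(e)
 } else {
-// `core::mem::transmute` ensures that the type of `e` and the type
-// of this macro invocation expression have the same size. We know
-// this transmute is safe thanks to the `AsBytes` and `FromBytes`
-// bounds enforced by the `false` branch.
+// SAFETY: `core::mem::transmute` ensures that the type of `e` and
+// the type of this macro invocation expression have the same size.
+// We know this transmute is safe thanks to the `AsBytes` and
+// `FromBytes` bounds enforced by the `false` branch.
 //
 // We use `$crate::__real_transmute` because we know it will always
 // be available for crates which are using the 2015 edition of Rust.
@@ -1613,7 +1628,11 @@ where
 /// and no mutable references to the same memory may be constructed during
 /// `'a`.
 unsafe fn deref_helper<'a>(&self) -> &'a T {
-unsafe { &*self.0.as_ptr().cast::<T>() }
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
+unsafe {
+&*self.0.as_ptr().cast::<T>()
+}
 }
 }
 
@@ -1634,7 +1653,11 @@ where
 /// and no other references - mutable or immutable - to the same memory may
 /// be constructed during `'a`.
 unsafe fn deref_mut_helper<'a>(&mut self) -> &'a mut T {
-unsafe { &mut *self.0.as_mut_ptr().cast::<T>() }
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
+unsafe {
+&mut *self.0.as_mut_ptr().cast::<T>()
+}
 }
 }
 
@@ -1659,7 +1682,11 @@ where
 debug_assert_eq!(len % elem_size, 0);
 len / elem_size
 };
-unsafe { slice::from_raw_parts(self.0.as_ptr().cast::<T>(), elems) }
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
+unsafe {
+slice::from_raw_parts(self.0.as_ptr().cast::<T>(), elems)
+}
 }
 }
 
@@ -1685,7 +1712,11 @@ where
 debug_assert_eq!(len % elem_size, 0);
 len / elem_size
 };
-unsafe { slice::from_raw_parts_mut(self.0.as_mut_ptr().cast::<T>(), elems) }
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
+unsafe {
+slice::from_raw_parts_mut(self.0.as_mut_ptr().cast::<T>(), elems)
+}
 }
 }
 
@@ -2032,32 +2063,48 @@ pub unsafe trait ByteSliceMut: ByteSlice + DerefMut {
 }
 }
 
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSlice for &'a [u8] {
 #[inline]
 fn split_at(self, mid: usize) -> (Self, Self) {
 <[u8]>::split_at(self, mid)
 }
 }
+
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSlice for &'a mut [u8] {
 #[inline]
 fn split_at(self, mid: usize) -> (Self, Self) {
 <[u8]>::split_at_mut(self, mid)
 }
 }
+
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSlice for Ref<'a, [u8]> {
 #[inline]
 fn split_at(self, mid: usize) -> (Self, Self) {
 Ref::map_split(self, |slice| <[u8]>::split_at(slice, mid))
 }
 }
+
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSlice for RefMut<'a, [u8]> {
 #[inline]
 fn split_at(self, mid: usize) -> (Self, Self) {
 RefMut::map_split(self, |slice| <[u8]>::split_at_mut(slice, mid))
 }
 }
 
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSliceMut for &'a mut [u8] {}
+
+// TODO(#61): Add a "SAFETY" comment and remove this `allow`.
+#[allow(clippy::undocumented_unsafe_blocks)]
 unsafe impl<'a> ByteSliceMut for RefMut<'a, [u8]> {}
 
 #[cfg(feature = "alloc")]
@@ -2326,7 +2373,7 @@ pub use alloc_support::*;
 mod tests {
 #![allow(clippy::unreadable_literal)]
 
-use core::ops::Deref;
+use core::{convert::TryInto, ops::Deref};
 
 use super::*;
 
@@ -2346,8 +2393,7 @@ mod tests {
 
 // Converts a `u64` to bytes using this platform's endianness.
 fn u64_to_bytes(u: u64) -> [u8; 8] {
-let u: *const u64 = &u;
-unsafe { ptr::read(u.cast::<[u8; 8]>()) }
+U64::<NativeEndian>::new(u).as_bytes().try_into().unwrap()
 }
 
 #[test]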
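Review bot: In the final hunk, the test helper `u64_to_bytes` now derives its expected bytes from `U64::<NativeEndian>::new(u).as_bytes()`, so any test that uses it to check this crate's byte-level conversions compares the `AsBytes` implementation against itself rather than against an independent oracle. The standard library produces the same native-endian bytes with no unsafe code and no crate type in the loop: `u.to_ne_bytes()` (stable since Rust 1.32; confirm that is within the crate's MSRV before relying on it). Separately, in the `deref_helper`, `deref_mut_helper`, `from_raw_parts` and `from_raw_parts_mut` hunks, the `# Safety` doc comments directly above each function already spell out the aliasing invariants the caller upholds, so the deferred SAFETY comment for each block can reference that contract instead of restating it, e.g. `// SAFETY: the caller upholds this function's `# Safety` contract, and `self.0` is the byte buffer this view was validated against.` Each of those functions belongs to an `impl` that starts and ends outside its hunk.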
