Rollup merge of rust-lang#71760 - LeSeulArtichaut:document-unsafety, r=Mark-Simulacrum

Dylan-DPC · web-flow · commit 05b1991e76ff · 2020-05-01T23:16:36.000+02:00
Document unsafety for `*const T` and `*mut T` Helps with rust-lang#66219 r? @Mark-Simulacrum
diff --git a/src/libcore/ptr/const_ptr.rs b/src/libcore/ptr/const_ptr.rs
@@ -3,8 +3,6 @@ use crate::cmp::Ordering::{self, Equal, Greater, Less};
 use crate::intrinsics;
 use crate::mem;
 
-// ignore-tidy-undocumented-unsafe
-
 #[lang = "const_ptr"]
 impl<T: ?Sized> *const T {
     /// Returns `true` if the pointer is null.
@@ -215,6 +213,7 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
+        // SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
         unsafe { intrinsics::arith_offset(self, count) }
     }
 
@@ -702,6 +701,7 @@ impl<T: ?Sized> *const T {
         if !align.is_power_of_two() {
             panic!("align_offset: align is not a power-of-two");
         }
+        // SAFETY: `align` has been checked to be a power of 2 above
         unsafe { align_offset(self, align) }
     }
 }
@@ -729,6 +729,8 @@ impl<T> *const [T] {
     #[unstable(feature = "slice_ptr_len", issue = "71146")]
     #[rustc_const_unstable(feature = "const_slice_ptr_len", issue = "71146")]
     pub const fn len(self) -> usize {
+        // SAFETY: this is safe because `*const [T]` and `FatPtr<T>` have the same layout.
+        // Only `std` can make this guarantee.
         unsafe { Repr { rust: self }.raw }.len
     }
 }
diff --git a/src/libcore/ptr/mut_ptr.rs b/src/libcore/ptr/mut_ptr.rs
@@ -2,8 +2,6 @@ use super::*;
 use crate::cmp::Ordering::{self, Equal, Greater, Less};
 use crate::intrinsics;
 
-// ignore-tidy-undocumented-unsafe
-
 #[lang = "mut_ptr"]
 impl<T: ?Sized> *mut T {
     /// Returns `true` if the pointer is null.
@@ -208,6 +206,7 @@ impl<T: ?Sized> *mut T {
     where
         T: Sized,
     {
+        // SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
         unsafe { intrinsics::arith_offset(self, count) as *mut T }
     }
 
@@ -890,6 +889,7 @@ impl<T: ?Sized> *mut T {
         if !align.is_power_of_two() {
             panic!("align_offset: align is not a power-of-two");
         }
+        // SAFETY: `align` has been checked to be a power of 2 above
         unsafe { align_offset(self, align) }
     }
 }
@@ -917,6 +917,8 @@ impl<T> *mut [T] {
     #[unstable(feature = "slice_ptr_len", issue = "71146")]
     #[rustc_const_unstable(feature = "const_slice_ptr_len", issue = "71146")]
     pub const fn len(self) -> usize {
+        // SAFETY: this is safe because `*const [T]` and `FatPtr<T>` have the same layout.
+        // Only `std` can make this guarantee.
         unsafe { Repr { rust_mut: self }.raw }.len
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,6 @@ use crate::cmp::Ordering::{self, Equal, Greater, Less};`
`3`	`3`	`use crate::intrinsics;`
`4`	`4`	`use crate::mem;`
`5`	`5`
`6`		`-// ignore-tidy-undocumented-unsafe`
`7`		`-`
`8`	`6`	`#[lang = "const_ptr"]`
`9`	`7`	`impl<T: ?Sized> *const T {`
`10`	`8`	/// Returns `true` if the pointer is null.
`@@ -215,6 +213,7 @@ impl<T: ?Sized> *const T {`
`215`	`213`	`where`
`216`	`214`	`T: Sized,`
`217`	`215`	`{`
	`216`	+ // SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
`218`	`217`	`unsafe { intrinsics::arith_offset(self, count) }`
`219`	`218`	`}`
`220`	`219`
`@@ -702,6 +701,7 @@ impl<T: ?Sized> *const T {`
`702`	`701`	`if !align.is_power_of_two() {`
`703`	`702`	`panic!("align_offset: align is not a power-of-two");`
`704`	`703`	`}`
	`704`	+ // SAFETY: `align` has been checked to be a power of 2 above
`705`	`705`	`unsafe { align_offset(self, align) }`
`706`	`706`	`}`
`707`	`707`	`}`
`@@ -729,6 +729,8 @@ impl<T> *const [T] {`
`729`	`729`	`#[unstable(feature = "slice_ptr_len", issue = "71146")]`
`730`	`730`	`#[rustc_const_unstable(feature = "const_slice_ptr_len", issue = "71146")]`
`731`	`731`	`pub const fn len(self) -> usize {`
	`732`	+ // SAFETY: this is safe because `*const [T]` and `FatPtr<T>` have the same layout.
	`733`	+ // Only `std` can make this guarantee.
`732`	`734`	`unsafe { Repr { rust: self }.raw }.len`
`733`	`735`	`}`
`734`	`736`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,6 @@ use super::*;`
`2`	`2`	`use crate::cmp::Ordering::{self, Equal, Greater, Less};`
`3`	`3`	`use crate::intrinsics;`
`4`	`4`
`5`		`-// ignore-tidy-undocumented-unsafe`
`6`		`-`
`7`	`5`	`#[lang = "mut_ptr"]`
`8`	`6`	`impl<T: ?Sized> *mut T {`
`9`	`7`	/// Returns `true` if the pointer is null.
`@@ -208,6 +206,7 @@ impl<T: ?Sized> *mut T {`
`208`	`206`	`where`
`209`	`207`	`T: Sized,`
`210`	`208`	`{`
	`209`	+ // SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
`211`	`210`	`unsafe { intrinsics::arith_offset(self, count) as *mut T }`
`212`	`211`	`}`
`213`	`212`
`@@ -890,6 +889,7 @@ impl<T: ?Sized> *mut T {`
`890`	`889`	`if !align.is_power_of_two() {`
`891`	`890`	`panic!("align_offset: align is not a power-of-two");`
`892`	`891`	`}`
	`892`	+ // SAFETY: `align` has been checked to be a power of 2 above
`893`	`893`	`unsafe { align_offset(self, align) }`
`894`	`894`	`}`
`895`	`895`	`}`
`@@ -917,6 +917,8 @@ impl<T> *mut [T] {`
`917`	`917`	`#[unstable(feature = "slice_ptr_len", issue = "71146")]`
`918`	`918`	`#[rustc_const_unstable(feature = "const_slice_ptr_len", issue = "71146")]`
`919`	`919`	`pub const fn len(self) -> usize {`
	`920`	+ // SAFETY: this is safe because `*const [T]` and `FatPtr<T>` have the same layout.
	`921`	+ // Only `std` can make this guarantee.
`920`	`922`	`unsafe { Repr { rust_mut: self }.raw }.len`
`921`	`923`	`}`
`922`	`924`	`}`