#![deny(unsafe_op_in_unsafe_fn)] in sys/hermit

library/std/src/sys/hermit/alloc.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::alloc::{GlobalAlloc, Layout, System};
 use crate::ptr;
 use crate::sys::hermit::abi;
@@ -6,26 +8,33 @@ use crate::sys::hermit::abi;
 unsafe impl GlobalAlloc for System {
     #[inline]
     unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
-        abi::malloc(layout.size(), layout.align())
+        // SAFETY: The safety contract for `malloc` must be upheld by the caller.
+        unsafe { abi::malloc(layout.size(), layout.align()) }
     }
 
     unsafe fn alloc_zeroed(&self, layout: Layout) -> *mut u8 {
-        let addr = abi::malloc(layout.size(), layout.align());
+        // SAFETY: The safety contract for `malloc` must be upheld by the caller.
+        // Also, `addr` must be valid for writes of `layout.size() * size_of::<u8>()` bytes.
+        unsafe {
+            let addr = abi::malloc(layout.size(), layout.align());
 
-        if !addr.is_null() {
-            ptr::write_bytes(addr, 0x00, layout.size());
-        }
+            if !addr.is_null() {
+                ptr::write_bytes(addr, 0x00, layout.size());
+            }
 
-        addr
+            addr
+        }
     }
 
     #[inline]
     unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {
-        abi::free(ptr, layout.size(), layout.align())
+        // SAFETY: The safety contract for `free` must be upheld by the caller.
+        unsafe { abi::free(ptr, layout.size(), layout.align()) }
     }
 
     #[inline]
     unsafe fn realloc(&self, ptr: *mut u8, layout: Layout, new_size: usize) -> *mut u8 {
-        abi::realloc(ptr, layout.size(), layout.align(), new_size)
+        // SAFETY: The safety contract for `realloc` must be upheld by the caller.
+        unsafe { abi::realloc(ptr, layout.size(), layout.align(), new_size) }
     }
 }

library/std/src/sys/hermit/args.rs

@@ -1,15 +1,17 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::ffi::OsString;
 use crate::marker::PhantomData;
 use crate::vec;
 
 /// One-time global initialization.
 pub unsafe fn init(argc: isize, argv: *const *const u8) {
-    imp::init(argc, argv)
+    unsafe { imp::init(argc, argv) }
 }
 
 /// One-time global cleanup.
 pub unsafe fn cleanup() {
-    imp::cleanup()
+    unsafe { imp::cleanup() }
 }
 
 /// Returns the command line arguments
@@ -65,14 +67,18 @@ mod imp {
 
     pub unsafe fn init(argc: isize, argv: *const *const u8) {
         let _guard = LOCK.lock();
-        ARGC = argc;
-        ARGV = argv;
+        unsafe {
+            ARGC = argc;
+            ARGV = argv;
+        }
     }
 
     pub unsafe fn cleanup() {
         let _guard = LOCK.lock();
         ARGC = 0;
-        ARGV = ptr::null();
+        unsafe {
+            ARGV = ptr::null();
+        }
     }
 
     pub fn args() -> Args {

library/std/src/sys/hermit/condvar.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::ffi::c_void;
 use crate::ptr;
 use crate::sync::atomic::{AtomicUsize, Ordering::SeqCst};
@@ -23,33 +25,43 @@ impl Condvar {
     }
 
     pub unsafe fn init(&mut self) {
-        let _ = abi::sem_init(&mut self.sem1 as *mut *const c_void, 0);
-        let _ = abi::sem_init(&mut self.sem2 as *mut *const c_void, 0);
+        unsafe {
+            let _ = abi::sem_init(&mut self.sem1 as *mut *const c_void, 0);
+            let _ = abi::sem_init(&mut self.sem2 as *mut *const c_void, 0);
+        }
     }
 
     pub unsafe fn notify_one(&self) {
         if self.counter.load(SeqCst) > 0 {
             self.counter.fetch_sub(1, SeqCst);
-            abi::sem_post(self.sem1);
-            abi::sem_timedwait(self.sem2, 0);
+            unsafe {
+                abi::sem_post(self.sem1);
+                abi::sem_timedwait(self.sem2, 0);
+            }
         }
     }
 
     pub unsafe fn notify_all(&self) {
         let counter = self.counter.swap(0, SeqCst);
         for _ in 0..counter {
-            abi::sem_post(self.sem1);
+            unsafe {
+                abi::sem_post(self.sem1);
+            }
         }
         for _ in 0..counter {
-            abi::sem_timedwait(self.sem2, 0);
+            unsafe {
+                abi::sem_timedwait(self.sem2, 0);
+            }
         }
     }
 
     pub unsafe fn wait(&self, mutex: &Mutex) {
         self.counter.fetch_add(1, SeqCst);
         mutex.unlock();
-        abi::sem_timedwait(self.sem1, 0);
-        abi::sem_post(self.sem2);
+        unsafe {
+            abi::sem_timedwait(self.sem1, 0);
+            abi::sem_post(self.sem2);
+        }
         mutex.lock();
     }
 
@@ -58,7 +70,9 @@ impl Condvar {
     }
 
     pub unsafe fn destroy(&self) {
-        let _ = abi::sem_destroy(self.sem1);
-        let _ = abi::sem_destroy(self.sem2);
+        unsafe {
+            let _ = abi::sem_destroy(self.sem1);
+            let _ = abi::sem_destroy(self.sem2);
+        }
     }
 }

library/std/src/sys/hermit/fd.rs

@@ -1,3 +1,4 @@
+#![deny(unsafe_op_in_unsafe_fn)]
 #![unstable(reason = "not public", issue = "none", feature = "fd")]
 
 use crate::io::{self, ErrorKind, Read};

library/std/src/sys/hermit/mod.rs

@@ -13,6 +13,8 @@
 //! compiling for wasm. That way it's a compile time error for something that's
 //! guaranteed to be a runtime error!
 
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::intrinsics;
 use crate::os::raw::c_char;
 
@@ -62,8 +64,12 @@ pub enum Void {}
 pub unsafe fn strlen(start: *const c_char) -> usize {
     let mut str = start;
 
-    while *str != 0 {
-        str = str.offset(1);
+    // SAFETY: The safety contract for `*str != 0` must be upheld by the caller.
+    // `start` must not be null.
+    unsafe {
+        while *str != 0 {
+            str = str.offset(1);
+        }
     }
 
     (str as usize) - (start as usize)
@@ -111,13 +117,15 @@ pub unsafe extern "C" fn runtime_entry(
         fn main(argc: isize, argv: *const *const c_char) -> i32;
     }
 
-    // initialize environment
-    os::init_environment(env as *const *const i8);
+    unsafe {
+        // initialize environment
+        os::init_environment(env as *const *const i8);
 
-    let result = main(argc as isize, argv);
+        let result = main(argc as isize, argv);
 
-    run_dtors();
-    abi::exit(result);
+        run_dtors();
+        abi::exit(result);
+    }
 }
 
 pub fn decode_error_kind(errno: i32) -> ErrorKind {

library/std/src/sys/hermit/mutex.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::ffi::c_void;
 use crate::ptr;
 use crate::sys::hermit::abi;
@@ -16,28 +18,34 @@ impl Mutex {
 
     #[inline]
     pub unsafe fn init(&mut self) {
-        let _ = abi::sem_init(&mut self.inner as *mut *const c_void, 1);
+        unsafe {
+            let _ = abi::sem_init(&mut self.inner as *mut *const c_void, 1);
+        }
     }
 
     #[inline]
     pub unsafe fn lock(&self) {
-        let _ = abi::sem_timedwait(self.inner, 0);
+        unsafe {
+            let _ = abi::sem_timedwait(self.inner, 0);
+        }
     }
 
     #[inline]
     pub unsafe fn unlock(&self) {
-        let _ = abi::sem_post(self.inner);
+        unsafe {
+            let _ = abi::sem_post(self.inner);
+        }
     }
 
     #[inline]
     pub unsafe fn try_lock(&self) -> bool {
-        let result = abi::sem_trywait(self.inner);
+        let result = unsafe { abi::sem_trywait(self.inner) };
         result == 0
     }
 
     #[inline]
     pub unsafe fn destroy(&self) {
-        let _ = abi::sem_destroy(self.inner);
+        let _ = unsafe { abi::sem_destroy(self.inner) };
     }
 }
 
@@ -52,12 +60,12 @@ impl ReentrantMutex {
 
     #[inline]
     pub unsafe fn init(&self) {
-        let _ = abi::recmutex_init(&self.inner as *const *const c_void as *mut _);
+        let _ = unsafe { abi::recmutex_init(&self.inner as *const *const c_void as *mut _) };
     }
 
     #[inline]
     pub unsafe fn lock(&self) {
-        let _ = abi::recmutex_lock(self.inner);
+        let _ = unsafe { abi::recmutex_lock(self.inner) };
     }
 
     #[inline]
@@ -67,11 +75,11 @@ impl ReentrantMutex {
 
     #[inline]
     pub unsafe fn unlock(&self) {
-        let _ = abi::recmutex_unlock(self.inner);
+        let _ = unsafe { abi::recmutex_unlock(self.inner) };
     }
 
     #[inline]
     pub unsafe fn destroy(&self) {
-        let _ = abi::recmutex_destroy(self.inner);
+        let _ = unsafe { abi::recmutex_destroy(self.inner) };
     }
 }

library/std/src/sys/hermit/os.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::collections::HashMap;
 use crate::error::Error as StdError;
 use crate::ffi::{CStr, OsStr, OsString};

library/std/src/sys/hermit/rwlock.rs

@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use crate::cell::UnsafeCell;
 use crate::sys::condvar::Condvar;
 use crate::sys::mutex::Mutex;
@@ -32,62 +34,76 @@ impl RWLock {
 
     #[inline]
     pub unsafe fn read(&self) {
-        self.lock.lock();
-        while !(*self.state.get()).inc_readers() {
-            self.cond.wait(&self.lock);
+        unsafe {
+            self.lock.lock();
+            while !(*self.state.get()).inc_readers() {
+                self.cond.wait(&self.lock);
+            }
+            self.lock.unlock();
         }
-        self.lock.unlock();
     }
 
     #[inline]
     pub unsafe fn try_read(&self) -> bool {
-        self.lock.lock();
-        let ok = (*self.state.get()).inc_readers();
-        self.lock.unlock();
+        unsafe {
+            self.lock.lock();
+            let ok = (*self.state.get()).inc_readers();
+            self.lock.unlock();
+        }
         return ok;
     }
 
     #[inline]
     pub unsafe fn write(&self) {
-        self.lock.lock();
-        while !(*self.state.get()).inc_writers() {
-            self.cond.wait(&self.lock);
+        unsafe {
+            self.lock.lock();
+            while !(*self.state.get()).inc_writers() {
+                self.cond.wait(&self.lock);
+            }
         }
         self.lock.unlock();
     }
 
     #[inline]
     pub unsafe fn try_write(&self) -> bool {
-        self.lock.lock();
-        let ok = (*self.state.get()).inc_writers();
-        self.lock.unlock();
+        unsafe {
+            self.lock.lock();
+            let ok = (*self.state.get()).inc_writers();
+            self.lock.unlock();
+        }
         return ok;
     }
 
     #[inline]
     pub unsafe fn read_unlock(&self) {
-        self.lock.lock();
-        let notify = (*self.state.get()).dec_readers();
-        self.lock.unlock();
-        if notify {
-            // FIXME: should only wake up one of these some of the time
-            self.cond.notify_all();
+        unsafe {
+            self.lock.lock();
+            let notify = (*self.state.get()).dec_readers();
+            self.lock.unlock();
+            if notify {
+                // FIXME: should only wake up one of these some of the time
+                self.cond.notify_all();
+            }
         }
     }
 
     #[inline]
     pub unsafe fn write_unlock(&self) {
-        self.lock.lock();
-        (*self.state.get()).dec_writers();
-        self.lock.unlock();
-        // FIXME: should only wake up one of these some of the time
-        self.cond.notify_all();
+        unsafe {
+            self.lock.lock();
+            (*self.state.get()).dec_writers();
+            self.lock.unlock();
+            // FIXME: should only wake up one of these some of the time
+            self.cond.notify_all();
+        }
     }
 
     #[inline]
     pub unsafe fn destroy(&self) {
-        self.lock.destroy();
-        self.cond.destroy();
+        unsafe {
+            self.lock.destroy();
+            self.cond.destroy();
+        }
     }
 }