Deny unsafe ops in unsafe fns, part 6

And final part!!!

src/libcore/alloc/mod.rs

@@ -1,7 +1,6 @@
 //! Memory allocation APIs
 
 #![stable(feature = "alloc_module", since = "1.28.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 mod global;
 mod layout;

src/libcore/cell.rs

@@ -187,7 +187,6 @@
 //!
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp::Ordering;
 use crate::fmt::{self, Debug, Display};

src/libcore/char/convert.rs

@@ -1,7 +1,5 @@
 //! Character conversions.
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::convert::TryFrom;
 use crate::fmt;
 use crate::mem::transmute;

src/libcore/char/methods.rs

@@ -1,7 +1,5 @@
 //! impl char {}
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::slice;
 use crate::str::from_utf8_unchecked_mut;
 use crate::unicode::printable::is_printable;

src/libcore/convert/num.rs

@@ -1,5 +1,3 @@
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use super::{From, TryFrom};
 use crate::num::TryFromIntError;
 

src/libcore/ffi.rs

@@ -1,6 +1,5 @@
 #![stable(feature = "", since = "1.30.0")]
 #![allow(non_camel_case_types)]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 //! Utilities related to FFI bindings.
 

src/libcore/future/mod.rs

@@ -85,5 +85,7 @@ where
 #[unstable(feature = "gen_future", issue = "50547")]
 #[inline]
 pub unsafe fn get_context<'a, 'b>(cx: ResumeTy) -> &'a mut Context<'b> {
- &mut *cx.0.as_ptr().cast()
+ // SAFETY: the caller must guarantee that `cx.0` is a valid pointer
+ // that fulfills all the requirements for a mutable reference.
+ unsafe { &mut *cx.0.as_ptr().cast() }
 }

src/libcore/hash/sip.rs

@@ -1,7 +1,6 @@
 //! An implementation of SipHash.
 
 #![allow(deprecated)] // the types in this module are deprecated
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp;
 use crate::marker::PhantomData;

src/libcore/hint.rs

@@ -2,8 +2,6 @@
 
 //! Hints to compiler that affects how code should be emitted or optimized.
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::intrinsics;
 
 /// Informs the compiler that this point in the code is not reachable, enabling

src/libcore/intrinsics.rs

@@ -53,7 +53,6 @@
  issue = "none"
 )]
 #![allow(missing_docs)]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::marker::DiscriminantKind;
 use crate::mem;

src/libcore/iter/mod.rs

@@ -309,7 +309,6 @@
 //! [`min`]: trait.Iterator.html#method.min
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::ops::Try;
 

src/libcore/lib.rs

@@ -149,6 +149,7 @@
 #![feature(const_caller_location)]
 #![feature(no_niche)] // rust-lang/rust#68303
 #![feature(unsafe_block_in_unsafe_fn)]
+#![deny(unsafe_op_in_unsafe_fn)]
 
 #[prelude_import]
 #[allow(unused)]
@@ -279,7 +280,13 @@ pub mod primitive;
 // set up in such a way that directly pulling it here works such that the
 // crate uses the this crate as its libcore.
 #[path = "../stdarch/crates/core_arch/src/mod.rs"]
-#[allow(missing_docs, missing_debug_implementations, dead_code, unused_imports)]
+#[allow(
+ missing_docs,
+ missing_debug_implementations,
+ dead_code,
+ unused_imports,
+ unsafe_op_in_unsafe_fn
+)]
 // FIXME: This annotation should be moved into rust-lang/stdarch after clashing_extern_declarations is
 // merged. It currently cannot because bootstrap fails as the lint hasn't been defined yet.
 #[cfg_attr(not(bootstrap), allow(clashing_extern_declarations))]

src/libcore/mem/mod.rs

@@ -4,7 +4,6 @@
 //! types, initializing and manipulating memory.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::clone;
 use crate::cmp;

src/libcore/num/f32.rs

@@ -9,7 +9,6 @@
 //! new code should use the associated constants directly on the primitive type.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::FloatToInt;
 #[cfg(not(test))]

src/libcore/num/f64.rs

@@ -9,7 +9,6 @@
 //! new code should use the associated constants directly on the primitive type.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::FloatToInt;
 #[cfg(not(test))]

src/libcore/num/mod.rs

@@ -3,7 +3,6 @@
 //! Numeric traits and functions for the built-in numeric types.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::Infallible;
 use crate::fmt;

src/libcore/pin.rs

@@ -375,7 +375,6 @@
 //! [`i32`]: ../../std/primitive.i32.html
 
 #![stable(feature = "pin", since = "1.33.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp::{self, PartialEq, PartialOrd};
 use crate::fmt;

src/libcore/ptr/const_ptr.rs

@@ -95,7 +95,9 @@ impl<T: ?Sized> *const T {
  #[stable(feature = "ptr_as_ref", since = "1.9.0")]
  #[inline]
  pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {
- if self.is_null() { None } else { Some(&*self) }
+ // SAFETY: the caller must guarantee that `self` is valid
+ // for a reference if it isn't null.
+ if self.is_null() { None } else { unsafe { Some(&*self) } }
  }
 
  /// Calculates the offset from a pointer.
@@ -157,7 +159,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- intrinsics::offset(self, count)
+ // SAFETY: the caller must uphold the safety contract for `offset`.
+ unsafe { intrinsics::offset(self, count) }
  }
 
  /// Calculates the offset from a pointer using wrapping arithmetic.
@@ -292,7 +295,8 @@ impl<T: ?Sized> *const T {
  {
  let pointee_size = mem::size_of::<T>();
  assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
- intrinsics::ptr_offset_from(self, origin)
+ // SAFETY: the caller must uphold the safety contract for `ptr_offset_from`.
+ unsafe { intrinsics::ptr_offset_from(self, origin) }
  }
 
  /// Returns whether two pointers are guaranteed to be equal.
@@ -471,7 +475,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- self.offset(count as isize)
+ // SAFETY: the caller must uphold the safety contract for `offset`.
+ unsafe { self.offset(count as isize) }
  }
 
  /// Calculates the offset from a pointer (convenience for
@@ -534,7 +539,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- self.offset((count as isize).wrapping_neg())
+ // SAFETY: the caller must uphold the safety contract for `offset`.
+ unsafe { self.offset((count as isize).wrapping_neg()) }
  }
 
  /// Calculates the offset from a pointer using wrapping arithmetic.
@@ -663,7 +669,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- read(self)
+ // SAFETY: the caller must uphold the safety contract for `read`.
+ unsafe { read(self) }
  }
 
  /// Performs a volatile read of the value from `self` without moving it. This
@@ -682,7 +689,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- read_volatile(self)
+ // SAFETY: the caller must uphold the safety contract for `read_volatile`.
+ unsafe { read_volatile(self) }
  }
 
  /// Reads the value from `self` without moving it. This leaves the
@@ -699,7 +707,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- read_unaligned(self)
+ // SAFETY: the caller must uphold the safety contract for `read_unaligned`.
+ unsafe { read_unaligned(self) }
  }
 
  /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
@@ -716,7 +725,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- copy(self, dest, count)
+ // SAFETY: the caller must uphold the safety contract for `copy`.
+ unsafe { copy(self, dest, count) }
  }
 
  /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
@@ -733,7 +743,8 @@ impl<T: ?Sized> *const T {
  where
  T: Sized,
  {
- copy_nonoverlapping(self, dest, count)
+ // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`.
+ unsafe { copy_nonoverlapping(self, dest, count) }
  }
 
  /// Computes the offset that needs to be applied to the pointer in order to make it aligned to