Deny unsafe ops in unsafe fns, part 6

LeSeulArtichaut · LeSeulArtichaut · commit a1623ff3b6a4 · 2020-06-30T19:28:51.000+02:00
And final part!!!
diff --git a/src/libcore/alloc/mod.rs b/src/libcore/alloc/mod.rs
@@ -1,7 +1,6 @@
 //! Memory allocation APIs
 
 #![stable(feature = "alloc_module", since = "1.28.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 mod global;
 mod layout;
diff --git a/src/libcore/cell.rs b/src/libcore/cell.rs
@@ -187,7 +187,6 @@
 //!
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp::Ordering;
 use crate::fmt::{self, Debug, Display};
diff --git a/src/libcore/char/convert.rs b/src/libcore/char/convert.rs
@@ -1,7 +1,5 @@
 //! Character conversions.
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::convert::TryFrom;
 use crate::fmt;
 use crate::mem::transmute;
diff --git a/src/libcore/char/methods.rs b/src/libcore/char/methods.rs
@@ -1,7 +1,5 @@
 //! impl char {}
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::slice;
 use crate::str::from_utf8_unchecked_mut;
 use crate::unicode::printable::is_printable;
diff --git a/src/libcore/convert/num.rs b/src/libcore/convert/num.rs
@@ -1,5 +1,3 @@
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use super::{From, TryFrom};
 use crate::num::TryFromIntError;
 
diff --git a/src/libcore/ffi.rs b/src/libcore/ffi.rs
@@ -1,6 +1,5 @@
 #![stable(feature = "", since = "1.30.0")]
 #![allow(non_camel_case_types)]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 //! Utilities related to FFI bindings.
 
diff --git a/src/libcore/future/mod.rs b/src/libcore/future/mod.rs
@@ -85,5 +85,7 @@ where
 #[unstable(feature = "gen_future", issue = "50547")]
 #[inline]
 pub unsafe fn get_context<'a, 'b>(cx: ResumeTy) -> &'a mut Context<'b> {
-    &mut *cx.0.as_ptr().cast()
+    // SAFETY: the caller must guarantee that `cx.0` is a valid pointer
+    // that fulfills all the requirements for a mutable reference.
+    unsafe { &mut *cx.0.as_ptr().cast() }
 }
diff --git a/src/libcore/hash/sip.rs b/src/libcore/hash/sip.rs
@@ -1,7 +1,6 @@
 //! An implementation of SipHash.
 
 #![allow(deprecated)] // the types in this module are deprecated
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp;
 use crate::marker::PhantomData;
diff --git a/src/libcore/hint.rs b/src/libcore/hint.rs
@@ -2,8 +2,6 @@
 
 //! Hints to compiler that affects how code should be emitted or optimized.
 
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::intrinsics;
 
 /// Informs the compiler that this point in the code is not reachable, enabling
diff --git a/src/libcore/intrinsics.rs b/src/libcore/intrinsics.rs
@@ -53,7 +53,6 @@
     issue = "none"
 )]
 #![allow(missing_docs)]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::marker::DiscriminantKind;
 use crate::mem;
diff --git a/src/libcore/iter/mod.rs b/src/libcore/iter/mod.rs
@@ -309,7 +309,6 @@
 //! [`min`]: trait.Iterator.html#method.min
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::ops::Try;
 
diff --git a/src/libcore/lib.rs b/src/libcore/lib.rs
@@ -149,6 +149,7 @@
 #![feature(const_caller_location)]
 #![feature(no_niche)] // rust-lang/rust#68303
 #![feature(unsafe_block_in_unsafe_fn)]
+#![deny(unsafe_op_in_unsafe_fn)]
 
 #[prelude_import]
 #[allow(unused)]
@@ -279,7 +280,13 @@ pub mod primitive;
 // set up in such a way that directly pulling it here works such that the
 // crate uses the this crate as its libcore.
 #[path = "../stdarch/crates/core_arch/src/mod.rs"]
-#[allow(missing_docs, missing_debug_implementations, dead_code, unused_imports)]
+#[allow(
+    missing_docs,
+    missing_debug_implementations,
+    dead_code,
+    unused_imports,
+    unsafe_op_in_unsafe_fn
+)]
 // FIXME: This annotation should be moved into rust-lang/stdarch after clashing_extern_declarations is
 // merged. It currently cannot because bootstrap fails as the lint hasn't been defined yet.
 #[cfg_attr(not(bootstrap), allow(clashing_extern_declarations))]
diff --git a/src/libcore/mem/mod.rs b/src/libcore/mem/mod.rs
@@ -4,7 +4,6 @@
 //! types, initializing and manipulating memory.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::clone;
 use crate::cmp;
diff --git a/src/libcore/num/f32.rs b/src/libcore/num/f32.rs
@@ -9,7 +9,6 @@
 //! new code should use the associated constants directly on the primitive type.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::FloatToInt;
 #[cfg(not(test))]
diff --git a/src/libcore/num/f64.rs b/src/libcore/num/f64.rs
@@ -9,7 +9,6 @@
 //! new code should use the associated constants directly on the primitive type.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::FloatToInt;
 #[cfg(not(test))]
diff --git a/src/libcore/num/mod.rs b/src/libcore/num/mod.rs
@@ -3,7 +3,6 @@
 //! Numeric traits and functions for the built-in numeric types.
 
 #![stable(feature = "rust1", since = "1.0.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::convert::Infallible;
 use crate::fmt;
diff --git a/src/libcore/pin.rs b/src/libcore/pin.rs
@@ -375,7 +375,6 @@
 //! [`i32`]: ../../std/primitive.i32.html
 
 #![stable(feature = "pin", since = "1.33.0")]
-#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::cmp::{self, PartialEq, PartialOrd};
 use crate::fmt;
diff --git a/src/libcore/ptr/const_ptr.rs b/src/libcore/ptr/const_ptr.rs
@@ -95,7 +95,9 @@ impl<T: ?Sized> *const T {
     #[stable(feature = "ptr_as_ref", since = "1.9.0")]
     #[inline]
     pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {
-        if self.is_null() { None } else { Some(&*self) }
+        // SAFETY: the caller must guarantee that `self` is valid
+        // for a reference if it isn't null.
+        if self.is_null() { None } else { unsafe { Some(&*self) } }
     }
 
     /// Calculates the offset from a pointer.
@@ -157,7 +159,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        intrinsics::offset(self, count)
+        // SAFETY: the caller must uphold the safety contract for `offset`.
+        unsafe { intrinsics::offset(self, count) }
     }
 
     /// Calculates the offset from a pointer using wrapping arithmetic.
@@ -292,7 +295,8 @@ impl<T: ?Sized> *const T {
     {
         let pointee_size = mem::size_of::<T>();
         assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
-        intrinsics::ptr_offset_from(self, origin)
+        // SAFETY: the caller must uphold the safety contract for `ptr_offset_from`.
+        unsafe { intrinsics::ptr_offset_from(self, origin) }
     }
 
     /// Returns whether two pointers are guaranteed to be equal.
@@ -471,7 +475,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        self.offset(count as isize)
+        // SAFETY: the caller must uphold the safety contract for `offset`.
+        unsafe { self.offset(count as isize) }
     }
 
     /// Calculates the offset from a pointer (convenience for
@@ -534,7 +539,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        self.offset((count as isize).wrapping_neg())
+        // SAFETY: the caller must uphold the safety contract for `offset`.
+        unsafe { self.offset((count as isize).wrapping_neg()) }
     }
 
     /// Calculates the offset from a pointer using wrapping arithmetic.
@@ -663,7 +669,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        read(self)
+        // SAFETY: the caller must uphold the safety contract for `read`.
+        unsafe { read(self) }
     }
 
     /// Performs a volatile read of the value from `self` without moving it. This
@@ -682,7 +689,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        read_volatile(self)
+        // SAFETY: the caller must uphold the safety contract for `read_volatile`.
+        unsafe { read_volatile(self) }
     }
 
     /// Reads the value from `self` without moving it. This leaves the
@@ -699,7 +707,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        read_unaligned(self)
+        // SAFETY: the caller must uphold the safety contract for `read_unaligned`.
+        unsafe { read_unaligned(self) }
     }
 
     /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
@@ -716,7 +725,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        copy(self, dest, count)
+        // SAFETY: the caller must uphold the safety contract for `copy`.
+        unsafe { copy(self, dest, count) }
     }
 
     /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
@@ -733,7 +743,8 @@ impl<T: ?Sized> *const T {
     where
         T: Sized,
     {
-        copy_nonoverlapping(self, dest, count)
+        // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`.
+        unsafe { copy_nonoverlapping(self, dest, count) }
     }
 
     /// Computes the offset that needs to be applied to the pointer in order to make it aligned to
diff --git a/src/libcore/ptr/mod.rs b/src/libcore/ptr/mod.rs
diff --git a/src/libcore/ptr/mut_ptr.rs b/src/libcore/ptr/mut_ptr.rs
diff --git a/src/libcore/ptr/non_null.rs b/src/libcore/ptr/non_null.rs
diff --git a/src/libcore/ptr/unique.rs b/src/libcore/ptr/unique.rs
diff --git a/src/libcore/slice/mod.rs b/src/libcore/slice/mod.rs
diff --git a/src/libcore/str/mod.rs b/src/libcore/str/mod.rs
diff --git a/src/libcore/sync/atomic.rs b/src/libcore/sync/atomic.rs

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-#![deny(unsafe_op_in_unsafe_fn)]`
`2`		`-`
`3`	`1`	`use super::{From, TryFrom};`
`4`	`2`	`use crate::num::TryFromIntError;`
`5`	`3`
Original file line number	Diff line number	Diff line change
`@@ -85,5 +85,7 @@ where`
`85`	`85`	`#[unstable(feature = "gen_future", issue = "50547")]`
`86`	`86`	`#[inline]`
`87`	`87`	`pub unsafe fn get_context<'a, 'b>(cx: ResumeTy) -> &'a mut Context<'b> {`
`88`		`- &mut *cx.0.as_ptr().cast()`
	`88`	+ // SAFETY: the caller must guarantee that `cx.0` is a valid pointer
	`89`	`+ // that fulfills all the requirements for a mutable reference.`
	`90`	`+ unsafe { &mut *cx.0.as_ptr().cast() }`
`89`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,9 @@ impl<T: ?Sized> *const T {`
`95`	`95`	`#[stable(feature = "ptr_as_ref", since = "1.9.0")]`
`96`	`96`	`#[inline]`
`97`	`97`	`pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {`
`98`		`- if self.is_null() { None } else { Some(&*self) }`
	`98`	+ // SAFETY: the caller must guarantee that `self` is valid
	`99`	`+ // for a reference if it isn't null.`
	`100`	`+ if self.is_null() { None } else { unsafe { Some(&*self) } }`
`99`	`101`	`}`
`100`	`102`
`101`	`103`	`/// Calculates the offset from a pointer.`
`@@ -157,7 +159,8 @@ impl<T: ?Sized> *const T {`
`157`	`159`	`where`
`158`	`160`	`T: Sized,`
`159`	`161`	`{`
`160`		`- intrinsics::offset(self, count)`
	`162`	+ // SAFETY: the caller must uphold the safety contract for `offset`.
	`163`	`+ unsafe { intrinsics::offset(self, count) }`
`161`	`164`	`}`
`162`	`165`
`163`	`166`	`/// Calculates the offset from a pointer using wrapping arithmetic.`
`@@ -292,7 +295,8 @@ impl<T: ?Sized> *const T {`
`292`	`295`	`{`
`293`	`296`	`let pointee_size = mem::size_of::<T>();`
`294`	`297`	`assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);`
`295`		`- intrinsics::ptr_offset_from(self, origin)`
	`298`	+ // SAFETY: the caller must uphold the safety contract for `ptr_offset_from`.
	`299`	`+ unsafe { intrinsics::ptr_offset_from(self, origin) }`
`296`	`300`	`}`
`297`	`301`
`298`	`302`	`/// Returns whether two pointers are guaranteed to be equal.`
`@@ -471,7 +475,8 @@ impl<T: ?Sized> *const T {`
`471`	`475`	`where`
`472`	`476`	`T: Sized,`
`473`	`477`	`{`
`474`		`- self.offset(count as isize)`
	`478`	+ // SAFETY: the caller must uphold the safety contract for `offset`.
	`479`	`+ unsafe { self.offset(count as isize) }`
`475`	`480`	`}`
`476`	`481`
`477`	`482`	`/// Calculates the offset from a pointer (convenience for`
`@@ -534,7 +539,8 @@ impl<T: ?Sized> *const T {`
`534`	`539`	`where`
`535`	`540`	`T: Sized,`
`536`	`541`	`{`
`537`		`- self.offset((count as isize).wrapping_neg())`
	`542`	+ // SAFETY: the caller must uphold the safety contract for `offset`.
	`543`	`+ unsafe { self.offset((count as isize).wrapping_neg()) }`
`538`	`544`	`}`
`539`	`545`
`540`	`546`	`/// Calculates the offset from a pointer using wrapping arithmetic.`
`@@ -663,7 +669,8 @@ impl<T: ?Sized> *const T {`
`663`	`669`	`where`
`664`	`670`	`T: Sized,`
`665`	`671`	`{`
`666`		`- read(self)`
	`672`	+ // SAFETY: the caller must uphold the safety contract for `read`.
	`673`	`+ unsafe { read(self) }`
`667`	`674`	`}`
`668`	`675`
`669`	`676`	/// Performs a volatile read of the value from `self` without moving it. This
`@@ -682,7 +689,8 @@ impl<T: ?Sized> *const T {`
`682`	`689`	`where`
`683`	`690`	`T: Sized,`
`684`	`691`	`{`
`685`		`- read_volatile(self)`
	`692`	+ // SAFETY: the caller must uphold the safety contract for `read_volatile`.
	`693`	`+ unsafe { read_volatile(self) }`
`686`	`694`	`}`
`687`	`695`
`688`	`696`	/// Reads the value from `self` without moving it. This leaves the
`@@ -699,7 +707,8 @@ impl<T: ?Sized> *const T {`
`699`	`707`	`where`
`700`	`708`	`T: Sized,`
`701`	`709`	`{`
`702`		`- read_unaligned(self)`
	`710`	+ // SAFETY: the caller must uphold the safety contract for `read_unaligned`.
	`711`	`+ unsafe { read_unaligned(self) }`
`703`	`712`	`}`
`704`	`713`
`705`	`714`	/// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
`@@ -716,7 +725,8 @@ impl<T: ?Sized> *const T {`
`716`	`725`	`where`
`717`	`726`	`T: Sized,`
`718`	`727`	`{`
`719`		`- copy(self, dest, count)`
	`728`	+ // SAFETY: the caller must uphold the safety contract for `copy`.
	`729`	`+ unsafe { copy(self, dest, count) }`
`720`	`730`	`}`
`721`	`731`
`722`	`732`	/// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
`@@ -733,7 +743,8 @@ impl<T: ?Sized> *const T {`
`733`	`743`	`where`
`734`	`744`	`T: Sized,`
`735`	`745`	`{`
`736`		`- copy_nonoverlapping(self, dest, count)`
	`746`	+ // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`.
	`747`	`+ unsafe { copy_nonoverlapping(self, dest, count) }`
`737`	`748`	`}`
`738`	`749`
`739`	`750`	`/// Computes the offset that needs to be applied to the pointer in order to make it aligned to`