Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document unsafety in core::{panicking, alloc::layout, hint, iter::adapters::zip} #71492

Merged
merged 1 commit into from
Apr 24, 2020
Merged

Document unsafety in core::{panicking, alloc::layout, hint, iter::adapters::zip} #71492

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 8 additions & 10 deletions src/libcore/alloc/layout.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
// ignore-tidy-undocumented-unsafe

use crate::cmp;
use crate::fmt;
use crate::mem;
Expand Down Expand Up @@ -77,6 +75,8 @@ impl Layout {
return Err(LayoutErr { private: () });
}

// SAFETY: the conditions for `from_size_align_unchecked` have been
// checked above.
unsafe { Ok(Layout::from_size_align_unchecked(size, align)) }
}

Expand Down Expand Up @@ -115,7 +115,7 @@ impl Layout {
#[inline]
pub const fn new<T>() -> Self {
let (size, align) = size_align::<T>();
// Note that the align is guaranteed by rustc to be a power of two and
// SAFETY: the align is guaranteed by Rust to be a power of two and
// the size+align combo is guaranteed to fit in our address space. As a
// result use the unchecked constructor here to avoid inserting code
// that panics if it isn't optimized well enough.
Expand All @@ -129,8 +129,8 @@ impl Layout {
#[inline]
pub fn for_value<T: ?Sized>(t: &T) -> Self {
let (size, align) = (mem::size_of_val(t), mem::align_of_val(t));
// See rationale in `new` for why this is using an unsafe variant below
debug_assert!(Layout::from_size_align(size, align).is_ok());
// SAFETY: see rationale in `new` for why this is using an unsafe variant below
unsafe { Layout::from_size_align_unchecked(size, align) }
}

Expand All @@ -143,7 +143,7 @@ impl Layout {
#[unstable(feature = "alloc_layout_extra", issue = "55724")]
#[inline]
pub const fn dangling(&self) -> NonNull<u8> {
// align is non-zero and a power of two
// SAFETY: align is guaranteed to be non-zero
unsafe { NonNull::new_unchecked(self.align() as *mut u8) }
}

Expand Down Expand Up @@ -249,11 +249,9 @@ impl Layout {
let padded_size = self.size() + self.padding_needed_for(self.align());
let alloc_size = padded_size.checked_mul(n).ok_or(LayoutErr { private: () })?;

unsafe {
// self.align is already known to be valid and alloc_size has been
// padded already.
Ok((Layout::from_size_align_unchecked(alloc_size, self.align()), padded_size))
}
// SAFETY: self.align is already known to be valid and alloc_size has been
// padded already.
unsafe { Ok((Layout::from_size_align_unchecked(alloc_size, self.align()), padded_size)) }
}

/// Creates a layout describing the record for `self` followed by
Expand Down
9 changes: 7 additions & 2 deletions src/libcore/hint.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,6 @@

//! Hints to compiler that affects how code should be emitted or optimized.

// ignore-tidy-undocumented-unsafe

use crate::intrinsics;

/// Informs the compiler that this point in the code is not reachable, enabling
Expand Down Expand Up @@ -68,11 +66,13 @@ pub fn spin_loop() {
{
#[cfg(target_arch = "x86")]
{
// SAFETY: the `cfg` attr ensures that we only execute this on x86 targets.
unsafe { crate::arch::x86::_mm_pause() };
}

#[cfg(target_arch = "x86_64")]
{
// SAFETY: the `cfg` attr ensures that we only execute this on x86_64 targets.
unsafe { crate::arch::x86_64::_mm_pause() };
}
}
Expand All @@ -81,10 +81,13 @@ pub fn spin_loop() {
{
#[cfg(target_arch = "aarch64")]
{
// SAFETY: the `cfg` attr ensures that we only execute this on aarch64 targets.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we have this setup so strangely? Can we "unwrap" these inner cfg's?

AFAICT we should also be able to do the same for the x86/x86_64 cfg's, just gating on target_feature = "sse2" in the wrapper (or inlining that).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be done in a separate PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, just leaving feedback in case you're up for making that PR :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a low-effort low-hanging fruit. Yum!

unsafe { crate::arch::aarch64::__yield() };
}
#[cfg(target_arch = "arm")]
{
// SAFETY: the `cfg` attr ensures that we only execute this on arm targets
// with support for the v6 feature.
unsafe { crate::arch::arm::__yield() };
}
}
Expand Down Expand Up @@ -112,6 +115,8 @@ pub fn black_box<T>(dummy: T) -> T {
// this. LLVM's interpretation of inline assembly is that it's, well, a black
// box. This isn't the greatest implementation since it probably deoptimizes
// more than we want, but it's so far good enough.

// SAFETY: the inline assembly is a no-op.
unsafe {
llvm_asm!("" : : "r"(&dummy));
dummy
Expand Down
10 changes: 8 additions & 2 deletions src/libcore/iter/adapters/zip.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
// ignore-tidy-undocumented-unsafe

use crate::cmp;

use super::super::{DoubleEndedIterator, ExactSizeIterator, FusedIterator, Iterator, TrustedLen};
Expand Down Expand Up @@ -176,9 +174,11 @@ where
if self.index < self.len {
let i = self.index;
self.index += 1;
// SAFETY: `i` is smaller than `self.len`, thus smaller than `self.a.len()` and `self.b.len()`
unsafe { Some((self.a.get_unchecked(i), self.b.get_unchecked(i))) }
} else if A::may_have_side_effect() && self.index < self.a.len() {
// match the base implementation's potential side effects
// SAFETY: we just checked that `self.index` < `self.a.len()`
unsafe {
self.a.get_unchecked(self.index);
}
Expand All @@ -203,11 +203,15 @@ where
let i = self.index;
self.index += 1;
if A::may_have_side_effect() {
// SAFETY: the usage of `cmp::min` to calculate `delta`
// ensures that `end` is smaller than or equal to `self.len`,
// so `i` is also smaller than `self.len`.
unsafe {
self.a.get_unchecked(i);
}
}
if B::may_have_side_effect() {
// SAFETY: same as above.
unsafe {
self.b.get_unchecked(i);
}
Expand Down Expand Up @@ -243,6 +247,8 @@ where
if self.index < self.len {
self.len -= 1;
let i = self.len;
// SAFETY: `i` is smaller than the previous value of `self.len`,
// which is also smaller than or equal to `self.a.len()` and `self.b.len()`
unsafe { Some((self.a.get_unchecked(i), self.b.get_unchecked(i))) }
} else {
None
Expand Down
7 changes: 5 additions & 2 deletions src/libcore/panicking.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,6 @@
//! necessary lang items for the compiler. All panics are funneled through this
//! one function. The actual symbol is declared through the `#[panic_handler]` attribute.

// ignore-tidy-undocumented-unsafe

#![allow(dead_code, missing_docs)]
#![unstable(
feature = "core_panic",
Expand All @@ -41,6 +39,7 @@ use crate::panic::{Location, PanicInfo};
#[lang = "panic"] // needed by codegen for panic on overflow and other `Assert` MIR terminators
pub fn panic(expr: &str) -> ! {
if cfg!(feature = "panic_immediate_abort") {
// SAFETY: the `abort` intrinsic has no requirements to be called.
unsafe { super::intrinsics::abort() }
}

Expand All @@ -63,6 +62,7 @@ pub fn panic(expr: &str) -> ! {
#[lang = "panic_bounds_check"] // needed by codegen for panic on OOB array/slice access
fn panic_bounds_check(index: usize, len: usize) -> ! {
if cfg!(feature = "panic_immediate_abort") {
// SAFETY: the `abort` intrinsic has no requirements to be called.
unsafe { super::intrinsics::abort() }
}

Expand All @@ -77,6 +77,7 @@ fn panic_bounds_check(index: usize, len: usize) -> ! {
#[lang = "panic_bounds_check"] // needed by codegen for panic on OOB array/slice access
fn panic_bounds_check(location: &Location<'_>, index: usize, len: usize) -> ! {
if cfg!(feature = "panic_immediate_abort") {
// SAFETY: the `abort` intrinsic has no requirements to be called.
unsafe { super::intrinsics::abort() }
}

Expand All @@ -93,6 +94,7 @@ fn panic_bounds_check(location: &Location<'_>, index: usize, len: usize) -> ! {
#[cfg_attr(not(bootstrap), track_caller)]
pub fn panic_fmt(fmt: fmt::Arguments<'_>, #[cfg(bootstrap)] location: &Location<'_>) -> ! {
if cfg!(feature = "panic_immediate_abort") {
// SAFETY: the `abort` intrinsic has no requirements to be called.
unsafe { super::intrinsics::abort() }
}

Expand All @@ -108,5 +110,6 @@ pub fn panic_fmt(fmt: fmt::Arguments<'_>, #[cfg(bootstrap)] location: &Location<
#[cfg(not(bootstrap))]
let pi = PanicInfo::internal_constructor(Some(&fmt), Location::caller());

// SAFETY: `panic_impl` is defined in safe Rust code and thus is safe to call.
unsafe { panic_impl(&pi) }
}