Clarify safety properties of casts between [MaybeUninit<T>] <-> [T].

briansmith · briansmith · commit fd6209d496eb · 2024-05-22T15:35:43.000-07:00
Reduce the scope of the `unsafe` blocks to the unsafe operations.
diff --git a/src/util.rs b/src/util.rs
@@ -6,8 +6,15 @@ use core::{mem::MaybeUninit, ptr};
 /// been initialized.
 #[inline(always)]
 pub unsafe fn slice_assume_init_mut<T>(slice: &mut [MaybeUninit<T>]) -> &mut [T] {
-    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`.
-    &mut *(slice as *mut [MaybeUninit<T>] as *mut [T])
+    let ptr: *mut [MaybeUninit<T>] = slice;
+    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`
+    // and casting between two slice types of layout-compatible types is sound.
+    let ptr = ptr as *mut [T];
+    // SAFETY: ptr was soundly constructed from a valid `&mut` reference so it
+    // safe to dereference it if the caller has ensured every element of `slice`
+    // has been ininitialized.
+    #[allow(unused_unsafe)] // TODO(MSRV 1.65): Remove this.
+    unsafe { &mut *ptr }
 }
 
 #[inline]
@@ -18,10 +25,16 @@ pub fn uninit_slice_fill_zero(slice: &mut [MaybeUninit<u8>]) -> &mut [u8] {
 
 #[inline(always)]
 pub fn slice_as_uninit<T>(slice: &[T]) -> &[MaybeUninit<T>] {
-    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`.
-    // There is no risk of writing a `MaybeUninit<T>` into the result since
-    // the result isn't mutable.
-    unsafe { &*(slice as *const [T] as *const [MaybeUninit<T>]) }
+    let ptr: *const [T] = slice;
+    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`
+    // and casting between two slice types of layout-compatible types is sound.
+    let ptr = ptr as *const [MaybeUninit<T>];
+    // SAFETY:
+    //  * ptr was soundly constructed from a valid reference so it safe to
+    //    dereference it.
+    //  * There is no risk of writing a `MaybeUninit<T>` into the result
+    //    since the result isn't mutable.
+    unsafe { &*ptr }
 }
 
 /// View an mutable initialized array as potentially-uninitialized.
@@ -30,6 +43,15 @@ pub fn slice_as_uninit<T>(slice: &[T]) -> &[MaybeUninit<T>] {
 /// `slice`, which would be undefined behavior.
 #[inline(always)]
 pub unsafe fn slice_as_uninit_mut<T>(slice: &mut [T]) -> &mut [MaybeUninit<T>] {
-    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`.
-    &mut *(slice as *mut [T] as *mut [MaybeUninit<T>])
+    let ptr: *mut [T] = slice;
+    // SAFETY: `MaybeUninit<T>` is guaranteed to be layout-compatible with `T`
+    // and casting between two slice types of layout-compatible types is sound.
+    let ptr = ptr as *mut [MaybeUninit<T>];
+    // SAFETY:
+    //  * ptr was soundly constructed from a valid reference so it safe to
+    //    dereference it.
+    //  * There *IS* a risk of writing a `MaybeUninit<T>` into the result,
+    //    which is why this function is unsafe.
+    #[allow(unused_unsafe)] // TODO(MSRV 1.65): Remove this.
+    unsafe { &mut *ptr }
 }
