Use unsafe blocks in unsafe functions

Needed for Rust 2024.
Thomasdezeeuw · Mar 1, 2025 · 2c3c842 · 2c3c842
1 parent 5e9065d
commit 2c3c842
Show file tree

Hide file tree

Showing 10 changed files with 48 additions and 44 deletions.
diff --git a/src/drop_waker.rs b/src/drop_waker.rs
@@ -45,7 +45,7 @@ impl<T: DropWake> DropWake for UnsafeCell<T> {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        T::drop_from_waker_data(data);
+        unsafe { T::drop_from_waker_data(data) };
     }
 }
 
@@ -55,7 +55,7 @@ impl<T> DropWake for Box<T> {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        drop(Box::<T>::from_raw(data.cast_mut().cast()));
+        drop(unsafe { Box::<T>::from_raw(data.cast_mut().cast()) });
     }
 }
 
@@ -65,7 +65,7 @@ impl DropWake for CString {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        drop(CString::from_raw(data.cast_mut().cast()));
+        drop(unsafe { CString::from_raw(data.cast_mut().cast()) });
     }
 }
 
@@ -75,7 +75,7 @@ impl<A> DropWake for AddressStorage<Box<A>> {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        Box::<A>::drop_from_waker_data(data);
+        unsafe { Box::<A>::drop_from_waker_data(data) };
     }
 }
 
@@ -85,7 +85,7 @@ impl DropWake for ReadBufPool {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        drop(ReadBufPool::from_raw(data));
+        drop(unsafe { ReadBufPool::from_raw(data) });
     }
 }
 
@@ -107,7 +107,7 @@ impl<T, U> DropWake for (T, U) {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        Box::<(T, U)>::drop_from_waker_data(data);
+        unsafe { Box::<(T, U)>::drop_from_waker_data(data) };
     }
 }
 
@@ -117,7 +117,7 @@ impl<T, U, V> DropWake for (T, U, V) {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        Box::<(T, U, V)>::drop_from_waker_data(data);
+        unsafe { Box::<(T, U, V)>::drop_from_waker_data(data) };
     }
 }
 
@@ -127,6 +127,6 @@ impl<B> DropWake for Buffer<B> {
     }
 
     unsafe fn drop_from_waker_data(data: *const ()) {
-        Box::<B>::drop_from_waker_data(data);
+        unsafe { Box::<B>::drop_from_waker_data(data) };
     }
 }
diff --git a/src/fd.rs b/src/fd.rs
@@ -69,7 +69,8 @@ impl AsyncFd<File> {
     /// The caller must ensure that `fd` is valid and that it's no longer used
     /// by anything other than the returned `AsyncFd`.
     pub unsafe fn from_raw_fd(fd: RawFd, sq: SubmissionQueue) -> AsyncFd {
-        AsyncFd::new(OwnedFd::from_raw_fd(fd), sq)
+        // SAFETY: caller must ensure that `fd` is valid.
+        AsyncFd::new(unsafe { OwnedFd::from_raw_fd(fd) }, sq)
     }
 
     /// Creates a new independently owned `AsyncFd` that shares the same
@@ -95,7 +96,8 @@ impl<D: Descriptor> AsyncFd<D> {
     /// on `D`.
     pub(crate) unsafe fn from_raw(fd: RawFd, sq: SubmissionQueue) -> AsyncFd<D> {
         AsyncFd {
-            fd: ManuallyDrop::new(OwnedFd::from_raw_fd(fd)),
+            // SAFETY: caller must ensure that `fd` is valid.
+            fd: ManuallyDrop::new(unsafe { OwnedFd::from_raw_fd(fd) }),
             sq,
             kind: PhantomData,
         }

diff --git a/src/io/mod.rs b/src/io/mod.rs
@@ -701,12 +701,12 @@ pub(crate) struct ReadNBuf<B> {
 
 unsafe impl<B: BufMut> BufMut for ReadNBuf<B> {
     unsafe fn parts_mut(&mut self) -> (*mut u8, u32) {
-        self.buf.parts_mut()
+        unsafe { self.buf.parts_mut() }
     }
 
     unsafe fn set_init(&mut self, n: usize) {
         self.last_read = n;
-        self.buf.set_init(n);
+        unsafe { self.buf.set_init(n) };
     }
 
     fn buffer_group(&self) -> Option<BufGroupId> {
@@ -715,18 +715,18 @@ unsafe impl<B: BufMut> BufMut for ReadNBuf<B> {
 
     unsafe fn buffer_init(&mut self, id: BufId, n: u32) {
         self.last_read = n as usize;
-        self.buf.buffer_init(id, n);
+        unsafe { self.buf.buffer_init(id, n) };
     }
 }
 
 unsafe impl<B: BufMutSlice<N>, const N: usize> BufMutSlice<N> for ReadNBuf<B> {
     unsafe fn as_iovecs_mut(&mut self) -> [IoMutSlice; N] {
-        self.buf.as_iovecs_mut()
+        unsafe { self.buf.as_iovecs_mut() }
     }
 
     unsafe fn set_init(&mut self, n: usize) {
         self.last_read = n;
-        self.buf.set_init(n);
+        unsafe { self.buf.set_init(n) };
     }
 }
 
@@ -740,11 +740,11 @@ pub(crate) struct SkipBuf<B> {
 
 unsafe impl<B: Buf> Buf for SkipBuf<B> {
     unsafe fn parts(&self) -> (*const u8, u32) {
-        let (ptr, size) = self.buf.parts();
+        let (ptr, size) = unsafe { self.buf.parts() };
         if self.skip >= size {
             (ptr, 0)
         } else {
-            (ptr.add(self.skip as usize), size - self.skip)
+            (unsafe { ptr.add(self.skip as usize) }, size - self.skip)
         }
     }
 }

diff --git a/src/io/read_buf.rs b/src/io/read_buf.rs
@@ -78,7 +78,7 @@ impl ReadBufPool {
             // buffer.
             None
         } else {
-            Some(self.shared.init_buffer(id, n))
+            Some(unsafe { self.shared.init_buffer(id, n) })
         };
         ReadBuf {
             shared: self.shared.clone(),
@@ -100,7 +100,7 @@ impl ReadBufPool {
     /// [`DropWake`]: crate::drop_waker::DropWake
     pub(crate) unsafe fn from_raw(ptr: *const ()) -> ReadBufPool {
         ReadBufPool {
-            shared: Arc::from_raw(ptr.cast_mut().cast()),
+            shared: unsafe { Arc::from_raw(ptr.cast_mut().cast()) },
         }
     }
 }
@@ -322,7 +322,7 @@ unsafe impl BufMut for ReadBuf {
     unsafe fn parts_mut(&mut self) -> (*mut u8, u32) {
         if let Some(ptr) = self.owned {
             let len = (self.capacity() - ptr.len()) as u32;
-            (ptr.cast::<u8>().add(ptr.len()).as_ptr(), len)
+            unsafe { (ptr.cast::<u8>().add(ptr.len()).as_ptr(), len) }
         } else {
             (ptr::null_mut(), self.capacity() as u32)
         }
@@ -348,7 +348,7 @@ unsafe impl BufMut for ReadBuf {
             debug_assert!(id.0 == 0);
             self.owned = Some(change_size(ptr, ptr.len() + n as usize));
         } else {
-            self.owned = Some(self.shared.init_buffer(id, n));
+            self.owned = Some(unsafe { self.shared.init_buffer(id, n) });
         }
     }
 }

diff --git a/src/io/traits.rs b/src/io/traits.rs
@@ -80,7 +80,7 @@ pub unsafe trait BufMut: 'static {
     #[allow(private_interfaces)]
     unsafe fn buffer_init(&mut self, id: BufId, n: u32) {
         debug_assert!(id.0 == 0);
-        self.set_init(n as usize);
+        unsafe { self.set_init(n as usize) };
     }
 }
 
@@ -108,7 +108,7 @@ unsafe impl BufMut for Vec<u8> {
     }
 
     unsafe fn set_init(&mut self, n: usize) {
-        self.set_len(self.len() + n);
+        unsafe { self.set_len(self.len() + n) };
     }
 }
 
@@ -187,7 +187,7 @@ unsafe impl<B: BufMut, const N: usize> BufMutSlice<N> for [B; N] {
                 buf.buffer_group().is_none(),
                 "can't use a10::ReadBuf as a10::BufMutSlice in vectored I/O",
             );
-            iovec.write(IoMutSlice::new(buf));
+            iovec.write(unsafe { IoMutSlice::new(buf) });
         }
         // SAFETY: `MaybeUninit<IoMutSlice>` and `IoMutSlice` have the same
         // layout as guaranteed by `MaybeUninit`.
@@ -197,15 +197,15 @@ unsafe impl<B: BufMut, const N: usize> BufMutSlice<N> for [B; N] {
     unsafe fn set_init(&mut self, n: usize) {
         let mut left = n;
         for buf in self {
-            let (_, len) = buf.parts_mut();
+            let (_, len) = unsafe { buf.parts_mut() };
             let len = len as usize;
             if len < left {
                 // Fully initialised the buffer.
-                buf.set_init(len);
+                unsafe { buf.set_init(len) };
                 left -= len;
             } else {
                 // Partially initialised the buffer.
-                buf.set_init(left);
+                unsafe { buf.set_init(left) };
                 return;
             }
         }
@@ -350,7 +350,7 @@ unsafe impl<B: Buf, const N: usize> BufSlice<N> for [B; N] {
     unsafe fn as_iovecs(&self) -> [IoSlice; N] {
         let mut iovecs = [const { MaybeUninit::uninit() }; N];
         for (buf, iovec) in self.iter().zip(iovecs.iter_mut()) {
-            iovec.write(IoSlice::new(buf));
+            iovec.write(unsafe { IoSlice::new(buf) });
         }
         // SAFETY: `MaybeUninit<IoSlice>` and `IoSlice` have the same layout as
         // guaranteed by `MaybeUninit`.
@@ -376,23 +376,23 @@ macro_rules! buf_slice_for_tuple {
                             self.$index.buffer_group().is_none(),
                             "can't use a10::ReadBuf as a10::BufMutSlice in vectored I/O"
                         );
-                        IoMutSlice::new(&mut self.$index)
+                        unsafe { IoMutSlice::new(&mut self.$index) }
                     }),+
                 ]
             }
 
             unsafe fn set_init(&mut self, n: usize) {
                 let mut left = n;
                 $({
-                    let (_, len) = self.$index.parts_mut();
+                    let (_, len) = unsafe { self.$index.parts_mut() };
                     let len = len as usize;
                     if len < left {
                         // Fully initialised the buffer.
-                        self.$index.set_init(len);
+                        unsafe { self.$index.set_init(len) };
                         left -= len;
                     } else {
                         // Partially initialised the buffer.
-                        self.$index.set_init(left);
+                        unsafe { self.$index.set_init(left) };
                         return;
                     }
                 })+
@@ -410,7 +410,7 @@ macro_rules! buf_slice_for_tuple {
             unsafe fn as_iovecs(&self) -> [IoSlice; $N] {
                 [
                     $({
-                        IoSlice::new(&self.$index)
+                        unsafe { IoSlice::new(&self.$index) }
                     }),+
                 ]
             }

diff --git a/src/io_uring/io.rs b/src/io_uring/io.rs
@@ -147,7 +147,7 @@ impl ReadBufPool {
     }
 
     pub(crate) unsafe fn init_buffer(&self, id: BufId, n: u32) -> NonNull<[u8]> {
-        let addr = self.bufs_addr.add(id.0 as usize * self.buf_size());
+        let addr = unsafe { self.bufs_addr.add(id.0 as usize * self.buf_size()) };
         log::trace!(buffer_group = self.id.0, buffer = id.0, addr:? = addr, len = n; "initialised buffer");
         // SAFETY: `bufs_addr` is not NULL.
         let addr = unsafe { NonNull::new_unchecked(addr) };
@@ -162,8 +162,10 @@ impl ReadBufPool {
         // of our buffer, and `bufs_addr`, which points to the start of the
         // pool, by calculating the difference and dividing it by the buffer
         // size.
-        let buf_id = ((ptr.as_ptr().cast::<u8>().offset_from(self.bufs_addr) as usize)
-            / (self.buf_size as usize)) as u16;
+        let buf_id = unsafe {
+            ((ptr.as_ptr().cast::<u8>().offset_from(self.bufs_addr) as usize)
+                / (self.buf_size as usize)) as u16
+        };
 
         // Because we need to fill the `ring_buf` and then atomatically update
         // the `ring_tail` we do it while holding a lock.

diff --git a/src/io_uring/mod.rs b/src/io_uring/mod.rs
@@ -399,5 +399,5 @@ pub(crate) fn munmap(addr: *mut libc::c_void, len: libc::size_t) -> io::Result<(
 
 /// Load a `u32` using relaxed ordering from `ptr`.
 unsafe fn load_atomic_u32(ptr: *mut libc::c_void) -> u32 {
-    (*ptr.cast::<AtomicU32>()).load(Ordering::Relaxed)
+    unsafe { (*ptr.cast::<AtomicU32>()).load(Ordering::Relaxed) }
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -324,7 +324,7 @@ impl SubmissionQueue {
     ) -> MutexGuard<
         Option<QueuedOperation<<<<sys::Implementation as Implementation>::Completions as cq::Completions>::Event as cq::Event>::State>>,
     >{
-        self.inner.get_op(op_id)
+        unsafe { self.inner.get_op(op_id) }
     }
 
     /// See [`sq::Queue::make_op_available`].
@@ -336,7 +336,7 @@ impl SubmissionQueue {
         Option<QueuedOperation<<<<sys::Implementation as Implementation>::Completions as cq::Completions>::Event as cq::Event>::State>>,
     >,
     ) {
-        self.inner.make_op_available(op_id, op);
+        unsafe { self.inner.make_op_available(op_id, op) };
     }
 }
 

diff --git a/src/net.rs b/src/net.rs
@@ -857,10 +857,10 @@ impl private::SocketAddress for SocketAddr {
         debug_assert!(length as usize >= size_of::<libc::sa_family_t>());
         let family = unsafe { ptr::addr_of!((*storage.as_ptr()).sin6_family).read() };
         if family == libc::AF_INET as libc::sa_family_t {
-            let storage = storage.as_ptr().cast::<libc::sockaddr_in>().read();
-            SocketAddrV4::init(MaybeUninit::new(storage), length).into()
+            let storage = unsafe { storage.as_ptr().cast::<libc::sockaddr_in>().read() };
+            unsafe { SocketAddrV4::init(MaybeUninit::new(storage), length).into() }
         } else {
-            SocketAddrV6::init(storage, length).into()
+            unsafe { SocketAddrV6::init(storage, length).into() }
         }
     }
 }
@@ -995,7 +995,7 @@ impl private::SocketAddress for unix::net::SocketAddr {
         debug_assert!(length as usize >= size_of::<libc::sa_family_t>());
         let family = unsafe { ptr::addr_of!((*storage.as_ptr()).sun_family).read() };
         debug_assert!(family == libc::AF_UNIX as libc::sa_family_t);
-        let path_ptr = ptr::addr_of!((*storage.as_ptr()).sun_path);
+        let path_ptr = unsafe { ptr::addr_of!((*storage.as_ptr()).sun_path) };
         let length = length as usize - (storage.as_ptr().addr() - path_ptr.addr());
         // SAFETY: the kernel ensures that at least `length` bytes are
         // initialised.

diff --git a/src/sq.rs b/src/sq.rs
@@ -117,7 +117,7 @@ impl<I: Implementation> Queue<I> {
     where
         F: FnOnce(&mut <I::Submissions as Submissions>::Submission),
     {
-        self.submit_with_id(op_id, fill)
+        unsafe { self.submit_with_id(op_id, fill) }
     }
 
     /// Add a new submission using an existing operation `id`.