diff options
| author | Matthias Krüger <matthias.krueger@famsik.de> | 2025-02-16 17:14:03 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-02-16 17:14:03 +0100 |
| commit | 53b4c7c631544c6a156c30a7dfbdcfecbd846201 (patch) | |
| tree | e9612b6f3076bf247b18fccf6027f22d656558d1 /library | |
| parent | 23032f31c91f2bb74ba4be20e075fcc929f66527 (diff) | |
| parent | 28307554125f60440fcbf8076eee86f2ec1e4c1d (diff) | |
| download | rust-53b4c7c631544c6a156c30a7dfbdcfecbd846201.tar.gz rust-53b4c7c631544c6a156c30a7dfbdcfecbd846201.zip | |
Rollup merge of #136986 - ehuss:library-unsafe-fun, r=Noratrieb
Apply unsafe_op_in_unsafe_fn to the standard library This applies unsafe_op_in_unsafe_fn to the standard library in preparation for updating to Rust 2024. Closes https://github.com/rust-lang/rust/issues/127747 (I think?) cc ``@workingjubilee`` I have been testing a variety of targets, and I feel like they are all pretty much covered. I'll continue doing some testing async, but I don't expect to catch any more.
Diffstat (limited to 'library')
24 files changed, 181 insertions, 139 deletions
diff --git a/library/core/src/alloc/global.rs b/library/core/src/alloc/global.rs index 8f48af24557..5bf6f143b4f 100644 --- a/library/core/src/alloc/global.rs +++ b/library/core/src/alloc/global.rs @@ -70,7 +70,7 @@ use crate::{cmp, ptr}; /// { /// return null_mut(); /// }; -/// self.arena.get().cast::<u8>().add(allocated) +/// unsafe { self.arena.get().cast::<u8>().add(allocated) } /// } /// unsafe fn dealloc(&self, _ptr: *mut u8, _layout: Layout) {} /// } diff --git a/library/core/src/hint.rs b/library/core/src/hint.rs index 520b9941ae4..76afb3b8e20 100644 --- a/library/core/src/hint.rs +++ b/library/core/src/hint.rs @@ -52,7 +52,7 @@ use crate::{intrinsics, ub_checks}; /// // Safety: `divisor` can't be zero because of `prepare_inputs`, /// // but the compiler does not know about this. We *promise* /// // that we always call `prepare_inputs`. -/// std::hint::unreachable_unchecked() +/// unsafe { std::hint::unreachable_unchecked() } /// } /// // The compiler would normally introduce a check here that prevents /// // a division by zero. However, if `divisor` was zero, the branch diff --git a/library/core/src/intrinsics/mod.rs b/library/core/src/intrinsics/mod.rs index 6c9c6d0edc2..99c42f3626e 100644 --- a/library/core/src/intrinsics/mod.rs +++ b/library/core/src/intrinsics/mod.rs @@ -1703,12 +1703,12 @@ pub const fn forget<T: ?Sized>(_: T) { /// ``` /// struct R<'a>(&'a i32); /// unsafe fn extend_lifetime<'b>(r: R<'b>) -> R<'static> { -/// std::mem::transmute::<R<'b>, R<'static>>(r) +/// unsafe { std::mem::transmute::<R<'b>, R<'static>>(r) } /// } /// /// unsafe fn shorten_invariant_lifetime<'b, 'c>(r: &'b mut R<'static>) /// -> &'b mut R<'c> { -/// std::mem::transmute::<&'b mut R<'static>, &'b mut R<'c>>(r) +/// unsafe { std::mem::transmute::<&'b mut R<'static>, &'b mut R<'c>>(r) } /// } /// ``` /// @@ -4498,11 +4498,11 @@ pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: us /// /// // SAFETY: Our precondition ensures the source is aligned and valid, /// // and `Vec::with_capacity` ensures that we have usable space to write them. -/// ptr::copy(ptr, dst.as_mut_ptr(), elts); +/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); } /// /// // SAFETY: We created it with this much capacity earlier, /// // and the previous `copy` has initialized these elements. -/// dst.set_len(elts); +/// unsafe { dst.set_len(elts); } /// dst /// } /// ``` diff --git a/library/core/src/mem/maybe_uninit.rs b/library/core/src/mem/maybe_uninit.rs index 2c7f1d86341..edc39f8f28c 100644 --- a/library/core/src/mem/maybe_uninit.rs +++ b/library/core/src/mem/maybe_uninit.rs @@ -98,7 +98,7 @@ use crate::{fmt, intrinsics, ptr, slice}; /// /// unsafe fn make_vec(out: *mut Vec<i32>) { /// // `write` does not drop the old contents, which is important. -/// out.write(vec![1, 2, 3]); +/// unsafe { out.write(vec![1, 2, 3]); } /// } /// /// let mut v = MaybeUninit::uninit(); @@ -844,7 +844,7 @@ impl<T> MaybeUninit<T> { /// # #![allow(unexpected_cfgs)] /// use std::mem::MaybeUninit; /// - /// # unsafe extern "C" fn initialize_buffer(buf: *mut [u8; 1024]) { *buf = [0; 1024] } + /// # unsafe extern "C" fn initialize_buffer(buf: *mut [u8; 1024]) { unsafe { *buf = [0; 1024] } } /// # #[cfg(FALSE)] /// extern "C" { /// /// Initializes *all* the bytes of the input buffer. diff --git a/library/core/src/mem/transmutability.rs b/library/core/src/mem/transmutability.rs index 6a4f84c849c..7b920d7a777 100644 --- a/library/core/src/mem/transmutability.rs +++ b/library/core/src/mem/transmutability.rs @@ -32,7 +32,7 @@ use crate::marker::{ConstParamTy_, UnsizedConstParamTy}; /// src: ManuallyDrop::new(src), /// }; /// -/// let dst = transmute.dst; +/// let dst = unsafe { transmute.dst }; /// /// ManuallyDrop::into_inner(dst) /// } diff --git a/library/core/src/ptr/const_ptr.rs b/library/core/src/ptr/const_ptr.rs index 0c6eaf60d04..974946a7818 100644 --- a/library/core/src/ptr/const_ptr.rs +++ b/library/core/src/ptr/const_ptr.rs @@ -724,13 +724,13 @@ impl<T: ?Sized> *const T { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: *const i32, origin: *const i32, count: usize) -> bool { + /// # unsafe fn blah(ptr: *const i32, origin: *const i32, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety diff --git a/library/core/src/ptr/mut_ptr.rs b/library/core/src/ptr/mut_ptr.rs index d1b0104c0fa..94ebd0d2522 100644 --- a/library/core/src/ptr/mut_ptr.rs +++ b/library/core/src/ptr/mut_ptr.rs @@ -896,13 +896,13 @@ impl<T: ?Sized> *mut T { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: *mut i32, origin: *mut i32, count: usize) -> bool { + /// # unsafe fn blah(ptr: *mut i32, origin: *mut i32, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety diff --git a/library/core/src/ptr/non_null.rs b/library/core/src/ptr/non_null.rs index d93069d384e..f4ac00062d7 100644 --- a/library/core/src/ptr/non_null.rs +++ b/library/core/src/ptr/non_null.rs @@ -857,13 +857,13 @@ impl<T: ?Sized> NonNull<T> { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: std::ptr::NonNull<u32>, origin: std::ptr::NonNull<u32>, count: usize) -> bool { + /// # unsafe fn blah(ptr: std::ptr::NonNull<u32>, origin: std::ptr::NonNull<u32>, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety diff --git a/library/panic_abort/src/android.rs b/library/panic_abort/src/android.rs index 47c22834597..1cc2077d14b 100644 --- a/library/panic_abort/src/android.rs +++ b/library/panic_abort/src/android.rs @@ -16,9 +16,10 @@ type SetAbortMessageType = unsafe extern "C" fn(*const libc::c_char) -> (); // Weakly resolve the symbol for android_set_abort_message. This function is only available // for API >= 21. pub(crate) unsafe fn android_set_abort_message(payload: &mut dyn PanicPayload) { - let func_addr = + let func_addr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, ANDROID_SET_ABORT_MESSAGE.as_ptr() as *const libc::c_char) - as usize; + as usize + }; if func_addr == 0 { return; } @@ -37,13 +38,14 @@ pub(crate) unsafe fn android_set_abort_message(payload: &mut dyn PanicPayload) { // Allocate a new buffer to append the null byte. let size = msg.len() + 1usize; - let buf = libc::malloc(size) as *mut libc::c_char; + let buf = unsafe { libc::malloc(size) as *mut libc::c_char }; if buf.is_null() { return; // allocation failure } - copy_nonoverlapping(msg.as_ptr(), buf as *mut u8, msg.len()); - buf.add(msg.len()).write(0); - - let func = transmute::<usize, SetAbortMessageType>(func_addr); - func(buf); + unsafe { + copy_nonoverlapping(msg.as_ptr(), buf as *mut u8, msg.len()); + buf.add(msg.len()).write(0); + let func = transmute::<usize, SetAbortMessageType>(func_addr); + func(buf); + } } diff --git a/library/panic_abort/src/lib.rs b/library/panic_abort/src/lib.rs index 7718d68aef8..b2ad0f4ac3d 100644 --- a/library/panic_abort/src/lib.rs +++ b/library/panic_abort/src/lib.rs @@ -15,6 +15,7 @@ #![feature(staged_api)] #![feature(rustc_attrs)] #![allow(internal_features)] +#![deny(unsafe_op_in_unsafe_fn)] #[cfg(target_os = "android")] mod android; @@ -36,16 +37,22 @@ pub unsafe extern "C" fn __rust_panic_cleanup(_: *mut u8) -> *mut (dyn Any + Sen pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { // Android has the ability to attach a message as part of the abort. #[cfg(target_os = "android")] - android::android_set_abort_message(_payload); + unsafe { + android::android_set_abort_message(_payload); + } #[cfg(target_os = "zkvm")] - zkvm::zkvm_set_abort_message(_payload); + unsafe { + zkvm::zkvm_set_abort_message(_payload); + } - abort(); + unsafe { + abort(); + } cfg_if::cfg_if! { if #[cfg(any(unix, target_os = "solid_asp3"))] { unsafe fn abort() -> ! { - libc::abort(); + unsafe { libc::abort(); } } } else if #[cfg(any(target_os = "hermit", all(target_vendor = "fortanix", target_env = "sgx"), @@ -57,7 +64,7 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { unsafe extern "C" { pub fn __rust_abort() -> !; } - __rust_abort(); + unsafe { __rust_abort(); } } } else if #[cfg(all(windows, not(miri)))] { // On Windows, use the processor-specific __fastfail mechanism. In Windows 8 @@ -75,11 +82,17 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { const FAST_FAIL_FATAL_APP_EXIT: usize = 7; cfg_if::cfg_if! { if #[cfg(any(target_arch = "x86", target_arch = "x86_64"))] { - core::arch::asm!("int $$0x29", in("ecx") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!("int $$0x29", in("ecx") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else if #[cfg(all(target_arch = "arm", target_feature = "thumb-mode"))] { - core::arch::asm!(".inst 0xDEFB", in("r0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!(".inst 0xDEFB", in("r0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else if #[cfg(any(target_arch = "aarch64", target_arch = "arm64ec"))] { - core::arch::asm!("brk 0xF003", in("x0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!("brk 0xF003", in("x0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else { core::intrinsics::abort(); } @@ -93,7 +106,7 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { } unsafe fn abort() -> ! { - teeos::TEE_Panic(1); + unsafe { teeos::TEE_Panic(1); } } } else { unsafe fn abort() -> ! { diff --git a/library/panic_abort/src/zkvm.rs b/library/panic_abort/src/zkvm.rs index 11150eafd0b..7b1e89c6a8e 100644 --- a/library/panic_abort/src/zkvm.rs +++ b/library/panic_abort/src/zkvm.rs @@ -20,5 +20,7 @@ pub(crate) unsafe fn zkvm_set_abort_message(payload: &mut dyn PanicPayload) { fn sys_panic(msg_ptr: *const u8, len: usize) -> !; } - sys_panic(msg.as_ptr(), msg.len()); + unsafe { + sys_panic(msg.as_ptr(), msg.len()); + } } diff --git a/library/panic_unwind/src/emcc.rs b/library/panic_unwind/src/emcc.rs index 4140b004ad1..1569c26c9de 100644 --- a/library/panic_unwind/src/emcc.rs +++ b/library/panic_unwind/src/emcc.rs @@ -71,42 +71,46 @@ pub(crate) unsafe fn cleanup(ptr: *mut u8) -> Box<dyn Any + Send> { ptr: *mut u8, is_rust_panic: bool, } - let catch_data = &*(ptr as *mut CatchData); + unsafe { + let catch_data = &*(ptr as *mut CatchData); - let adjusted_ptr = __cxa_begin_catch(catch_data.ptr as *mut libc::c_void) as *mut Exception; - if !catch_data.is_rust_panic { - super::__rust_foreign_exception(); - } + let adjusted_ptr = __cxa_begin_catch(catch_data.ptr as *mut libc::c_void) as *mut Exception; + if !catch_data.is_rust_panic { + super::__rust_foreign_exception(); + } - let canary = (&raw const (*adjusted_ptr).canary).read(); - if !ptr::eq(canary, &EXCEPTION_TYPE_INFO) { - super::__rust_foreign_exception(); - } + let canary = (&raw const (*adjusted_ptr).canary).read(); + if !ptr::eq(canary, &EXCEPTION_TYPE_INFO) { + super::__rust_foreign_exception(); + } - let was_caught = (*adjusted_ptr).caught.swap(true, Ordering::Relaxed); - if was_caught { - // Since cleanup() isn't allowed to panic, we just abort instead. - intrinsics::abort(); + let was_caught = (*adjusted_ptr).caught.swap(true, Ordering::Relaxed); + if was_caught { + // Since cleanup() isn't allowed to panic, we just abort instead. + intrinsics::abort(); + } + let out = (*adjusted_ptr).data.take().unwrap(); + __cxa_end_catch(); + out } - let out = (*adjusted_ptr).data.take().unwrap(); - __cxa_end_catch(); - out } pub(crate) unsafe fn panic(data: Box<dyn Any + Send>) -> u32 { - let exception = __cxa_allocate_exception(mem::size_of::<Exception>()) as *mut Exception; - if exception.is_null() { - return uw::_URC_FATAL_PHASE1_ERROR as u32; + unsafe { + let exception = __cxa_allocate_exception(mem::size_of::<Exception>()) as *mut Exception; + if exception.is_null() { + return uw::_URC_FATAL_PHASE1_ERROR as u32; + } + ptr::write( + exception, + Exception { + canary: &EXCEPTION_TYPE_INFO, + caught: AtomicBool::new(false), + data: Some(data), + }, + ); + __cxa_throw(exception as *mut _, &EXCEPTION_TYPE_INFO, exception_cleanup); } - ptr::write( - exception, - Exception { - canary: &EXCEPTION_TYPE_INFO, - caught: AtomicBool::new(false), - data: Some(data), - }, - ); - __cxa_throw(exception as *mut _, &EXCEPTION_TYPE_INFO, exception_cleanup); } extern "C" fn exception_cleanup(ptr: *mut libc::c_void) -> *mut libc::c_void { diff --git a/library/panic_unwind/src/gcc.rs b/library/panic_unwind/src/gcc.rs index e478f6c5fc8..5f95870069d 100644 --- a/library/panic_unwind/src/gcc.rs +++ b/library/panic_unwind/src/gcc.rs @@ -69,7 +69,7 @@ pub(crate) unsafe fn panic(data: Box<dyn Any + Send>) -> u32 { cause: data, }); let exception_param = Box::into_raw(exception) as *mut uw::_Unwind_Exception; - return uw::_Unwind_RaiseException(exception_param) as u32; + return unsafe { uw::_Unwind_RaiseException(exception_param) as u32 }; extern "C" fn exception_cleanup( _unwind_code: uw::_Unwind_Reason_Code, @@ -83,26 +83,28 @@ pub(crate) unsafe fn panic(data: Box<dyn Any + Send>) -> u32 { } pub(crate) unsafe fn cleanup(ptr: *mut u8) -> Box<dyn Any + Send> { - let exception = ptr as *mut uw::_Unwind_Exception; - if (*exception).exception_class != RUST_EXCEPTION_CLASS { - uw::_Unwind_DeleteException(exception); - super::__rust_foreign_exception(); - } + unsafe { + let exception = ptr as *mut uw::_Unwind_Exception; + if (*exception).exception_class != RUST_EXCEPTION_CLASS { + uw::_Unwind_DeleteException(exception); + super::__rust_foreign_exception(); + } - let exception = exception.cast::<Exception>(); - // Just access the canary field, avoid accessing the entire `Exception` as - // it can be a foreign Rust exception. - let canary = (&raw const (*exception).canary).read(); - if !ptr::eq(canary, &CANARY) { - // A foreign Rust exception, treat it slightly differently from other - // foreign exceptions, because call into `_Unwind_DeleteException` will - // call into `__rust_drop_panic` which produces a confusing - // "Rust panic must be rethrown" message. - super::__rust_foreign_exception(); - } + let exception = exception.cast::<Exception>(); + // Just access the canary field, avoid accessing the entire `Exception` as + // it can be a foreign Rust exception. + let canary = (&raw const (*exception).canary).read(); + if !ptr::eq(canary, &CANARY) { + // A foreign Rust exception, treat it slightly differently from other + // foreign exceptions, because call into `_Unwind_DeleteException` will + // call into `__rust_drop_panic` which produces a confusing + // "Rust panic must be rethrown" message. + super::__rust_foreign_exception(); + } - let exception = Box::from_raw(exception as *mut Exception); - exception.cause + let exception = Box::from_raw(exception as *mut Exception); + exception.cause + } } // Rust's exception class identifier. This is used by personality routines to diff --git a/library/panic_unwind/src/hermit.rs b/library/panic_unwind/src/hermit.rs index 9719c133415..8f4562d07fc 100644 --- a/library/panic_unwind/src/hermit.rs +++ b/library/panic_unwind/src/hermit.rs @@ -9,12 +9,16 @@ pub(crate) unsafe fn cleanup(_ptr: *mut u8) -> Box<dyn Any + Send> { unsafe extern "C" { fn __rust_abort() -> !; } - __rust_abort(); + unsafe { + __rust_abort(); + } } pub(crate) unsafe fn panic(_data: Box<dyn Any + Send>) -> u32 { unsafe extern "C" { fn __rust_abort() -> !; } - __rust_abort(); + unsafe { + __rust_abort(); + } } diff --git a/library/panic_unwind/src/lib.rs b/library/panic_unwind/src/lib.rs index 45e2a466b4d..1111c2009b3 100644 --- a/library/panic_unwind/src/lib.rs +++ b/library/panic_unwind/src/lib.rs @@ -27,6 +27,7 @@ #![allow(internal_features)] #![cfg_attr(not(bootstrap), feature(cfg_emscripten_wasm_eh))] #![warn(unreachable_pub)] +#![deny(unsafe_op_in_unsafe_fn)] use alloc::boxed::Box; use core::any::Any; @@ -87,14 +88,16 @@ unsafe extern "C" { #[rustc_std_internal_symbol] #[allow(improper_ctypes_definitions)] pub unsafe extern "C" fn __rust_panic_cleanup(payload: *mut u8) -> *mut (dyn Any + Send + 'static) { - Box::into_raw(imp::cleanup(payload)) + unsafe { Box::into_raw(imp::cleanup(payload)) } } // Entry point for raising an exception, just delegates to the platform-specific // implementation. #[rustc_std_internal_symbol] pub unsafe fn __rust_start_panic(payload: &mut dyn PanicPayload) -> u32 { - let payload = Box::from_raw(payload.take_box()); + unsafe { + let payload = Box::from_raw(payload.take_box()); - imp::panic(payload) + imp::panic(payload) + } } diff --git a/library/panic_unwind/src/miri.rs b/library/panic_unwind/src/miri.rs index ec48b1105ab..d6d4af8218d 100644 --- a/library/panic_unwind/src/miri.rs +++ b/library/panic_unwind/src/miri.rs @@ -16,11 +16,11 @@ pub(crate) unsafe fn panic(payload: Box<dyn Any + Send>) -> u32 { // The payload we pass to `miri_start_unwind` will be exactly the argument we get // in `cleanup` below. So we just box it up once, to get something pointer-sized. let payload_box: Payload = Box::new(payload); - miri_start_unwind(Box::into_raw(payload_box) as *mut u8) + unsafe { miri_start_unwind(Box::into_raw(payload_box) as *mut u8) } } pub(crate) unsafe fn cleanup(payload_box: *mut u8) -> Box<dyn Any + Send> { // Recover the underlying `Box`. - let payload_box: Payload = Box::from_raw(payload_box as *mut _); + let payload_box: Payload = unsafe { Box::from_raw(payload_box as *mut _) }; *payload_box } diff --git a/library/panic_unwind/src/seh.rs b/library/panic_unwind/src/seh.rs index c8dfddf821e..3a95b940221 100644 --- a/library/panic_unwind/src/seh.rs +++ b/library/panic_unwind/src/seh.rs @@ -268,9 +268,11 @@ static mut TYPE_DESCRIPTOR: _TypeDescriptor = _TypeDescriptor { macro_rules! define_cleanup { ($abi:tt $abi2:tt) => { unsafe extern $abi fn exception_cleanup(e: *mut Exception) { - if let Exception { data: Some(b), .. } = e.read() { - drop(b); - super::__rust_drop_panic(); + unsafe { + if let Exception { data: Some(b), .. } = e.read() { + drop(b); + super::__rust_drop_panic(); + } } } unsafe extern $abi2 fn exception_copy( @@ -322,45 +324,51 @@ pub(crate) unsafe fn panic(data: Box<dyn Any + Send>) -> u32 { // // In any case, we basically need to do something like this until we can // express more operations in statics (and we may never be able to). - atomic_store_seqcst( - (&raw mut THROW_INFO.pmfnUnwind).cast(), - ptr_t::new(exception_cleanup as *mut u8).raw(), - ); - atomic_store_seqcst( - (&raw mut THROW_INFO.pCatchableTypeArray).cast(), - ptr_t::new((&raw mut CATCHABLE_TYPE_ARRAY).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE_ARRAY.arrayOfCatchableTypes[0]).cast(), - ptr_t::new((&raw mut CATCHABLE_TYPE).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE.pType).cast(), - ptr_t::new((&raw mut TYPE_DESCRIPTOR).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE.copyFunction).cast(), - ptr_t::new(exception_copy as *mut u8).raw(), - ); + unsafe { + atomic_store_seqcst( + (&raw mut THROW_INFO.pmfnUnwind).cast(), + ptr_t::new(exception_cleanup as *mut u8).raw(), + ); + atomic_store_seqcst( + (&raw mut THROW_INFO.pCatchableTypeArray).cast(), + ptr_t::new((&raw mut CATCHABLE_TYPE_ARRAY).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE_ARRAY.arrayOfCatchableTypes[0]).cast(), + ptr_t::new((&raw mut CATCHABLE_TYPE).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE.pType).cast(), + ptr_t::new((&raw mut TYPE_DESCRIPTOR).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE.copyFunction).cast(), + ptr_t::new(exception_copy as *mut u8).raw(), + ); + } unsafe extern "system-unwind" { fn _CxxThrowException(pExceptionObject: *mut c_void, pThrowInfo: *mut u8) -> !; } - _CxxThrowException(throw_ptr, (&raw mut THROW_INFO) as *mut _); + unsafe { + _CxxThrowException(throw_ptr, (&raw mut THROW_INFO) as *mut _); + } } pub(crate) unsafe fn cleanup(payload: *mut u8) -> Box<dyn Any + Send> { - // A null payload here means that we got here from the catch (...) of - // __rust_try. This happens when a non-Rust foreign exception is caught. - if payload.is_null() { - super::__rust_foreign_exception(); - } - let exception = payload as *mut Exception; - let canary = (&raw const (*exception).canary).read(); - if !core::ptr::eq(canary, &raw const TYPE_DESCRIPTOR) { - // A foreign Rust exception. - super::__rust_foreign_exception(); + unsafe { + // A null payload here means that we got here from the catch (...) of + // __rust_try. This happens when a non-Rust foreign exception is caught. + if payload.is_null() { + super::__rust_foreign_exception(); + } + let exception = payload as *mut Exception; + let canary = (&raw const (*exception).canary).read(); + if !core::ptr::eq(canary, &raw const TYPE_DESCRIPTOR) { + // A foreign Rust exception. + super::__rust_foreign_exception(); + } + (*exception).data.take().unwrap() } - (*exception).data.take().unwrap() } diff --git a/library/proc_macro/src/bridge/closure.rs b/library/proc_macro/src/bridge/closure.rs index 524fdf53d6b..e0e688434dc 100644 --- a/library/proc_macro/src/bridge/closure.rs +++ b/library/proc_macro/src/bridge/closure.rs @@ -19,7 +19,7 @@ struct Env; impl<'a, A, R, F: FnMut(A) -> R> From<&'a mut F> for Closure<'a, A, R> { fn from(f: &'a mut F) -> Self { unsafe extern "C" fn call<A, R, F: FnMut(A) -> R>(env: *mut Env, arg: A) -> R { - (*(env as *mut _ as *mut F))(arg) + unsafe { (*(env as *mut _ as *mut F))(arg) } } Closure { call: call::<A, R, F>, env: f as *mut _ as *mut Env, _marker: PhantomData } } diff --git a/library/proc_macro/src/lib.rs b/library/proc_macro/src/lib.rs index 6611ce30a1b..d9141eab591 100644 --- a/library/proc_macro/src/lib.rs +++ b/library/proc_macro/src/lib.rs @@ -33,6 +33,7 @@ #![deny(ffi_unwind_calls)] #![warn(rustdoc::unescaped_backticks)] #![warn(unreachable_pub)] +#![deny(unsafe_op_in_unsafe_fn)] #[unstable(feature = "proc_macro_internals", issue = "27812")] #[doc(hidden)] diff --git a/library/std/src/alloc.rs b/library/std/src/alloc.rs index 3936ed057e6..99d105a2454 100644 --- a/library/std/src/alloc.rs +++ b/library/std/src/alloc.rs @@ -20,11 +20,11 @@ //! //! unsafe impl GlobalAlloc for MyAllocator { //! unsafe fn alloc(&self, layout: Layout) -> *mut u8 { -//! System.alloc(layout) +//! unsafe { System.alloc(layout) } //! } //! //! unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) { -//! System.dealloc(ptr, layout) +//! unsafe { System.dealloc(ptr, layout) } //! } //! } //! @@ -102,7 +102,7 @@ pub use alloc_crate::alloc::*; /// /// unsafe impl GlobalAlloc for Counter { /// unsafe fn alloc(&self, layout: Layout) -> *mut u8 { -/// let ret = System.alloc(layout); +/// let ret = unsafe { System.alloc(layout) }; /// if !ret.is_null() { /// ALLOCATED.fetch_add(layout.size(), Relaxed); /// } @@ -110,7 +110,7 @@ pub use alloc_crate::alloc::*; /// } /// /// unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) { -/// System.dealloc(ptr, layout); +/// unsafe { System.dealloc(ptr, layout); } /// ALLOCATED.fetch_sub(layout.size(), Relaxed); /// } /// } diff --git a/library/std/src/sys/pal/teeos/thread.rs b/library/std/src/sys/pal/teeos/thread.rs index c779c5f3ed8..e3b4908f858 100644 --- a/library/std/src/sys/pal/teeos/thread.rs +++ b/library/std/src/sys/pal/teeos/thread.rs @@ -56,7 +56,7 @@ impl Thread { } }; - let ret = libc::pthread_create(&mut native, &attr, thread_start, p as *mut _); + let ret = unsafe { libc::pthread_create(&mut native, &attr, thread_start, p as *mut _) }; // Note: if the thread creation fails and this assert fails, then p will // be leaked. However, an alternative design could cause double-free // which is clearly worse. diff --git a/library/std/src/sys/pal/windows/stack_overflow_uwp.rs b/library/std/src/sys/pal/windows/stack_overflow_uwp.rs index 9e9b3efaf1b..6f1ea12fc1e 100644 --- a/library/std/src/sys/pal/windows/stack_overflow_uwp.rs +++ b/library/std/src/sys/pal/windows/stack_overflow_uwp.rs @@ -1,4 +1,4 @@ #![cfg_attr(test, allow(dead_code))] -pub unsafe fn reserve_stack() {} -pub unsafe fn init() {} +pub fn reserve_stack() {} +pub fn init() {} diff --git a/library/unwind/src/lib.rs b/library/unwind/src/lib.rs index 2650b273a4d..761f9248446 100644 --- a/library/unwind/src/lib.rs +++ b/library/unwind/src/lib.rs @@ -9,6 +9,7 @@ )] #![allow(internal_features)] #![cfg_attr(not(bootstrap), feature(cfg_emscripten_wasm_eh))] +#![deny(unsafe_op_in_unsafe_fn)] // Force libc to be included even if unused. This is required by many platforms. #[cfg(not(all(windows, target_env = "msvc")))] diff --git a/library/unwind/src/libunwind.rs b/library/unwind/src/libunwind.rs index 62165f8a200..1a640bbde71 100644 --- a/library/unwind/src/libunwind.rs +++ b/library/unwind/src/libunwind.rs @@ -218,36 +218,38 @@ if #[cfg(any(target_vendor = "apple", target_os = "netbsd", not(target_arch = "a pub unsafe fn _Unwind_GetGR(ctx: *mut _Unwind_Context, reg_index: c_int) -> _Unwind_Word { let mut val: _Unwind_Word = core::ptr::null(); - _Unwind_VRS_Get(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, - (&raw mut val) as *mut c_void); + unsafe { _Unwind_VRS_Get(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, + (&raw mut val) as *mut c_void); } val } pub unsafe fn _Unwind_SetGR(ctx: *mut _Unwind_Context, reg_index: c_int, value: _Unwind_Word) { let mut value = value; - _Unwind_VRS_Set(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, - (&raw mut value) as *mut c_void); + unsafe { _Unwind_VRS_Set(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, + (&raw mut value) as *mut c_void); } } pub unsafe fn _Unwind_GetIP(ctx: *mut _Unwind_Context) -> _Unwind_Word { - let val = _Unwind_GetGR(ctx, UNWIND_IP_REG); + let val = unsafe { _Unwind_GetGR(ctx, UNWIND_IP_REG) }; val.map_addr(|v| v & !1) } pub unsafe fn _Unwind_SetIP(ctx: *mut _Unwind_Context, value: _Unwind_Word) { // Propagate thumb bit to instruction pointer - let thumb_state = _Unwind_GetGR(ctx, UNWIND_IP_REG).addr() & 1; + let thumb_state = unsafe { _Unwind_GetGR(ctx, UNWIND_IP_REG).addr() & 1 }; let value = value.map_addr(|v| v | thumb_state); - _Unwind_SetGR(ctx, UNWIND_IP_REG, value); + unsafe { _Unwind_SetGR(ctx, UNWIND_IP_REG, value); } } pub unsafe fn _Unwind_GetIPInfo(ctx: *mut _Unwind_Context, ip_before_insn: *mut c_int) -> _Unwind_Word { - *ip_before_insn = 0; - _Unwind_GetIP(ctx) + unsafe { + *ip_before_insn = 0; + _Unwind_GetIP(ctx) + } } // This function also doesn't exist on Android or ARM/Linux, so make it a no-op |