Skip to content

Commit

Permalink
Add some safety comments (#4288)
Browse files Browse the repository at this point in the history
  • Loading branch information
Manishearth authored Nov 14, 2023
1 parent 57692e3 commit 62ccc20
Show file tree
Hide file tree
Showing 5 changed files with 15 additions and 3 deletions.
4 changes: 4 additions & 0 deletions components/casemap/src/provider/exceptions.rs
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,10 @@ impl ExceptionULE {
#[inline]
fn empty_exception() -> &'static Self {
static EMPTY_BYTES: &[u8] = &[0, 0];
// Safety:
// ExceptionULE is a packed DST with `(u8, u8, unsized)` fields. All bit patterns are valid for the two u8s
//
// An "empty" one can be constructed from a slice of two u8s
unsafe {
let slice: *const [u8] = ptr::slice_from_raw_parts(EMPTY_BYTES.as_ptr(), 0);
&*(slice as *const Self)
Expand Down
3 changes: 2 additions & 1 deletion components/list/src/provider/serde_dfa.rs
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ impl databake::Bake for SerdeDFA<'_> {
env.insert("icu_list");
let le_bytes = databake::Bake::bake(&self.deref().to_bytes_little_endian().as_slice(), env);
let be_bytes = databake::Bake::bake(&self.deref().to_bytes_big_endian().as_slice(), env);
// Safe because of `to_bytes_little_endian`/`to_bytes_big_endian`'s invariant.
// Safe because of `to_bytes_little_endian`/`to_bytes_big_endian`'s invariant: They produce
// valid DFA representations, and we consume them correctly taking care of the endianness of the target platform.
databake::quote! {
unsafe {
icu_list::provider::SerdeDFA::from_dfa_bytes_unchecked(
Expand Down
6 changes: 5 additions & 1 deletion components/locid_transform/src/fallback/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,11 @@ impl LocaleFallbacker {
parents: crate::provider::Baked::SINGLETON_FALLBACK_PARENTS_V1,
collation_supplement: Some(crate::provider::Baked::SINGLETON_FALLBACK_SUPPLEMENT_CO_V1),
};
// Shitty covariance because the zeromaps confuse the compiler
// Safety: we're transmuting down from LocaleFallbackerBorrowed<'static> to LocaleFallbackerBorrowed<'a>
// ZeroMaps use associated types in a way that confuse the compiler which gives up and marks them
// as invariant. However, they are covariant, and in non-const code this covariance can be safely triggered
// using Yokeable::transform. In const code we must transmute. In the long run we should
// be able to `transform()` in const code, and also we will have hopefully improved map polymorphism (#3128)
unsafe { core::mem::transmute(tickstatic) }
}

Expand Down
1 change: 1 addition & 0 deletions provider/blob/src/blob_schema.rs
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ impl<'a> ZeroMapKV<'a> for Index32U8 {
}

impl Index32U8 {
// Safety: Index32U8 is a transparent DST wrapper around `[u8]`, so a transmute is fine
#[allow(dead_code)]
pub(crate) const SENTINEL: &'static Self = unsafe { &*(&[] as *const [u8] as *const Self) };
}
4 changes: 3 additions & 1 deletion provider/core/src/response.rs
Original file line number Diff line number Diff line change
Expand Up @@ -390,7 +390,9 @@ where
DataPayloadInner::StaticRef(r) => {
let output: <M2::Yokeable as Yokeable<'static>>::Output =
f(Yokeable::transform(*r), PhantomData);
// Safety: <M2::Yokeable as Yokeable<'static>>::Output is the same type as M2::Yokeable
// Safety: <M2::Yokeable as Yokeable<'static>>::Output is the same type as M2::Yokeable;
// we're going from 'static to 'static, however in a generic context it's not
// clear to the compiler that that is the case. We have to use the unsafe make API to do this.
let yokeable: M2::Yokeable = unsafe { M2::Yokeable::make(output) };
Yoke::new_owned(yokeable)
}
Expand Down

0 comments on commit 62ccc20

Please sign in to comment.