Merge "Add safety comments." into main

2023-07-25 07:00:16 +00:00 · 2023-07-25 07:00:16 +00:00 · 406d43397c
commit 406d43397c
parent a414e2fd9b f580fe5799
2 changed files with 7 additions and 2 deletions
--- a/libstats/pull_rust/stats_pull.rs
+++ b/libstats/pull_rust/stats_pull.rs
@ -111,7 +111,9 @@ lazy_static! {
    static ref COOKIES: Mutex<HashMap<i32, fn() -> StatsPullResult>> = Mutex::new(HashMap::new());
 }

-// Safety: We store our callbacks in the global so they are valid.
+/// # Safety
+///
+/// `data` must be a valid pointer with no aliases.
 unsafe extern "C" fn callback_wrapper(
    atom_tag: i32,
    data: *mut AStatsEventList,
@ -126,7 +128,8 @@ unsafe extern "C" fn callback_wrapper(
                let stats = cb();
                let result = stats
                    .iter()
-                    .map(|stat| stat.add_astats_event(&mut *data))
+                    // Safety: The caller promises that `data` is valid and unaliased.
+                    .map(|stat| stat.add_astats_event(unsafe { &mut *data }))
                    .collect::<Result<Vec<()>, StatsError>>();
                match result {
                    Ok(_) => {
--- a/trusty/libtrusty-rs/src/lib.rs
+++ b/trusty/libtrusty-rs/src/lib.rs
@ -102,6 +102,8 @@ impl TipcChannel {
        let file = File::options().read(true).write(true).open(device)?;

        let srv_name = CString::new(service).expect("Service name contained null bytes");
+        // SAFETY: The file descriptor is valid because it came from a `File`, and the name is a
+        // valid C string because it came from a `CString`.
        unsafe {
            tipc_connect(file.as_raw_fd(), srv_name.as_ptr())?;
        }