From 4e36f46464d6473ca1f2c8612b7aed4ea0141bcf Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:40:27 -0800 Subject: [PATCH 1/8] core: Apply unsafe_op_in_unsafe_fn --- library/core/src/alloc/global.rs | 2 +- library/core/src/hint.rs | 2 +- library/core/src/intrinsics/mod.rs | 8 ++++---- library/core/src/mem/maybe_uninit.rs | 4 ++-- library/core/src/mem/transmutability.rs | 2 +- library/core/src/ptr/const_ptr.rs | 4 ++-- library/core/src/ptr/mut_ptr.rs | 4 ++-- library/core/src/ptr/non_null.rs | 4 ++-- 8 files changed, 15 insertions(+), 15 deletions(-) diff --git a/library/core/src/alloc/global.rs b/library/core/src/alloc/global.rs index 8f48af24557d8..5bf6f143b4f82 100644 --- a/library/core/src/alloc/global.rs +++ b/library/core/src/alloc/global.rs @@ -70,7 +70,7 @@ use crate::{cmp, ptr}; /// { /// return null_mut(); /// }; -/// self.arena.get().cast::().add(allocated) +/// unsafe { self.arena.get().cast::().add(allocated) } /// } /// unsafe fn dealloc(&self, _ptr: *mut u8, _layout: Layout) {} /// } diff --git a/library/core/src/hint.rs b/library/core/src/hint.rs index 520b9941ae45d..76afb3b8e20c0 100644 --- a/library/core/src/hint.rs +++ b/library/core/src/hint.rs @@ -52,7 +52,7 @@ use crate::{intrinsics, ub_checks}; /// // Safety: `divisor` can't be zero because of `prepare_inputs`, /// // but the compiler does not know about this. We *promise* /// // that we always call `prepare_inputs`. -/// std::hint::unreachable_unchecked() +/// unsafe { std::hint::unreachable_unchecked() } /// } /// // The compiler would normally introduce a check here that prevents /// // a division by zero. However, if `divisor` was zero, the branch diff --git a/library/core/src/intrinsics/mod.rs b/library/core/src/intrinsics/mod.rs index 6c9c6d0edc235..99c42f3626e7c 100644 --- a/library/core/src/intrinsics/mod.rs +++ b/library/core/src/intrinsics/mod.rs @@ -1703,12 +1703,12 @@ pub const fn forget(_: T) { /// ``` /// struct R<'a>(&'a i32); /// unsafe fn extend_lifetime<'b>(r: R<'b>) -> R<'static> { -/// std::mem::transmute::, R<'static>>(r) +/// unsafe { std::mem::transmute::, R<'static>>(r) } /// } /// /// unsafe fn shorten_invariant_lifetime<'b, 'c>(r: &'b mut R<'static>) /// -> &'b mut R<'c> { -/// std::mem::transmute::<&'b mut R<'static>, &'b mut R<'c>>(r) +/// unsafe { std::mem::transmute::<&'b mut R<'static>, &'b mut R<'c>>(r) } /// } /// ``` /// @@ -4498,11 +4498,11 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us /// /// // SAFETY: Our precondition ensures the source is aligned and valid, /// // and `Vec::with_capacity` ensures that we have usable space to write them. -/// ptr::copy(ptr, dst.as_mut_ptr(), elts); +/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); } /// /// // SAFETY: We created it with this much capacity earlier, /// // and the previous `copy` has initialized these elements. -/// dst.set_len(elts); +/// unsafe { dst.set_len(elts); } /// dst /// } /// ``` diff --git a/library/core/src/mem/maybe_uninit.rs b/library/core/src/mem/maybe_uninit.rs index 0d8c3ef906bf0..9ab05ca89d135 100644 --- a/library/core/src/mem/maybe_uninit.rs +++ b/library/core/src/mem/maybe_uninit.rs @@ -98,7 +98,7 @@ use crate::{fmt, intrinsics, ptr, slice}; /// /// unsafe fn make_vec(out: *mut Vec) { /// // `write` does not drop the old contents, which is important. -/// out.write(vec![1, 2, 3]); +/// unsafe { out.write(vec![1, 2, 3]); } /// } /// /// let mut v = MaybeUninit::uninit(); @@ -844,7 +844,7 @@ impl MaybeUninit { /// # #![allow(unexpected_cfgs)] /// use std::mem::MaybeUninit; /// - /// # unsafe extern "C" fn initialize_buffer(buf: *mut [u8; 1024]) { *buf = [0; 1024] } + /// # unsafe extern "C" fn initialize_buffer(buf: *mut [u8; 1024]) { unsafe { *buf = [0; 1024] } } /// # #[cfg(FALSE)] /// extern "C" { /// /// Initializes *all* the bytes of the input buffer. diff --git a/library/core/src/mem/transmutability.rs b/library/core/src/mem/transmutability.rs index 6a4f84c849cb1..7b920d7a777ca 100644 --- a/library/core/src/mem/transmutability.rs +++ b/library/core/src/mem/transmutability.rs @@ -32,7 +32,7 @@ use crate::marker::{ConstParamTy_, UnsizedConstParamTy}; /// src: ManuallyDrop::new(src), /// }; /// -/// let dst = transmute.dst; +/// let dst = unsafe { transmute.dst }; /// /// ManuallyDrop::into_inner(dst) /// } diff --git a/library/core/src/ptr/const_ptr.rs b/library/core/src/ptr/const_ptr.rs index 0c6eaf60d0480..974946a7818d7 100644 --- a/library/core/src/ptr/const_ptr.rs +++ b/library/core/src/ptr/const_ptr.rs @@ -724,13 +724,13 @@ impl *const T { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: *const i32, origin: *const i32, count: usize) -> bool { + /// # unsafe fn blah(ptr: *const i32, origin: *const i32, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety diff --git a/library/core/src/ptr/mut_ptr.rs b/library/core/src/ptr/mut_ptr.rs index d1b0104c0fa92..94ebd0d2522ee 100644 --- a/library/core/src/ptr/mut_ptr.rs +++ b/library/core/src/ptr/mut_ptr.rs @@ -896,13 +896,13 @@ impl *mut T { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: *mut i32, origin: *mut i32, count: usize) -> bool { + /// # unsafe fn blah(ptr: *mut i32, origin: *mut i32, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety diff --git a/library/core/src/ptr/non_null.rs b/library/core/src/ptr/non_null.rs index d93069d384edd..f4ac00062d733 100644 --- a/library/core/src/ptr/non_null.rs +++ b/library/core/src/ptr/non_null.rs @@ -857,13 +857,13 @@ impl NonNull { /// that their safety preconditions are met: /// ```rust /// # #![feature(ptr_sub_ptr)] - /// # unsafe fn blah(ptr: std::ptr::NonNull, origin: std::ptr::NonNull, count: usize) -> bool { + /// # unsafe fn blah(ptr: std::ptr::NonNull, origin: std::ptr::NonNull, count: usize) -> bool { unsafe { /// ptr.sub_ptr(origin) == count /// # && /// origin.add(count) == ptr /// # && /// ptr.sub(count) == origin - /// # } + /// # } } /// ``` /// /// # Safety From e13928de93c142d2b4052d28d7ed0aaca192c0ee Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:42:29 -0800 Subject: [PATCH 2/8] panic_abort: Apply unsafe_op_in_unsafe_fn --- library/panic_abort/src/android.rs | 18 +++++++++-------- library/panic_abort/src/lib.rs | 31 +++++++++++++++++++++--------- library/panic_abort/src/zkvm.rs | 4 +++- 3 files changed, 35 insertions(+), 18 deletions(-) diff --git a/library/panic_abort/src/android.rs b/library/panic_abort/src/android.rs index 47c22834597de..1cc2077d14bd4 100644 --- a/library/panic_abort/src/android.rs +++ b/library/panic_abort/src/android.rs @@ -16,9 +16,10 @@ type SetAbortMessageType = unsafe extern "C" fn(*const libc::c_char) -> (); // Weakly resolve the symbol for android_set_abort_message. This function is only available // for API >= 21. pub(crate) unsafe fn android_set_abort_message(payload: &mut dyn PanicPayload) { - let func_addr = + let func_addr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, ANDROID_SET_ABORT_MESSAGE.as_ptr() as *const libc::c_char) - as usize; + as usize + }; if func_addr == 0 { return; } @@ -37,13 +38,14 @@ pub(crate) unsafe fn android_set_abort_message(payload: &mut dyn PanicPayload) { // Allocate a new buffer to append the null byte. let size = msg.len() + 1usize; - let buf = libc::malloc(size) as *mut libc::c_char; + let buf = unsafe { libc::malloc(size) as *mut libc::c_char }; if buf.is_null() { return; // allocation failure } - copy_nonoverlapping(msg.as_ptr(), buf as *mut u8, msg.len()); - buf.add(msg.len()).write(0); - - let func = transmute::(func_addr); - func(buf); + unsafe { + copy_nonoverlapping(msg.as_ptr(), buf as *mut u8, msg.len()); + buf.add(msg.len()).write(0); + let func = transmute::(func_addr); + func(buf); + } } diff --git a/library/panic_abort/src/lib.rs b/library/panic_abort/src/lib.rs index 7718d68aef8e5..b2ad0f4ac3d04 100644 --- a/library/panic_abort/src/lib.rs +++ b/library/panic_abort/src/lib.rs @@ -15,6 +15,7 @@ #![feature(staged_api)] #![feature(rustc_attrs)] #![allow(internal_features)] +#![deny(unsafe_op_in_unsafe_fn)] #[cfg(target_os = "android")] mod android; @@ -36,16 +37,22 @@ pub unsafe extern "C" fn __rust_panic_cleanup(_: *mut u8) -> *mut (dyn Any + Sen pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { // Android has the ability to attach a message as part of the abort. #[cfg(target_os = "android")] - android::android_set_abort_message(_payload); + unsafe { + android::android_set_abort_message(_payload); + } #[cfg(target_os = "zkvm")] - zkvm::zkvm_set_abort_message(_payload); + unsafe { + zkvm::zkvm_set_abort_message(_payload); + } - abort(); + unsafe { + abort(); + } cfg_if::cfg_if! { if #[cfg(any(unix, target_os = "solid_asp3"))] { unsafe fn abort() -> ! { - libc::abort(); + unsafe { libc::abort(); } } } else if #[cfg(any(target_os = "hermit", all(target_vendor = "fortanix", target_env = "sgx"), @@ -57,7 +64,7 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { unsafe extern "C" { pub fn __rust_abort() -> !; } - __rust_abort(); + unsafe { __rust_abort(); } } } else if #[cfg(all(windows, not(miri)))] { // On Windows, use the processor-specific __fastfail mechanism. In Windows 8 @@ -75,11 +82,17 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { const FAST_FAIL_FATAL_APP_EXIT: usize = 7; cfg_if::cfg_if! { if #[cfg(any(target_arch = "x86", target_arch = "x86_64"))] { - core::arch::asm!("int $$0x29", in("ecx") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!("int $$0x29", in("ecx") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else if #[cfg(all(target_arch = "arm", target_feature = "thumb-mode"))] { - core::arch::asm!(".inst 0xDEFB", in("r0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!(".inst 0xDEFB", in("r0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else if #[cfg(any(target_arch = "aarch64", target_arch = "arm64ec"))] { - core::arch::asm!("brk 0xF003", in("x0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + unsafe { + core::arch::asm!("brk 0xF003", in("x0") FAST_FAIL_FATAL_APP_EXIT, options(noreturn, nostack)); + } } else { core::intrinsics::abort(); } @@ -93,7 +106,7 @@ pub unsafe fn __rust_start_panic(_payload: &mut dyn PanicPayload) -> u32 { } unsafe fn abort() -> ! { - teeos::TEE_Panic(1); + unsafe { teeos::TEE_Panic(1); } } } else { unsafe fn abort() -> ! { diff --git a/library/panic_abort/src/zkvm.rs b/library/panic_abort/src/zkvm.rs index 11150eafd0b80..7b1e89c6a8e63 100644 --- a/library/panic_abort/src/zkvm.rs +++ b/library/panic_abort/src/zkvm.rs @@ -20,5 +20,7 @@ pub(crate) unsafe fn zkvm_set_abort_message(payload: &mut dyn PanicPayload) { fn sys_panic(msg_ptr: *const u8, len: usize) -> !; } - sys_panic(msg.as_ptr(), msg.len()); + unsafe { + sys_panic(msg.as_ptr(), msg.len()); + } } From 331911e699f91bc890074fa42374c63dbea06c44 Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:44:32 -0800 Subject: [PATCH 3/8] panic_unwind: Apply unsafe_op_in_unsafe_fn --- library/panic_unwind/src/emcc.rs | 60 ++++++++++++----------- library/panic_unwind/src/gcc.rs | 40 +++++++-------- library/panic_unwind/src/hermit.rs | 8 ++- library/panic_unwind/src/lib.rs | 9 ++-- library/panic_unwind/src/miri.rs | 4 +- library/panic_unwind/src/seh.rs | 78 ++++++++++++++++-------------- 6 files changed, 110 insertions(+), 89 deletions(-) diff --git a/library/panic_unwind/src/emcc.rs b/library/panic_unwind/src/emcc.rs index 4140b004ad13e..1569c26c9de47 100644 --- a/library/panic_unwind/src/emcc.rs +++ b/library/panic_unwind/src/emcc.rs @@ -71,42 +71,46 @@ pub(crate) unsafe fn cleanup(ptr: *mut u8) -> Box { ptr: *mut u8, is_rust_panic: bool, } - let catch_data = &*(ptr as *mut CatchData); + unsafe { + let catch_data = &*(ptr as *mut CatchData); - let adjusted_ptr = __cxa_begin_catch(catch_data.ptr as *mut libc::c_void) as *mut Exception; - if !catch_data.is_rust_panic { - super::__rust_foreign_exception(); - } + let adjusted_ptr = __cxa_begin_catch(catch_data.ptr as *mut libc::c_void) as *mut Exception; + if !catch_data.is_rust_panic { + super::__rust_foreign_exception(); + } - let canary = (&raw const (*adjusted_ptr).canary).read(); - if !ptr::eq(canary, &EXCEPTION_TYPE_INFO) { - super::__rust_foreign_exception(); - } + let canary = (&raw const (*adjusted_ptr).canary).read(); + if !ptr::eq(canary, &EXCEPTION_TYPE_INFO) { + super::__rust_foreign_exception(); + } - let was_caught = (*adjusted_ptr).caught.swap(true, Ordering::Relaxed); - if was_caught { - // Since cleanup() isn't allowed to panic, we just abort instead. - intrinsics::abort(); + let was_caught = (*adjusted_ptr).caught.swap(true, Ordering::Relaxed); + if was_caught { + // Since cleanup() isn't allowed to panic, we just abort instead. + intrinsics::abort(); + } + let out = (*adjusted_ptr).data.take().unwrap(); + __cxa_end_catch(); + out } - let out = (*adjusted_ptr).data.take().unwrap(); - __cxa_end_catch(); - out } pub(crate) unsafe fn panic(data: Box) -> u32 { - let exception = __cxa_allocate_exception(mem::size_of::()) as *mut Exception; - if exception.is_null() { - return uw::_URC_FATAL_PHASE1_ERROR as u32; + unsafe { + let exception = __cxa_allocate_exception(mem::size_of::()) as *mut Exception; + if exception.is_null() { + return uw::_URC_FATAL_PHASE1_ERROR as u32; + } + ptr::write( + exception, + Exception { + canary: &EXCEPTION_TYPE_INFO, + caught: AtomicBool::new(false), + data: Some(data), + }, + ); + __cxa_throw(exception as *mut _, &EXCEPTION_TYPE_INFO, exception_cleanup); } - ptr::write( - exception, - Exception { - canary: &EXCEPTION_TYPE_INFO, - caught: AtomicBool::new(false), - data: Some(data), - }, - ); - __cxa_throw(exception as *mut _, &EXCEPTION_TYPE_INFO, exception_cleanup); } extern "C" fn exception_cleanup(ptr: *mut libc::c_void) -> *mut libc::c_void { diff --git a/library/panic_unwind/src/gcc.rs b/library/panic_unwind/src/gcc.rs index e478f6c5fc86c..5f95870069dc5 100644 --- a/library/panic_unwind/src/gcc.rs +++ b/library/panic_unwind/src/gcc.rs @@ -69,7 +69,7 @@ pub(crate) unsafe fn panic(data: Box) -> u32 { cause: data, }); let exception_param = Box::into_raw(exception) as *mut uw::_Unwind_Exception; - return uw::_Unwind_RaiseException(exception_param) as u32; + return unsafe { uw::_Unwind_RaiseException(exception_param) as u32 }; extern "C" fn exception_cleanup( _unwind_code: uw::_Unwind_Reason_Code, @@ -83,26 +83,28 @@ pub(crate) unsafe fn panic(data: Box) -> u32 { } pub(crate) unsafe fn cleanup(ptr: *mut u8) -> Box { - let exception = ptr as *mut uw::_Unwind_Exception; - if (*exception).exception_class != RUST_EXCEPTION_CLASS { - uw::_Unwind_DeleteException(exception); - super::__rust_foreign_exception(); - } + unsafe { + let exception = ptr as *mut uw::_Unwind_Exception; + if (*exception).exception_class != RUST_EXCEPTION_CLASS { + uw::_Unwind_DeleteException(exception); + super::__rust_foreign_exception(); + } - let exception = exception.cast::(); - // Just access the canary field, avoid accessing the entire `Exception` as - // it can be a foreign Rust exception. - let canary = (&raw const (*exception).canary).read(); - if !ptr::eq(canary, &CANARY) { - // A foreign Rust exception, treat it slightly differently from other - // foreign exceptions, because call into `_Unwind_DeleteException` will - // call into `__rust_drop_panic` which produces a confusing - // "Rust panic must be rethrown" message. - super::__rust_foreign_exception(); - } + let exception = exception.cast::(); + // Just access the canary field, avoid accessing the entire `Exception` as + // it can be a foreign Rust exception. + let canary = (&raw const (*exception).canary).read(); + if !ptr::eq(canary, &CANARY) { + // A foreign Rust exception, treat it slightly differently from other + // foreign exceptions, because call into `_Unwind_DeleteException` will + // call into `__rust_drop_panic` which produces a confusing + // "Rust panic must be rethrown" message. + super::__rust_foreign_exception(); + } - let exception = Box::from_raw(exception as *mut Exception); - exception.cause + let exception = Box::from_raw(exception as *mut Exception); + exception.cause + } } // Rust's exception class identifier. This is used by personality routines to diff --git a/library/panic_unwind/src/hermit.rs b/library/panic_unwind/src/hermit.rs index 9719c13341520..8f4562d07fc4e 100644 --- a/library/panic_unwind/src/hermit.rs +++ b/library/panic_unwind/src/hermit.rs @@ -9,12 +9,16 @@ pub(crate) unsafe fn cleanup(_ptr: *mut u8) -> Box { unsafe extern "C" { fn __rust_abort() -> !; } - __rust_abort(); + unsafe { + __rust_abort(); + } } pub(crate) unsafe fn panic(_data: Box) -> u32 { unsafe extern "C" { fn __rust_abort() -> !; } - __rust_abort(); + unsafe { + __rust_abort(); + } } diff --git a/library/panic_unwind/src/lib.rs b/library/panic_unwind/src/lib.rs index 45e2a466b4df6..1111c2009b3dd 100644 --- a/library/panic_unwind/src/lib.rs +++ b/library/panic_unwind/src/lib.rs @@ -27,6 +27,7 @@ #![allow(internal_features)] #![cfg_attr(not(bootstrap), feature(cfg_emscripten_wasm_eh))] #![warn(unreachable_pub)] +#![deny(unsafe_op_in_unsafe_fn)] use alloc::boxed::Box; use core::any::Any; @@ -87,14 +88,16 @@ unsafe extern "C" { #[rustc_std_internal_symbol] #[allow(improper_ctypes_definitions)] pub unsafe extern "C" fn __rust_panic_cleanup(payload: *mut u8) -> *mut (dyn Any + Send + 'static) { - Box::into_raw(imp::cleanup(payload)) + unsafe { Box::into_raw(imp::cleanup(payload)) } } // Entry point for raising an exception, just delegates to the platform-specific // implementation. #[rustc_std_internal_symbol] pub unsafe fn __rust_start_panic(payload: &mut dyn PanicPayload) -> u32 { - let payload = Box::from_raw(payload.take_box()); + unsafe { + let payload = Box::from_raw(payload.take_box()); - imp::panic(payload) + imp::panic(payload) + } } diff --git a/library/panic_unwind/src/miri.rs b/library/panic_unwind/src/miri.rs index ec48b1105ab47..d6d4af8218d31 100644 --- a/library/panic_unwind/src/miri.rs +++ b/library/panic_unwind/src/miri.rs @@ -16,11 +16,11 @@ pub(crate) unsafe fn panic(payload: Box) -> u32 { // The payload we pass to `miri_start_unwind` will be exactly the argument we get // in `cleanup` below. So we just box it up once, to get something pointer-sized. let payload_box: Payload = Box::new(payload); - miri_start_unwind(Box::into_raw(payload_box) as *mut u8) + unsafe { miri_start_unwind(Box::into_raw(payload_box) as *mut u8) } } pub(crate) unsafe fn cleanup(payload_box: *mut u8) -> Box { // Recover the underlying `Box`. - let payload_box: Payload = Box::from_raw(payload_box as *mut _); + let payload_box: Payload = unsafe { Box::from_raw(payload_box as *mut _) }; *payload_box } diff --git a/library/panic_unwind/src/seh.rs b/library/panic_unwind/src/seh.rs index c8dfddf821e68..3a95b940221c2 100644 --- a/library/panic_unwind/src/seh.rs +++ b/library/panic_unwind/src/seh.rs @@ -268,9 +268,11 @@ static mut TYPE_DESCRIPTOR: _TypeDescriptor = _TypeDescriptor { macro_rules! define_cleanup { ($abi:tt $abi2:tt) => { unsafe extern $abi fn exception_cleanup(e: *mut Exception) { - if let Exception { data: Some(b), .. } = e.read() { - drop(b); - super::__rust_drop_panic(); + unsafe { + if let Exception { data: Some(b), .. } = e.read() { + drop(b); + super::__rust_drop_panic(); + } } } unsafe extern $abi2 fn exception_copy( @@ -322,45 +324,51 @@ pub(crate) unsafe fn panic(data: Box) -> u32 { // // In any case, we basically need to do something like this until we can // express more operations in statics (and we may never be able to). - atomic_store_seqcst( - (&raw mut THROW_INFO.pmfnUnwind).cast(), - ptr_t::new(exception_cleanup as *mut u8).raw(), - ); - atomic_store_seqcst( - (&raw mut THROW_INFO.pCatchableTypeArray).cast(), - ptr_t::new((&raw mut CATCHABLE_TYPE_ARRAY).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE_ARRAY.arrayOfCatchableTypes[0]).cast(), - ptr_t::new((&raw mut CATCHABLE_TYPE).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE.pType).cast(), - ptr_t::new((&raw mut TYPE_DESCRIPTOR).cast()).raw(), - ); - atomic_store_seqcst( - (&raw mut CATCHABLE_TYPE.copyFunction).cast(), - ptr_t::new(exception_copy as *mut u8).raw(), - ); + unsafe { + atomic_store_seqcst( + (&raw mut THROW_INFO.pmfnUnwind).cast(), + ptr_t::new(exception_cleanup as *mut u8).raw(), + ); + atomic_store_seqcst( + (&raw mut THROW_INFO.pCatchableTypeArray).cast(), + ptr_t::new((&raw mut CATCHABLE_TYPE_ARRAY).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE_ARRAY.arrayOfCatchableTypes[0]).cast(), + ptr_t::new((&raw mut CATCHABLE_TYPE).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE.pType).cast(), + ptr_t::new((&raw mut TYPE_DESCRIPTOR).cast()).raw(), + ); + atomic_store_seqcst( + (&raw mut CATCHABLE_TYPE.copyFunction).cast(), + ptr_t::new(exception_copy as *mut u8).raw(), + ); + } unsafe extern "system-unwind" { fn _CxxThrowException(pExceptionObject: *mut c_void, pThrowInfo: *mut u8) -> !; } - _CxxThrowException(throw_ptr, (&raw mut THROW_INFO) as *mut _); + unsafe { + _CxxThrowException(throw_ptr, (&raw mut THROW_INFO) as *mut _); + } } pub(crate) unsafe fn cleanup(payload: *mut u8) -> Box { - // A null payload here means that we got here from the catch (...) of - // __rust_try. This happens when a non-Rust foreign exception is caught. - if payload.is_null() { - super::__rust_foreign_exception(); - } - let exception = payload as *mut Exception; - let canary = (&raw const (*exception).canary).read(); - if !core::ptr::eq(canary, &raw const TYPE_DESCRIPTOR) { - // A foreign Rust exception. - super::__rust_foreign_exception(); + unsafe { + // A null payload here means that we got here from the catch (...) of + // __rust_try. This happens when a non-Rust foreign exception is caught. + if payload.is_null() { + super::__rust_foreign_exception(); + } + let exception = payload as *mut Exception; + let canary = (&raw const (*exception).canary).read(); + if !core::ptr::eq(canary, &raw const TYPE_DESCRIPTOR) { + // A foreign Rust exception. + super::__rust_foreign_exception(); + } + (*exception).data.take().unwrap() } - (*exception).data.take().unwrap() } From 0484d23465eb8b977e7549cd8ee7b12c7a62b54d Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:45:31 -0800 Subject: [PATCH 4/8] unwind: Apply unsafe_op_in_unsafe_fn --- library/unwind/src/lib.rs | 1 + library/unwind/src/libunwind.rs | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/library/unwind/src/lib.rs b/library/unwind/src/lib.rs index 2650b273a4dbe..761f924844620 100644 --- a/library/unwind/src/lib.rs +++ b/library/unwind/src/lib.rs @@ -9,6 +9,7 @@ )] #![allow(internal_features)] #![cfg_attr(not(bootstrap), feature(cfg_emscripten_wasm_eh))] +#![deny(unsafe_op_in_unsafe_fn)] // Force libc to be included even if unused. This is required by many platforms. #[cfg(not(all(windows, target_env = "msvc")))] diff --git a/library/unwind/src/libunwind.rs b/library/unwind/src/libunwind.rs index 62165f8a20039..1a640bbde71d7 100644 --- a/library/unwind/src/libunwind.rs +++ b/library/unwind/src/libunwind.rs @@ -218,36 +218,38 @@ if #[cfg(any(target_vendor = "apple", target_os = "netbsd", not(target_arch = "a pub unsafe fn _Unwind_GetGR(ctx: *mut _Unwind_Context, reg_index: c_int) -> _Unwind_Word { let mut val: _Unwind_Word = core::ptr::null(); - _Unwind_VRS_Get(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, - (&raw mut val) as *mut c_void); + unsafe { _Unwind_VRS_Get(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, + (&raw mut val) as *mut c_void); } val } pub unsafe fn _Unwind_SetGR(ctx: *mut _Unwind_Context, reg_index: c_int, value: _Unwind_Word) { let mut value = value; - _Unwind_VRS_Set(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, - (&raw mut value) as *mut c_void); + unsafe { _Unwind_VRS_Set(ctx, _UVRSC_CORE, reg_index as _Unwind_Word, _UVRSD_UINT32, + (&raw mut value) as *mut c_void); } } pub unsafe fn _Unwind_GetIP(ctx: *mut _Unwind_Context) -> _Unwind_Word { - let val = _Unwind_GetGR(ctx, UNWIND_IP_REG); + let val = unsafe { _Unwind_GetGR(ctx, UNWIND_IP_REG) }; val.map_addr(|v| v & !1) } pub unsafe fn _Unwind_SetIP(ctx: *mut _Unwind_Context, value: _Unwind_Word) { // Propagate thumb bit to instruction pointer - let thumb_state = _Unwind_GetGR(ctx, UNWIND_IP_REG).addr() & 1; + let thumb_state = unsafe { _Unwind_GetGR(ctx, UNWIND_IP_REG).addr() & 1 }; let value = value.map_addr(|v| v | thumb_state); - _Unwind_SetGR(ctx, UNWIND_IP_REG, value); + unsafe { _Unwind_SetGR(ctx, UNWIND_IP_REG, value); } } pub unsafe fn _Unwind_GetIPInfo(ctx: *mut _Unwind_Context, ip_before_insn: *mut c_int) -> _Unwind_Word { - *ip_before_insn = 0; - _Unwind_GetIP(ctx) + unsafe { + *ip_before_insn = 0; + _Unwind_GetIP(ctx) + } } // This function also doesn't exist on Android or ARM/Linux, so make it a no-op From d5f0aa49e711db038d7bd30ceb76ba260de8b1fd Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Wed, 12 Feb 2025 14:15:19 -0800 Subject: [PATCH 5/8] Fix safety of windows uwp functions These functions were changed to be safe in /~https://github.com/rust-lang/rust/pull/127763, but this particular UWP version was missed. Otherwise this causes unnecessary unsafe block warnings/errors. --- library/std/src/sys/pal/windows/stack_overflow_uwp.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/std/src/sys/pal/windows/stack_overflow_uwp.rs b/library/std/src/sys/pal/windows/stack_overflow_uwp.rs index 9e9b3efaf1b14..6f1ea12fc1e06 100644 --- a/library/std/src/sys/pal/windows/stack_overflow_uwp.rs +++ b/library/std/src/sys/pal/windows/stack_overflow_uwp.rs @@ -1,4 +1,4 @@ #![cfg_attr(test, allow(dead_code))] -pub unsafe fn reserve_stack() {} -pub unsafe fn init() {} +pub fn reserve_stack() {} +pub fn init() {} From 4f4ea35a6969cdbebfdf96778e8a9d49bea8c9ce Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:51:22 -0800 Subject: [PATCH 6/8] std: Apply unsafe_op_in_unsafe_fn --- library/std/src/alloc.rs | 8 ++++---- library/std/src/sys/pal/teeos/thread.rs | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/std/src/alloc.rs b/library/std/src/alloc.rs index 3936ed057e6e2..99d105a2454a5 100644 --- a/library/std/src/alloc.rs +++ b/library/std/src/alloc.rs @@ -20,11 +20,11 @@ //! //! unsafe impl GlobalAlloc for MyAllocator { //! unsafe fn alloc(&self, layout: Layout) -> *mut u8 { -//! System.alloc(layout) +//! unsafe { System.alloc(layout) } //! } //! //! unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) { -//! System.dealloc(ptr, layout) +//! unsafe { System.dealloc(ptr, layout) } //! } //! } //! @@ -102,7 +102,7 @@ pub use alloc_crate::alloc::*; /// /// unsafe impl GlobalAlloc for Counter { /// unsafe fn alloc(&self, layout: Layout) -> *mut u8 { -/// let ret = System.alloc(layout); +/// let ret = unsafe { System.alloc(layout) }; /// if !ret.is_null() { /// ALLOCATED.fetch_add(layout.size(), Relaxed); /// } @@ -110,7 +110,7 @@ pub use alloc_crate::alloc::*; /// } /// /// unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) { -/// System.dealloc(ptr, layout); +/// unsafe { System.dealloc(ptr, layout); } /// ALLOCATED.fetch_sub(layout.size(), Relaxed); /// } /// } diff --git a/library/std/src/sys/pal/teeos/thread.rs b/library/std/src/sys/pal/teeos/thread.rs index c779c5f3ed89c..e3b4908f85863 100644 --- a/library/std/src/sys/pal/teeos/thread.rs +++ b/library/std/src/sys/pal/teeos/thread.rs @@ -56,7 +56,7 @@ impl Thread { } }; - let ret = libc::pthread_create(&mut native, &attr, thread_start, p as *mut _); + let ret = unsafe { libc::pthread_create(&mut native, &attr, thread_start, p as *mut _) }; // Note: if the thread creation fails and this assert fails, then p will // be leaked. However, an alternative design could cause double-free // which is clearly worse. From 80a7eb1c09b97f7ad1a68f538d2d9b04ded7da2b Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 12:52:22 -0800 Subject: [PATCH 7/8] proc_macro: Apply unsafe_op_in_unsafe_fn --- library/proc_macro/src/bridge/closure.rs | 2 +- library/proc_macro/src/lib.rs | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/library/proc_macro/src/bridge/closure.rs b/library/proc_macro/src/bridge/closure.rs index 524fdf53d6b7e..e0e688434dce5 100644 --- a/library/proc_macro/src/bridge/closure.rs +++ b/library/proc_macro/src/bridge/closure.rs @@ -19,7 +19,7 @@ struct Env; impl<'a, A, R, F: FnMut(A) -> R> From<&'a mut F> for Closure<'a, A, R> { fn from(f: &'a mut F) -> Self { unsafe extern "C" fn call R>(env: *mut Env, arg: A) -> R { - (*(env as *mut _ as *mut F))(arg) + unsafe { (*(env as *mut _ as *mut F))(arg) } } Closure { call: call::, env: f as *mut _ as *mut Env, _marker: PhantomData } } diff --git a/library/proc_macro/src/lib.rs b/library/proc_macro/src/lib.rs index 6611ce30a1b01..d9141eab5919f 100644 --- a/library/proc_macro/src/lib.rs +++ b/library/proc_macro/src/lib.rs @@ -33,6 +33,7 @@ #![deny(ffi_unwind_calls)] #![warn(rustdoc::unescaped_backticks)] #![warn(unreachable_pub)] +#![deny(unsafe_op_in_unsafe_fn)] #[unstable(feature = "proc_macro_internals", issue = "27812")] #[doc(hidden)] From 28307554125f60440fcbf8076eee86f2ec1e4c1d Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Thu, 13 Feb 2025 14:26:15 -0800 Subject: [PATCH 8/8] Bless miri tests after applying unsafe_op_in_unsafe_fn --- src/tools/miri/tests/fail/panic/panic_abort1.rs | 2 +- src/tools/miri/tests/fail/panic/panic_abort2.rs | 2 +- src/tools/miri/tests/fail/panic/panic_abort3.rs | 2 +- src/tools/miri/tests/fail/panic/panic_abort4.rs | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/tools/miri/tests/fail/panic/panic_abort1.rs b/src/tools/miri/tests/fail/panic/panic_abort1.rs index 300bfa32ecbd6..7552c7b7e808e 100644 --- a/src/tools/miri/tests/fail/panic/panic_abort1.rs +++ b/src/tools/miri/tests/fail/panic/panic_abort1.rs @@ -1,6 +1,6 @@ //@error-in-other-file: the program aborted execution //@normalize-stderr-test: "\| +\^+" -> "| ^" -//@normalize-stderr-test: "libc::abort\(\);|core::intrinsics::abort\(\);" -> "ABORT();" +//@normalize-stderr-test: "unsafe \{ libc::abort\(\); \}|core::intrinsics::abort\(\);" -> "ABORT();" //@compile-flags: -C panic=abort fn main() { diff --git a/src/tools/miri/tests/fail/panic/panic_abort2.rs b/src/tools/miri/tests/fail/panic/panic_abort2.rs index 5d69135057708..624f99335455f 100644 --- a/src/tools/miri/tests/fail/panic/panic_abort2.rs +++ b/src/tools/miri/tests/fail/panic/panic_abort2.rs @@ -1,6 +1,6 @@ //@error-in-other-file: the program aborted execution //@normalize-stderr-test: "\| +\^+" -> "| ^" -//@normalize-stderr-test: "libc::abort\(\);|core::intrinsics::abort\(\);" -> "ABORT();" +//@normalize-stderr-test: "unsafe \{ libc::abort\(\); \}|core::intrinsics::abort\(\);" -> "ABORT();" //@compile-flags: -C panic=abort fn main() { diff --git a/src/tools/miri/tests/fail/panic/panic_abort3.rs b/src/tools/miri/tests/fail/panic/panic_abort3.rs index 25afc315628e3..d1435b55946c1 100644 --- a/src/tools/miri/tests/fail/panic/panic_abort3.rs +++ b/src/tools/miri/tests/fail/panic/panic_abort3.rs @@ -1,6 +1,6 @@ //@error-in-other-file: the program aborted execution //@normalize-stderr-test: "\| +\^+" -> "| ^" -//@normalize-stderr-test: "libc::abort\(\);|core::intrinsics::abort\(\);" -> "ABORT();" +//@normalize-stderr-test: "unsafe \{ libc::abort\(\); \}|core::intrinsics::abort\(\);" -> "ABORT();" //@compile-flags: -C panic=abort fn main() { diff --git a/src/tools/miri/tests/fail/panic/panic_abort4.rs b/src/tools/miri/tests/fail/panic/panic_abort4.rs index 025b51a5cf51a..54b9c9cbfdb0e 100644 --- a/src/tools/miri/tests/fail/panic/panic_abort4.rs +++ b/src/tools/miri/tests/fail/panic/panic_abort4.rs @@ -1,6 +1,6 @@ //@error-in-other-file: the program aborted execution //@normalize-stderr-test: "\| +\^+" -> "| ^" -//@normalize-stderr-test: "libc::abort\(\);|core::intrinsics::abort\(\);" -> "ABORT();" +//@normalize-stderr-test: "unsafe \{ libc::abort\(\); \}|core::intrinsics::abort\(\);" -> "ABORT();" //@compile-flags: -C panic=abort fn main() {