Merge "Add safety comments." into main am: 406d43397c am: 947d407b3c

Original change: https://android-review.googlesource.com/c/platform/system/core/+/2672075 Change-Id: I4f1b988923ea87b03145fe7bf3564c989a2fdcd4 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-25 08:34:33 +00:00 · 2023-07-25 08:34:33 +00:00 · 5faeba2780
commit 5faeba2780
parent 661bf674cc 947d407b3c
2 changed files with 7 additions and 2 deletions
--- a/libstats/pull_rust/stats_pull.rs
+++ b/libstats/pull_rust/stats_pull.rs
@ -111,7 +111,9 @@ lazy_static! {
    static ref COOKIES: Mutex<HashMap<i32, fn() -> StatsPullResult>> = Mutex::new(HashMap::new());
 }

-// Safety: We store our callbacks in the global so they are valid.
+/// # Safety
+///
+/// `data` must be a valid pointer with no aliases.
 unsafe extern "C" fn callback_wrapper(
    atom_tag: i32,
    data: *mut AStatsEventList,
@ -126,7 +128,8 @@ unsafe extern "C" fn callback_wrapper(
                let stats = cb();
                let result = stats
                    .iter()
-                    .map(|stat| stat.add_astats_event(&mut *data))
+                    // Safety: The caller promises that `data` is valid and unaliased.
+                    .map(|stat| stat.add_astats_event(unsafe { &mut *data }))
                    .collect::<Result<Vec<()>, StatsError>>();
                match result {
                    Ok(_) => {
--- a/trusty/libtrusty-rs/src/lib.rs
+++ b/trusty/libtrusty-rs/src/lib.rs
@ -102,6 +102,8 @@ impl TipcChannel {
        let file = File::options().read(true).write(true).open(device)?;

        let srv_name = CString::new(service).expect("Service name contained null bytes");
+        // SAFETY: The file descriptor is valid because it came from a `File`, and the name is a
+        // valid C string because it came from a `CString`.
        unsafe {
            tipc_connect(file.as_raw_fd(), srv_name.as_ptr())?;
        }