Add safety comments.

These will soon be required by a lint. Bug: 290018030 Test: m rust Change-Id: I0b25bcaa18d167fb9c2d63e637833d4935dc8ff4
2023-07-21 19:13:48 +01:00 · 2023-07-21 19:13:48 +01:00 · f580fe5799
commit f580fe5799
parent 1c77579a06
2 changed files with 7 additions and 2 deletions
--- a/libstats/pull_rust/stats_pull.rs
+++ b/libstats/pull_rust/stats_pull.rs
@ -111,7 +111,9 @@ lazy_static! {
    static ref COOKIES: Mutex<HashMap<i32, fn() -> StatsPullResult>> = Mutex::new(HashMap::new());
 }

-// Safety: We store our callbacks in the global so they are valid.
+/// # Safety
+///
+/// `data` must be a valid pointer with no aliases.
 unsafe extern "C" fn callback_wrapper(
    atom_tag: i32,
    data: *mut AStatsEventList,
@ -126,7 +128,8 @@ unsafe extern "C" fn callback_wrapper(
                let stats = cb();
                let result = stats
                    .iter()
-                    .map(|stat| stat.add_astats_event(&mut *data))
+                    // Safety: The caller promises that `data` is valid and unaliased.
+                    .map(|stat| stat.add_astats_event(unsafe { &mut *data }))
                    .collect::<Result<Vec<()>, StatsError>>();
                match result {
                    Ok(_) => {
--- a/trusty/libtrusty-rs/src/lib.rs
+++ b/trusty/libtrusty-rs/src/lib.rs
@ -102,6 +102,8 @@ impl TipcChannel {
        let file = File::options().read(true).write(true).open(device)?;

        let srv_name = CString::new(service).expect("Service name contained null bytes");
+        // SAFETY: The file descriptor is valid because it came from a `File`, and the name is a
+        // valid C string because it came from a `CString`.
        unsafe {
            tipc_connect(file.as_raw_fd(), srv_name.as_ptr())?;
        }