mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-10-23 04:46:29 +00:00
clippy: enforce safety doc comment
BUG=b:316168567 TEST=none Change-Id: I4e0a74e509ed4ef672fb9f334654a50aa5e257f1 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/5118513 Reviewed-by: Dennis Kempin <denniskempin@google.com> Commit-Queue: Vikram Auradkar <auradkar@google.com>
This commit is contained in:
parent
32bf962689
commit
96b82c0294
11 changed files with 75 additions and 3 deletions
|
@ -4,9 +4,6 @@
|
|||
# https://github.com/rust-lang/cargo/issues/5034
|
||||
[build]
|
||||
rustflags = [
|
||||
# TODO(crbug/908640): To be resolved.
|
||||
"-Aclippy::missing_safety_doc", # 26 errors
|
||||
|
||||
# We don't care about these lints. Okay to remain suppressed globally.
|
||||
"-Aclippy::bool_assert_comparison",
|
||||
"-Aclippy::cast_lossless",
|
||||
|
|
|
@ -170,6 +170,7 @@ pub unsafe fn ioctl_with_val(descriptor: &dyn AsRawDescriptor, nr: IoctlNr, arg:
|
|||
|
||||
/// Run an ioctl with an immutable reference.
|
||||
/// # Safety
|
||||
///
|
||||
/// The caller is responsible for determining the safety of the particular ioctl.
|
||||
pub unsafe fn ioctl_with_ref<T>(descriptor: &dyn AsRawDescriptor, nr: IoctlNr, arg: &T) -> c_int {
|
||||
libc::ioctl(
|
||||
|
@ -181,6 +182,7 @@ pub unsafe fn ioctl_with_ref<T>(descriptor: &dyn AsRawDescriptor, nr: IoctlNr, a
|
|||
|
||||
/// Run an ioctl with a mutable reference.
|
||||
/// # Safety
|
||||
///
|
||||
/// The caller is responsible for determining the safety of the particular ioctl.
|
||||
pub unsafe fn ioctl_with_mut_ref<T>(
|
||||
descriptor: &dyn AsRawDescriptor,
|
||||
|
|
|
@ -166,6 +166,12 @@ pub unsafe extern "C" fn crosvm_client_balloon_vms(
|
|||
}
|
||||
|
||||
/// See crosvm_client_balloon_vms.
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// Function is unsafe due to raw pointer usage - a null pointer could be passed in. Usage of
|
||||
/// !raw_pointer.is_null() checks should prevent unsafe behavior but the caller should ensure no
|
||||
/// null pointers are passed.
|
||||
#[cfg(any(target_os = "android", target_os = "linux"))]
|
||||
#[no_mangle]
|
||||
pub unsafe extern "C" fn crosvm_client_balloon_vms_wait_with_timeout(
|
||||
|
@ -710,6 +716,12 @@ pub unsafe extern "C" fn crosvm_client_balloon_stats(
|
|||
}
|
||||
|
||||
/// See crosvm_client_balloon_stats.
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// Function is unsafe due to raw pointer usage - a null pointer could be passed in. Usage of
|
||||
/// !raw_pointer.is_null() checks should prevent unsafe behavior but the caller should ensure no
|
||||
/// null pointers are passed.
|
||||
#[cfg(any(target_os = "android", target_os = "linux"))]
|
||||
#[no_mangle]
|
||||
pub unsafe extern "C" fn crosvm_client_balloon_stats_with_timeout(
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#![cfg(any(target_os = "android", target_os = "linux"))]
|
||||
#![cfg(target_arch = "x86_64")]
|
||||
#![allow(non_camel_case_types)]
|
||||
#![allow(clippy::missing_safety_doc)]
|
||||
|
||||
//! This module implements the dynamically loaded client library API used by a crosvm plugin,
|
||||
//! defined in `crosvm.h`. It implements the client half of the plugin protocol, which is defined in
|
||||
|
|
|
@ -682,6 +682,8 @@ impl TypedTrb for PortStatusChangeEventTrb {
|
|||
const TY: TrbType = TrbType::PortStatusChangeEvent;
|
||||
}
|
||||
|
||||
/// # Safety
|
||||
///
|
||||
/// All trb structs have the same size. One trb could be safely casted to another, though the
|
||||
/// values might be invalid.
|
||||
pub unsafe trait TrbCast: FromBytes + AsBytes + TypedTrb {
|
||||
|
|
|
@ -383,6 +383,9 @@ impl VfioContainer {
|
|||
}
|
||||
}
|
||||
|
||||
/// # Safety
|
||||
///
|
||||
/// The caller is responsible for determining the safety of the VFIO_IOMMU_MAP_DMA ioctl.
|
||||
pub unsafe fn vfio_dma_map(
|
||||
&self,
|
||||
iova: u64,
|
||||
|
@ -401,6 +404,9 @@ impl VfioContainer {
|
|||
}
|
||||
}
|
||||
|
||||
/// # Safety
|
||||
///
|
||||
/// The caller is responsible for determining the safety of the VFIO_IOMMU_MAP_DMA ioctl.
|
||||
unsafe fn vfio_iommu_type1_dma_map(
|
||||
&self,
|
||||
iova: u64,
|
||||
|
@ -1824,6 +1830,9 @@ impl VfioDevice {
|
|||
}
|
||||
|
||||
/// Add (iova, user_addr) map into vfio container iommu table
|
||||
/// # Safety
|
||||
///
|
||||
/// The caller is responsible for determining the safety of the VFIO_IOMMU_MAP_DMA ioctl.
|
||||
pub unsafe fn vfio_dma_map(
|
||||
&self,
|
||||
iova: u64,
|
||||
|
|
|
@ -202,6 +202,11 @@ pub trait TapTCommon: Read + Write + AsRawDescriptor + Send + Sized {
|
|||
fn try_clone(&self) -> Result<Self>;
|
||||
|
||||
/// Convert raw descriptor to
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that RawDescriptor stays valid as long as the lifetime
|
||||
/// of Self.
|
||||
unsafe fn from_raw_descriptor(descriptor: RawDescriptor) -> Result<Self>;
|
||||
}
|
||||
|
||||
|
|
|
@ -17,6 +17,10 @@ pub use shm::SharedMemory;
|
|||
pub use sys::platform::descriptor::RawDescriptor;
|
||||
pub use sys::platform::shm::round_up_to_page_size;
|
||||
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that MappedRegion's lifetime contains the lifetime of
|
||||
/// pointer returned.
|
||||
pub unsafe trait MappedRegion: Send + Sync {
|
||||
/// Returns a pointer to the beginning of the memory region. Should only be
|
||||
/// used for passing this region to ioctls for setting guest memory.
|
||||
|
|
|
@ -29,18 +29,34 @@ impl<T> __IncompleteArrayField<T> {
|
|||
pub fn new() -> Self {
|
||||
__IncompleteArrayField(::std::marker::PhantomData)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements matches
|
||||
/// those of `T`s.
|
||||
#[inline]
|
||||
pub unsafe fn as_ptr(&self) -> *const T {
|
||||
::std::mem::transmute(self)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements matches
|
||||
/// those of `T`s.
|
||||
#[inline]
|
||||
pub unsafe fn as_mut_ptr(&mut self) -> *mut T {
|
||||
::std::mem::transmute(self)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements matches
|
||||
/// those of `T`s.
|
||||
#[inline]
|
||||
pub unsafe fn as_slice(&self, len: usize) -> &[T] {
|
||||
::std::slice::from_raw_parts(self.as_ptr(), len)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements matches
|
||||
/// those of `T`s.
|
||||
#[inline]
|
||||
pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] {
|
||||
::std::slice::from_raw_parts_mut(self.as_mut_ptr(), len)
|
||||
|
|
|
@ -23,10 +23,18 @@ impl<T> __IncompleteArrayField<T> {
|
|||
pub fn as_mut_ptr(&mut self) -> *mut T {
|
||||
self as *mut _ as *mut T
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements match
|
||||
/// those of `T`'s.
|
||||
#[inline]
|
||||
pub unsafe fn as_slice(&self, len: usize) -> &[T] {
|
||||
::std::slice::from_raw_parts(self.as_ptr(), len)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self's size and alignment requirements match
|
||||
/// those of `T`'s.
|
||||
#[inline]
|
||||
pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] {
|
||||
::std::slice::from_raw_parts_mut(self.as_mut_ptr(), len)
|
||||
|
|
|
@ -28,19 +28,35 @@ impl<T> __IncompleteArrayField<T> {
|
|||
pub fn new() -> Self {
|
||||
__IncompleteArrayField(::std::marker::PhantomData, [])
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self`s size, alignment and lifetime are
|
||||
/// compatible with returned values requirements.
|
||||
#[inline]
|
||||
pub unsafe fn as_ptr(&self) -> *const T {
|
||||
::std::mem::transmute(self)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self`s size, alignment and lifetime are
|
||||
/// compatible with returned values requirements.
|
||||
#[inline]
|
||||
pub unsafe fn as_mut_ptr(&mut self) -> *mut T {
|
||||
::std::mem::transmute(self)
|
||||
}
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self`s size, alignment and lifetime are
|
||||
/// compatible with returned values requirements.
|
||||
#[inline]
|
||||
pub unsafe fn as_slice(&self, len: usize) -> &[T] {
|
||||
::std::slice::from_raw_parts(self.as_ptr(), len)
|
||||
}
|
||||
#[inline]
|
||||
/// # Safety
|
||||
///
|
||||
/// Caller must ensure that Self`s size, alignment and lifetime are
|
||||
/// compatible with returned values requirements.
|
||||
pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] {
|
||||
::std::slice::from_raw_parts_mut(self.as_mut_ptr(), len)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue