From 2402e84e78c2e2503a088e7d6d1b7501a8f00983 Mon Sep 17 00:00:00 2001
From: Chris Denton <chris@chrisdenton.dev>
Date: Mon, 15 Jul 2024 06:45:17 +0000
Subject: [PATCH 1/3] Make pal/windows default to deny unsafe in unsafe
---
library/std/src/sys/pal/windows/api.rs | 6 ++++--
library/std/src/sys/pal/windows/c.rs | 1 +
library/std/src/sys/pal/windows/compat.rs | 8 +++++---
library/std/src/sys/pal/windows/fs.rs | 1 +
library/std/src/sys/pal/windows/handle.rs | 1 +
library/std/src/sys/pal/windows/io.rs | 1 +
library/std/src/sys/pal/windows/mod.rs | 11 +++++++----
library/std/src/sys/pal/windows/net.rs | 4 ++--
library/std/src/sys/pal/windows/os.rs | 1 +
library/std/src/sys/pal/windows/pipe.rs | 1 +
library/std/src/sys/pal/windows/stack_overflow.rs | 1 +
library/std/src/sys/pal/windows/thread.rs | 1 +
12 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/library/std/src/sys/pal/windows/api.rs b/library/std/src/sys/pal/windows/api.rs
index 17a0e47ad59..00c816a6c09 100644
--- a/library/std/src/sys/pal/windows/api.rs
+++ b/library/std/src/sys/pal/windows/api.rs
@@ -227,8 +227,10 @@ pub fn set_file_information_by_handle<T: SetFileInformation>(
info: *const c_void,
size: u32,
) -> Result<(), WinError> {
- let result = c::SetFileInformationByHandle(handle, class, info, size);
- (result != 0).then_some(()).ok_or_else(get_last_error)
+ unsafe {
+ let result = c::SetFileInformationByHandle(handle, class, info, size);
+ (result != 0).then_some(()).ok_or_else(get_last_error)
+ }
}
// SAFETY: The `SetFileInformation` trait ensures that this is safe.
unsafe { set_info(handle, T::CLASS, info.as_ptr(), info.size()) }
diff --git a/library/std/src/sys/pal/windows/c.rs b/library/std/src/sys/pal/windows/c.rs
index 7dfda4f714c..710dc97d150 100644
--- a/library/std/src/sys/pal/windows/c.rs
+++ b/library/std/src/sys/pal/windows/c.rs
@@ -4,6 +4,7 @@
#![cfg_attr(test, allow(dead_code))]
#![unstable(issue = "none", feature = "windows_c")]
#![allow(clippy::style)]
+#![allow(unsafe_op_in_unsafe_fn)]
use crate::ffi::CStr;
use crate::mem;
diff --git a/library/std/src/sys/pal/windows/compat.rs b/library/std/src/sys/pal/windows/compat.rs
index f5d57a28db6..190e6ba0cf2 100644
--- a/library/std/src/sys/pal/windows/compat.rs
+++ b/library/std/src/sys/pal/windows/compat.rs
@@ -111,9 +111,11 @@ impl Module {
/// This should only be use for modules that exist for the lifetime of std
/// (e.g. kernel32 and ntdll).
pub unsafe fn new(name: &CStr) -> Option<Self> {
- // SAFETY: A CStr is always null terminated.
- let module = c::GetModuleHandleA(name.as_ptr().cast::<u8>());
- NonNull::new(module).map(Self)
+ unsafe {
+ // SAFETY: A CStr is always null terminated.
+ let module = c::GetModuleHandleA(name.as_ptr().cast::<u8>());
+ NonNull::new(module).map(Self)
+ }
}
// Try to get the address of a function.
diff --git a/library/std/src/sys/pal/windows/fs.rs b/library/std/src/sys/pal/windows/fs.rs
index cc68f5ef5f0..37a4587dccf 100644
--- a/library/std/src/sys/pal/windows/fs.rs
+++ b/library/std/src/sys/pal/windows/fs.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
use core::ptr::addr_of;
use crate::os::windows::prelude::*;
diff --git a/library/std/src/sys/pal/windows/handle.rs b/library/std/src/sys/pal/windows/handle.rs
index 3f85bb0a099..21b9f6b816b 100644
--- a/library/std/src/sys/pal/windows/handle.rs
+++ b/library/std/src/sys/pal/windows/handle.rs
@@ -1,4 +1,5 @@
#![unstable(issue = "none", feature = "windows_handle")]
+#![allow(unsafe_op_in_unsafe_fn)]
#[cfg(test)]
mod tests;
diff --git a/library/std/src/sys/pal/windows/io.rs b/library/std/src/sys/pal/windows/io.rs
index 77b8f3c410e..6b05791a4ec 100644
--- a/library/std/src/sys/pal/windows/io.rs
+++ b/library/std/src/sys/pal/windows/io.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
use crate::marker::PhantomData;
use crate::mem::size_of;
use crate::os::windows::io::{AsHandle, AsRawHandle, BorrowedHandle};
diff --git a/library/std/src/sys/pal/windows/mod.rs b/library/std/src/sys/pal/windows/mod.rs
index 6406cec9c27..e070251fbdb 100644
--- a/library/std/src/sys/pal/windows/mod.rs
+++ b/library/std/src/sys/pal/windows/mod.rs
@@ -1,4 +1,5 @@
#![allow(missing_docs, nonstandard_style)]
+#![deny(unsafe_op_in_unsafe_fn)]
use crate::ffi::{OsStr, OsString};
use crate::io::ErrorKind;
@@ -54,11 +55,13 @@ impl<T> IoResult<T> for Result<T, api::WinError> {
// SAFETY: must be called only once during runtime initialization.
// NOTE: this is not guaranteed to run, for example when Rust code is called externally.
pub unsafe fn init(_argc: isize, _argv: *const *const u8, _sigpipe: u8) {
- stack_overflow::init();
+ unsafe {
+ stack_overflow::init();
- // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already
- // exists, we have to call it ourselves.
- thread::Thread::set_name_wide(wide_str!("main"));
+ // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already
+ // exists, we have to call it ourselves.
+ thread::Thread::set_name_wide(wide_str!("main"));
+ }
}
// SAFETY: must be called only once during runtime cleanup.
diff --git a/library/std/src/sys/pal/windows/net.rs b/library/std/src/sys/pal/windows/net.rs
index 9e15b15a351..37a38e2940f 100644
--- a/library/std/src/sys/pal/windows/net.rs
+++ b/library/std/src/sys/pal/windows/net.rs
@@ -436,7 +436,7 @@ impl Socket {
pub unsafe fn from_raw(raw: c::SOCKET) -> Self {
debug_assert_eq!(mem::size_of::<c::SOCKET>(), mem::size_of::<RawSocket>());
debug_assert_eq!(mem::align_of::<c::SOCKET>(), mem::align_of::<RawSocket>());
- Self::from_raw_socket(raw as RawSocket)
+ unsafe { Self::from_raw_socket(raw as RawSocket) }
}
}
@@ -486,6 +486,6 @@ impl IntoRawSocket for Socket {
impl FromRawSocket for Socket {
unsafe fn from_raw_socket(raw_socket: RawSocket) -> Self {
- Self(FromRawSocket::from_raw_socket(raw_socket))
+ unsafe { Self(FromRawSocket::from_raw_socket(raw_socket)) }
}
}
diff --git a/library/std/src/sys/pal/windows/os.rs b/library/std/src/sys/pal/windows/os.rs
index 62199c16bfe..d406e4e797a 100644
--- a/library/std/src/sys/pal/windows/os.rs
+++ b/library/std/src/sys/pal/windows/os.rs
@@ -1,6 +1,7 @@
//! Implementation of `std::os` functionality for Windows.
#![allow(nonstandard_style)]
+#![allow(unsafe_op_in_unsafe_fn)]
#[cfg(test)]
mod tests;
diff --git a/library/std/src/sys/pal/windows/pipe.rs b/library/std/src/sys/pal/windows/pipe.rs
index 67ef3ca82da..ebf6435e835 100644
--- a/library/std/src/sys/pal/windows/pipe.rs
+++ b/library/std/src/sys/pal/windows/pipe.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
use crate::os::windows::prelude::*;
use crate::ffi::OsStr;
diff --git a/library/std/src/sys/pal/windows/stack_overflow.rs b/library/std/src/sys/pal/windows/stack_overflow.rs
index f93f31026f8..9f83c4a1760 100644
--- a/library/std/src/sys/pal/windows/stack_overflow.rs
+++ b/library/std/src/sys/pal/windows/stack_overflow.rs
@@ -1,4 +1,5 @@
#![cfg_attr(test, allow(dead_code))]
+#![allow(unsafe_op_in_unsafe_fn)]
use crate::sys::c;
use crate::thread;
diff --git a/library/std/src/sys/pal/windows/thread.rs b/library/std/src/sys/pal/windows/thread.rs
index 70099e0a3b5..7d79439d056 100644
--- a/library/std/src/sys/pal/windows/thread.rs
+++ b/library/std/src/sys/pal/windows/thread.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
use crate::ffi::CStr;
use crate::io;
use crate::num::NonZero;
From 3411a025d5716967ba9bc8b259acd687998bcc40 Mon Sep 17 00:00:00 2001
From: Chris Denton <chris@chrisdenton.dev>
Date: Mon, 15 Jul 2024 07:10:41 +0000
Subject: [PATCH 2/3] Make os/windows default to deny unsafe in unsafe
---
library/std/src/os/windows/io/raw.rs | 28 ++++++++++++++++---------
library/std/src/os/windows/io/socket.rs | 8 ++++---
library/std/src/os/windows/mod.rs | 1 +
library/std/src/os/windows/process.rs | 4 ++--
4 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/library/std/src/os/windows/io/raw.rs b/library/std/src/os/windows/io/raw.rs
index 770583a9ce3..343cc6e4a8a 100644
--- a/library/std/src/os/windows/io/raw.rs
+++ b/library/std/src/os/windows/io/raw.rs
@@ -159,10 +159,12 @@ fn stdio_handle(raw: RawHandle) -> RawHandle {
impl FromRawHandle for fs::File {
#[inline]
unsafe fn from_raw_handle(handle: RawHandle) -> fs::File {
- let handle = handle as sys::c::HANDLE;
- fs::File::from_inner(sys::fs::File::from_inner(FromInner::from_inner(
- OwnedHandle::from_raw_handle(handle),
- )))
+ unsafe {
+ let handle = handle as sys::c::HANDLE;
+ fs::File::from_inner(sys::fs::File::from_inner(FromInner::from_inner(
+ OwnedHandle::from_raw_handle(handle),
+ )))
+ }
}
}
@@ -260,24 +262,30 @@ impl AsRawSocket for net::UdpSocket {
impl FromRawSocket for net::TcpStream {
#[inline]
unsafe fn from_raw_socket(sock: RawSocket) -> net::TcpStream {
- let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
- net::TcpStream::from_inner(sys_common::net::TcpStream::from_inner(sock))
+ unsafe {
+ let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
+ net::TcpStream::from_inner(sys_common::net::TcpStream::from_inner(sock))
+ }
}
}
#[stable(feature = "from_raw_os", since = "1.1.0")]
impl FromRawSocket for net::TcpListener {
#[inline]
unsafe fn from_raw_socket(sock: RawSocket) -> net::TcpListener {
- let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
- net::TcpListener::from_inner(sys_common::net::TcpListener::from_inner(sock))
+ unsafe {
+ let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
+ net::TcpListener::from_inner(sys_common::net::TcpListener::from_inner(sock))
+ }
}
}
#[stable(feature = "from_raw_os", since = "1.1.0")]
impl FromRawSocket for net::UdpSocket {
#[inline]
unsafe fn from_raw_socket(sock: RawSocket) -> net::UdpSocket {
- let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
- net::UdpSocket::from_inner(sys_common::net::UdpSocket::from_inner(sock))
+ unsafe {
+ let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock));
+ net::UdpSocket::from_inner(sys_common::net::UdpSocket::from_inner(sock))
+ }
}
}
diff --git a/library/std/src/os/windows/io/socket.rs b/library/std/src/os/windows/io/socket.rs
index 6ffdf907c8e..4334d041439 100644
--- a/library/std/src/os/windows/io/socket.rs
+++ b/library/std/src/os/windows/io/socket.rs
@@ -76,7 +76,7 @@ impl BorrowedSocket<'_> {
#[stable(feature = "io_safety", since = "1.63.0")]
pub const unsafe fn borrow_raw(socket: RawSocket) -> Self {
assert!(socket != sys::c::INVALID_SOCKET as RawSocket);
- Self { socket, _phantom: PhantomData }
+ unsafe { Self { socket, _phantom: PhantomData } }
}
}
@@ -201,8 +201,10 @@ impl IntoRawSocket for OwnedSocket {
impl FromRawSocket for OwnedSocket {
#[inline]
unsafe fn from_raw_socket(socket: RawSocket) -> Self {
- debug_assert_ne!(socket, sys::c::INVALID_SOCKET as RawSocket);
- Self { socket }
+ unsafe {
+ debug_assert_ne!(socket, sys::c::INVALID_SOCKET as RawSocket);
+ Self { socket }
+ }
}
}
diff --git a/library/std/src/os/windows/mod.rs b/library/std/src/os/windows/mod.rs
index 52eb3b7c067..f452403ee84 100644
--- a/library/std/src/os/windows/mod.rs
+++ b/library/std/src/os/windows/mod.rs
@@ -24,6 +24,7 @@
#![stable(feature = "rust1", since = "1.0.0")]
#![doc(cfg(windows))]
+#![deny(unsafe_op_in_unsafe_fn)]
pub mod ffi;
pub mod fs;
diff --git a/library/std/src/os/windows/process.rs b/library/std/src/os/windows/process.rs
index 05ffb8925a1..3927b2ed9bb 100644
--- a/library/std/src/os/windows/process.rs
+++ b/library/std/src/os/windows/process.rs
@@ -16,7 +16,7 @@ use crate::sys_common::{AsInner, AsInnerMut, FromInner, IntoInner};
#[stable(feature = "process_extensions", since = "1.2.0")]
impl FromRawHandle for process::Stdio {
unsafe fn from_raw_handle(handle: RawHandle) -> process::Stdio {
- let handle = sys::handle::Handle::from_raw_handle(handle as *mut _);
+ let handle = unsafe { sys::handle::Handle::from_raw_handle(handle as *mut _) };
let io = sys::process::Stdio::Handle(handle);
process::Stdio::from_inner(io)
}
@@ -407,7 +407,7 @@ impl CommandExt for process::Command {
attribute: usize,
value: T,
) -> &mut process::Command {
- self.as_inner_mut().raw_attribute(attribute, value);
+ unsafe { self.as_inner_mut().raw_attribute(attribute, value) };
self
}
}
From 7e16d5fb6111fc974c5b9a2aff951f2eb07b3deb Mon Sep 17 00:00:00 2001
From: Chris Denton <chris@chrisdenton.dev>
Date: Mon, 15 Jul 2024 07:30:11 +0000
Subject: [PATCH 3/3] Move safety comment outside unsafe block
---
library/std/src/sys/pal/windows/compat.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/std/src/sys/pal/windows/compat.rs b/library/std/src/sys/pal/windows/compat.rs
index 190e6ba0cf2..49fa1603f3e 100644
--- a/library/std/src/sys/pal/windows/compat.rs
+++ b/library/std/src/sys/pal/windows/compat.rs
@@ -111,8 +111,8 @@ impl Module {
/// This should only be use for modules that exist for the lifetime of std
/// (e.g. kernel32 and ntdll).
pub unsafe fn new(name: &CStr) -> Option<Self> {
+ // SAFETY: A CStr is always null terminated.
unsafe {
- // SAFETY: A CStr is always null terminated.
let module = c::GetModuleHandleA(name.as_ptr().cast::<u8>());
NonNull::new(module).map(Self)
}