Explain why pointer::add in slice::as_ptr_range is safe.

2019-10-25 15:21:00 +02:00 · 2019-10-25 15:21:00 +02:00 · de9b660a40
commit de9b660a40
parent f1b69b0a87
1 changed files with 18 additions and 0 deletions
--- a/src/libcore/slice/mod.rs
+++ b/src/libcore/slice/mod.rs
@ -437,6 +437,23 @@ impl<T> [T] {
    #[unstable(feature = "slice_ptr_range", issue = "65807")]
    #[inline]
    pub fn as_ptr_range(&self) -> Range<*const T> {
+        // The `add` here is safe, because:
+        //
+        //   - Both pointers are part of the same object, as pointing directly
+        //     past the object also counts.
+        //
+        //   - The size of the slice is never larger than isize::MAX bytes, as
+        //     noted here:
+        //       - https://github.com/rust-lang/unsafe-code-guidelines/issues/102#issuecomment-473340447
+        //       - https://doc.rust-lang.org/reference/behavior-considered-undefined.html
+        //       - https://doc.rust-lang.org/core/slice/fn.from_raw_parts.html#safety
+        //     (This doesn't seem normative yet, but the very same assumption is
+        //     made in many places, including the Index implementation of slices.)
+        //
+        //   - There is no wrapping around involved, as slices do not wrap past
+        //     the end of the address space.
+        //
+        // See the documentation of pointer::add.
        let start = self.as_ptr();
        let end = unsafe { start.add(self.len()) };
        start..end
@ -461,6 +478,7 @@ impl<T> [T] {
    #[unstable(feature = "slice_ptr_range", issue = "65807")]
    #[inline]
    pub fn as_mut_ptr_range(&mut self) -> Range<*mut T> {
+        // See as_ptr_range() above for why `add` here is safe.
        let start = self.as_mut_ptr();
        let end = unsafe { start.add(self.len()) };
        start..end