bjoernager/rust
bjoernager/rust
1
Fork 0
Code Activity

The unsafety in iter.rs is already documented wonderfully

Browse source
This commit is contained in:
Oliver Scherer 2019-10-25 18:35:51 +02:00
parent 34f7fcb862
commit e28287b32c
1 changed files with 8 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/libcore/array/iter.rs
View file

@ -51,7 +51,7 @@ where
/// iterator (either via `IntoIterator` for arrays or via another way). /// iterator (either via `IntoIterator` for arrays or via another way).
#[unstable(feature = "array_value_iter", issue = "65798")] #[unstable(feature = "array_value_iter", issue = "65798")]
pub fn new(array: [T; N]) -> Self { pub fn new(array: [T; N]) -> Self {
// The transmute here is actually safe. The docs of `MaybeUninit` // SAFETY: The transmute here is actually safe. The docs of `MaybeUninit`
// promise: // promise:
// //
// > `MaybeUninit<T>` is guaranteed to have the same size and alignment // > `MaybeUninit<T>` is guaranteed to have the same size and alignment
@ -84,10 +84,10 @@ where
/// Returns an immutable slice of all elements that have not been yielded /// Returns an immutable slice of all elements that have not been yielded
/// yet. /// yet.
fn as_slice(&self) -> &[T] { fn as_slice(&self) -> &[T] {
// This transmute is safe. As mentioned in `new`, `MaybeUninit` retains let slice = &self.data[self.alive.clone()];
// SAFETY: This transmute is safe. As mentioned in `new`, `MaybeUninit` retains
// the size and alignment of `T`. Furthermore, we know that all // the size and alignment of `T`. Furthermore, we know that all
// elements within `alive` are properly initialized. // elements within `alive` are properly initialized.
let slice = &self.data[self.alive.clone()];
unsafe { unsafe {
mem::transmute::<&[MaybeUninit<T>], &[T]>(slice) mem::transmute::<&[MaybeUninit<T>], &[T]>(slice)
} }
@ -117,7 +117,8 @@ where
let idx = self.alive.start; let idx = self.alive.start;
self.alive.start += 1; self.alive.start += 1;
// Read the element from the array. This is safe: `idx` is an index // Read the element from the array.
// SAFETY: This is safe: `idx` is an index
// into the "alive" region of the array. Reading this element means // into the "alive" region of the array. Reading this element means
// that `data[idx]` is regarded as dead now (i.e. do not touch). As // that `data[idx]` is regarded as dead now (i.e. do not touch). As
// `idx` was the start of the alive-zone, the alive zone is now // `idx` was the start of the alive-zone, the alive zone is now
@ -163,7 +164,8 @@ where
// + 1]`. // + 1]`.
self.alive.end -= 1; self.alive.end -= 1;
// Read the element from the array. This is safe: `alive.end` is an // Read the element from the array.
// SAFETY: This is safe: `alive.end` is an
// index into the "alive" region of the array. Compare the previous // index into the "alive" region of the array. Compare the previous
// comment that states that the alive region is // comment that states that the alive region is
// `data[alive.start..alive.end + 1]`. Reading this element means that // `data[alive.start..alive.end + 1]`. Reading this element means that
@ -226,6 +228,7 @@ where
[T; N]: LengthAtMost32, [T; N]: LengthAtMost32,
{ {
fn clone(&self) -> Self { fn clone(&self) -> Self {
// SAFETY: each point of unsafety is documented inside the unsafe block
unsafe { unsafe {
// This creates a new uninitialized array. Note that the `assume_init` // This creates a new uninitialized array. Note that the `assume_init`
// refers to the array, not the individual elements. And it is Ok if // refers to the array, not the individual elements. And it is Ok if