Safety comments are missing

[RalfJung]

mmap is an incredibly subtle topic when it comes to memory safety. Therefore, I would expect the unsafe functions in this library to really carefully document what is required to call them soundly. However, that is not the case -- functions like this don't have any safety comment at all!

I think the requirements are something like, "the caller must ensure that the file will not be mutated or truncated while the mapping exists".

[dhardy]

You should probably re-direct this comment at the fork memmap2-rs.
Also see RazrFalcon#101.

This type of safety does not appear to translate to Rust's unsafe well; e.g. this is used by fontdb::Database::make_shared_face_data, which is itself an unsafe method, but technically speaking (if I understand correctly) calling make_shared_face_data then makes usage of several other methods on that Database unsafe. Possibly this should instead be done via an unsafe variant of struct Database, but that API would be nigh-unusable.

[RalfJung]

This type of safety does not appear to translate to Rust's unsafe well;

Well, I would say it translates just fine, but the facilities provided by Linux unfortunately do not permit to ensure safety of mmap in a local way -- very global reasoning is required. In C that "just" makes it hard to reason about, in Rust it crosses the bar to "the type system cannot help you".

Thanks for the references, I will take a look at those crates!