From d96ed862d21d64e9880998a40c8dd31ad6173b0e Mon Sep 17 00:00:00 2001 From: Chris Denton Date: Mon, 15 Jul 2024 06:45:17 +0000 Subject: [PATCH 1/3] Make pal/windows default to deny unsafe in unsafe --- std/src/sys/pal/windows/api.rs | 6 ++++-- std/src/sys/pal/windows/c.rs | 1 + std/src/sys/pal/windows/compat.rs | 8 +++++--- std/src/sys/pal/windows/fs.rs | 1 + std/src/sys/pal/windows/handle.rs | 1 + std/src/sys/pal/windows/io.rs | 1 + std/src/sys/pal/windows/mod.rs | 11 +++++++---- std/src/sys/pal/windows/net.rs | 4 ++-- std/src/sys/pal/windows/os.rs | 1 + std/src/sys/pal/windows/pipe.rs | 1 + std/src/sys/pal/windows/stack_overflow.rs | 1 + std/src/sys/pal/windows/thread.rs | 1 + 12 files changed, 26 insertions(+), 11 deletions(-) diff --git a/std/src/sys/pal/windows/api.rs b/std/src/sys/pal/windows/api.rs index 17a0e47ad5950..00c816a6c09b8 100644 --- a/std/src/sys/pal/windows/api.rs +++ b/std/src/sys/pal/windows/api.rs @@ -227,8 +227,10 @@ pub fn set_file_information_by_handle( info: *const c_void, size: u32, ) -> Result<(), WinError> { - let result = c::SetFileInformationByHandle(handle, class, info, size); - (result != 0).then_some(()).ok_or_else(get_last_error) + unsafe { + let result = c::SetFileInformationByHandle(handle, class, info, size); + (result != 0).then_some(()).ok_or_else(get_last_error) + } } // SAFETY: The `SetFileInformation` trait ensures that this is safe. unsafe { set_info(handle, T::CLASS, info.as_ptr(), info.size()) } diff --git a/std/src/sys/pal/windows/c.rs b/std/src/sys/pal/windows/c.rs index 7dfda4f714c77..710dc97d150c6 100644 --- a/std/src/sys/pal/windows/c.rs +++ b/std/src/sys/pal/windows/c.rs @@ -4,6 +4,7 @@ #![cfg_attr(test, allow(dead_code))] #![unstable(issue = "none", feature = "windows_c")] #![allow(clippy::style)] +#![allow(unsafe_op_in_unsafe_fn)] use crate::ffi::CStr; use crate::mem; diff --git a/std/src/sys/pal/windows/compat.rs b/std/src/sys/pal/windows/compat.rs index f5d57a28db69a..190e6ba0cf24f 100644 --- a/std/src/sys/pal/windows/compat.rs +++ b/std/src/sys/pal/windows/compat.rs @@ -111,9 +111,11 @@ impl Module { /// This should only be use for modules that exist for the lifetime of std /// (e.g. kernel32 and ntdll). pub unsafe fn new(name: &CStr) -> Option { - // SAFETY: A CStr is always null terminated. - let module = c::GetModuleHandleA(name.as_ptr().cast::()); - NonNull::new(module).map(Self) + unsafe { + // SAFETY: A CStr is always null terminated. + let module = c::GetModuleHandleA(name.as_ptr().cast::()); + NonNull::new(module).map(Self) + } } // Try to get the address of a function. diff --git a/std/src/sys/pal/windows/fs.rs b/std/src/sys/pal/windows/fs.rs index cc68f5ef5f08c..37a4587dccf0a 100644 --- a/std/src/sys/pal/windows/fs.rs +++ b/std/src/sys/pal/windows/fs.rs @@ -1,3 +1,4 @@ +#![allow(unsafe_op_in_unsafe_fn)] use core::ptr::addr_of; use crate::os::windows::prelude::*; diff --git a/std/src/sys/pal/windows/handle.rs b/std/src/sys/pal/windows/handle.rs index 3f85bb0a099a9..21b9f6b816b58 100644 --- a/std/src/sys/pal/windows/handle.rs +++ b/std/src/sys/pal/windows/handle.rs @@ -1,4 +1,5 @@ #![unstable(issue = "none", feature = "windows_handle")] +#![allow(unsafe_op_in_unsafe_fn)] #[cfg(test)] mod tests; diff --git a/std/src/sys/pal/windows/io.rs b/std/src/sys/pal/windows/io.rs index 77b8f3c410eb8..6b05791a4ec2c 100644 --- a/std/src/sys/pal/windows/io.rs +++ b/std/src/sys/pal/windows/io.rs @@ -1,3 +1,4 @@ +#![allow(unsafe_op_in_unsafe_fn)] use crate::marker::PhantomData; use crate::mem::size_of; use crate::os::windows::io::{AsHandle, AsRawHandle, BorrowedHandle}; diff --git a/std/src/sys/pal/windows/mod.rs b/std/src/sys/pal/windows/mod.rs index 6406cec9c27d2..e070251fbdba5 100644 --- a/std/src/sys/pal/windows/mod.rs +++ b/std/src/sys/pal/windows/mod.rs @@ -1,4 +1,5 @@ #![allow(missing_docs, nonstandard_style)] +#![deny(unsafe_op_in_unsafe_fn)] use crate::ffi::{OsStr, OsString}; use crate::io::ErrorKind; @@ -54,11 +55,13 @@ impl IoResult for Result { // SAFETY: must be called only once during runtime initialization. // NOTE: this is not guaranteed to run, for example when Rust code is called externally. pub unsafe fn init(_argc: isize, _argv: *const *const u8, _sigpipe: u8) { - stack_overflow::init(); + unsafe { + stack_overflow::init(); - // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already - // exists, we have to call it ourselves. - thread::Thread::set_name_wide(wide_str!("main")); + // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already + // exists, we have to call it ourselves. + thread::Thread::set_name_wide(wide_str!("main")); + } } // SAFETY: must be called only once during runtime cleanup. diff --git a/std/src/sys/pal/windows/net.rs b/std/src/sys/pal/windows/net.rs index 9e15b15a3513a..37a38e2940fd4 100644 --- a/std/src/sys/pal/windows/net.rs +++ b/std/src/sys/pal/windows/net.rs @@ -436,7 +436,7 @@ impl Socket { pub unsafe fn from_raw(raw: c::SOCKET) -> Self { debug_assert_eq!(mem::size_of::(), mem::size_of::()); debug_assert_eq!(mem::align_of::(), mem::align_of::()); - Self::from_raw_socket(raw as RawSocket) + unsafe { Self::from_raw_socket(raw as RawSocket) } } } @@ -486,6 +486,6 @@ impl IntoRawSocket for Socket { impl FromRawSocket for Socket { unsafe fn from_raw_socket(raw_socket: RawSocket) -> Self { - Self(FromRawSocket::from_raw_socket(raw_socket)) + unsafe { Self(FromRawSocket::from_raw_socket(raw_socket)) } } } diff --git a/std/src/sys/pal/windows/os.rs b/std/src/sys/pal/windows/os.rs index 62199c16bfed3..d406e4e797a0f 100644 --- a/std/src/sys/pal/windows/os.rs +++ b/std/src/sys/pal/windows/os.rs @@ -1,6 +1,7 @@ //! Implementation of `std::os` functionality for Windows. #![allow(nonstandard_style)] +#![allow(unsafe_op_in_unsafe_fn)] #[cfg(test)] mod tests; diff --git a/std/src/sys/pal/windows/pipe.rs b/std/src/sys/pal/windows/pipe.rs index 67ef3ca82da02..ebf6435e83549 100644 --- a/std/src/sys/pal/windows/pipe.rs +++ b/std/src/sys/pal/windows/pipe.rs @@ -1,3 +1,4 @@ +#![allow(unsafe_op_in_unsafe_fn)] use crate::os::windows::prelude::*; use crate::ffi::OsStr; diff --git a/std/src/sys/pal/windows/stack_overflow.rs b/std/src/sys/pal/windows/stack_overflow.rs index f93f31026f818..9f83c4a1760c4 100644 --- a/std/src/sys/pal/windows/stack_overflow.rs +++ b/std/src/sys/pal/windows/stack_overflow.rs @@ -1,4 +1,5 @@ #![cfg_attr(test, allow(dead_code))] +#![allow(unsafe_op_in_unsafe_fn)] use crate::sys::c; use crate::thread; diff --git a/std/src/sys/pal/windows/thread.rs b/std/src/sys/pal/windows/thread.rs index 70099e0a3b560..7d79439d056f9 100644 --- a/std/src/sys/pal/windows/thread.rs +++ b/std/src/sys/pal/windows/thread.rs @@ -1,3 +1,4 @@ +#![allow(unsafe_op_in_unsafe_fn)] use crate::ffi::CStr; use crate::io; use crate::num::NonZero; From 3c286d52b7dc2c0f0074bc28c9818e05cc398367 Mon Sep 17 00:00:00 2001 From: Chris Denton Date: Mon, 15 Jul 2024 07:10:41 +0000 Subject: [PATCH 2/3] Make os/windows default to deny unsafe in unsafe --- std/src/os/windows/io/raw.rs | 28 ++++++++++++++++++---------- std/src/os/windows/io/socket.rs | 8 +++++--- std/src/os/windows/mod.rs | 1 + std/src/os/windows/process.rs | 4 ++-- 4 files changed, 26 insertions(+), 15 deletions(-) diff --git a/std/src/os/windows/io/raw.rs b/std/src/os/windows/io/raw.rs index 770583a9ce3e0..343cc6e4a8a5a 100644 --- a/std/src/os/windows/io/raw.rs +++ b/std/src/os/windows/io/raw.rs @@ -159,10 +159,12 @@ fn stdio_handle(raw: RawHandle) -> RawHandle { impl FromRawHandle for fs::File { #[inline] unsafe fn from_raw_handle(handle: RawHandle) -> fs::File { - let handle = handle as sys::c::HANDLE; - fs::File::from_inner(sys::fs::File::from_inner(FromInner::from_inner( - OwnedHandle::from_raw_handle(handle), - ))) + unsafe { + let handle = handle as sys::c::HANDLE; + fs::File::from_inner(sys::fs::File::from_inner(FromInner::from_inner( + OwnedHandle::from_raw_handle(handle), + ))) + } } } @@ -260,24 +262,30 @@ impl AsRawSocket for net::UdpSocket { impl FromRawSocket for net::TcpStream { #[inline] unsafe fn from_raw_socket(sock: RawSocket) -> net::TcpStream { - let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); - net::TcpStream::from_inner(sys_common::net::TcpStream::from_inner(sock)) + unsafe { + let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); + net::TcpStream::from_inner(sys_common::net::TcpStream::from_inner(sock)) + } } } #[stable(feature = "from_raw_os", since = "1.1.0")] impl FromRawSocket for net::TcpListener { #[inline] unsafe fn from_raw_socket(sock: RawSocket) -> net::TcpListener { - let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); - net::TcpListener::from_inner(sys_common::net::TcpListener::from_inner(sock)) + unsafe { + let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); + net::TcpListener::from_inner(sys_common::net::TcpListener::from_inner(sock)) + } } } #[stable(feature = "from_raw_os", since = "1.1.0")] impl FromRawSocket for net::UdpSocket { #[inline] unsafe fn from_raw_socket(sock: RawSocket) -> net::UdpSocket { - let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); - net::UdpSocket::from_inner(sys_common::net::UdpSocket::from_inner(sock)) + unsafe { + let sock = sys::net::Socket::from_inner(OwnedSocket::from_raw_socket(sock)); + net::UdpSocket::from_inner(sys_common::net::UdpSocket::from_inner(sock)) + } } } diff --git a/std/src/os/windows/io/socket.rs b/std/src/os/windows/io/socket.rs index 6ffdf907c8ed3..4334d041439d9 100644 --- a/std/src/os/windows/io/socket.rs +++ b/std/src/os/windows/io/socket.rs @@ -76,7 +76,7 @@ impl BorrowedSocket<'_> { #[stable(feature = "io_safety", since = "1.63.0")] pub const unsafe fn borrow_raw(socket: RawSocket) -> Self { assert!(socket != sys::c::INVALID_SOCKET as RawSocket); - Self { socket, _phantom: PhantomData } + unsafe { Self { socket, _phantom: PhantomData } } } } @@ -201,8 +201,10 @@ impl IntoRawSocket for OwnedSocket { impl FromRawSocket for OwnedSocket { #[inline] unsafe fn from_raw_socket(socket: RawSocket) -> Self { - debug_assert_ne!(socket, sys::c::INVALID_SOCKET as RawSocket); - Self { socket } + unsafe { + debug_assert_ne!(socket, sys::c::INVALID_SOCKET as RawSocket); + Self { socket } + } } } diff --git a/std/src/os/windows/mod.rs b/std/src/os/windows/mod.rs index 52eb3b7c06769..f452403ee8426 100644 --- a/std/src/os/windows/mod.rs +++ b/std/src/os/windows/mod.rs @@ -24,6 +24,7 @@ #![stable(feature = "rust1", since = "1.0.0")] #![doc(cfg(windows))] +#![deny(unsafe_op_in_unsafe_fn)] pub mod ffi; pub mod fs; diff --git a/std/src/os/windows/process.rs b/std/src/os/windows/process.rs index 05ffb8925a1f0..3927b2ed9bb5c 100644 --- a/std/src/os/windows/process.rs +++ b/std/src/os/windows/process.rs @@ -16,7 +16,7 @@ use crate::sys_common::{AsInner, AsInnerMut, FromInner, IntoInner}; #[stable(feature = "process_extensions", since = "1.2.0")] impl FromRawHandle for process::Stdio { unsafe fn from_raw_handle(handle: RawHandle) -> process::Stdio { - let handle = sys::handle::Handle::from_raw_handle(handle as *mut _); + let handle = unsafe { sys::handle::Handle::from_raw_handle(handle as *mut _) }; let io = sys::process::Stdio::Handle(handle); process::Stdio::from_inner(io) } @@ -407,7 +407,7 @@ impl CommandExt for process::Command { attribute: usize, value: T, ) -> &mut process::Command { - self.as_inner_mut().raw_attribute(attribute, value); + unsafe { self.as_inner_mut().raw_attribute(attribute, value) }; self } } From 1b70afd5267455366baeaf886f7a5f9d4bdbe842 Mon Sep 17 00:00:00 2001 From: Chris Denton Date: Mon, 15 Jul 2024 07:30:11 +0000 Subject: [PATCH 3/3] Move safety comment outside unsafe block --- std/src/sys/pal/windows/compat.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/std/src/sys/pal/windows/compat.rs b/std/src/sys/pal/windows/compat.rs index 190e6ba0cf24f..49fa1603f3e1e 100644 --- a/std/src/sys/pal/windows/compat.rs +++ b/std/src/sys/pal/windows/compat.rs @@ -111,8 +111,8 @@ impl Module { /// This should only be use for modules that exist for the lifetime of std /// (e.g. kernel32 and ntdll). pub unsafe fn new(name: &CStr) -> Option { + // SAFETY: A CStr is always null terminated. unsafe { - // SAFETY: A CStr is always null terminated. let module = c::GetModuleHandleA(name.as_ptr().cast::()); NonNull::new(module).map(Self) }