sparse_mmap: remove C code and add SAFETY comments

Cargo.lock

@@ -6254,7 +6254,6 @@ dependencies = [
 name = "sparse_mmap"
 version = "0.0.0"
 dependencies = [
- "cc",
  "criterion",
  "getrandom",
  "libc",

support/sparse_mmap/Cargo.toml

@@ -6,9 +6,6 @@ name = "sparse_mmap"
 edition.workspace = true
 rust-version.workspace = true
 
-[build-dependencies]
-cc.workspace = true
-
 [dependencies]
 pal.workspace = true
 

support/sparse_mmap/src/alloc.rs

@@ -13,13 +13,22 @@ use unix as sys;
 use windows as sys;
 
 #[derive(Debug)]
+/// A `Box`-like smart pointer for memory mappings.
+/// Relies on the kernel interfaces rather than the
+/// standard library API. That allows for the low-level
+/// features this crate deals with.
 pub struct Allocation {
     ptr: *mut u8,
     size: usize,
     _dummy: std::marker::PhantomData<[u8]>,
 }
 
+// SAFETY: memory mappings are for created managing the guest memory
+// and expected to live longer than the guest and any threads running
+// the guest VPs. Essentially, these are constant when the guest runs.
+// Thus the `ptr` field can be sent to other threads.
 unsafe impl Send for Allocation {}
+// SAFETY: Same as above for the sharing considerations.
 unsafe impl Sync for Allocation {}
 
 impl Allocation {
@@ -35,6 +44,7 @@ impl Allocation {
 
 impl DerefMut for Allocation {
     fn deref_mut(&mut self) -> &mut [u8] {
+        // SAFETY: the pointer is valid.
         unsafe { slice::from_raw_parts_mut(self.ptr, self.size) }
     }
 }
@@ -43,12 +53,14 @@ impl Deref for Allocation {
     type Target = [u8];
 
     fn deref(&self) -> &[u8] {
+        // SAFETY: the pointer is valid.
         unsafe { slice::from_raw_parts(self.ptr, self.size) }
     }
 }
 
 impl Drop for Allocation {
     fn drop(&mut self) {
+        // SAFETY: the pointer is valid.
         unsafe {
             sys::free(self.ptr, self.size);
         }
@@ -70,6 +82,7 @@ impl Deref for SharedMem {
     type Target = [AtomicU8];
 
     fn deref(&self) -> &Self::Target {
+        // SAFETY: the pointer is valid.
         unsafe { slice::from_raw_parts(self.alloc.ptr as *const AtomicU8, self.alloc.size) }
     }
 }
@@ -85,6 +98,8 @@ mod windows {
     use windows_sys::Win32::System::Memory::PAGE_READWRITE;
 
     pub fn alloc(size: usize) -> std::io::Result<*mut u8> {
+        // SAFETY: Calling the system API as required. The parameters have
+        // valid values.
         let ptr = unsafe {
             VirtualAlloc(
                 ptr::null_mut(),
@@ -100,6 +115,8 @@ mod windows {
     }
 
     pub unsafe fn free(ptr: *mut u8, _size: usize) {
+        // SAFETY: Calling the system API as required. The parameters have
+        // valid values.
         let ret = unsafe { VirtualFree(ptr.cast(), 0, MEM_RELEASE) };
         assert!(ret != 0);
     }
@@ -110,6 +127,8 @@ mod unix {
     use std::ptr;
 
     pub fn alloc(size: usize) -> std::io::Result<*mut u8> {
+        // SAFETY: using the system API as required by the documentation.
+        // The values for the parameters are valid.
         let ptr = unsafe {
             libc::mmap(
                 ptr::null_mut(),
@@ -127,6 +146,8 @@ mod unix {
     }
 
     pub unsafe fn free(ptr: *mut u8, size: usize) {
+        // SAFETY: using the system API as required by the documentation.
+        // The values for the parameters are valid.
         let ret = unsafe { libc::munmap(ptr.cast::<libc::c_void>(), size) };
         assert!(ret == 0);
     }
@@ -138,6 +159,7 @@ mod tests {
 
     #[test]
     fn test_alloc_free() -> Result<(), Box<dyn std::error::Error>> {
+        // SAFETY: memory is not shared between threads.
         unsafe {
             let x = sys::alloc(4096)?;
             sys::free(x, 4096);

support/sparse_mmap/src/lib.rs

@@ -2,12 +2,11 @@
 // Licensed under the MIT License.
 
 //! Memory-related abstractions.
-
 // UNSAFETY: Manual pointer manipulation, dealing with mmap, and a signal handler.
 #![expect(unsafe_code)]
-#![allow(clippy::undocumented_unsafe_blocks)]
 
 pub mod alloc;
+mod trycopy_unix;
 mod trycopy_windows_arm64;
 mod trycopy_windows_x64;
 pub mod unix;
@@ -37,9 +36,8 @@ pub fn initialize_try_copy() {
     #[cfg(unix)]
     {
         static INIT: std::sync::Once = std::sync::Once::new();
-        INIT.call_once(|| unsafe {
-            let err = install_signal_handlers();
-            if err != 0 {
+        INIT.call_once(|| {
+            if let Err(err) = trycopy_unix::install_signal_handlers() {
                 panic!(
                     "could not install signal handlers: {}",
                     std::io::Error::from_raw_os_error(err)
@@ -50,9 +48,6 @@ pub fn initialize_try_copy() {
 }
 
 unsafe extern "C" {
-    #[cfg(unix)]
-    fn install_signal_handlers() -> i32;
-
     fn try_memmove(
         dest: *mut u8,
         src: *const u8,
@@ -634,6 +629,7 @@ mod tests {
         };
         let af_addr = &mut af as *mut _;
 
+        // SAFETY: no memory is shared between threads.
         let res = unsafe {
             match size {
                 Size::Bit8 => match primitive {
@@ -680,6 +676,7 @@ mod tests {
             "Fault address must not be set for {primitive:?} and {size:?}"
         );
 
+        // SAFETY: no memory is shared between threads.
         let res = unsafe {
             match size {
                 Size::Bit8 => match primitive {
@@ -745,13 +742,15 @@ mod tests {
 
         let mapping = SparseMapping::new(range_size).unwrap();
         mapping.alloc(page_size, page_size).unwrap();
+        // SAFETY: no memory is shared between threads.
         let slice = unsafe {
             std::slice::from_raw_parts_mut(mapping.as_ptr().add(page_size).cast::<u8>(), page_size)
         };
         slice.copy_from_slice(&BUF[..page_size]);
         mapping.unmap(page_size, page_size).unwrap();
 
         mapping.alloc(range_size - page_size, page_size).unwrap();
+        // SAFETY: no memory is shared between threads.
         let slice = unsafe {
             std::slice::from_raw_parts_mut(
                 mapping.as_ptr().add(range_size - page_size).cast::<u8>(),
@@ -780,6 +779,7 @@ mod tests {
         let page_size = SparseMapping::page_size();
         mapping.alloc(page_size, page_size).unwrap();
         let base = mapping.as_ptr().cast::<u8>();
+        // SAFETY: no memory is shared between threads.
         unsafe {
             try_copy(BUF.as_ptr(), base, 100).unwrap_err();
             try_copy(BUF.as_ptr(), base.add(page_size), 100).unwrap();
@@ -795,6 +795,7 @@ mod tests {
         let mapping = SparseMapping::new(page_size * 2).unwrap();
         mapping.alloc(0, page_size).unwrap();
         let base = mapping.as_ptr().cast::<u8>();
+        // SAFETY: no memory is shared between threads.
         unsafe {
             assert_eq!(try_compare_exchange(base.add(8), 0, 1).unwrap().unwrap(), 1);
             assert_eq!(