Mark unsafe raw_ptr<T> operations as unsafe.

tsepez · copybara-github · commit 4e92c91bb300 · 2025-08-04T13:11:11.000-07:00
Single-file CL for easy revert should we have missed some places where unsafe operations are present in the prior CLs. Bug: 435068772 Cq-Include-Trybots: luci.chromium.try:linux-v4l2-codec-rel Change-Id: I46d611d306049e8b8d538682aaab2eeb8aa6074f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6803421 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/main@{#1496539} NOKEYCHECK=True GitOrigin-RevId: 11bf594ca1bc0c9d9d143a53f9323b120c1db123
diff --git a/src/partition_alloc/pointers/raw_ptr.h b/src/partition_alloc/pointers/raw_ptr.h
@@ -680,29 +680,31 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     return static_cast<U*>(GetForExtraction());
   }
 
-  PA_ALWAYS_INLINE constexpr raw_ptr& operator++() {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator++() {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot increment raw_ptr unless AllowPtrArithmetic trait is present.");
     wrapped_ptr_ = Impl::Advance(wrapped_ptr_, 1, true);
     return *this;
   }
-  PA_ALWAYS_INLINE constexpr raw_ptr& operator--() {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator--() {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot decrement raw_ptr unless AllowPtrArithmetic trait is present.");
     wrapped_ptr_ = Impl::Retreat(wrapped_ptr_, 1, true);
     return *this;
   }
-  PA_ALWAYS_INLINE constexpr raw_ptr operator++(int /* post_increment */) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr operator++(
+      int /* post_increment */) {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot increment raw_ptr unless AllowPtrArithmetic trait is present.");
     raw_ptr result = *this;
     ++(*this);
     return result;
   }
-  PA_ALWAYS_INLINE constexpr raw_ptr operator--(int /* post_decrement */) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr operator--(
+      int /* post_decrement */) {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot decrement raw_ptr unless AllowPtrArithmetic trait is present.");
@@ -713,7 +715,8 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   template <
       typename Z,
       typename = std::enable_if_t<partition_alloc::internal::is_offset_type<Z>>>
-  PA_ALWAYS_INLINE constexpr raw_ptr& operator+=(Z delta_elems) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator+=(
+      Z delta_elems) {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot increment raw_ptr unless AllowPtrArithmetic trait is present.");
@@ -723,7 +726,8 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   template <
       typename Z,
       typename = std::enable_if_t<partition_alloc::internal::is_offset_type<Z>>>
-  PA_ALWAYS_INLINE constexpr raw_ptr& operator-=(Z delta_elems) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator-=(
+      Z delta_elems) {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot decrement raw_ptr unless AllowPtrArithmetic trait is present.");
@@ -736,7 +740,8 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
             typename = std::enable_if_t<
                 !std::is_void_v<typename std::remove_cv<U>::type> &&
                 partition_alloc::internal::is_offset_type<Z>>>
-  PA_ALWAYS_INLINE constexpr U& operator[](Z delta_elems) const {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr U& operator[](
+      Z delta_elems) const {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot index raw_ptr unless AllowPtrArithmetic trait is present.");
@@ -760,8 +765,9 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   // generate code that converts `raw_ptr<T>` to `T*` and adds uint64_t to that,
   // bypassing the OOB protection entirely.
   template <typename Z>
-  PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(const raw_ptr& p,
-                                                      Z delta_elems) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(
+      const raw_ptr& p,
+      Z delta_elems) {
     // Don't check `is_offset_type<Z>` here, as existence of `Advance` is
     // already gated on that, and we'd get double errors.
     static_assert(
@@ -771,13 +777,15 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     return result;
   }
   template <typename Z>
-  PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(Z delta_elems,
-                                                      const raw_ptr& p) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(
+      Z delta_elems,
+      const raw_ptr& p) {
     return p + delta_elems;
   }
   template <typename Z>
-  PA_ALWAYS_INLINE friend constexpr raw_ptr operator-(const raw_ptr& p,
-                                                      Z delta_elems) {
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator-(
+      const raw_ptr& p,
+      Z delta_elems) {
     // Don't check `is_offset_type<Z>` here, as existence of `Retreat` is
     // already gated on that, and we'd get double errors.
     static_assert(raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
