Propagate UNSAFETY through partition alloc raw pointers

tsepez · copybara-github · commit a25ec884fd1d · 2025-08-04T15:58:28.000-07:00
Remove the file-wide pragmas, and mark on an expression by expression basis. Fixed: 435068772 Change-Id: I2ec753cdc931e56f82d43f3fcc7760ac80108483 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6806664 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/main@{#1496622} NOKEYCHECK=True GitOrigin-RevId: ff17a643261da04611e1a0692cf70afe9a224e7e
diff --git a/src/partition_alloc/pointers/raw_ptr.h b/src/partition_alloc/pointers/raw_ptr.h
@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
-#pragma allow_unsafe_buffers
-#endif
-
 // IWYU pragma: private, include "base/memory/raw_ptr.h"
 
 #ifndef PARTITION_ALLOC_POINTERS_RAW_PTR_H_
@@ -680,20 +675,23 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     return static_cast<U*>(GetForExtraction());
   }
 
+  // PRECONDITIONS: `this` must not be at the end of the range.
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator++() {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot increment raw_ptr unless AllowPtrArithmetic trait is present.");
-    wrapped_ptr_ = Impl::Advance(wrapped_ptr_, 1, true);
+    wrapped_ptr_ = PA_UNSAFE_TODO(Impl::Advance(wrapped_ptr_, 1, true));
     return *this;
   }
+  // PRECONDITIONS: `this` must not be at the start of the range.
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr& operator--() {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot decrement raw_ptr unless AllowPtrArithmetic trait is present.");
-    wrapped_ptr_ = Impl::Retreat(wrapped_ptr_, 1, true);
+    wrapped_ptr_ = PA_UNSAFE_TODO(Impl::Retreat(wrapped_ptr_, 1, true));
     return *this;
   }
+  // PRECONDITIONS: `this` must not be at the end of the range.
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr operator++(
       int /* post_increment */) {
     static_assert(
@@ -703,6 +701,7 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     ++(*this);
     return result;
   }
+  // PRECONDITIONS: `this` must not be at the start of the range.
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE constexpr raw_ptr operator--(
       int /* post_decrement */) {
     static_assert(
@@ -712,6 +711,7 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     --(*this);
     return result;
   }
+  // PRECONDITIONS: `this` must be at least `delta_elems` before range end.
   template <
       typename Z,
       typename = std::enable_if_t<partition_alloc::internal::is_offset_type<Z>>>
@@ -720,9 +720,11 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot increment raw_ptr unless AllowPtrArithmetic trait is present.");
-    wrapped_ptr_ = Impl::Advance(wrapped_ptr_, delta_elems, true);
+    wrapped_ptr_ =
+        PA_UNSAFE_TODO(Impl::Advance(wrapped_ptr_, delta_elems, true));
     return *this;
   }
+  // PRECONDITIONS: `this` must be at least `delta_elems` after range start.
   template <
       typename Z,
       typename = std::enable_if_t<partition_alloc::internal::is_offset_type<Z>>>
@@ -731,10 +733,12 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot decrement raw_ptr unless AllowPtrArithmetic trait is present.");
-    wrapped_ptr_ = Impl::Retreat(wrapped_ptr_, delta_elems, true);
+    wrapped_ptr_ =
+        PA_UNSAFE_TODO(Impl::Retreat(wrapped_ptr_, delta_elems, true));
     return *this;
   }
 
+  // PRECONDITIONS: `delta_elems` must be an index inside the range.
   template <typename Z,
             typename U = T,
             typename = std::enable_if_t<
@@ -748,7 +752,7 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     // Call SafelyUnwrapPtrForDereference() to simulate what GetForDereference()
     // does, but without creating a temporary.
     return *Impl::SafelyUnwrapPtrForDereference(
-        Impl::Advance(wrapped_ptr_, delta_elems, false));
+        PA_UNSAFE_TODO(Impl::Advance(wrapped_ptr_, delta_elems, false)));
   }
 
   // Do not disable operator+() and operator-().
@@ -764,6 +768,8 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   // operators for Z=uint64_t on 32-bit systems. The compiler instead would
   // generate code that converts `raw_ptr<T>` to `T*` and adds uint64_t to that,
   // bypassing the OOB protection entirely.
+  //
+  // PRECONDITIONS: `this` must be at least `delta_elems` before range end.
   template <typename Z>
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(
       const raw_ptr& p,
@@ -773,15 +779,18 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     static_assert(
         raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
         "cannot add to raw_ptr unless AllowPtrArithmetic trait is present.");
-    raw_ptr result = Impl::Advance(p.wrapped_ptr_, delta_elems, false);
+    raw_ptr result =
+        PA_UNSAFE_TODO(Impl::Advance(p.wrapped_ptr_, delta_elems, false));
     return result;
   }
+  // PRECONDITIONS: `this` must be at least `delta_elems` before range end.
   template <typename Z>
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator+(
       Z delta_elems,
       const raw_ptr& p) {
     return p + delta_elems;
   }
+  // PRECONDITIONS: `this` must be at least `delta_elems` after range start.
   template <typename Z>
   PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE friend constexpr raw_ptr operator-(
       const raw_ptr& p,
@@ -791,7 +800,8 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
     static_assert(raw_ptr_traits::IsPtrArithmeticAllowed(Traits),
                   "cannot subtract from raw_ptr unless AllowPtrArithmetic "
                   "trait is present.");
-    raw_ptr result = Impl::Retreat(p.wrapped_ptr_, delta_elems, false);
+    raw_ptr result =
+        PA_UNSAFE_TODO(Impl::Retreat(p.wrapped_ptr_, delta_elems, false));
     return result;
   }
 
diff --git a/src/partition_alloc/pointers/raw_ptr_backup_ref_impl.h b/src/partition_alloc/pointers/raw_ptr_backup_ref_impl.h
@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
-#pragma allow_unsafe_buffers
-#endif
-
 #ifndef PARTITION_ALLOC_POINTERS_RAW_PTR_BACKUP_REF_IMPL_H_
 #define PARTITION_ALLOC_POINTERS_RAW_PTR_BACKUP_REF_IMPL_H_
 
@@ -340,15 +335,18 @@ struct RawPtrBackupRefImpl {
   // Advance the wrapped pointer by `delta_elems`.
   // `is_in_pointer_modification` means that the result is intended to modify
   // the pointer (as opposed to creating a new one).
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` before the
+  // end of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Advance(T* wrapped_ptr, Z delta_elems, bool is_in_pointer_modification) {
+    // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
     if (partition_alloc::internal::base::is_constant_evaluated()) {
-      return wrapped_ptr + delta_elems;
+      return PA_UNSAFE_BUFFERS(wrapped_ptr + delta_elems);
     }
     T* unpoisoned_ptr = UnpoisonPtr(wrapped_ptr);
     // When modifying the pointer, we have to make sure it doesn't migrate to a
@@ -357,24 +355,29 @@ struct RawPtrBackupRefImpl {
     // properly. Do it anyway if extra OOB checks are enabled.
     if (PA_BUILDFLAG(BACKUP_REF_PTR_EXTRA_OOB_CHECKS) ||
         is_in_pointer_modification) {
+      // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
       return VerifyAndPoisonPointerAfterAdvanceOrRetreat(
-          unpoisoned_ptr, unpoisoned_ptr + delta_elems);
+          unpoisoned_ptr, PA_UNSAFE_BUFFERS(unpoisoned_ptr + delta_elems));
     }
-    return unpoisoned_ptr + delta_elems;
+    // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
+    return PA_UNSAFE_BUFFERS(unpoisoned_ptr + delta_elems);
   }
 
   // Retreat the wrapped pointer by `delta_elems`.
   // `is_in_pointer_modification` means that the result is intended to modify
   // the pointer (as opposed to creating a new one).
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` after
+  // the start of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Retreat(T* wrapped_ptr, Z delta_elems, bool is_in_pointer_modification) {
     if (partition_alloc::internal::base::is_constant_evaluated()) {
-      return wrapped_ptr - delta_elems;
+      // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
+      return PA_UNSAFE_BUFFERS(wrapped_ptr - delta_elems);
     }
     T* unpoisoned_ptr = UnpoisonPtr(wrapped_ptr);
     // When modifying the pointer, we have to make sure it doesn't migrate to a
@@ -383,10 +386,12 @@ struct RawPtrBackupRefImpl {
     // properly. Do it anyway if extra OOB checks are enabled.
     if (PA_BUILDFLAG(BACKUP_REF_PTR_EXTRA_OOB_CHECKS) ||
         is_in_pointer_modification) {
+      // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
       return VerifyAndPoisonPointerAfterAdvanceOrRetreat(
-          unpoisoned_ptr, unpoisoned_ptr - delta_elems);
+          unpoisoned_ptr, PA_UNSAFE_BUFFERS(unpoisoned_ptr - delta_elems));
     }
-    return unpoisoned_ptr - delta_elems;
+    // SAFETY: Preconditions enforced by PA_UNSAFE_BUFFER_USAGE.
+    return PA_UNSAFE_BUFFERS(unpoisoned_ptr - delta_elems);
   }
 
   template <typename T>
diff --git a/src/partition_alloc/pointers/raw_ptr_hookable_impl.h b/src/partition_alloc/pointers/raw_ptr_hookable_impl.h
@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
-#pragma allow_unsafe_buffers
-#endif
-
 #ifndef PARTITION_ALLOC_POINTERS_RAW_PTR_HOOKABLE_IMPL_H_
 #define PARTITION_ALLOC_POINTERS_RAW_PTR_HOOKABLE_IMPL_H_
 
@@ -132,39 +127,45 @@ struct RawPtrHookableImpl {
   }
 
   // Advance the wrapped pointer by `delta_elems`.
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` before the
+  // end of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Advance(T* wrapped_ptr, Z delta_elems, bool /*is_in_pointer_modification*/) {
+    // SAFETY: required from caller, enforced by PA_UNSAFE_BUFFER_USAGE.
     if (!partition_alloc::internal::base::is_constant_evaluated()) {
       if (EnableHooks) {
-        GetRawPtrHooks()->advance(
-            reinterpret_cast<uintptr_t>(wrapped_ptr),
-            reinterpret_cast<uintptr_t>(wrapped_ptr + delta_elems));
+        GetRawPtrHooks()->advance(reinterpret_cast<uintptr_t>(wrapped_ptr),
+                                  reinterpret_cast<uintptr_t>(PA_UNSAFE_BUFFERS(
+                                      wrapped_ptr + delta_elems)));
       }
     }
-    return wrapped_ptr + delta_elems;
+    return PA_UNSAFE_BUFFERS(wrapped_ptr + delta_elems);
   }
 
   // Retreat the wrapped pointer by `delta_elems`.
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` after
+  // the start of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Retreat(T* wrapped_ptr, Z delta_elems, bool /*is_in_pointer_modification*/) {
+    // SAFETY: required from caller, enforced by PA_UNSAFE_BUFFER_USAGE.
     if (!partition_alloc::internal::base::is_constant_evaluated()) {
       if (EnableHooks) {
-        GetRawPtrHooks()->advance(
-            reinterpret_cast<uintptr_t>(wrapped_ptr),
-            reinterpret_cast<uintptr_t>(wrapped_ptr - delta_elems));
+        GetRawPtrHooks()->advance(reinterpret_cast<uintptr_t>(wrapped_ptr),
+                                  reinterpret_cast<uintptr_t>(PA_UNSAFE_BUFFERS(
+                                      wrapped_ptr - delta_elems)));
       }
     }
-    return wrapped_ptr - delta_elems;
+    return PA_UNSAFE_BUFFERS(wrapped_ptr - delta_elems);
   }
 
   template <typename T>
diff --git a/src/partition_alloc/pointers/raw_ptr_noop_impl.h b/src/partition_alloc/pointers/raw_ptr_noop_impl.h
@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
-#pragma allow_unsafe_buffers
-#endif
-
 #ifndef PARTITION_ALLOC_POINTERS_RAW_PTR_NOOP_IMPL_H_
 #define PARTITION_ALLOC_POINTERS_RAW_PTR_NOOP_IMPL_H_
 
@@ -68,25 +63,31 @@ struct RawPtrNoOpImpl {
   }
 
   // Advance the wrapped pointer by `delta_elems`.
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` before the
+  // end of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Advance(T* wrapped_ptr, Z delta_elems, bool /*is_in_pointer_modification*/) {
-    return wrapped_ptr + delta_elems;
+    // SAFETY: required from caller, enforced by PA_UNSAFE_BUFFER_USAGE.
+    return PA_UNSAFE_BUFFERS(wrapped_ptr + delta_elems);
   }
 
   // Retreat the wrapped pointer by `delta_elems`.
+  // PRECONDITIONS: `wrapped_ptr` must be at least `delta_elems` after
+  // the start of the range.
   template <
       typename T,
       typename Z,
       typename =
           std::enable_if_t<partition_alloc::internal::is_offset_type<Z>, void>>
-  PA_ALWAYS_INLINE static constexpr T*
+  PA_UNSAFE_BUFFER_USAGE PA_ALWAYS_INLINE static constexpr T*
   Retreat(T* wrapped_ptr, Z delta_elems, bool /*is_in_pointer_modification*/) {
-    return wrapped_ptr - delta_elems;
+    // SAFETY: required from caller, enforced by PA_UNSAFE_BUFFER_USAGE.
+    return PA_UNSAFE_BUFFERS(wrapped_ptr - delta_elems);
   }
 
   template <typename T>
