Enable the unsafe-op-in-unsafe-fn lint (#10559)

* Enable the `unsafe-op-in-unsafe-fn` lint

This commit enables the `unsafe-op-in-unsafe-fn` lint in rustc for the
entire workspace. This lint will be warn-by-default in the 2024 edition
so this is intended to smooth the future migration to the new edition.

Many `unsafe` blocks were added in places the lint warned about, with
two major exceptions. The `wasmtime` and `wasmtime-c-api` crates simply
expect this lint to fire and effectively disable the lint. They're too
big at this time to do through this PR. My hope is that one day in the
future they'll be migrated, but more realistically that probably won't
happen so these crates just won't benefit from this lint.

* Fix nostd fiber build

prtest:full

* Fix build on Windows

* Fix asan build

Author: alexcrichton

Cargo.toml

@@ -196,6 +196,7 @@ rust-2024-prelude-collisions = 'warn'
 rust-2024-incompatible-pat = 'warn'
 missing-unsafe-on-extern = 'warn'
 impl-trait-overcaptures = 'warn'
+unsafe-op-in-unsafe-fn = 'warn'
 
 # Don't warn about unknown cfgs for pulley
 [workspace.lints.rust.unexpected_cfgs]

cranelift/codegen/src/data_value.rs

@@ -231,13 +231,13 @@ impl DataValue {
     /// Write a [DataValue] to a memory location in native-endian byte order.
     pub unsafe fn write_value_to(&self, p: *mut u128) {
         let size = self.ty().bytes() as usize;
-        self.write_to_slice_ne(std::slice::from_raw_parts_mut(p as *mut u8, size));
+        self.write_to_slice_ne(unsafe { std::slice::from_raw_parts_mut(p as *mut u8, size) });
     }
 
     /// Read a [DataValue] from a memory location using a given [Type] in native-endian byte order.
     pub unsafe fn read_value_from(p: *const u128, ty: Type) -> Self {
         DataValue::read_from_slice_ne(
-            std::slice::from_raw_parts(p as *const u8, ty.bytes() as usize),
+            unsafe { std::slice::from_raw_parts(p as *const u8, ty.bytes() as usize) },
             ty,
         )
     }

cranelift/entity/src/boxed_slice.rs

@@ -33,7 +33,7 @@ where
     /// This relies on `raw` pointing to a valid slice of `V`s.
     pub unsafe fn from_raw(raw: *mut [V]) -> Self {
         Self {
-            elems: Box::from_raw(raw),
+            elems: unsafe { Box::from_raw(raw) },
             unused: PhantomData,
         }
     }

cranelift/filetests/src/function_runner.rs

@@ -394,14 +394,16 @@ impl<'a> Trampoline<'a> {
             | Architecture::Pulley32be
             | Architecture::Pulley64be => {
                 let mut state = pulley::Vm::new();
-                state.call(
-                    NonNull::new(trampoline_ptr.cast_mut()).unwrap(),
-                    &[
-                        pulley::XRegVal::new_ptr(function_ptr.cast_mut()).into(),
-                        pulley::XRegVal::new_ptr(arguments_address).into(),
-                    ],
-                    [],
-                );
+                unsafe {
+                    state.call(
+                        NonNull::new(trampoline_ptr.cast_mut()).unwrap(),
+                        &[
+                            pulley::XRegVal::new_ptr(function_ptr.cast_mut()).into(),
+                            pulley::XRegVal::new_ptr(arguments_address).into(),
+                        ],
+                        [],
+                    );
+                }
             }
 
             // Other targets natively execute this machine code.

cranelift/jit/src/lib.rs

@@ -4,6 +4,7 @@
 //! which shows how to use some of the features of `cranelift_jit`.
 
 #![deny(missing_docs, unreachable_pub)]
+#![expect(unsafe_op_in_unsafe_fn, reason = "crate isn't migrated yet")]
 
 mod backend;
 mod compiled_blob;

crates/c-api/src/lib.rs

@@ -13,6 +13,7 @@
 //! specific to Wasmtime and has fewer gymnastics to implement.
 
 #![expect(non_camel_case_types, reason = "matching C style, not Rust")]
+#![expect(unsafe_op_in_unsafe_fn, reason = "crate isn't migrated yet")]
 
 pub use wasmtime;
 

crates/environ/src/stack_map.rs

@@ -103,7 +103,7 @@ impl<'a> StackMap<'a> {
     /// map is associated with.
     pub unsafe fn sp(&self, fp: *mut usize) -> *mut usize {
         let frame_size = usize::try_from(self.frame_size).unwrap();
-        fp.byte_sub(frame_size)
+        unsafe { fp.byte_sub(frame_size) }
     }
 
     /// Given the stack pointer, get a reference to each live GC reference in
@@ -117,7 +117,7 @@ impl<'a> StackMap<'a> {
         self.offsets().map(move |i| {
             log::trace!("Live GC ref in frame at frame offset {:#x}", i);
             let i = usize::try_from(i).unwrap();
-            let ptr_to_gc_ref = sp.byte_add(i);
+            let ptr_to_gc_ref = unsafe { sp.byte_add(i) };
 
             // Assert that the pointer is inside this stack map's frame.
             assert!({

crates/fiber/src/lib.rs

@@ -70,9 +70,9 @@ impl FiberStack {
     /// The caller must properly allocate the stack space with a guard page and
     /// make the pages accessible for correct behavior.
     pub unsafe fn from_raw_parts(bottom: *mut u8, guard_size: usize, len: usize) -> Result<Self> {
-        Ok(Self(imp::FiberStack::from_raw_parts(
-            bottom, guard_size, len,
-        )?))
+        Ok(Self(unsafe {
+            imp::FiberStack::from_raw_parts(bottom, guard_size, len)?
+        }))
     }
 
     /// Gets the top of the stack.

crates/fiber/src/nostd.rs

@@ -81,7 +81,7 @@ impl FiberStack {
     pub unsafe fn from_raw_parts(base: *mut u8, guard_size: usize, len: usize) -> Result<Self> {
         Ok(FiberStack {
             storage: vec![],
-            base: BasePtr(base.offset(isize::try_from(guard_size).unwrap())),
+            base: BasePtr(unsafe { base.offset(isize::try_from(guard_size).unwrap()) }),
             len,
         })
     }
@@ -174,15 +174,19 @@ impl Suspend {
     }
 
     unsafe fn take_resume<A, B, C>(&self) -> A {
-        match (*self.result_location::<A, B, C>()).replace(RunResult::Executing) {
-            RunResult::Resuming(val) => val,
-            _ => panic!("not in resuming state"),
+        unsafe {
+            match (*self.result_location::<A, B, C>()).replace(RunResult::Executing) {
+                RunResult::Resuming(val) => val,
+                _ => panic!("not in resuming state"),
+            }
         }
     }
 
     unsafe fn result_location<A, B, C>(&self) -> *const Cell<RunResult<A, B, C>> {
-        let ret = self.top_of_stack.cast::<*const u8>().offset(-1).read();
-        assert!(!ret.is_null());
-        ret.cast()
+        unsafe {
+            let ret = self.top_of_stack.cast::<*const u8>().offset(-1).read();
+            assert!(!ret.is_null());
+            ret.cast()
+        }
     }
 }

crates/fiber/src/unix.rs

@@ -90,7 +90,7 @@ impl FiberStack {
             return Self::from_custom(asan::new_fiber_stack(len)?);
         }
         Ok(FiberStack {
-            base: BasePtr(base.add(guard_size)),
+            base: BasePtr(unsafe { base.add(guard_size) }),
             len,
             storage: FiberStackStorage::Unmanaged(guard_size),
         })
@@ -277,16 +277,20 @@ impl Suspend {
     }
 
     unsafe fn take_resume<A, B, C>(&self) -> A {
-        match (*self.result_location::<A, B, C>()).replace(RunResult::Executing) {
-            RunResult::Resuming(val) => val,
-            _ => panic!("not in resuming state"),
+        unsafe {
+            match (*self.result_location::<A, B, C>()).replace(RunResult::Executing) {
+                RunResult::Resuming(val) => val,
+                _ => panic!("not in resuming state"),
+            }
         }
     }
 
     unsafe fn result_location<A, B, C>(&self) -> *const Cell<RunResult<A, B, C>> {
-        let ret = self.top_of_stack.cast::<*const u8>().offset(-1).read();
-        assert!(!ret.is_null());
-        ret.cast()
+        unsafe {
+            let ret = self.top_of_stack.cast::<*const u8>().offset(-1).read();
+            assert!(!ret.is_null());
+            ret.cast()
+        }
     }
 }
 
@@ -370,15 +374,19 @@ mod asan {
         // trigger false positives in ASAN. That leads to the design of this
         // module as-is where this function exists to have these three
         // functions very close to one another.
-        __sanitizer_start_switch_fiber(private_asan_pointer_ref, prev.bottom, prev.size);
-        super::wasmtime_fiber_switch(top_of_stack);
-        __sanitizer_finish_switch_fiber(private_asan_pointer, &mut prev.bottom, &mut prev.size);
+        unsafe {
+            __sanitizer_start_switch_fiber(private_asan_pointer_ref, prev.bottom, prev.size);
+            super::wasmtime_fiber_switch(top_of_stack);
+            __sanitizer_finish_switch_fiber(private_asan_pointer, &mut prev.bottom, &mut prev.size);
+        }
     }
 
     /// Hook for when a fiber first starts, used to configure ASAN.
     pub unsafe fn fiber_start_complete() -> PreviousStack {
         let mut ret = PreviousStack::default();
-        __sanitizer_finish_switch_fiber(std::ptr::null_mut(), &mut ret.bottom, &mut ret.size);
+        unsafe {
+            __sanitizer_finish_switch_fiber(std::ptr::null_mut(), &mut ret.bottom, &mut ret.size);
+        }
         ret
     }
 
@@ -485,7 +493,9 @@ mod asan_disabled {
         _prev: &mut PreviousStack,
     ) {
         assert!(super::SUPPORTED_ARCH);
-        super::wasmtime_fiber_switch(top_of_stack);
+        unsafe {
+            super::wasmtime_fiber_switch(top_of_stack);
+        }
     }
 
     #[inline]