Resolve unsafe_op_in_unsafe_fn in wasmtime crate (#11432)

alexcrichton · web-flow · commit 8d4e92348064 · 2025-08-14T14:22:41.000Z
Just a few unsafe blocks remain Closes #11180
diff --git a/crates/wasmtime/src/engine.rs b/crates/wasmtime/src/engine.rs
@@ -845,7 +845,9 @@ impl Engine {
         memory: NonNull<[u8]>,
         expected: ObjectKind,
     ) -> Result<Arc<crate::CodeMemory>> {
-        self.load_code(crate::runtime::vm::MmapVec::from_raw(memory)?, expected)
+        // SAFETY: the contract of this function is the same as that of
+        // `from_raw`.
+        unsafe { self.load_code(crate::runtime::vm::MmapVec::from_raw(memory)?, expected) }
     }
 
     /// Like `load_code_bytes`, but creates a mmap from a file on disk.
@@ -925,8 +927,11 @@ impl Engine {
         assert_eq!(Arc::weak_count(&self.inner), 0);
         assert_eq!(Arc::strong_count(&self.inner), 1);
 
+        // SAFETY: the contract of this function is the same as `deinit_traps`.
         #[cfg(not(miri))]
-        crate::runtime::vm::deinit_traps();
+        unsafe {
+            crate::runtime::vm::deinit_traps();
+        }
     }
 }
 
diff --git a/crates/wasmtime/src/lib.rs b/crates/wasmtime/src/lib.rs
@@ -292,7 +292,6 @@
 // and will prevent the doc build from failing.
 #![cfg_attr(feature = "default", warn(rustdoc::broken_intra_doc_links))]
 #![no_std]
-#![expect(unsafe_op_in_unsafe_fn, reason = "crate isn't migrated yet")]
 
 #[cfg(feature = "std")]
 #[macro_use]
@@ -352,8 +351,10 @@ macro_rules! map_maybe_uninit {
 pub trait MaybeUninitExt<T> {
     /// Maps `MaybeUninit<T>` to `MaybeUninit<U>` using the closure provided.
     ///
-    /// Note that this is `unsafe` as there is no guarantee that `U` comes from
-    /// `T`.
+    /// # Safety
+    ///
+    /// Requires that `*mut U` is a field projection from `*mut T`. Use
+    /// `map_maybe_uninit!` above instead.
     unsafe fn map<U>(&mut self, f: impl FnOnce(*mut T) -> *mut U)
     -> &mut core::mem::MaybeUninit<U>;
 }
@@ -364,7 +365,10 @@ impl<T> MaybeUninitExt<T> for core::mem::MaybeUninit<T> {
         f: impl FnOnce(*mut T) -> *mut U,
     ) -> &mut core::mem::MaybeUninit<U> {
         let new_ptr = f(self.as_mut_ptr());
-        core::mem::transmute::<*mut U, &mut core::mem::MaybeUninit<U>>(new_ptr)
+        // SAFETY: the memory layout of these two types are the same, and
+        // asserting that it's a safe reference with the same lifetime as `self`
+        // is a requirement of this function itself.
+        unsafe { core::mem::transmute::<*mut U, &mut core::mem::MaybeUninit<U>>(new_ptr) }
     }
 }
 
diff --git a/crates/wasmtime/src/runtime.rs b/crates/wasmtime/src/runtime.rs
@@ -25,10 +25,6 @@
 // explanation of why truncation shouldn't be happening at runtime. This
 // situation should be pretty rare though.
 #![warn(clippy::cast_possible_truncation)]
-#![warn(
-    unsafe_op_in_unsafe_fn,
-    reason = "opt-in until the crate opts-in as a whole -- #11180"
-)]
 
 #[macro_use]
 pub(crate) mod func;
