Replace safety_comment! with const blocks (#2483)

Replace:

  safety_comment! {
      /// SAFETY:
      /// ...
      foo!();
      bar!();
  }

With:

  // SAFETY: ...
  const _: () = unsafe {
      foo!();
      bar!();
  };

Remove the `safety_comment!` macro.

gherrit-pr-id: Id5df96f57c34a4e7e8d261399f01fd23cded339e

Author: joshlf

src/byteorder.rs

@@ -489,19 +489,19 @@ example of how it can be used for parsing UDP packets.
         #[cfg(not(any(feature = "derive", test)))]
         impl_known_layout!(O => $name<O>);
 
-        safety_comment! {
-            /// SAFETY:
-            /// `$name<O>` is `repr(transparent)`, and so it has the same layout
-            /// as its only non-zero field, which is a `u8` array. `u8` arrays
-            /// are `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`,
-            /// `IntoBytes`, and `Unaligned`.
+        #[allow(unused_unsafe)] // Unused when `feature = "derive"`.
+        // SAFETY: `$name<O>` is `repr(transparent)`, and so it has the same
+        // layout as its only non-zero field, which is a `u8` array. `u8` arrays
+        // are `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`,
+        // `IntoBytes`, and `Unaligned`.
+        const _: () = unsafe {
             impl_or_verify!(O => Immutable for $name<O>);
             impl_or_verify!(O => TryFromBytes for $name<O>);
             impl_or_verify!(O => FromZeros for $name<O>);
             impl_or_verify!(O => FromBytes for $name<O>);
             impl_or_verify!(O => IntoBytes for $name<O>);
             impl_or_verify!(O => Unaligned for $name<O>);
-        }
+        };
 
         impl<O> Default for $name<O> {
             #[inline(always)]

src/impls.rs

@@ -1010,45 +1010,45 @@ impl_known_layout!(
 );
 impl_known_layout!(const N: usize, T => [T; N]);
 
-safety_comment! {
-    /// SAFETY:
-    /// `str` has the same representation as `[u8]`. `ManuallyDrop<T>` [1],
-    /// `UnsafeCell<T>` [2], and `Cell<T>` [3] have the same representation as
-    /// `T`.
-    ///
-    /// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
-    ///
-    ///   `ManuallyDrop<T>` is guaranteed to have the same layout and bit
-    ///   validity as `T`
-    ///
-    /// [2] Per https://doc.rust-lang.org/1.85.0/core/cell/struct.UnsafeCell.html#memory-layout:
-    ///
-    ///   `UnsafeCell<T>` has the same in-memory representation as its inner
-    ///   type `T`.
-    ///
-    /// [3] Per https://doc.rust-lang.org/1.85.0/core/cell/struct.Cell.html#memory-layout:
-    ///
-    ///   `Cell<T>` has the same in-memory representation as `T`.
-    unsafe_impl_known_layout!(#[repr([u8])] str);
+// SAFETY: `str` has the same representation as `[u8]`. `ManuallyDrop<T>` [1],
+// `UnsafeCell<T>` [2], and `Cell<T>` [3] have the same representation as `T`.
+//
+// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
+//
+//   `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as
+//   `T`
+//
+// [2] Per https://doc.rust-lang.org/1.85.0/core/cell/struct.UnsafeCell.html#memory-layout:
+//
+//   `UnsafeCell<T>` has the same in-memory representation as its inner type
+//   `T`.
+//
+// [3] Per https://doc.rust-lang.org/1.85.0/core/cell/struct.Cell.html#memory-layout:
+//
+//   `Cell<T>` has the same in-memory representation as `T`.
+const _: () = unsafe {
+    unsafe_impl_known_layout!(
+        #[repr([u8])]
+        str
+    );
     unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] ManuallyDrop<T>);
     unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] UnsafeCell<T>);
     unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] Cell<T>);
-}
+};
 
-safety_comment! {
-    /// SAFETY:
-    /// - By consequence of the invariant on `T::MaybeUninit` that `T::LAYOUT`
-    ///   and `T::MaybeUninit::LAYOUT` are equal, `T` and `T::MaybeUninit`
-    ///   have the same:
-    ///   - Fixed prefix size
-    ///   - Alignment
-    ///   - (For DSTs) trailing slice element size
-    /// - By consequence of the above, referents `T::MaybeUninit` and `T` have
-    ///   the require the same kind of pointer metadata, and thus it is valid to
-    ///   perform an `as` cast from `*mut T` and `*mut T::MaybeUninit`, and this
-    ///   operation preserves referent size (ie, `size_of_val_raw`).
-    unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T::MaybeUninit)] MaybeUninit<T>);
-}
+// SAFETY:
+// - By consequence of the invariant on `T::MaybeUninit` that `T::LAYOUT` and
+//   `T::MaybeUninit::LAYOUT` are equal, `T` and `T::MaybeUninit` have the same:
+//   - Fixed prefix size
+//   - Alignment
+//   - (For DSTs) trailing slice element size
+// - By consequence of the above, referents `T::MaybeUninit` and `T` have the
+//   require the same kind of pointer metadata, and thus it is valid to perform
+//   an `as` cast from `*mut T` and `*mut T::MaybeUninit`, and this operation
+//   preserves referent size (ie, `size_of_val_raw`).
+const _: () = unsafe {
+    unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T::MaybeUninit)] MaybeUninit<T>)
+};
 
 /// Analyzes whether a type is [`FromZeros`].
 ///

src/lib.rs

@@ -217,10 +217,13 @@ where
 pub(crate) enum BecauseInvariantsEq {}
 
 macro_rules! unsafe_impl_invariants_eq {
-    ($tyvar:ident => $t:ty, $u:ty) => {
+    ($tyvar:ident => $t:ty, $u:ty) => {{
+        crate::util::macros::__unsafe();
+        // SAFETY: The caller promises that this is sound.
         unsafe impl<$tyvar> InvariantsEq<$t> for $u {}
+        // SAFETY: The caller promises that this is sound.
         unsafe impl<$tyvar> InvariantsEq<$u> for $t {}
-    };
+    }};
 }
 
 impl_transitive_transmute_from!(T => MaybeUninit<T> => T => Wrapping<T>);
@@ -342,98 +345,92 @@ where
 {
 }
 
-safety_comment! {
-    /// SAFETY:
-    /// - `ManuallyDrop<T>` has the same size as `T` [1]
-    /// - `ManuallyDrop<T>` has the same validity as `T` [1]
-    ///
-    /// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/struct.ManuallyDrop.html:
-    ///
-    ///   `ManuallyDrop<T>` is guaranteed to have the same layout and bit
-    ///   validity as `T`
-    unsafe_impl_for_transparent_wrapper!(T: ?Sized => ManuallyDrop<T>);
-
-    /// SAFETY:
-    /// - `Unalign<T>` promises to have the same size as `T`.
-    /// - `Unalign<T>` promises to have the same validity as `T`.
-    unsafe_impl_for_transparent_wrapper!(T => Unalign<T>);
-    /// SAFETY:
-    /// `Unalign<T>` promises to have the same size and validity as `T`. Given
-    /// `u: &Unalign<T>`, it is already possible to obtain `let t =
-    /// u.try_deref().unwrap()`. Because `Unalign<T>` has the same size as `T`,
-    /// the returned `&T` must point to the same referent as `u`, and thus it
-    /// must be sound for these two references to exist at the same time since
-    /// it's already possible for safe code to get into this state.
-    unsafe_impl_invariants_eq!(T => T, Unalign<T>);
-
-    /// SAFETY:
-    /// - `Wrapping<T>` has the same size as `T` [1].
-    /// - `Wrapping<T>` has only one field, which is `pub` [2]. We are also
-    ///   guaranteed per that `Wrapping<T>` has the same layout as `T` [1]. The
-    ///   only way for both of these to be true simultaneously is for
-    ///   `Wrapping<T>` to have the same bit validity as `T`. In particular, in
-    ///   order to change the bit validity, one of the following would need to
-    ///   happen:
-    ///   - `Wrapping` could change its `repr`, but this would violate the
-    ///     layout guarantee.
-    ///   - `Wrapping` could add or change its fields, but this would be a
-    ///     stability-breaking change.
-    ///
-    /// [1] Per https://doc.rust-lang.org/1.85.0/core/num/struct.Wrapping.html#layout-1:
-    ///
-    ///   `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`.
-    ///
-    /// [2] Definition from https://doc.rust-lang.org/1.85.0/core/num/struct.Wrapping.html:
-    ///
-    ///   ```
-    ///   #[repr(transparent)]
-    ///   pub struct Wrapping<T>(pub T);
-    ///   ```
-    unsafe_impl_for_transparent_wrapper!(T => Wrapping<T>);
-    /// SAFETY:
-    /// By the preceding safety proof, `Wrapping<T>` and `T` have the same
-    /// layout and bit validity. Since a `Wrapping<T>`'s `T` field is `pub`,
-    /// given `w: &Wrapping<T>`, it's possible to do `let t = &w.t`, which means
-    /// that it's already possible for safe code to obtain a `&Wrapping<T>` and
-    /// a `&T` pointing to the same referent at the same time. Thus, this must
-    /// be sound.
-    unsafe_impl_invariants_eq!(T => T, Wrapping<T>);
-
-    /// SAFETY:
-    /// - `UnsafeCell<T>` has the same size as `T` [1].
-    /// - Per [1], `UnsafeCell<T>` has the same bit validity as `T`. Technically
-    ///   the term "representation" doesn't guarantee this, but the subsequent
-    ///   sentence in the documentation makes it clear that this is the
-    ///   intention.
-    ///
-    /// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
-    ///
-    ///   `UnsafeCell<T>` has the same in-memory representation as its inner
-    ///   type `T`. A consequence of this guarantee is that it is possible to
-    ///   convert between `T` and `UnsafeCell<T>`.
-    unsafe_impl_for_transparent_wrapper!(T: ?Sized => UnsafeCell<T>);
-
-    /// SAFETY:
-    /// - `Cell<T>` has the same size as `T` [1].
-    /// - Per [1], `Cell<T>` has the same bit validity as `T`. Technically the
-    ///   term "representation" doesn't guarantee this, but it does promise to
-    ///   have the "same memory layout and caveats as `UnsafeCell<T>`." The
-    ///   `UnsafeCell` docs [2] make it clear that bit validity is the intention
-    ///   even if that phrase isn't used.
-    ///
-    /// [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.Cell.html#memory-layout:
-    ///
-    ///   `Cell<T>` has the same memory layout and caveats as `UnsafeCell<T>`.
-    ///   In particular, this means that `Cell<T>` has the same in-memory
-    ///   representation as its inner type `T`.
-    ///
-    /// [2] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
-    ///
-    ///   `UnsafeCell<T>` has the same in-memory representation as its inner
-    ///   type `T`. A consequence of this guarantee is that it is possible to
-    ///   convert between `T` and `UnsafeCell<T>`.
-    unsafe_impl_for_transparent_wrapper!(T: ?Sized => Cell<T>);
-}
+// SAFETY:
+// - `ManuallyDrop<T>` has the same size as `T` [1]
+// - `ManuallyDrop<T>` has the same validity as `T` [1]
+//
+// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/struct.ManuallyDrop.html:
+//
+//   `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as
+//   `T`
+const _: () = unsafe { unsafe_impl_for_transparent_wrapper!(T: ?Sized => ManuallyDrop<T>) };
+
+// SAFETY:
+// - `Unalign<T>` promises to have the same size as `T`.
+// - `Unalign<T>` promises to have the same validity as `T`.
+const _: () = unsafe { unsafe_impl_for_transparent_wrapper!(T => Unalign<T>) };
+// SAFETY: `Unalign<T>` promises to have the same size and validity as `T`.
+// Given `u: &Unalign<T>`, it is already possible to obtain `let t =
+// u.try_deref().unwrap()`. Because `Unalign<T>` has the same size as `T`, the
+// returned `&T` must point to the same referent as `u`, and thus it must be
+// sound for these two references to exist at the same time since it's already
+// possible for safe code to get into this state.
+const _: () = unsafe { unsafe_impl_invariants_eq!(T => T, Unalign<T>) };
+
+// SAFETY:
+// - `Wrapping<T>` has the same size as `T` [1].
+// - `Wrapping<T>` has only one field, which is `pub` [2]. We are also
+//   guaranteed per that `Wrapping<T>` has the same layout as `T` [1]. The only
+//   way for both of these to be true simultaneously is for `Wrapping<T>` to
+//   have the same bit validity as `T`. In particular, in order to change the
+//   bit validity, one of the following would need to happen:
+//   - `Wrapping` could change its `repr`, but this would violate the layout
+//     guarantee.
+//   - `Wrapping` could add or change its fields, but this would be a
+//     stability-breaking change.
+//
+// [1] Per https://doc.rust-lang.org/1.85.0/core/num/struct.Wrapping.html#layout-1:
+//
+//   `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`.
+//
+// [2] Definition from https://doc.rust-lang.org/1.85.0/core/num/struct.Wrapping.html:
+//
+//   ```
+//   #[repr(transparent)]
+//   pub struct Wrapping<T>(pub T);
+//   ```
+const _: () = unsafe { unsafe_impl_for_transparent_wrapper!(T => Wrapping<T>) };
+
+// SAFETY: By the preceding safety proof, `Wrapping<T>` and `T` have the same
+// layout and bit validity. Since a `Wrapping<T>`'s `T` field is `pub`, given
+// `w: &Wrapping<T>`, it's possible to do `let t = &w.t`, which means that it's
+// already possible for safe code to obtain a `&Wrapping<T>` and a `&T` pointing
+// to the same referent at the same time. Thus, this must be sound.
+const _: () = unsafe { unsafe_impl_invariants_eq!(T => T, Wrapping<T>) };
+
+// SAFETY:
+// - `UnsafeCell<T>` has the same size as `T` [1].
+// - Per [1], `UnsafeCell<T>` has the same bit validity as `T`. Technically the
+//   term "representation" doesn't guarantee this, but the subsequent sentence
+//   in the documentation makes it clear that this is the intention.
+//
+// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
+//
+//   `UnsafeCell<T>` has the same in-memory representation as its inner type
+//   `T`. A consequence of this guarantee is that it is possible to convert
+//   between `T` and `UnsafeCell<T>`.
+const _: () = unsafe { unsafe_impl_for_transparent_wrapper!(T: ?Sized => UnsafeCell<T>) };
+
+// SAFETY:
+// - `Cell<T>` has the same size as `T` [1].
+// - Per [1], `Cell<T>` has the same bit validity as `T`. Technically the term
+//   "representation" doesn't guarantee this, but it does promise to have the
+//   "same memory layout and caveats as `UnsafeCell<T>`." The `UnsafeCell` docs
+//   [2] make it clear that bit validity is the intention even if that phrase
+//   isn't used.
+//
+// [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.Cell.html#memory-layout:
+//
+//   `Cell<T>` has the same memory layout and caveats as `UnsafeCell<T>`. In
+//   particular, this means that `Cell<T>` has the same in-memory representation
+//   as its inner type `T`.
+//
+// [2] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
+//
+//   `UnsafeCell<T>` has the same in-memory representation as its inner type
+//   `T`. A consequence of this guarantee is that it is possible to convert
+//   between `T` and `UnsafeCell<T>`.
+const _: () = unsafe { unsafe_impl_for_transparent_wrapper!(T: ?Sized => Cell<T>) };
 
 impl_transitive_transmute_from!(T: ?Sized => Cell<T> => T => UnsafeCell<T>);
 impl_transitive_transmute_from!(T: ?Sized => UnsafeCell<T> => T => Cell<T>);