@@ -519,7 +519,15 @@ impl_has_work! {
519519 impl { T } HasWork <Self > for ClosureWork <T > { self . work }
520520}
521521
522- // SAFETY: TODO.
522+ // SAFETY: The `__enqueue` implementation in RawWorkItem uses a `work_struct` initialized with the
523+ // `run` method of this trait as the function pointer because:
524+ // - `__enqueue` gets the `work_struct` from the `Work` field, using `T::raw_get_work`.
525+ // - The only safe way to create a `Work` object is through `Work::new`.
526+ // - `Work::new` makes sure that `T::Pointer::run` is passed to `init_work_with_key`.
527+ // - Finally `Work` and `RawWorkItem` guarantee that the correct `Work` field
528+ // will be used because of the ID const generic bound. This makes sure that `T::raw_get_work`
529+ // uses the correct offset for the `Work` field, and `Work::new` picks the correct
530+ // implementation of `WorkItemPointer` for `Arc<T>`.
523531unsafe impl < T , const ID : u64 > WorkItemPointer < ID > for Arc < T >
524532where
525533 T : WorkItem < ID , Pointer = Self > ,
@@ -537,7 +545,13 @@ where
537545 }
538546}
539547
540- // SAFETY: TODO.
548+ // SAFETY: The `work_struct` raw pointer is guaranteed to be valid for the duration of the call to
549+ // the closure because we get it from an `Arc`, which means that the ref count will be at least 1,
550+ // and we don't drop the `Arc` ourselves. If `queue_work_on` returns true, it is further guaranteed
551+ // to be valid until a call to the function pointer in `work_struct` because we leak the memory it
552+ // points to, and only reclaim it if the closure returns false, or in `WorkItemPointer::run`, which
553+ // is what the function pointer in the `work_struct` must be pointing to, according to the safety
554+ // requirements of `WorkItemPointer`.
541555unsafe impl < T , const ID : u64 > RawWorkItem < ID > for Arc < T >
542556where
543557 T : WorkItem < ID , Pointer = Self > ,
0 commit comments