Add more ## Safety comments to docs

Author: phil-opp

src/instructions/port.rs

@@ -134,6 +134,8 @@ impl<T: PortRead> PortReadOnly<T> {
 
     /// Reads from the port.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe because the I/O port could have side effects that violate memory
     /// safety.
     #[inline]
@@ -163,6 +165,8 @@ impl<T: PortWrite> PortWriteOnly<T> {
 
     /// Writes to the port.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe because the I/O port could have side effects that violate memory
     /// safety.
     #[inline]
@@ -192,6 +196,8 @@ impl<T: PortReadWrite> Port<T> {
 
     /// Reads from the port.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe because the I/O port could have side effects that violate memory
     /// safety.
     #[inline]
@@ -201,6 +207,8 @@ impl<T: PortReadWrite> Port<T> {
 
     /// Writes to the port.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe because the I/O port could have side effects that violate memory
     /// safety.
     #[inline]

src/instructions/segmentation.rs

@@ -8,6 +8,11 @@ use crate::structures::gdt::SegmentSelector;
 /// to %cs. Instead we push the new segment selector
 /// and return value on the stack and use lretq
 /// to reload cs and continue at 1:.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid code segment descriptor.
 pub unsafe fn set_cs(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
     #[inline(always)]
@@ -29,6 +34,11 @@ pub unsafe fn set_cs(sel: SegmentSelector) {
 }
 
 /// Reload stack segment register.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid stack segment descriptor.
 #[inline]
 pub unsafe fn load_ss(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
@@ -39,6 +49,11 @@ pub unsafe fn load_ss(sel: SegmentSelector) {
 }
 
 /// Reload data segment register.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid data segment descriptor.
 #[inline]
 pub unsafe fn load_ds(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
@@ -49,6 +64,11 @@ pub unsafe fn load_ds(sel: SegmentSelector) {
 }
 
 /// Reload es segment register.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid extra segment descriptor.
 #[inline]
 pub unsafe fn load_es(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
@@ -59,6 +79,11 @@ pub unsafe fn load_es(sel: SegmentSelector) {
 }
 
 /// Reload fs segment register.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid fs segment descriptor.
 #[inline]
 pub unsafe fn load_fs(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
@@ -69,6 +94,11 @@ pub unsafe fn load_fs(sel: SegmentSelector) {
 }
 
 /// Reload gs segment register.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that `sel`
+/// is a valid gs segment descriptor.
 #[inline]
 pub unsafe fn load_gs(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]
@@ -79,6 +109,11 @@ pub unsafe fn load_gs(sel: SegmentSelector) {
 }
 
 /// Swap `KernelGsBase` MSR and `GsBase` MSR.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that the
+/// swap operation cannot lead to undefined behavior.
 #[inline]
 pub unsafe fn swap_gs() {
     #[cfg(feature = "inline_asm")]

src/instructions/tables.rs

@@ -4,9 +4,17 @@ use crate::structures::gdt::SegmentSelector;
 
 pub use crate::structures::DescriptorTablePointer;
 
-/// Load a GDT. Use the
+/// Load a GDT.
+///
+/// Use the
 /// [`GlobalDescriptorTable`](crate::structures::gdt::GlobalDescriptorTable) struct for a high-level
 /// interface to loading a GDT.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that the given
+/// `DescriptorTablePointer` points to a valid GDT and that loading this
+/// GDT is safe.
 #[inline]
 pub unsafe fn lgdt(gdt: &DescriptorTablePointer) {
     #[cfg(feature = "inline_asm")]
@@ -16,9 +24,17 @@ pub unsafe fn lgdt(gdt: &DescriptorTablePointer) {
     crate::asm::x86_64_asm_lgdt(gdt as *const _);
 }
 
-/// Load an IDT. Use the
+/// Load an IDT.
+///
+/// Use the
 /// [`InterruptDescriptorTable`](crate::structures::idt::InterruptDescriptorTable) struct for a high-level
 /// interface to loading an IDT.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that the given
+/// `DescriptorTablePointer` points to a valid IDT and that loading this
+/// IDT is safe.
 #[inline]
 pub unsafe fn lidt(idt: &DescriptorTablePointer) {
     #[cfg(feature = "inline_asm")]
@@ -29,6 +45,12 @@ pub unsafe fn lidt(idt: &DescriptorTablePointer) {
 }
 
 /// Load the task state register using the `ltr` instruction.
+///
+/// ## Safety
+///
+/// This function is unsafe because the caller must ensure that the given
+/// `SegmentSelector` points to a valid TSS entry in the GDT and that loading
+/// this TSS is safe.
 #[inline]
 pub unsafe fn load_tss(sel: SegmentSelector) {
     #[cfg(feature = "inline_asm")]

src/registers/control.rs

@@ -158,8 +158,12 @@ mod x86_64 {
 
         /// Write CR0 flags.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. disabling paging.
+        /// Preserves the value of reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by disabling paging.
         #[inline]
         pub unsafe fn write(flags: Cr0Flags) {
             let old_value = Self::read_raw();
@@ -171,8 +175,12 @@ mod x86_64 {
 
         /// Write raw CR0 flags.
         ///
-        /// Does _not_ preserve any values, including reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. disabling paging.
+        /// Does _not_ preserve any values, including reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by disabling paging.
         #[inline]
         pub unsafe fn write_raw(value: u64) {
             #[cfg(feature = "inline_asm")]
@@ -184,8 +192,12 @@ mod x86_64 {
 
         /// Updates CR0 flags.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. disabling paging.
+        /// Preserves the value of reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by disabling paging.
         #[inline]
         pub unsafe fn update<F>(f: F)
         where
@@ -283,8 +295,13 @@ mod x86_64 {
 
         /// Write CR4 flags.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. physical address extension.
+        /// Preserves the value of reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by overwriting the physical address extension
+        /// flag.
         #[inline]
         pub unsafe fn write(flags: Cr4Flags) {
             let old_value = Self::read_raw();
@@ -296,8 +313,13 @@ mod x86_64 {
 
         /// Write raw CR4 flags.
         ///
-        /// Does _not_ preserve any values, including reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. physical address extension.
+        /// Does _not_ preserve any values, including reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by overwriting the physical address extension
+        /// flag.
         #[inline]
         pub unsafe fn write_raw(value: u64) {
             #[cfg(feature = "inline_asm")]
@@ -309,8 +331,12 @@ mod x86_64 {
 
         /// Updates CR4 flags.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to violate memory
-        /// safety by e.g. physical address extension.
+        /// Preserves the value of reserved fields.
+        /// ## Safety
+        ///
+        /// This function is unsafe because it's possible to violate memory
+        /// safety through it, e.g. by overwriting the physical address extension
+        /// flag.
         #[inline]
         pub unsafe fn update<F>(f: F)
         where

src/registers/model_specific.rs

@@ -110,6 +110,11 @@ mod x86_64 {
 
     impl Msr {
         /// Read 64 bits msr register.
+        ///
+        /// ## Safety
+        ///
+        /// The caller must ensure that this read operation has no unsafe side
+        /// effects.
         #[inline]
         pub unsafe fn read(&self) -> u64 {
             #[cfg(feature = "inline_asm")]
@@ -124,6 +129,11 @@ mod x86_64 {
         }
 
         /// Write 64 bits to msr register.
+        ///
+        /// ## Safety
+        ///
+        /// The caller must ensure that this write operation has no unsafe side
+        /// effects.
         #[inline]
         pub unsafe fn write(&mut self, value: u64) {
             #[cfg(feature = "inline_asm")]
@@ -153,8 +163,12 @@ mod x86_64 {
 
         /// Write the EFER flags, preserving reserved values.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to break memory
-        /// safety, e.g. by disabling long mode.
+        /// Preserves the value of reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// Unsafe because it's possible to break memory
+        /// safety with wrong flags, e.g. by disabling long mode.
         #[inline]
         pub unsafe fn write(flags: EferFlags) {
             let old_value = Self::read_raw();
@@ -166,17 +180,25 @@ mod x86_64 {
 
         /// Write the EFER flags.
         ///
-        /// Does not preserve any bits, including reserved fields. Unsafe because it's possible to
-        /// break memory safety, e.g. by disabling long mode.
+        /// Does not preserve any bits, including reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// Unsafe because it's possible to
+        /// break memory safety with wrong flags, e.g. by disabling long mode.
         #[inline]
         pub unsafe fn write_raw(flags: u64) {
             Self::MSR.write(flags);
         }
 
         /// Update EFER flags.
         ///
-        /// Preserves the value of reserved fields. Unsafe because it's possible to break memory
-        /// safety, e.g. by disabling long mode.
+        /// Preserves the value of reserved fields.
+        ///
+        /// ## Safety
+        ///
+        /// Unsafe because it's possible to break memory
+        /// safety with wrong flags, e.g. by disabling long mode.
         #[inline]
         pub unsafe fn update<F>(f: F)
         where
@@ -284,7 +306,8 @@ mod x86_64 {
         ///  this field + 8. Because SYSCALL always switches to CPL 0, the RPL bits
         /// 33:32 should be initialized to 00b.
         ///
-        /// # Unsafety
+        /// # Safety
+        ///
         /// Unsafe because this can cause system instability if passed in the
         /// wrong values for the fields.
         #[inline]

src/structures/idt.rs

@@ -755,6 +755,8 @@ pub struct InterruptStackFrame {
 impl InterruptStackFrame {
     /// Gives mutable access to the contents of the interrupt stack frame.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe since modifying the content of the interrupt stack frame
     /// can easily lead to undefined behavior. For example, by writing an invalid value to
     /// the instruction pointer field, the CPU can jump to arbitrary code at the end of the

src/structures/paging/mapper/mod.rs

@@ -113,6 +113,10 @@ pub trait Mapper<S: PageSize> {
     fn translate_page(&self, page: Page<S>) -> Result<PhysFrame<S>, TranslateError>;
 
     /// Maps the given frame to the virtual page with the same address.
+    ///
+    /// ## Safety
+    ///
+    /// TODO: Should this function be safe?
     #[inline]
     unsafe fn identity_map<A>(
         &mut self,

src/structures/paging/mapper/offset_page_table.rs

@@ -19,6 +19,8 @@ impl<'a> OffsetPageTable<'a> {
     /// the mapper needs to access page tables, which are not mapped into the virtual address
     /// space by default.
     ///
+    /// ## Safety
+    ///
     /// This function is unsafe because the caller must guarantee that the passed `phys_offset`
     /// is correct. Also, the passed `level_4_table` must point to the level 4 page table
     /// of a valid page table hierarchy. Otherwise this function might break memory safety, e.g.