fix formatting of safety comments

All safety comments must start with "SAFETY:".
We are not adding safety comments in tests and in the benchmarks.

Signed-off-by: Andreea Florescu <[email protected]>

Author: andreeaflorescu

benches/mmap/mod.rs

@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause
 #![cfg(feature = "backend-mmap")]
+#![allow(clippy::undocumented_unsafe_blocks)]
 
 extern crate criterion;
 extern crate vm_memory;

src/atomic_integer.rs

@@ -25,6 +25,9 @@ pub unsafe trait AtomicInteger: Sync + Send {
 
 macro_rules! impl_atomic_integer_ops {
     ($T:path, $V:ty) => {
+        // SAFETY: This is safe as long as T is an Atomic type.
+        // This is a helper macro for generating the implementation for common
+        // Atomic types.
         unsafe impl AtomicInteger for $T {
             type V = $V;
 

src/bitmap/backend/atomic_bitmap.rs

@@ -147,7 +147,7 @@ impl NewBitmap for AtomicBitmap {
 
         #[cfg(unix)]
         {
-            // There's no unsafe potential in calling this function.
+            // SAFETY: There's no unsafe potential in calling this function.
             page_size = unsafe { libc::sysconf(libc::_SC_PAGE_SIZE) };
         }
 

src/bytes.rs

@@ -44,11 +44,12 @@ pub unsafe trait ByteValued: Copy + Default + Send + Sync {
             return None;
         }
 
-        // Safe because the ByteValued trait asserts any data is valid for this type, and we ensured
-        // the size of the pointer's buffer is the correct size. The `align_to` method ensures that
-        // we don't have any unaligned references. This aliases a pointer, but because the pointer
-        // is from a const slice reference, there are no mutable aliases. Finally, the reference
-        // returned can not outlive data because they have equal implicit lifetime constraints.
+        // SAFETY: Safe because the ByteValued trait asserts any data is valid for this type, and
+        // we ensured the size of the pointer's buffer is the correct size. The `align_to` method
+        // ensures that we don't have any unaligned references. This aliases a pointer, but because
+        // the pointer is from a const slice reference, there are no mutable aliases. Finally, the
+        // reference returned can not outlive data because they have equal implicit lifetime
+        // constraints.
         match unsafe { data.align_to::<Self>() } {
             ([], [mid], []) => Some(mid),
             _ => None,
@@ -69,12 +70,12 @@ pub unsafe trait ByteValued: Copy + Default + Send + Sync {
             return None;
         }
 
-        // Safe because the ByteValued trait asserts any data is valid for this type, and we ensured
-        // the size of the pointer's buffer is the correct size. The `align_to` method ensures that
-        // we don't have any unaligned references. This aliases a pointer, but because the pointer
-        // is from a mut slice reference, we borrow the passed in mutable reference. Finally, the
-        // reference returned can not outlive data because they have equal implicit lifetime
-        // constraints.
+        // SAFETY: Safe because the ByteValued trait asserts any data is valid for this type, and
+        // we ensured the size of the pointer's buffer is the correct size. The `align_to` method
+        // ensures that we don't have any unaligned references. This aliases a pointer, but because
+        // the pointer is from a mut slice reference, we borrow the passed in mutable reference.
+        // Finally, the reference returned can not outlive data because they have equal implicit
+        // lifetime constraints.
         match unsafe { data.align_to_mut::<Self>() } {
             ([], [mid], []) => Some(mid),
             _ => None,
@@ -87,9 +88,9 @@ pub unsafe trait ByteValued: Copy + Default + Send + Sync {
     /// The value of bytes in the returned slice will depend on the representation of the type in
     /// memory, and may change in an unstable fashion.
     fn as_slice(&self) -> &[u8] {
-        // Safe because the entire size of self is accessible as bytes because the trait guarantees
-        // it. The lifetime of the returned slice is the same as the passed reference, so that no
-        // dangling pointers will result from this pointer alias.
+        // SAFETY: Safe because the entire size of self is accessible as bytes because the trait
+        // guarantees it. The lifetime of the returned slice is the same as the passed reference,
+        // so that no dangling pointers will result from this pointer alias.
         unsafe { from_raw_parts(self as *const Self as *const u8, size_of::<Self>()) }
     }
 
@@ -99,12 +100,12 @@ pub unsafe trait ByteValued: Copy + Default + Send + Sync {
     /// immediately reflected in `self`. The value of bytes in the returned slice will depend on
     /// the representation of the type in memory, and may change in an unstable fashion.
     fn as_mut_slice(&mut self) -> &mut [u8] {
-        // Safe because the entire size of self is accessible as bytes because the trait guarantees
-        // it. The trait also guarantees that any combination of bytes is valid for this type, so
-        // modifying them in the form of a byte slice is valid. The lifetime of the returned slice
-        // is the same as the passed reference, so that no dangling pointers will result from this
-        // pointer alias. Although this does alias a mutable pointer, we do so by exclusively
-        // borrowing the given mutable reference.
+        // SAFETY: Safe because the entire size of self is accessible as bytes because the trait
+        // guarantees it. The trait also guarantees that any combination of bytes is valid for this
+        // type, so modifying them in the form of a byte slice is valid. The lifetime of the
+        // returned slice is the same as the passed reference, so that no dangling pointers will
+        // result from this pointer alias. Although this does alias a mutable pointer, we do so by
+        // exclusively borrowing the given mutable reference.
         unsafe { from_raw_parts_mut(self as *mut Self as *mut u8, size_of::<Self>()) }
     }
 
@@ -118,24 +119,25 @@ pub unsafe trait ByteValued: Copy + Default + Send + Sync {
     /// that all accesses to `self` use volatile accesses (because there can
     /// be no other accesses).
     fn as_bytes(&mut self) -> VolatileSlice {
-        unsafe {
-            // This is safe because the lifetime is the same as self
-            VolatileSlice::new(self as *mut Self as usize as *mut _, size_of::<Self>())
-        }
+        // SAFETY: This is safe because the lifetime is the same as self
+        unsafe { VolatileSlice::new(self as *mut Self as usize as *mut _, size_of::<Self>()) }
     }
 }
 
-// All intrinsic types and arrays of intrinsic types are ByteValued. They are just numbers.
 macro_rules! byte_valued_array {
     ($T:ty, $($N:expr)+) => {
         $(
+            // SAFETY: All intrinsic types and arrays of intrinsic types are ByteValued.
+            // They are just numbers.
             unsafe impl ByteValued for [$T; $N] {}
         )+
     }
 }
 
 macro_rules! byte_valued_type {
     ($T:ty) => {
+        // SAFETY: Safe as long T is POD.
+        // We are using this macro to generated the implementation for integer types below.
         unsafe impl ByteValued for $T {}
         byte_valued_array! {
             $T,
@@ -329,6 +331,7 @@ pub trait Bytes<A> {
 
 #[cfg(test)]
 pub(crate) mod tests {
+    #![allow(clippy::undocumented_unsafe_blocks)]
     use super::*;
 
     use std::fmt::Debug;

src/endian.rs

@@ -63,6 +63,8 @@ macro_rules! endian_type {
             }
         }
 
+        // SAFETY: Safe because we are using this for implementing ByteValued for endian types
+        // which are POD.
         unsafe impl ByteValued for $new_type {}
 
         impl PartialEq<$old_type> for $new_type {
@@ -102,6 +104,7 @@ endian_type!(usize, BeSize, to_be, from_be);
 
 #[cfg(test)]
 mod tests {
+    #![allow(clippy::undocumented_unsafe_blocks)]
     use super::*;
 
     use std::convert::From;

src/guest_memory.rs

@@ -848,6 +848,7 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {
         self.try_access(count, addr, |offset, len, caddr, region| -> Result<usize> {
             // Check if something bad happened before doing unsafe things.
             assert!(offset <= count);
+            // SAFETY: Safe because we are checking the offset.
             if let Some(dst) = unsafe { region.as_mut_slice() } {
                 // This is safe cause `start` and `len` are within the `region`, and we manually
                 // record the dirty status of the written range below.
@@ -935,6 +936,7 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {
         self.try_access(count, addr, |offset, len, caddr, region| -> Result<usize> {
             // Check if something bad happened before doing unsafe things.
             assert!(offset <= count);
+            // SAFETY: Safe because we are checking the offset is valid.
             if let Some(src) = unsafe { region.as_slice() } {
                 // This is safe cause `start` and `len` are within the `region`.
                 let start = caddr.raw_value() as usize;
@@ -1024,6 +1026,7 @@ impl<T: GuestMemory + ?Sized> Bytes<GuestAddress> for T {
 
 #[cfg(test)]
 mod tests {
+    #![allow(clippy::undocumented_unsafe_blocks)]
     use super::*;
     #[cfg(feature = "backend-mmap")]
     use crate::bytes::ByteValued;

src/mmap.rs

@@ -670,6 +670,7 @@ impl<B: Bitmap + 'static> GuestMemory for GuestMemoryMmap<B> {
 
 #[cfg(test)]
 mod tests {
+    #![allow(clippy::undocumented_unsafe_blocks)]
     extern crate vmm_sys_util;
 
     use super::*;

src/mmap_unix.rs

@@ -165,8 +165,9 @@ impl<B: Bitmap> MmapRegionBuilder<B> {
             (-1, 0)
         };
 
-        // This is safe because we're not allowing MAP_FIXED, and invalid parameters cannot break
-        // Rust safety guarantees (things may change if we're mapping /dev/mem or some wacky file).
+        // SAFETY: This is safe because we're not allowing MAP_FIXED, and invalid parameters
+        // cannot break Rust safety guarantees (things may change if we're mapping /dev/mem or
+        // some wacky file).
         let addr = unsafe {
             libc::mmap(
                 null_mut(),
@@ -195,7 +196,8 @@ impl<B: Bitmap> MmapRegionBuilder<B> {
     }
 
     fn build_raw(self) -> Result<MmapRegion<B>> {
-        // Safe because this call just returns the page size and doesn't have any side effects.
+        // SAFETY: Safe because this call just returns the page size and doesn't have any side
+        // effects.
         let page_size = unsafe { libc::sysconf(libc::_SC_PAGESIZE) } as usize;
         let addr = self.raw_ptr.unwrap();
 
@@ -238,11 +240,12 @@ pub struct MmapRegion<B = ()> {
     hugetlbfs: Option<bool>,
 }
 
-// Send and Sync aren't automatically inherited for the raw address pointer.
+// SAFETY: Send and Sync aren't automatically inherited for the raw address pointer.
 // Accessing that pointer is only done through the stateless interface which
 // allows the object to be shared by multiple threads without a decrease in
 // safety.
 unsafe impl<B: Send> Send for MmapRegion<B> {}
+// SAFETY: See comment above.
 unsafe impl<B: Sync> Sync for MmapRegion<B> {}
 
 impl<B: NewBitmap> MmapRegion<B> {
@@ -399,16 +402,16 @@ impl<B: Bitmap> MmapRegion<B> {
 }
 
 impl<B> AsSlice for MmapRegion<B> {
+    // SAFETY: This is safe because we mapped the area at addr ourselves, so this slice will not
+    // overflow. However, it is possible to alias.
     unsafe fn as_slice(&self) -> &[u8] {
-        // This is safe because we mapped the area at addr ourselves, so this slice will not
-        // overflow. However, it is possible to alias.
         std::slice::from_raw_parts(self.addr, self.size)
     }
 
+    // SAFETY: This is safe because we mapped the area at addr ourselves, so this slice will not
+    // overflow. However, it is possible to alias.
     #[allow(clippy::mut_from_ref)]
     unsafe fn as_mut_slice(&self) -> &mut [u8] {
-        // This is safe because we mapped the area at addr ourselves, so this slice will not
-        // overflow. However, it is possible to alias.
         std::slice::from_raw_parts_mut(self.addr, self.size)
     }
 }
@@ -430,23 +433,25 @@ impl<B: Bitmap> VolatileMemory for MmapRegion<B> {
             return Err(volatile_memory::Error::OutOfBounds { addr: end });
         }
 
-        // Safe because we checked that offset + count was within our range and we only ever hand
-        // out volatile accessors.
-        Ok(unsafe {
-            VolatileSlice::with_bitmap(
-                (self.addr as usize + offset) as *mut _,
-                count,
-                self.bitmap.slice_at(offset),
-            )
-        })
+        Ok(
+            // SAFETY: Safe because we checked that offset + count was within our range and we only
+            // ever hand out volatile accessors.
+            unsafe {
+                VolatileSlice::with_bitmap(
+                    (self.addr as usize + offset) as *mut _,
+                    count,
+                    self.bitmap.slice_at(offset),
+                )
+            },
+        )
     }
 }
 
 impl<B> Drop for MmapRegion<B> {
     fn drop(&mut self) {
-        // This is safe because we mmap the area at addr ourselves, and nobody
-        // else is holding a reference to it.
         if self.owned {
+            // SAFETY: This is safe because we mmap the area at addr ourselves, and nobody
+            // else is holding a reference to it.
             unsafe {
                 libc::munmap(self.addr as *mut libc::c_void, self.size);
             }
@@ -456,6 +461,7 @@ impl<B> Drop for MmapRegion<B> {
 
 #[cfg(test)]
 mod tests {
+    #![allow(clippy::undocumented_unsafe_blocks)]
     use super::*;
 
     use std::io::Write;