volatile_memory: reduce unsafe code blocks

andreeaflorescu · andreeaflorescu · commit cb3825f4663b · 2023-01-03T10:53:03.000+01:00
The only unsafe call in the read_from and write_to functions
is the as_mut_slice. Handling the bytes is safe, so we don't
need to have it in the unsafe block.

Also updated the unsafe documentation to mention that we
checked the offsets as well.

Signed-off-by: Andreea Florescu &lt;fandree@amazon.com&gt;
diff --git a/src/volatile_memory.rs b/src/volatile_memory.rs
@@ -716,17 +716,16 @@ impl<B: BitmapSlice> Bytes<usize> for VolatileSlice<'_, B> {
         F: Read,
     {
         let end = self.compute_end_offset(addr, count)?;
-        // SAFETY: It is safe to overwrite the volatile memory. Accessing the guest
+        // SAFETY: We checked the addr and count so accessing the slice is safe.
+        // Also, it is safe to overwrite the volatile memory. Accessing the guest
         // memory as a mutable slice is OK because nothing assumes another
         // thread won't change what is loaded.
-        let bytes_read = unsafe {
-            let dst = &mut self.as_mut_slice()[addr..end];
-            loop {
-                match src.read(dst) {
-                    Ok(n) => break n,
-                    Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
-                    Err(e) => return Err(Error::IOError(e)),
-                }
+        let dst = unsafe { &mut self.as_mut_slice()[addr..end] };
+        let bytes_read = loop {
+            match src.read(dst) {
+                Ok(n) => break n,
+                Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
+                Err(e) => return Err(Error::IOError(e)),
             }
         };
 
@@ -802,17 +801,16 @@ impl<B: BitmapSlice> Bytes<usize> for VolatileSlice<'_, B> {
         F: Write,
     {
         let end = self.compute_end_offset(addr, count)?;
-        // SAFETY: It is safe to read from volatile memory. Accessing the guest
+        // SAFETY: We checked the addr and count so accessing the slice is safe.
+        // It is safe to read from volatile memory. Accessing the guest
         // memory as a slice is OK because nothing assumes another thread
         // won't change what is loaded.
-        unsafe {
-            let src = &self.as_slice()[addr..end];
-            loop {
-                match dst.write(src) {
-                    Ok(n) => break Ok(n),
-                    Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
-                    Err(e) => break Err(Error::IOError(e)),
-                }
+        let src = unsafe { &self.as_slice()[addr..end] };
+        loop {
+            match dst.write(src) {
+                Ok(n) => break Ok(n),
+                Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
+                Err(e) => break Err(Error::IOError(e)),
             }
         }
     }
