Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 47842801e9cb39da3337311f834da39cb71641b3^! / . / vmbase / example / src / main.rs
commit47842801e9cb39da3337311f834da39cb71641b3[log] [tgz]
authorAndrew Walbran <qwandor@google.com>Wed Jul 05 16:56:08 2023 +0000
committerAndrew Walbran <qwandor@google.com>Mon Jul 10 14:17:48 2023 +0100
tree164067f9b4c35649c8ed0705c62bb1367ff29c47
parent9fa1650b1ce4ad9aace560f27efa12a3fafc5ea6 [diff] [blame]
Require safety comments in vmbase example.

Bug: 290018030
Test: m vmbase_example_bin
Change-Id: If384f5e640c2b62e988b40bed24406240b11a85e

diff --git a/vmbase/example/src/main.rs b/vmbase/example/src/main.rs
index 4fe532a..a6f3bfa 100644
--- a/vmbase/example/src/main.rs
+++ b/vmbase/example/src/main.rs

@@ -16,6 +16,8 @@
 
 #![no_main]
 #![no_std]
+#![deny(unsafe_op_in_unsafe_fn)]
+#![deny(clippy::undocumented_unsafe_blocks)]
 
 mod exceptions;
 mod layout;
@@ -80,8 +82,9 @@
 
     info!("Checking FDT...");
     let fdt = dtb_range();
-    let fdt =
-        unsafe { core::slice::from_raw_parts_mut(fdt.start.0 as *mut u8, fdt.end.0 - fdt.start.0) };
+    let fdt_size = fdt.end.0 - fdt.start.0;
+    // SAFETY: The DTB range is valid, writable memory, and we don't construct any aliases to it.
+    let fdt = unsafe { core::slice::from_raw_parts_mut(fdt.start.0 as *mut u8, fdt_size) };
     let fdt = Fdt::from_mut_slice(fdt).unwrap();
     info!("FDT passed verification.");
     check_fdt(fdt);
@@ -98,6 +101,7 @@
     check_data();
     check_dice();
 
+    // SAFETY: This is the only place where `make_pci_root` is called.
     let mut pci_root = unsafe { pci_info.make_pci_root() };
     check_pci(&mut pci_root);
 
@@ -123,7 +127,9 @@
 
 fn check_data() {
     info!("INITIALISED_DATA: {:?}", INITIALISED_DATA.as_ptr());
+    // SAFETY: We only print the addresses of the static mutable variable, not actually access it.
     info!("ZEROED_DATA: {:?}", unsafe { ZEROED_DATA.as_ptr() });
+    // SAFETY: We only print the addresses of the static mutable variable, not actually access it.
     info!("MUTABLE_DATA: {:?}", unsafe { MUTABLE_DATA.as_ptr() });
 
     assert_eq!(INITIALISED_DATA[0], 1);
@@ -131,7 +137,11 @@
     assert_eq!(INITIALISED_DATA[2], 3);
     assert_eq!(INITIALISED_DATA[3], 4);
 
+    // SAFETY: Nowhere else in the program accesses this static mutable variable, so there is no
+    // chance of concurrent access.
     let zeroed_data = unsafe { &mut ZEROED_DATA };
+    // SAFETY: Nowhere else in the program accesses this static mutable variable, so there is no
+    // chance of concurrent access.
     let mutable_data = unsafe { &mut MUTABLE_DATA };
 
     for element in zeroed_data.iter() {