Merge "Add safety comments." into main am: 406d43397c am: 947d407b3c

Original change: https://android-review.googlesource.com/c/platform/system/core/+/2672075

Change-Id: I4f1b988923ea87b03145fe7bf3564c989a2fdcd4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/libstats/pull_rust/stats_pull.rs b/libstats/pull_rust/stats_pull.rs
index 09b2623..d188b5f 100644
--- a/libstats/pull_rust/stats_pull.rs
+++ b/libstats/pull_rust/stats_pull.rs
@@ -111,7 +111,9 @@
     static ref COOKIES: Mutex<HashMap<i32, fn() -> StatsPullResult>> = Mutex::new(HashMap::new());
 }
 
-// Safety: We store our callbacks in the global so they are valid.
+/// # Safety
+///
+/// `data` must be a valid pointer with no aliases.
 unsafe extern "C" fn callback_wrapper(
     atom_tag: i32,
     data: *mut AStatsEventList,
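Review bot: The new `# Safety` section on `callback_wrapper` covers only `data`, while the removed comment recorded a second precondition — the callbacks are kept alive in the `COOKIES` global — that the body presumably still depends on when it looks up and calls `cb`; that invariant should not vanish from the docs. I would keep it as a further line, e.g. `/// The callback for this atom must still be registered in \`COOKIES\`; the global owns it for the lifetime of the process.` The `data` wording could also be tightened to `/// \`data\` must point to a valid \`AStatsEventList\` that is not accessed through any other pointer for the duration of this call.`, since "no aliases" without a duration is easy to misread. The signature and body continue past the end of the hunk.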
@@ -126,7 +128,8 @@
                 let stats = cb();
                 let result = stats
                     .iter()
-                    .map(|stat| stat.add_astats_event(&mut *data))
+                    // Safety: The caller promises that `data` is valid and unaliased.
+                    .map(|stat| stat.add_astats_event(unsafe { &mut *data }))
                     .collect::<Result<Vec<()>, StatsError>>();
                 match result {
                     Ok(_) => {
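Review bot: The Safety comment on the new `unsafe { &mut *data }` restates the caller's promise but not the property that makes the reborrow inside a `map` closure sound: each closure call creates a fresh exclusive reborrow that ends when `add_astats_event` returns, and `collect` drives the iterator one element at a time, so no two `&mut` borrows of `*data` are ever live together. Suggest `// Safety: The caller promises \`data\` is valid and unaliased; each iteration reborrows it exclusively only for the duration of \`add_astats_event\`, and collect() runs the closures sequentially.` The enclosing function begins and ends outside this hunk, so whether anything else holds a reference to `*data` across the loop cannot be confirmed here.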
diff --git a/trusty/libtrusty-rs/src/lib.rs b/trusty/libtrusty-rs/src/lib.rs
index 28ea075..22b894a 100644
--- a/trusty/libtrusty-rs/src/lib.rs
+++ b/trusty/libtrusty-rs/src/lib.rs
@@ -102,6 +102,8 @@
         let file = File::options().read(true).write(true).open(device)?;
 
         let srv_name = CString::new(service).expect("Service name contained null bytes");
+        // SAFETY: The file descriptor is valid because it came from a `File`, and the name is a
+        // valid C string because it came from a `CString`.
         unsafe {
             tipc_connect(file.as_raw_fd(), srv_name.as_ptr())?;
         }
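Review bot: The new SAFETY comment argues provenance (the fd came from a `File`, the pointer from a `CString`) but not lifetime, which is the property that actually keeps the two raw arguments sound: `file` and `srv_name` are named locals still alive at the call, so the descriptor is not closed and the string is not dangling, unlike the `CString::new(..).expect(..).as_ptr()` temporary form. Suggest extending the comment with `// Both are named locals that outlive this call, so neither is dropped before tipc_connect returns.` If `tipc_connect` retains the descriptor beyond the call, that is only sound if ownership of `file` is handed over after this point, which cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.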