Warn on unsafe_op_in_unsafe_fn by default

Edition 2024 requires that we avoid this. There is a lot of code that
will need to be adjusted, so start the process here with a warning that
will show up in CI.

Author: tgross35

builtins-test-intrinsics/src/main.rs

@@ -647,14 +647,14 @@ fn something_with_a_dtor(f: &dyn Fn()) {
     f();
 }
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 #[cfg(not(thumb))]
 fn main(_argc: core::ffi::c_int, _argv: *const *const u8) -> core::ffi::c_int {
     run();
     0
 }
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 #[cfg(thumb)]
 pub fn _start() -> ! {
     run();
@@ -667,30 +667,30 @@ pub fn _start() -> ! {
 extern "C" {}
 
 // ARM targets need these symbols
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub fn __aeabi_unwind_cpp_pr0() {}
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub fn __aeabi_unwind_cpp_pr1() {}
 
 #[cfg(not(any(windows, target_os = "cygwin")))]
 #[allow(non_snake_case)]
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub fn _Unwind_Resume() {}
 
 #[cfg(not(any(windows, target_os = "cygwin")))]
 #[lang = "eh_personality"]
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub extern "C" fn eh_personality() {}
 
 #[cfg(any(all(windows, target_env = "gnu"), target_os = "cygwin"))]
 mod mingw_unwinding {
-    #[no_mangle]
+    #[unsafe(no_mangle)]
     pub fn rust_eh_personality() {}
-    #[no_mangle]
+    #[unsafe(no_mangle)]
     pub fn rust_eh_unwind_resume() {}
-    #[no_mangle]
+    #[unsafe(no_mangle)]
     pub fn rust_eh_register_frames() {}
-    #[no_mangle]
+    #[unsafe(no_mangle)]
     pub fn rust_eh_unregister_frames() {}
 }

src/arm.rs

@@ -23,143 +23,261 @@ intrinsics! {
     #[naked]
     #[cfg(not(target_env = "msvc"))]
     pub unsafe extern "C" fn __aeabi_uidivmod() {
-        core::arch::naked_asm!(
-            "push {{lr}}",
-            "sub sp, sp, #4",
-            "mov r2, sp",
-            bl!("__udivmodsi4"),
-            "ldr r1, [sp]",
-            "add sp, sp, #4",
-            "pop {{pc}}",
-        );
+        unsafe {
+            core::arch::naked_asm!(
+                "push {{lr}}",
+                "sub sp, sp, #4",
+                "mov r2, sp",
+                bl!("__udivmodsi4"),
+                "ldr r1, [sp]",
+                "add sp, sp, #4",
+                "pop {{pc}}",
+            );
+        }
     }
 
     #[naked]
     pub unsafe extern "C" fn __aeabi_uldivmod() {
-        core::arch::naked_asm!(
-            "push {{r4, lr}}",
-            "sub sp, sp, #16",
-            "add r4, sp, #8",
-            "str r4, [sp]",
-            bl!("__udivmoddi4"),
-            "ldr r2, [sp, #8]",
-            "ldr r3, [sp, #12]",
-            "add sp, sp, #16",
-            "pop {{r4, pc}}",
-        );
+        unsafe {
+            core::arch::naked_asm!(
+                "push {{r4, lr}}",
+                "sub sp, sp, #16",
+                "add r4, sp, #8",
+                "str r4, [sp]",
+                bl!("__udivmoddi4"),
+                "ldr r2, [sp, #8]",
+                "ldr r3, [sp, #12]",
+                "add sp, sp, #16",
+                "pop {{r4, pc}}",
+            );
+        }
     }
 
     #[naked]
     pub unsafe extern "C" fn __aeabi_idivmod() {
-        core::arch::naked_asm!(
-            "push {{r0, r1, r4, lr}}",
-            bl!("__aeabi_idiv"),
-            "pop {{r1, r2}}",
-            "muls r2, r2, r0",
-            "subs r1, r1, r2",
-            "pop {{r4, pc}}",
-        );
+        unsafe {
+            core::arch::naked_asm!(
+                "push {{r0, r1, r4, lr}}",
+                bl!("__aeabi_idiv"),
+                "pop {{r1, r2}}",
+                "muls r2, r2, r0",
+                "subs r1, r1, r2",
+                "pop {{r4, pc}}",
+            );
+        }
     }
 
     #[naked]
     pub unsafe extern "C" fn __aeabi_ldivmod() {
-        core::arch::naked_asm!(
-            "push {{r4, lr}}",
-            "sub sp, sp, #16",
-            "add r4, sp, #8",
-            "str r4, [sp]",
-            bl!("__divmoddi4"),
-            "ldr r2, [sp, #8]",
-            "ldr r3, [sp, #12]",
-            "add sp, sp, #16",
-            "pop {{r4, pc}}",
-        );
+        unsafe {
+            core::arch::naked_asm!(
+                "push {{r4, lr}}",
+                "sub sp, sp, #16",
+                "add r4, sp, #8",
+                "str r4, [sp]",
+                bl!("__divmoddi4"),
+                "ldr r2, [sp, #8]",
+                "ldr r3, [sp, #12]",
+                "add sp, sp, #16",
+                "pop {{r4, pc}}",
+            );
+        }
     }
 
-    // FIXME: The `*4` and `*8` variants should be defined as aliases.
+    // FIXME(arm): The `*4` and `*8` variants should be defined as aliases.
 
+    /// `memcpy` provided with the `aapcs` ABI.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memcpy` requirements apply.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memcpy(dest: *mut u8, src: *const u8, n: usize) {
-        crate::mem::memcpy(dest, src, n);
+    pub unsafe extern "aapcs" fn __aeabi_memcpy(dst: *mut u8, src: *const u8, n: usize) {
+        // SAFETY: memcpy preconditions apply.
+        unsafe { crate::mem::memcpy(dst, src, n) };
     }
 
+    /// `memcpy` for 4-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memcpy` requirements apply. Additionally, `dest` and `src` must be aligned to
+    /// four bytes.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memcpy4(dest: *mut u8, src: *const u8, n: usize) {
+    pub unsafe extern "aapcs" fn __aeabi_memcpy4(dst: *mut u8, src: *const u8, n: usize) {
         // We are guaranteed 4-alignment, so accessing at u32 is okay.
-        let mut dest = dest as *mut u32;
-        let mut src = src as *mut u32;
+        let mut dst = dst.cast::<u32>();
+        let mut src = src.cast::<u32>();
+        debug_assert!(dst.is_aligned());
+        debug_assert!(src.is_aligned());
         let mut n = n;
 
         while n >= 4 {
-            *dest = *src;
-            dest = dest.offset(1);
-            src = src.offset(1);
+            // SAFETY: `dst` and `src` are both valid for at least 4 bytes, from
+            // `memcpy` preconditions and the loop guard.
+            unsafe { *dst = *src };
+
+            // TODO
+            unsafe {
+                dst = dst.offset(1);
+                src = src.offset(1);
+            }
+
             n -= 4;
         }
 
-        __aeabi_memcpy(dest as *mut u8, src as *const u8, n);
+        // SAFETY: `dst` and `src` will still be valid for `n` bytes
+        unsafe { __aeabi_memcpy(dst.cast::<u8>(), src.cast::<u8>(), n) };
     }
 
+    /// `memcpy` for 8-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memcpy` requirements apply. Additionally, `dest` and `src` must be aligned to
+    /// eight bytes.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memcpy8(dest: *mut u8, src: *const u8, n: usize) {
-        __aeabi_memcpy4(dest, src, n);
+    pub unsafe extern "aapcs" fn __aeabi_memcpy8(dst: *mut u8, src: *const u8, n: usize) {
+        debug_assert!(dst.addr() & 7 == 0);
+        debug_assert!(src.addr() & 7 == 0);
+
+        // SAFETY: memcpy preconditions apply, less strict alignment.
+        unsafe { __aeabi_memcpy4(dst, src, n) };
     }
 
+    /// `memmove` provided with the `aapcs` ABI.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memmove` requirements apply.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memmove(dest: *mut u8, src: *const u8, n: usize) {
-        crate::mem::memmove(dest, src, n);
+    pub unsafe extern "aapcs" fn __aeabi_memmove(dst: *mut u8, src: *const u8, n: usize) {
+        // SAFETY: memmove preconditions apply.
+        unsafe { crate::mem::memmove(dst, src, n) };
     }
 
+    /// `memmove` for 4-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memmove` requirements apply. Additionally, `dest` and `src` must be aligned to
+    /// four bytes.
     #[cfg(not(any(target_vendor = "apple", target_env = "msvc")))]
-    pub unsafe extern "aapcs" fn __aeabi_memmove4(dest: *mut u8, src: *const u8, n: usize) {
-        __aeabi_memmove(dest, src, n);
+    pub unsafe extern "aapcs" fn __aeabi_memmove4(dst: *mut u8, src: *const u8, n: usize) {
+        debug_assert!(dst.addr() & 3 == 0);
+        debug_assert!(src.addr() & 3 == 0);
+
+        // SAFETY: same preconditions, less strict aligment.
+        unsafe { __aeabi_memmove(dst, src, n) };
     }
 
+    /// `memmove` for 8-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memmove` requirements apply. Additionally, `dst` and `src` must be aligned to
+    /// eight bytes.
     #[cfg(not(any(target_vendor = "apple", target_env = "msvc")))]
-    pub unsafe extern "aapcs" fn __aeabi_memmove8(dest: *mut u8, src: *const u8, n: usize) {
-        __aeabi_memmove(dest, src, n);
+    pub unsafe extern "aapcs" fn __aeabi_memmove8(dst: *mut u8, src: *const u8, n: usize) {
+        debug_assert!(dst.addr() & 7 == 0);
+        debug_assert!(src.addr() & 7 == 0);
+
+        // SAFETY: memmove preconditions apply, less strict alignment.
+        unsafe { __aeabi_memmove(dst, src, n) };
     }
 
+    /// `memset` provided with the `aapcs` ABI.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memset` requirements apply.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memset(dest: *mut u8, n: usize, c: i32) {
+    pub unsafe extern "aapcs" fn __aeabi_memset(dst: *mut u8, n: usize, c: i32) {
         // Note the different argument order
-        crate::mem::memset(dest, c, n);
+        // SAFETY: memset preconditions apply.
+        unsafe { crate::mem::memset(dst, c, n) };
     }
 
+    /// `memset` for 4-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memset` requirements apply. Additionally, `dest` and `src` must be aligned to
+    /// four bytes.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memset4(dest: *mut u8, n: usize, c: i32) {
-        let mut dest = dest as *mut u32;
+    pub unsafe extern "aapcs" fn __aeabi_memset4(dst: *mut u8, n: usize, c: i32) {
+        let mut dst = dst.cast::<u32>();
+        debug_assert!(dst.is_aligned());
         let mut n = n;
 
         let byte = (c as u32) & 0xff;
         let c = (byte << 24) | (byte << 16) | (byte << 8) | byte;
 
         while n >= 4 {
-            *dest = c;
-            dest = dest.offset(1);
+            // SAFETY: `dst` is valid for at least 4 bytes, from `memset` preconditions and
+            // the loop guard.
+            unsafe { *dst = c };
+            // TODO
+            unsafe {
+                dst = dst.offset(1);
+            }
             n -= 4;
         }
 
-        __aeabi_memset(dest as *mut u8, n, byte as i32);
+        // SAFETY: `dst` will still be valid for `n` bytes
+        unsafe { __aeabi_memset(dst.cast::<u8>(), n, byte as i32) };
     }
 
+    /// `memset` for 8-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memset` requirements apply. Additionally, `dst` and `src` must be aligned to
+    /// eight bytes.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memset8(dest: *mut u8, n: usize, c: i32) {
-        __aeabi_memset4(dest, n, c);
+    pub unsafe extern "aapcs" fn __aeabi_memset8(dst: *mut u8, n: usize, c: i32) {
+        debug_assert!(dst.addr() & 7 == 0);
+
+        // SAFETY: memset preconditions apply, less strict alignment.
+        unsafe { __aeabi_memset4(dst, n, c) };
     }
 
+    /// `memclr` provided with the `aapcs` ABI.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memclr` requirements apply.
     #[cfg(not(target_vendor = "apple"))]
-    pub unsafe extern "aapcs" fn __aeabi_memclr(dest: *mut u8, n: usize) {
-        __aeabi_memset(dest, n, 0);
+    pub unsafe extern "aapcs" fn __aeabi_memclr(dst: *mut u8, n: usize) {
+        // SAFETY: memclr preconditions apply, less strict alignment.
+        unsafe { __aeabi_memset(dst, n, 0) };
     }
 
+    /// `memclr` for 4-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memclr` requirements apply. Additionally, `dest` and `src` must be aligned to
+    /// four bytes.
     #[cfg(not(any(target_vendor = "apple", target_env = "msvc")))]
-    pub unsafe extern "aapcs" fn __aeabi_memclr4(dest: *mut u8, n: usize) {
-        __aeabi_memset4(dest, n, 0);
+    pub unsafe extern "aapcs" fn __aeabi_memclr4(dst: *mut u8, n: usize) {
+        debug_assert!(dst.addr() & 3 == 0);
+
+        // SAFETY: memclr preconditions apply, less strict alignment.
+        unsafe { __aeabi_memset4(dst, n, 0) };
     }
 
+    /// `memclr` for 8-byte alignment.
+    ///
+    /// # Safety
+    ///
+    /// Usual `memclr` requirements apply. Additionally, `dst` and `src` must be aligned to
+    /// eight bytes.
     #[cfg(not(any(target_vendor = "apple", target_env = "msvc")))]
-    pub unsafe extern "aapcs" fn __aeabi_memclr8(dest: *mut u8, n: usize) {
-        __aeabi_memset4(dest, n, 0);
+    pub unsafe extern "aapcs" fn __aeabi_memclr8(dst: *mut u8, n: usize) {
+        debug_assert!(dst.addr() & 7 == 0);
+
+        // SAFETY: memclr preconditions apply, less strict alignment.
+        unsafe { __aeabi_memset4(dst, n, 0) };
     }
 }

src/lib.rs

@@ -22,6 +22,9 @@
 #![allow(clippy::manual_swap)]
 // Support compiling on both stage0 and stage1 which may differ in supported stable features.
 #![allow(stable_features)]
+// By default, disallow this as it is forbidden in edition 2024. There is a lot of unsafe code to
+// be migrated, however, so exceptions exist.
+#![warn(unsafe_op_in_unsafe_fn)]
 
 // We disable #[no_mangle] for tests so that we can verify the test results
 // against the native compiler-rt implementations of the builtins.