tokio enable the unsafe_op_in_unsafe_fn lint at the crate level

Signed-off-by: ADD-SP <[email protected]>

Author: ADD-SP

tokio/src/fs/file.rs

@@ -917,7 +917,9 @@ impl std::os::unix::io::AsFd for File {
 #[cfg(unix)]
 impl std::os::unix::io::FromRawFd for File {
     unsafe fn from_raw_fd(fd: std::os::unix::io::RawFd) -> Self {
-        StdFile::from_raw_fd(fd).into()
+        // Safety: exactly the same safety contract as
+        // `std::os::unix::io::FromRawFd::from_raw_fd`.
+        unsafe { StdFile::from_raw_fd(fd).into() }
     }
 }
 
@@ -942,7 +944,9 @@ cfg_windows! {
 
     impl FromRawHandle for File {
         unsafe fn from_raw_handle(handle: RawHandle) -> Self {
-            StdFile::from_raw_handle(handle).into()
+            // Safety: exactly the same safety contract as
+            // `FromRawHandle::from_raw_handle`.
+            unsafe { StdFile::from_raw_handle(handle).into() }
         }
     }
 }

tokio/src/io/poll_evented.rs

@@ -171,7 +171,15 @@ feature! {
             loop {
                 let evt = ready!(self.registration.poll_read_ready(cx))?;
 
-                let b = &mut *(buf.unfilled_mut() as *mut [std::mem::MaybeUninit<u8>] as *mut [u8]);
+                // SAFETY:
+                //
+                // 1. `MaybeUninit<u8>` has the same memory layout as `u8`.
+                // 2. `*mut [u8] as *mut [MaybeUninit<u8>]` follows the
+                //    [Pointer-to-pointer cast].
+                //
+                // [Pointer-to-pointer cast]:
+                // https://doc.rust-lang.org/1.90.0/reference/expressions/operator-expr.html#r-expr.as.pointer
+                let b = unsafe { &mut *(buf.unfilled_mut() as *mut [std::mem::MaybeUninit<u8>] as *mut [u8]) };
 
                 // used only when the cfgs below apply
                 #[allow(unused_variables)]
@@ -213,7 +221,7 @@ feature! {
 
                         // Safety: We trust `TcpStream::read` to have filled up `n` bytes in the
                         // buffer.
-                        buf.assume_init(n);
+                        unsafe { buf.assume_init(n) };
                         buf.advance(n);
                         return Poll::Ready(Ok(()));
                     },

tokio/src/io/read_buf.rs

@@ -283,7 +283,9 @@ unsafe impl<'a> bytes::BufMut for ReadBuf<'a> {
 
     // SAFETY: The caller guarantees that at least `cnt` unfilled bytes have been initialized.
     unsafe fn advance_mut(&mut self, cnt: usize) {
-        self.assume_init(cnt);
+        unsafe {
+            self.assume_init(cnt);
+        }
         self.advance(cnt);
     }
 
@@ -311,16 +313,49 @@ impl fmt::Debug for ReadBuf<'_> {
     }
 }
 
+// TODO: This function looks very safe, consider remove the `unsafe` qualifier.
 unsafe fn slice_to_uninit_mut(slice: &mut [u8]) -> &mut [MaybeUninit<u8>] {
-    &mut *(slice as *mut [u8] as *mut [MaybeUninit<u8>])
+    // SAFETY:
+    //
+    // 1. `MaybeUninit<u8>` has the same memory layout as `u8`.
+    // 2. `*mut [u8] as *mut [MaybeUninit<u8>]` follows the
+    //    [Pointer-to-pointer cast].
+    //
+    // [Pointer-to-pointer cast]:
+    // https://doc.rust-lang.org/1.90.0/reference/expressions/operator-expr.html#r-expr.as.pointer
+    unsafe { &mut *(slice as *mut [u8] as *mut [MaybeUninit<u8>]) }
 }
 
+/// # Safety
+///
+/// The caller must ensure that `slice` is fully initialized.
 // TODO: This could use `MaybeUninit::slice_assume_init` when it is stable.
 unsafe fn slice_assume_init(slice: &[MaybeUninit<u8>]) -> &[u8] {
-    &*(slice as *const [MaybeUninit<u8>] as *const [u8])
+    // SAFETY:
+    //
+    // 1. `MaybeUninit<u8>` has the same memory layout as `u8`.
+    // 2. `*const [MaybeUninit<u8>] as *const [u8]` follows the
+    //    [Pointer-to-pointer cast].
+    // 3. The caller guarantees that `slice` is fully initialized.
+    //
+    // [Pointer-to-pointer cast]:
+    // https://doc.rust-lang.org/1.90.0/reference/expressions/operator-expr.html#r-expr.as.pointer
+    unsafe { &*(slice as *const [MaybeUninit<u8>] as *const [u8]) }
 }
 
 // TODO: This could use `MaybeUninit::slice_assume_init_mut` when it is stable.
+/// # Safety
+///
+/// The caller must ensure that `slice` is fully initialized.
 unsafe fn slice_assume_init_mut(slice: &mut [MaybeUninit<u8>]) -> &mut [u8] {
-    &mut *(slice as *mut [MaybeUninit<u8>] as *mut [u8])
+    // SAFETY:
+    //
+    // 1. `MaybeUninit<u8>` has the same memory layout as `u8`.
+    // 2. `*const [MaybeUninit<u8>] as *const [u8]` follows the
+    //    [Pointer-to-pointer cast].
+    // 3. The caller guarantees that `slice` is fully initialized.
+    //
+    // [Pointer-to-pointer cast]:
+    // https://doc.rust-lang.org/1.90.0/reference/expressions/operator-expr.html#r-expr.as.pointer
+    unsafe { &mut *(slice as *mut [MaybeUninit<u8>] as *mut [u8]) }
 }

tokio/src/lib.rs

@@ -10,7 +10,7 @@
     rust_2018_idioms,
     unreachable_pub
 )]
-#![deny(unused_must_use)]
+#![deny(unused_must_use, unsafe_op_in_unsafe_fn)]
 #![doc(test(
     no_crate_inject,
     attr(deny(warnings, rust_2018_idioms), allow(dead_code, unused_variables))

tokio/src/loom/std/atomic_u16.rs

@@ -26,7 +26,7 @@ impl AtomicU16 {
     /// All mutations must have happened before the unsynchronized load.
     /// Additionally, there must be no concurrent mutations.
     pub(crate) unsafe fn unsync_load(&self) -> u16 {
-        core::ptr::read(self.inner.get() as *const u16)
+        unsafe { core::ptr::read(self.inner.get() as *const u16) }
     }
 }
 

tokio/src/loom/std/atomic_u32.rs

@@ -26,7 +26,7 @@ impl AtomicU32 {
     /// All mutations must have happened before the unsynchronized load.
     /// Additionally, there must be no concurrent mutations.
     pub(crate) unsafe fn unsync_load(&self) -> u32 {
-        core::ptr::read(self.inner.get() as *const u32)
+        unsafe { core::ptr::read(self.inner.get() as *const u32) }
     }
 }
 

tokio/src/loom/std/atomic_usize.rs

@@ -26,7 +26,7 @@ impl AtomicUsize {
     /// All mutations must have happened before the unsynchronized load.
     /// Additionally, there must be no concurrent mutations.
     pub(crate) unsafe fn unsync_load(&self) -> usize {
-        core::ptr::read(self.inner.get() as *const usize)
+        unsafe { core::ptr::read(self.inner.get() as *const usize) }
     }
 
     pub(crate) fn with_mut<R>(&mut self, f: impl FnOnce(&mut usize) -> R) -> R {

tokio/src/macros/addr_of.rs

@@ -11,11 +11,16 @@ macro_rules! generate_addr_of_methods {
     )*}
     ) => {
         impl<$($gen)*> $struct_name {$(
+            #[doc = "# Safety"]
+            #[doc = ""]
+            #[doc = "The `self` pointer must be valid."]
             $(#[$attrs])*
             $vis unsafe fn $fn_name(me: ::core::ptr::NonNull<Self>) -> ::core::ptr::NonNull<$field_type> {
                 let me = me.as_ptr();
-                let field = ::std::ptr::addr_of_mut!((*me) $(.$field_name)+ );
-                ::core::ptr::NonNull::new_unchecked(field)
+                // safety: the caller guarantees that `me` is valid
+                let field = unsafe { ::std::ptr::addr_of_mut!((*me) $(.$field_name)+ ) };
+                // safety: the field pointer is never null
+                unsafe { ::core::ptr::NonNull::new_unchecked(field) }
             }
         )*}
     };

tokio/src/net/tcp/socket.rs

@@ -836,7 +836,9 @@ cfg_unix! {
         /// The caller is responsible for ensuring that the socket is in
         /// non-blocking mode.
         unsafe fn from_raw_fd(fd: RawFd) -> TcpSocket {
-            let inner = socket2::Socket::from_raw_fd(fd);
+            // Safety: exactly the same safety requirements as the
+            // `FromRawFd::from_raw_fd` trait method.
+            let inner = unsafe { socket2::Socket::from_raw_fd(fd) };
             TcpSocket { inner }
         }
     }
@@ -875,7 +877,7 @@ cfg_windows! {
         /// The caller is responsible for ensuring that the socket is in
         /// non-blocking mode.
         unsafe fn from_raw_socket(socket: RawSocket) -> TcpSocket {
-            let inner = socket2::Socket::from_raw_socket(socket);
+            let inner = unsafe { socket2::Socket::from_raw_socket(socket) };
             TcpSocket { inner }
         }
     }

tokio/src/net/unix/socket.rs

@@ -259,7 +259,9 @@ impl AsFd for UnixSocket {
 
 impl FromRawFd for UnixSocket {
     unsafe fn from_raw_fd(fd: RawFd) -> UnixSocket {
-        let inner = socket2::Socket::from_raw_fd(fd);
+        // Safety: exactly the same safety requirements as the
+        // `FromRawFd::from_raw_fd` trait method.
+        let inner = unsafe { socket2::Socket::from_raw_fd(fd) };
         UnixSocket { inner }
     }
 }