From 619814e65216acea15c2151ae8a2b060554e056d Mon Sep 17 00:00:00 2001 From: Ruihan Li Date: Wed, 7 May 2025 23:47:32 +0800 Subject: [PATCH] Add `unsafe` with caller-upheld comments --- ostd/src/io/io_mem/allocator.rs | 3 ++- ostd/src/io/mod.rs | 9 +++++++-- ostd/src/mm/io.rs | 10 +++++++--- ostd/src/mm/page_table/cursor/mod.rs | 3 ++- ostd/src/mm/page_table/mod.rs | 12 +++++++++--- ostd/src/mm/page_table/node/mod.rs | 6 ++++-- 6 files changed, 31 insertions(+), 12 deletions(-) diff --git a/ostd/src/io/io_mem/allocator.rs b/ostd/src/io/io_mem/allocator.rs index eb7c81aa..1f8c41f3 100644 --- a/ostd/src/io/io_mem/allocator.rs +++ b/ostd/src/io/io_mem/allocator.rs @@ -114,7 +114,8 @@ pub static IO_MEM_ALLOCATOR: Once = Once::new(); /// User must ensure all the memory I/O regions that belong to the system device have been removed by calling the /// `remove` function. pub(crate) unsafe fn init(io_mem_builder: IoMemAllocatorBuilder) { - IO_MEM_ALLOCATOR.call_once(|| IoMemAllocator::new(io_mem_builder.allocators)); + // SAFETY: The safety is upheld by the caller. + IO_MEM_ALLOCATOR.call_once(|| unsafe { IoMemAllocator::new(io_mem_builder.allocators) }); } fn find_allocator<'a>( diff --git a/ostd/src/io/mod.rs b/ostd/src/io/mod.rs index ca7c3e4b..3be216ba 100644 --- a/ostd/src/io/mod.rs +++ b/ostd/src/io/mod.rs @@ -37,7 +37,12 @@ cfg_if!( /// 3. `MAX_IO_PORT` defined in `crate::arch::io` is guaranteed not to /// exceed the maximum value specified by architecture. pub(crate) unsafe fn init(io_mem_builder: IoMemAllocatorBuilder) { - self::io_mem::init(io_mem_builder); + // SAFETY: The safety is upheld by the caller. + unsafe { self::io_mem::init(io_mem_builder) }; + + // SAFETY: The safety is upheld by the caller. #[cfg(target_arch = "x86_64")] - self::io_port::init(); + unsafe { + self::io_port::init() + }; } diff --git a/ostd/src/mm/io.rs b/ostd/src/mm/io.rs index a28ba62a..43a05ff7 100644 --- a/ostd/src/mm/io.rs +++ b/ostd/src/mm/io.rs @@ -302,7 +302,9 @@ unsafe fn memcpy(dst: *mut u8, src: *const u8, len: usize) { // // For more details and future possibilities, see // . - core::intrinsics::volatile_copy_memory(dst, src, len); + + // SAFETY: The safety is guaranteed by the safety preconditions and the explanation above. + unsafe { core::intrinsics::volatile_copy_memory(dst, src, len) }; } /// Copies `len` bytes from `src` to `dst`. @@ -322,7 +324,8 @@ unsafe fn memcpy(dst: *mut u8, src: *const u8, len: usize) { /// /// [valid]: crate::mm::io#safety unsafe fn memcpy_fallible(dst: *mut u8, src: *const u8, len: usize) -> usize { - let failed_bytes = __memcpy_fallible(dst, src, len); + // SAFETY: The safety is upheld by the caller. + let failed_bytes = unsafe { __memcpy_fallible(dst, src, len) }; len - failed_bytes } @@ -337,7 +340,8 @@ unsafe fn memcpy_fallible(dst: *mut u8, src: *const u8, len: usize) -> usize { /// /// [valid]: crate::mm::io#safety unsafe fn memset_fallible(dst: *mut u8, value: u8, len: usize) -> usize { - let failed_bytes = __memset_fallible(dst, value, len); + // SAFETY: The safety is upheld by the caller. + let failed_bytes = unsafe { __memset_fallible(dst, value, len) }; len - failed_bytes } diff --git a/ostd/src/mm/page_table/cursor/mod.rs b/ostd/src/mm/page_table/cursor/mod.rs index 0045920f..69c58fce 100644 --- a/ostd/src/mm/page_table/cursor/mod.rs +++ b/ostd/src/mm/page_table/cursor/mod.rs @@ -781,7 +781,8 @@ impl<'rcu, M: PageTableMode, E: PageTableEntryTrait, C: PagingConstsTrait> // Do copy. op(&mut prop); self.jump(src_va).unwrap(); - let original = self.map(page, prop); + // SAFETY: The safety is upheld by the caller. + let original = unsafe { self.map(page, prop) }; assert!(original.is_none()); // Only move the source cursor forward since `Self::map` will do it. diff --git a/ostd/src/mm/page_table/mod.rs b/ostd/src/mm/page_table/mod.rs index b5a5959b..dbd8f74b 100644 --- a/ostd/src/mm/page_table/mod.rs +++ b/ostd/src/mm/page_table/mod.rs @@ -183,7 +183,10 @@ impl PageTable { ) -> Result<(), PageTableError> { let preempt_guard = disable_preempt(); let mut cursor = CursorMut::new(self, &preempt_guard, vaddr)?; - while let Some(range) = cursor.protect_next(vaddr.end - cursor.virt_addr(), &mut op) { + // SAFETY: The safety is upheld by the caller. + while let Some(range) = + unsafe { cursor.protect_next(vaddr.end - cursor.virt_addr(), &mut op) } + { crate::arch::mm::tlb_flush_addr(range.start); } Ok(()) @@ -202,7 +205,8 @@ impl PageTable PageTable Result<(), PageTableError> { let preempt_guard = disable_preempt(); - self.cursor_mut(&preempt_guard, vaddr)?.map_pa(paddr, prop); + let mut cursor = self.cursor_mut(&preempt_guard, vaddr)?; + // SAFETY: The safety is upheld by the caller. + unsafe { cursor.map_pa(paddr, prop) }; Ok(()) } diff --git a/ostd/src/mm/page_table/node/mod.rs b/ostd/src/mm/page_table/node/mod.rs index ee8d2fc8..d691f3b8 100644 --- a/ostd/src/mm/page_table/node/mod.rs +++ b/ostd/src/mm/page_table/node/mod.rs @@ -109,7 +109,8 @@ impl PageTableNode { return; } - activate_page_table(self.clone().into_raw(), CachePolicy::Writeback); + // SAFETY: The safety is upheld by the caller. + unsafe { activate_page_table(self.clone().into_raw(), CachePolicy::Writeback) }; // Restore and drop the last activated page table. // SAFETY: The physical address is valid and points to a forgotten page table node. @@ -123,7 +124,8 @@ impl PageTableNode { pub(super) unsafe fn first_activate(&self) { use crate::{arch::mm::activate_page_table, mm::CachePolicy}; - activate_page_table(self.clone().into_raw(), CachePolicy::Writeback); + // SAFETY: The safety is upheld by the caller. + unsafe { activate_page_table(self.clone().into_raw(), CachePolicy::Writeback) }; } }