Improve overall `unsafe` hygiene
This adds `#![deny(unsafe_op_in_unsafe_fn)]`, which removes the
implicit `unsafe` block that an `unsafe fn` body otherwise provides.
It also adds many more `SAFETY` docs, corrects some incomplete
ones, and catches a null pointer returned by `upb_Arena_New`.
PiperOrigin-RevId: 549067106
diff --git a/rust/internal.rs b/rust/internal.rs
index ec4fd00..ada1025 100644
--- a/rust/internal.rs
+++ b/rust/internal.rs
@@ -61,14 +61,17 @@
/// Unsafely dereference this slice.
///
/// # Safety
- /// - `ptr` must be valid for `len` bytes. It can be null or dangling if
- /// `self.len == 0`.
+ /// - `self.ptr` must be dereferencable and immutable for `self.len` bytes
+ /// for the lifetime `'a`. It can be null or dangling if `self.len == 0`.
pub unsafe fn as_ref<'a>(self) -> &'a [u8] {
if self.ptr.is_null() {
assert_eq!(self.len, 0, "Non-empty slice with null data pointer");
&[]
} else {
- slice::from_raw_parts(self.ptr, self.len)
+ // SAFETY:
+ // - `ptr` is non-null
+ // - `ptr` is valid for `len` bytes as promised by the caller.
+ unsafe { slice::from_raw_parts(self.ptr, self.len) }
}
}
}
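Review bot: The new SAFETY comment on the `slice::from_raw_parts` call states less than the `# Safety` section it is meant to discharge: the doc now promises the memory is dereferencable and immutable for `self.len` bytes for the whole lifetime `'a`, but the comment only says "valid for `len` bytes", which leaves the non-mutation-for-`'a` obligation (the one `from_raw_parts` actually relies on) undocumented at the call site. I would align the two, e.g. replace the last bullet with `// - \`ptr\` is valid for reads of \`len\` bytes and the memory is not mutated for \`'a\`, as promised by the caller.`, and optionally add `// - \`u8\` has alignment 1, so alignment is trivially satisfied.` so the reader sees every `from_raw_parts` precondition accounted for. The `unsafe fn` is fully within the hunk, but the enclosing `impl` block continues outside it.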