Add Safety section to docs of unsafe functions

GabrielMajeri · GabrielMajeri · commit 37039fd133a9 · 2019-11-01T08:37:02.000+02:00
diff --git a/src/data_types/strs.rs b/src/data_types/strs.rs
@@ -24,6 +24,12 @@ pub struct CStr8([Char8]);
 
 impl CStr8 {
     /// Wraps a raw UEFI string with a safe C string wrapper
+    ///
+    /// # Safety
+    ///
+    /// The function will start accessing memory from `ptr` until the first
+    /// null byte. It's the callers responsability to ensure `ptr` points to
+    /// a valid string, in accessible memory.
     pub unsafe fn from_ptr<'ptr>(ptr: *const Char8) -> &'ptr Self {
         let mut len = 0;
         while *ptr.add(len) != NUL_8 {
@@ -47,6 +53,11 @@ impl CStr8 {
     }
 
     /// Unsafely creates a C string wrapper from bytes
+    ///
+    /// # Safety
+    ///
+    /// It's the callers responsability to ensure chars is a valid Latin-1
+    /// null-terminated string, with no interior null bytes.
     pub unsafe fn from_bytes_with_nul_unchecked(chars: &[u8]) -> &Self {
         &*(chars as *const [u8] as *const Self)
     }
@@ -77,6 +88,12 @@ pub struct CStr16([Char16]);
 
 impl CStr16 {
     /// Wraps a raw UEFI string with a safe C string wrapper
+    ///
+    /// # Safety
+    ///
+    /// The function will start accessing memory from `ptr` until the first
+    /// null byte. It's the callers responsability to ensure `ptr` points to
+    /// a valid string, in accessible memory.
     pub unsafe fn from_ptr<'ptr>(ptr: *const Char16) -> &'ptr Self {
         let mut len = 0;
         while *ptr.add(len) != NUL_16 {
@@ -110,6 +127,11 @@ impl CStr16 {
     }
 
     /// Unsafely creates a C string wrapper from a u16 slice.
+    ///
+    /// # Safety
+    ///
+    /// It's the callers responsability to ensure chars is a valid UCS-2
+    /// null-terminated string, with no interior null bytes.
     pub unsafe fn from_u16_with_nul_unchecked(codes: &[u16]) -> &Self {
         &*(codes as *const [u16] as *const Self)
     }
diff --git a/src/logger.rs b/src/logger.rs
@@ -31,6 +31,11 @@ impl Logger {
     ///
     /// You must arrange for the `disable` method to be called or for this logger
     /// to be otherwise discarded before boot services are exited.
+    ///
+    /// # Safety
+    ///
+    /// Undefined behaviour may occur if this logger is still active after the
+    /// application has exited the boot services stage.
     pub unsafe fn new(output: &mut Output) -> Self {
         Logger {
             writer: NonNull::new(output as *const _ as *mut _),
diff --git a/src/proto/console/gop.rs b/src/proto/console/gop.rs
@@ -550,6 +550,8 @@ impl<'gop> FrameBuffer<'gop> {
 
     /// Modify the i-th byte of the frame buffer
     ///
+    /// # Safety
+    ///
     /// This operation is unsafe because...
     /// - You must honor the pixel format and stride specified by the mode info
     /// - There is no bound checking on memory accesses in release mode
@@ -561,6 +563,8 @@ impl<'gop> FrameBuffer<'gop> {
 
     /// Read the i-th byte of the frame buffer
     ///
+    /// # Safety
+    ///
     /// This operation is unsafe because...
     /// - You must honor the pixel format and stride specified by the mode info
     /// - There is no bound checking on memory accesses in release mode
@@ -576,6 +580,8 @@ impl<'gop> FrameBuffer<'gop> {
     /// const generics, it will be deprecated and replaced with a write_bytes()
     /// method that only accepts [u8; N] input.
     ///
+    /// # Safety
+    ///
     /// This operation is unsafe because...
     /// - It is your reponsibility to make sure that the value type makes sense
     /// - You must honor the pixel format and stride specified by the mode info
@@ -595,6 +601,8 @@ impl<'gop> FrameBuffer<'gop> {
     /// const generics, it will be deprecated and replaced with a read_bytes()
     /// method that only accepts [u8; N] input.
     ///
+    /// # Safety
+    ///
     /// This operation is unsafe because...
     /// - It is your reponsibility to make sure that the value type makes sense
     /// - You must honor the pixel format and stride specified by the mode info
diff --git a/src/proto/media/file/info.rs b/src/proto/media/file/info.rs
@@ -21,6 +21,11 @@ pub trait FileProtocolInfo: Align + Identify + FromUefi {}
 /// the fat pointer must be reconstructed using hidden UEFI-provided metadata.
 pub trait FromUefi {
     /// Turn an UEFI-provided pointer-to-base into a (possibly fat) Rust reference
+    ///
+    /// # Safety
+    ///
+    /// This function can lead to undefined behavior if the given pointer is not
+    /// pointing to a valid object of the specified type.
     unsafe fn from_uefi<'ptr>(ptr: *mut c_void) -> &'ptr mut Self;
 }
 
diff --git a/src/table/boot.rs b/src/table/boot.rs
@@ -134,6 +134,12 @@ impl BootServices {
     ///
     /// This function outputs an RAII guard that will automatically restore the
     /// original `Tpl` when dropped.
+    ///
+    /// # Safety
+    ///
+    /// Raising a task's priority level can affect other running tasks and
+    /// critical processes run by UEFI. The highest priority level is the
+    /// most dangerous, since it disables interrupts.
     pub unsafe fn raise_tpl(&self, tpl: Tpl) -> TplGuard<'_> {
         TplGuard {
             boot_services: self,
@@ -260,6 +266,8 @@ impl BootServices {
     /// will be delivered next time `wait_for_event` or `check_event` is called.
     /// In both cases, a `notify_fn` callback must be specified.
     ///
+    /// # Safety
+    ///
     /// This function is unsafe because callbacks must handle exit from boot
     /// services correctly.
     pub unsafe fn create_event(
@@ -472,6 +480,8 @@ impl BootServices {
 
     /// Copies memory from source to destination. The buffers can overlap.
     ///
+    /// # Safety
+    ///
     /// This function is unsafe as it can be used to violate most safety
     /// invariants of the Rust type system.
     pub unsafe fn memmove(&self, dest: *mut u8, src: *const u8, size: usize) {
@@ -480,6 +490,8 @@ impl BootServices {
 
     /// Sets a buffer to a certain value.
     ///
+    /// # Safety
+    ///
     /// This function is unsafe as it can be used to violate most safety
     /// invariants of the Rust type system.
     pub unsafe fn memset(&self, buffer: *mut u8, size: usize, value: u8) {
diff --git a/src/table/runtime.rs b/src/table/runtime.rs
@@ -45,7 +45,12 @@ impl RuntimeServices {
     /// Sets the current local time and date information
     ///
     /// During runtime, if a PC-AT CMOS device is present in the platform, the
-    /// caller must synchronize access to the device before calling set_time.
+    /// caller must synchronize access to the device before calling `set_time`.
+    ///
+    /// # Safety
+    ///
+    /// Undefined behavior could happen if multiple tasks try to
+    /// use this function at the same time without synchronisation.
     pub unsafe fn set_time(&mut self, time: &Time) -> Result {
         (self.set_time)(time).into()
     }
diff --git a/src/table/system.rs b/src/table/system.rs
@@ -170,6 +170,8 @@ impl SystemTable<Boot> {
 
     /// Clone this boot-time UEFI system table interface
     ///
+    /// # Safety
+    ///
     /// This is unsafe because you must guarantee that the clone will not be
     /// used after boot services are exited. However, the singleton-based
     /// designs that Rust uses for memory allocation, logging, and panic
@@ -187,6 +189,8 @@ impl SystemTable<Boot> {
 impl SystemTable<Runtime> {
     /// Access runtime services
     ///
+    /// # Safety
+    ///
     /// This is unsafe because UEFI runtime services require an elaborate
     /// CPU configuration which may not be preserved by OS loaders. See the
     /// "Calling Conventions" chapter of the UEFI specification for details.
