Make pal/windows default to deny unsafe in unsafe

ChrisDenton · ChrisDenton · commit d96ed862d21d · 2024-07-15T07:00:40.000Z
diff --git a/std/src/sys/pal/windows/api.rs b/std/src/sys/pal/windows/api.rs
@@ -227,8 +227,10 @@ pub fn set_file_information_by_handle<T: SetFileInformation>(
         info: *const c_void,
         size: u32,
     ) -> Result<(), WinError> {
-        let result = c::SetFileInformationByHandle(handle, class, info, size);
-        (result != 0).then_some(()).ok_or_else(get_last_error)
+        unsafe {
+            let result = c::SetFileInformationByHandle(handle, class, info, size);
+            (result != 0).then_some(()).ok_or_else(get_last_error)
+        }
     }
     // SAFETY: The `SetFileInformation` trait ensures that this is safe.
     unsafe { set_info(handle, T::CLASS, info.as_ptr(), info.size()) }
diff --git a/std/src/sys/pal/windows/c.rs b/std/src/sys/pal/windows/c.rs
@@ -4,6 +4,7 @@
 #![cfg_attr(test, allow(dead_code))]
 #![unstable(issue = "none", feature = "windows_c")]
 #![allow(clippy::style)]
+#![allow(unsafe_op_in_unsafe_fn)]
 
 use crate::ffi::CStr;
 use crate::mem;
diff --git a/std/src/sys/pal/windows/compat.rs b/std/src/sys/pal/windows/compat.rs
@@ -111,9 +111,11 @@ impl Module {
     /// This should only be use for modules that exist for the lifetime of std
     /// (e.g. kernel32 and ntdll).
     pub unsafe fn new(name: &CStr) -> Option<Self> {
-        // SAFETY: A CStr is always null terminated.
-        let module = c::GetModuleHandleA(name.as_ptr().cast::<u8>());
-        NonNull::new(module).map(Self)
+        unsafe {
+            // SAFETY: A CStr is always null terminated.
+            let module = c::GetModuleHandleA(name.as_ptr().cast::<u8>());
+            NonNull::new(module).map(Self)
+        }
     }
 
     // Try to get the address of a function.
diff --git a/std/src/sys/pal/windows/fs.rs b/std/src/sys/pal/windows/fs.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
 use core::ptr::addr_of;
 
 use crate::os::windows::prelude::*;
diff --git a/std/src/sys/pal/windows/handle.rs b/std/src/sys/pal/windows/handle.rs
@@ -1,4 +1,5 @@
 #![unstable(issue = "none", feature = "windows_handle")]
+#![allow(unsafe_op_in_unsafe_fn)]
 
 #[cfg(test)]
 mod tests;
diff --git a/std/src/sys/pal/windows/io.rs b/std/src/sys/pal/windows/io.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
 use crate::marker::PhantomData;
 use crate::mem::size_of;
 use crate::os::windows::io::{AsHandle, AsRawHandle, BorrowedHandle};
diff --git a/std/src/sys/pal/windows/mod.rs b/std/src/sys/pal/windows/mod.rs
@@ -1,4 +1,5 @@
 #![allow(missing_docs, nonstandard_style)]
+#![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::ffi::{OsStr, OsString};
 use crate::io::ErrorKind;
@@ -54,11 +55,13 @@ impl<T> IoResult<T> for Result<T, api::WinError> {
 // SAFETY: must be called only once during runtime initialization.
 // NOTE: this is not guaranteed to run, for example when Rust code is called externally.
 pub unsafe fn init(_argc: isize, _argv: *const *const u8, _sigpipe: u8) {
-    stack_overflow::init();
+    unsafe {
+        stack_overflow::init();
 
-    // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already
-    // exists, we have to call it ourselves.
-    thread::Thread::set_name_wide(wide_str!("main"));
+        // Normally, `thread::spawn` will call `Thread::set_name` but since this thread already
+        // exists, we have to call it ourselves.
+        thread::Thread::set_name_wide(wide_str!("main"));
+    }
 }
 
 // SAFETY: must be called only once during runtime cleanup.
diff --git a/std/src/sys/pal/windows/net.rs b/std/src/sys/pal/windows/net.rs
@@ -436,7 +436,7 @@ impl Socket {
     pub unsafe fn from_raw(raw: c::SOCKET) -> Self {
         debug_assert_eq!(mem::size_of::<c::SOCKET>(), mem::size_of::<RawSocket>());
         debug_assert_eq!(mem::align_of::<c::SOCKET>(), mem::align_of::<RawSocket>());
-        Self::from_raw_socket(raw as RawSocket)
+        unsafe { Self::from_raw_socket(raw as RawSocket) }
     }
 }
 
@@ -486,6 +486,6 @@ impl IntoRawSocket for Socket {
 
 impl FromRawSocket for Socket {
     unsafe fn from_raw_socket(raw_socket: RawSocket) -> Self {
-        Self(FromRawSocket::from_raw_socket(raw_socket))
+        unsafe { Self(FromRawSocket::from_raw_socket(raw_socket)) }
     }
 }
diff --git a/std/src/sys/pal/windows/os.rs b/std/src/sys/pal/windows/os.rs
@@ -1,6 +1,7 @@
 //! Implementation of `std::os` functionality for Windows.
 
 #![allow(nonstandard_style)]
+#![allow(unsafe_op_in_unsafe_fn)]
 
 #[cfg(test)]
 mod tests;
diff --git a/std/src/sys/pal/windows/pipe.rs b/std/src/sys/pal/windows/pipe.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
 use crate::os::windows::prelude::*;
 
 use crate::ffi::OsStr;
diff --git a/std/src/sys/pal/windows/stack_overflow.rs b/std/src/sys/pal/windows/stack_overflow.rs
@@ -1,4 +1,5 @@
 #![cfg_attr(test, allow(dead_code))]
+#![allow(unsafe_op_in_unsafe_fn)]
 
 use crate::sys::c;
 use crate::thread;
diff --git a/std/src/sys/pal/windows/thread.rs b/std/src/sys/pal/windows/thread.rs
@@ -1,3 +1,4 @@
+#![allow(unsafe_op_in_unsafe_fn)]
 use crate::ffi::CStr;
 use crate::io;
 use crate::num::NonZero;

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+#![allow(unsafe_op_in_unsafe_fn)]`
`1`	`2`	`use core::ptr::addr_of;`
`2`	`3`
`3`	`4`	`use crate::os::windows::prelude::*;`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`#![unstable(issue = "none", feature = "windows_handle")]`
	`2`	`+#![allow(unsafe_op_in_unsafe_fn)]`
`2`	`3`
`3`	`4`	`#[cfg(test)]`
`4`	`5`	`mod tests;`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+#![allow(unsafe_op_in_unsafe_fn)]`
`1`	`2`	`use crate::marker::PhantomData;`
`2`	`3`	`use crate::mem::size_of;`
`3`	`4`	`use crate::os::windows::io::{AsHandle, AsRawHandle, BorrowedHandle};`
Original file line number	Diff line number	Diff line change
`@@ -436,7 +436,7 @@ impl Socket {`
`436`	`436`	`pub unsafe fn from_raw(raw: c::SOCKET) -> Self {`
`437`	`437`	`debug_assert_eq!(mem::size_of::<c::SOCKET>(), mem::size_of::<RawSocket>());`
`438`	`438`	`debug_assert_eq!(mem::align_of::<c::SOCKET>(), mem::align_of::<RawSocket>());`
`439`		`- Self::from_raw_socket(raw as RawSocket)`
	`439`	`+ unsafe { Self::from_raw_socket(raw as RawSocket) }`
`440`	`440`	`}`
`441`	`441`	`}`
`442`	`442`
`@@ -486,6 +486,6 @@ impl IntoRawSocket for Socket {`
`486`	`486`
`487`	`487`	`impl FromRawSocket for Socket {`
`488`	`488`	`unsafe fn from_raw_socket(raw_socket: RawSocket) -> Self {`
`489`		`- Self(FromRawSocket::from_raw_socket(raw_socket))`
	`489`	`+ unsafe { Self(FromRawSocket::from_raw_socket(raw_socket)) }`
`490`	`490`	`}`
`491`	`491`	`}`