Deny unsafe_op_in_unsafe_fn

The unsafe_op_in_unsafe_fn lint was previously set to allow, meaning
that unsafe function calls and operations were allowed within unsafe
functions without a surrounding unsafe block. This patch changes the
lint to deny, for the purpose of making unsafe operations in the
codebase more explicit.
main
pantonshire 3 years ago
parent 299553bebf
commit 5e612f153c

@ -332,7 +332,7 @@ impl<L, R> Either<L, R> {
Inl(l) => l,
// SAFETY:
// The caller is responsible for ensuring that the value is not `Inr`.
Inr(_) => hint::unreachable_unchecked(),
Inr(_) => unsafe { hint::unreachable_unchecked() },
}
}
@ -343,7 +343,7 @@ impl<L, R> Either<L, R> {
match self {
// SAFETY:
// The caller is responsible for ensuring that the value is not `Inl`.
Inl(_) => hint::unreachable_unchecked(),
Inl(_) => unsafe { hint::unreachable_unchecked() },
Inr(r) => r,
}
}
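Review bot: Both rewritten arms, `Inr(_) => unsafe { hint::unreachable_unchecked() }` in the first hunk and the mirrored `Inl(_)` arm in the second, turn a broken caller contract directly into undefined behaviour with no check that a debug or test build could trip on. Consider `Inr(_) => { debug_assert!(false, "value was Inr"); unsafe { hint::unreachable_unchecked() } }` (and the same for `Inl(_)`), which leaves release code unchanged but makes misuse panic under test. Both functions start outside the hunks, so whether their doc comments carry a `# Safety` section stating the same contract cannot be seen here.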

@ -1,3 +1,5 @@
#![deny(unsafe_op_in_unsafe_fn)]
#![cfg_attr(not(feature = "std"), no_std)]
#[cfg(all(feature = "alloc", not(feature = "std")))]
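Review bot: `#![deny(unsafe_op_in_unsafe_fn)]` can still be switched off by an `#[allow(unsafe_op_in_unsafe_fn)]` on any inner item, so the explicitness the commit message aims for holds only while nobody adds one. If nothing in the crate (including macro-generated code) needs that escape hatch, `#![forbid(unsafe_op_in_unsafe_fn)]` makes the rule non-overridable. A one-line comment above the attribute, such as `// Every unsafe operation must sit in its own unsafe block with a SAFETY comment.`, would also record the intent next to the lint.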

@ -24,7 +24,9 @@ impl<const N: usize> FixedString<N> {
#[inline]
pub unsafe fn from_raw_slice(bytes: &[u8]) -> Result<Self, Error> {
match bytes.try_into() {
Ok(bytes) => Ok(Self::from_raw_array(bytes)),
// SAFETY:
// The caller is reponsible for ensuring that the provided bytes are valid UTF-8.
Ok(bytes) => unsafe { Ok(Self::from_raw_array(bytes)) },
Err(_) => Err(Error {
expected_len: N,
actual_len: bytes.len(),
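Review bot: The new `unsafe` block in the `Ok(bytes)` arm wraps the whole `Ok(...)` expression, although only the call to `Self::from_raw_array` is unsafe. Narrowing it to `Ok(bytes) => Ok(unsafe { Self::from_raw_array(bytes) }),` keeps the block to the single operation the SAFETY comment justifies. The added comment also misspells "responsible" as "reponsible". The function body continues past the end of the hunk.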

@ -183,7 +183,7 @@ impl<const N: usize> InliningString<N> {
// The caller is responsible for ensuring that `len` is less than or equal to
// `Self::MAX_LEN`, which is no greater than `u8::MAX - 2`. If this contract is upheld,
// `len + 1` can never overflow, so `len + 1` can never be zero.
let discrim = NonZeroU8::new_unchecked(len + 1);
let discrim = unsafe { NonZeroU8::new_unchecked(len + 1) };
Self {
repr: Repr { inline: buf },
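Review bot: In `unsafe { NonZeroU8::new_unchecked(len + 1) }` the sum is computed with ordinary arithmetic, so with overflow checks disabled a `len` of `u8::MAX` wraps to zero and the call is undefined behaviour; nothing visible in the hunk enforces the bound the comment relies on. Adding `debug_assert!(len <= Self::MAX_LEN);` before the `let discrim` line (with a cast if the constant's type differs from that of `len`) would surface contract violations in debug and test builds at no release cost. The enclosing function starts and ends outside the hunk, so an existing check there cannot be ruled out.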
