From 5e612f153ce9891c7ff4114b9d0c2e5a5d3d5d21 Mon Sep 17 00:00:00 2001
From: pantonshire
Date: Thu, 8 Sep 2022 16:08:14 +0100
Subject: [PATCH] Deny unsafe_op_in_unsafe_fn

The unsafe_op_in_unsafe_fn lint was previously set to allow, meaning that unsafe function calls and operations were allowed within unsafe functions without a surrounding unsafe block. This patch changes the lint to deny, for the purpose of making unsafe operations in the codebase more explicit.

---
 src/either.rs | 4 ++--
 src/lib.rs | 2 ++
 src/strings/fixed.rs | 4 +++-
 src/strings/inlining.rs | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/either.rs b/src/either.rs
index 935df28..5bf45b5 100644
--- a/src/either.rs
+++ b/src/either.rs
@@ -332,7 +332,7 @@ impl Either {
 Inl(l) => l,
 // SAFETY:
 // The caller is responsible for ensuring that the value is not `Inr`.
- Inr(_) => hint::unreachable_unchecked(),
+ Inr(_) => unsafe { hint::unreachable_unchecked() },
 }
 }
 
@@ -343,7 +343,7 @@ impl Either {
 match self {
 // SAFETY:
 // The caller is responsible for ensuring that the value is not `Inl`.
- Inl(_) => hint::unreachable_unchecked(),
+ Inl(_) => unsafe { hint::unreachable_unchecked() },
 Inr(r) => r,
 }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 8271a2f..e46389f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,3 +1,5 @@
+#![deny(unsafe_op_in_unsafe_fn)]
+
 #![cfg_attr(not(feature = "std"), no_std)]
 
 #[cfg(all(feature = "alloc", not(feature = "std")))]
diff --git a/src/strings/fixed.rs b/src/strings/fixed.rs
index b60744b..db4020c 100644
--- a/src/strings/fixed.rs
+++ b/src/strings/fixed.rs
@@ -24,7 +24,9 @@ impl FixedString {
 #[inline]
 pub unsafe fn from_raw_slice(bytes: &[u8]) -> Result {
 match bytes.try_into() {
- Ok(bytes) => Ok(Self::from_raw_array(bytes)),
+ // SAFETY:
+ // The caller is reponsible for ensuring that the provided bytes are valid UTF-8.
+ Ok(bytes) => unsafe { Ok(Self::from_raw_array(bytes)) },
 Err(_) => Err(Error {
 expected_len: N,
 actual_len: bytes.len(),
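Review bot: `#![deny(unsafe_op_in_unsafe_fn)]` in lib.rs can still be overridden by a module- or item-level `#[allow(unsafe_op_in_unsafe_fn)]`, so a later change can quietly reintroduce implicit unsafe operations inside an `unsafe fn`; if the intent is a crate-wide invariant, `#![forbid(unsafe_op_in_unsafe_fn)]` rejects such overrides. The lint also only forces the `unsafe` block, not the `// SAFETY:` comment the other hunks add alongside each block; `#![warn(clippy::undocumented_unsafe_blocks)]` next to it would flag blocks that lack one. A one-line comment above the attribute, e.g. `// Every unsafe operation inside an unsafe fn must sit in its own unsafe block with a SAFETY comment.`, would record the convention in the source rather than only in the commit message.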
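Review bot: The new `// SAFETY:` comment in from_raw_slice (src/strings/fixed.rs) misspells "responsible" as "reponsible". Separately, the added `unsafe` block wraps the `Ok(...)` constructor as well as the call that needs it; limiting the block to the unsafe operation alone, `Ok(bytes) => Ok(unsafe { Self::from_raw_array(bytes) }),`, makes the scope of the UTF-8 obligation exact. The comment states a requirement of the `pub unsafe fn` itself (the bytes must be valid UTF-8), so the function's doc comment, which sits above the hunk and is not visible here, should carry that same requirement under a `# Safety` section if it does not already. The enclosing function continues past the end of the hunk.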
diff --git a/src/strings/inlining.rs b/src/strings/inlining.rs
index 7fa4b81..6d716b6 100644
--- a/src/strings/inlining.rs
+++ b/src/strings/inlining.rs
@@ -183,7 +183,7 @@ impl InliningString {
 // The caller is responsible for ensuring that `len` is less than or equal to
 // `Self::MAX_LEN`, which is no greater than `u8::MAX - 2`. If this contract is upheld,
 // `len + 1` can never overflow, so `len + 1` can never be zero.
- let discrim = NonZeroU8::new_unchecked(len + 1);
+ let discrim = unsafe { NonZeroU8::new_unchecked(len + 1) };
 Self {
 repr: Repr {
 inline: buf },
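Review bot: The precondition the new `unsafe` block relies on (`len <= Self::MAX_LEN`) is stated only in the comment; in a release build a caller passing `len == u8::MAX` makes `len + 1` wrap to zero, and `NonZeroU8::new_unchecked(0)` is undefined behaviour with no diagnostic, while any other out-of-contract `len` silently produces a wrong discriminant. A `debug_assert!` on the precondition placed just before the `let discrim` line — comparing `len` against `Self::MAX_LEN` with whatever conversion their types need, since neither type is visible in the hunk — would turn that misuse into a panic in debug and test builds at no release cost. The enclosing function begins before the hunk, so its signature and the `// SAFETY:` header line that presumably precedes the three quoted comment lines are not visible here.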