Fix soundness issues and improve safety comments

vks · vks · commit 0cd09e96dedf · 2025-03-13T12:37:33.000+01:00
diff --git a/src/distr/integer.rs b/src/distr/integer.rs
@@ -119,7 +119,7 @@ impl Distribution<__m128i> for StandardUniform {
         rng.fill_bytes(&mut buf);
         // x86 is little endian so no need for conversion
 
-        // SAFETY: both source and result types are valid for all values.
+        // SAFETY: All representations of the source are also representations of the target.
         unsafe { core::mem::transmute(buf) }
     }
 }
@@ -132,7 +132,7 @@ impl Distribution<__m256i> for StandardUniform {
         rng.fill_bytes(&mut buf);
         // x86 is little endian so no need for conversion
 
-        // SAFETY: both source and result types are valid for all values.
+        // SAFETY: All representations of the source are also representations of the target.
         unsafe { core::mem::transmute(buf) }
     }
 }
@@ -148,7 +148,7 @@ impl Distribution<__m512i> for StandardUniform {
         rng.fill_bytes(&mut buf);
         // x86 is little endian so no need for conversion
 
-        // SAFETY: both source and result types are valid for all values.
+        // SAFETY: All representations of the source are also representations of the target.
         unsafe { core::mem::transmute(buf) }
     }
 }
diff --git a/src/distr/other.rs b/src/distr/other.rs
@@ -118,6 +118,7 @@ impl Distribution<char> for StandardUniform {
         if n <= 0xDFFF {
             n -= GAP_SIZE;
         }
+        // SAFETY: The representation of `n` is a valid representation of `u32`.
         unsafe { char::from_u32_unchecked(n) }
     }
 }
@@ -166,6 +167,7 @@ impl Distribution<u8> for Alphabetic {
 #[cfg(feature = "alloc")]
 impl SampleString for Alphanumeric {
     fn append_string<R: Rng + ?Sized>(&self, rng: &mut R, string: &mut String, len: usize) {
+        // SAFETY: `self` only samples alphanumeric characters, which are valid UTF-8.
         unsafe {
             let v = string.as_mut_vec();
             v.extend(self.sample_iter(rng).take(len));
diff --git a/src/lib.rs b/src/lib.rs
@@ -59,6 +59,7 @@
     clippy::neg_cmp_op_on_partial_ord,
     clippy::nonminimal_bool
 )]
+#![deny(clippy::undocumented_unsafe_blocks)]
 
 #[cfg(feature = "alloc")]
 extern crate alloc;
diff --git a/src/rng.rs b/src/rng.rs
@@ -393,20 +393,26 @@ impl Fill for [u8] {
     }
 }
 
-// This macro is unsafe to call: target types must support transmute from
-// random bits (i.e. all bit representations are valid).
+/// Implement `Fill` for given type `T`.
+///
+/// # Safety
+/// All representations of `[u8; size_of::<T>()]` are also representations of `T`.
 macro_rules! unsafe_impl_fill {
     () => {};
     ($t:ty) => {
         impl Fill for [$t] {
             fn fill<R: Rng + ?Sized>(&mut self, rng: &mut R) {
                 if self.len() > 0 {
-                    rng.fill_bytes(unsafe {
-                        slice::from_raw_parts_mut(self.as_mut_ptr()
-                            as *mut u8,
-                            mem::size_of_val(self)
-                        )
-                    });
+                    let size = mem::size_of_val(self);
+                    rng.fill_bytes(
+                        // SAFETY: `self` is not borrowed and all byte sequences are representations of `T`.
+                        unsafe {
+                            slice::from_raw_parts_mut(self.as_mut_ptr()
+                                as *mut u8,
+                                size
+                            )
+                        }
+                    );
                     for x in self {
                         *x = x.to_le();
                     }
@@ -417,12 +423,16 @@ macro_rules! unsafe_impl_fill {
         impl Fill for [Wrapping<$t>] {
             fn fill<R: Rng + ?Sized>(&mut self, rng: &mut R) {
                 if self.len() > 0 {
-                    rng.fill_bytes(unsafe {
-                        slice::from_raw_parts_mut(self.as_mut_ptr()
-                            as *mut u8,
-                            self.len() * mem::size_of::<$t>()
-                        )
-                    });
+                    let size = self.len() * mem::size_of::<$t>();
+                    rng.fill_bytes(
+                        // SAFETY: `self` is not borrowed and all byte sequences are representations of `T`.
+                        unsafe {
+                            slice::from_raw_parts_mut(self.as_mut_ptr()
+                                as *mut u8,
+                                size
+                            )
+                        }
+                    );
                     for x in self {
                         *x = Wrapping(x.0.to_le());
                     }
@@ -438,7 +448,9 @@ macro_rules! unsafe_impl_fill {
     }
 }
 
+// SAFETY: All representations of `[u8; size_of::<u*>()]` are representations of `u*`.
 unsafe_impl_fill!(u16, u32, u64, u128,);
+// SAFETY: All representations of `[u8; size_of::<i*>()]` are representations of `i*`.
 unsafe_impl_fill!(i8, i16, i32, i64, i128,);
 
 impl<T, const N: usize> Fill for [T; N]

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ impl Distribution<__m128i> for StandardUniform {`
`119`	`119`	`rng.fill_bytes(&mut buf);`
`120`	`120`	`// x86 is little endian so no need for conversion`
`121`	`121`
`122`		`- // SAFETY: both source and result types are valid for all values.`
	`122`	`+ // SAFETY: All representations of the source are also representations of the target.`
`123`	`123`	`unsafe { core::mem::transmute(buf) }`
`124`	`124`	`}`
`125`	`125`	`}`
`@@ -132,7 +132,7 @@ impl Distribution<__m256i> for StandardUniform {`
`132`	`132`	`rng.fill_bytes(&mut buf);`
`133`	`133`	`// x86 is little endian so no need for conversion`
`134`	`134`
`135`		`- // SAFETY: both source and result types are valid for all values.`
	`135`	`+ // SAFETY: All representations of the source are also representations of the target.`
`136`	`136`	`unsafe { core::mem::transmute(buf) }`
`137`	`137`	`}`
`138`	`138`	`}`
`@@ -148,7 +148,7 @@ impl Distribution<__m512i> for StandardUniform {`
`148`	`148`	`rng.fill_bytes(&mut buf);`
`149`	`149`	`// x86 is little endian so no need for conversion`
`150`	`150`
`151`		`- // SAFETY: both source and result types are valid for all values.`
	`151`	`+ // SAFETY: All representations of the source are also representations of the target.`
`152`	`152`	`unsafe { core::mem::transmute(buf) }`
`153`	`153`	`}`
`154`	`154`	`}`
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ impl Distribution<char> for StandardUniform {`
`118`	`118`	`if n <= 0xDFFF {`
`119`	`119`	`n -= GAP_SIZE;`
`120`	`120`	`}`
	`121`	+ // SAFETY: The representation of `n` is a valid representation of `u32`.
`121`	`122`	`unsafe { char::from_u32_unchecked(n) }`
`122`	`123`	`}`
`123`	`124`	`}`
`@@ -166,6 +167,7 @@ impl Distribution<u8> for Alphabetic {`
`166`	`167`	`#[cfg(feature = "alloc")]`
`167`	`168`	`impl SampleString for Alphanumeric {`
`168`	`169`	`fn append_string<R: Rng + ?Sized>(&self, rng: &mut R, string: &mut String, len: usize) {`
	`170`	+ // SAFETY: `self` only samples alphanumeric characters, which are valid UTF-8.
`169`	`171`	`unsafe {`
`170`	`172`	`let v = string.as_mut_vec();`
`171`	`173`	`v.extend(self.sample_iter(rng).take(len));`