safety comments, more explicit

Manishearth · Nov 12, 2024 · ff2cc52 · ff2cc52
1 parent d7c8d0f
commit ff2cc52
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/utils/zerovec/src/ule/multi.rs b/utils/zerovec/src/ule/multi.rs
@@ -101,7 +101,7 @@ impl<const LEN: usize, Format: VarZeroVecFormat> MultiFieldsULE<LEN, Format> {
     #[inline]
     pub unsafe fn from_byte_slice_unchecked(bytes: &[u8]) -> &Self {
         // &Self is transparent over &VZS<..>
-        mem::transmute(<VarZeroLengthlessSlice<[u8]>>::from_bytes_unchecked(bytes))
+        mem::transmute(<VarZeroLengthlessSlice<[u8], Format>>::from_bytes_unchecked(bytes))
     }
 
     /// Get the bytes behind this value

diff --git a/utils/zerovec/src/ule/tuplevar.rs b/utils/zerovec/src/ule/tuplevar.rs
@@ -71,6 +71,8 @@ macro_rules! tuple_varule {
         unsafe impl<$($T: VarULE + ?Sized,)+ Format: VarZeroVecFormat> VarULE for $name<$($T,)+ Format>
         {
             fn validate_byte_slice(bytes: &[u8]) -> Result<(), UleError> {
+                // Safety: We validate that this type is the same kind of MultiFieldsULE (with $len, Format)
+                // as in the type def
                 let multi = <MultiFieldsULE<$len, Format> as VarULE>::parse_byte_slice(bytes)?;
                 $(
                     // Safety invariant: $i < $len, from the macro invocation
@@ -82,6 +84,8 @@ macro_rules! tuple_varule {
             }
 
             unsafe fn from_byte_slice_unchecked(bytes: &[u8]) -> &Self {
+                 // Safety: We validate that this type is the same kind of MultiFieldsULE (with $len, Format)
+                // as in the type def
                 let multi = <MultiFieldsULE<$len, Format> as VarULE>::from_byte_slice_unchecked(bytes);
 
                 // This type is repr(transparent) over MultiFieldsULE<$len>, so its slices can be transmuted
@@ -136,12 +140,16 @@ macro_rules! tuple_varule {
 
             #[inline]
             fn encode_var_ule_len(&self) -> usize {
+                // Safety: We validate that this type is the same kind of MultiFieldsULE (with $len, Format)
+                // as in the type def
                 MultiFieldsULE::<$len, Format>::compute_encoded_len_for([$(self.$i.encode_var_ule_len()),+])
             }
 
             #[inline]
             fn encode_var_ule_write(&self, dst: &mut [u8]) {
                 let lengths = [$(self.$i.encode_var_ule_len()),+];
+                // Safety: We validate that this type is the same kind of MultiFieldsULE (with $len, Format)
+                // as in the type def
                 let multi = MultiFieldsULE::<$len, Format>::new_from_lengths_partially_initialized(lengths, dst);
                 $(
                     // Safety: $i < $len, from the macro invocation, and field $i is supposed to be of type $T

diff --git a/utils/zerovec/src/varzerovec/lengthless.rs b/utils/zerovec/src/varzerovec/lengthless.rs
@@ -14,7 +14,7 @@ use core::mem;
 /// Without knowing the length this is of course unsafe to use directly.
 #[repr(transparent)]
 #[derive(PartialEq, Eq)]
-pub(crate) struct VarZeroLengthlessSlice<T: ?Sized, F = Index16> {
+pub(crate) struct VarZeroLengthlessSlice<T: ?Sized, F> {
     marker: PhantomData<(F, T)>,
     /// The original slice this was constructed from
     // Safety invariant: This field must have successfully passed through