Rollup merge of #129892 - oskgo:clarify-slice-from-raw, r=RalfJung · patricklam/verify-rust-std@02ceceb (original) (raw)

`@@ -11,13 +11,13 @@ use crate::{array, ptr, ub_checks};

`

11

11

`///

`

12

12

`/// Behavior is undefined if any of the following conditions are violated:

`

13

13

`///

`

14

``

`` -

/// * data must be [valid] for reads for len * mem::size_of::<T>() many bytes,

``

``

14

`` +

/// * data must be non-null, [valid] for reads for len * mem::size_of::<T>() many bytes,

``

15

15

`/// and it must be properly aligned. This means in particular:

`

16

16

`///

`

17

17

`/// * The entire memory range of this slice must be contained within a single allocated object!

`

18

18

`/// Slices can never span across multiple allocated objects. See below

`

19

19

`/// for an example incorrectly not taking this into account.

`

20

``

`` -

/// * data must be non-null and aligned even for zero-length slices. One

``

``

20

`` +

/// * data must be non-null and aligned even for zero-length slices or slices of ZSTs. One

``

21

21

`/// reason for this is that enum layout optimizations may rely on references

`

22

22

`/// (including slices of any length) being aligned and non-null to distinguish

`

23

23

`` /// them from other data. You can obtain a pointer that is usable as data

``

`@@ -146,12 +146,12 @@ pub const unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T]

`

146

146

`///

`

147

147

`/// Behavior is undefined if any of the following conditions are violated:

`

148

148

`///

`

149

``

`` -

/// * data must be [valid] for both reads and writes for len * mem::size_of::<T>() many bytes,

``

``

149

`` +

/// * data must be non-null, [valid] for both reads and writes for len * mem::size_of::<T>() many bytes,

``

150

150

`/// and it must be properly aligned. This means in particular:

`

151

151

`///

`

152

152

`/// * The entire memory range of this slice must be contained within a single allocated object!

`

153

153

`/// Slices can never span across multiple allocated objects.

`

154

``

`` -

/// * data must be non-null and aligned even for zero-length slices. One

``

``

154

`` +

/// * data must be non-null and aligned even for zero-length slices or slices of ZSTs. One

``

155

155

`/// reason for this is that enum layout optimizations may rely on references

`

156

156

`/// (including slices of any length) being aligned and non-null to distinguish

`

157

157

`` /// them from other data. You can obtain a pointer that is usable as data

``

`@@ -219,7 +219,7 @@ pub const fn from_mut(s: &mut T) -> &mut [T] {

`

219

219

`///

`

220

220

`/// Behavior is undefined if any of the following conditions are violated:

`

221

221

`///

`

222

``

`` -

/// * The start pointer of the range must be a [valid] and properly aligned pointer

``

``

222

`` +

/// * The start pointer of the range must be a non-null, [valid] and properly aligned pointer

``

223

223

`/// to the first element of a slice.

`

224

224

`///

`

225

225

`` /// * The end pointer must be a [valid] and properly aligned pointer to one past

``

`@@ -235,7 +235,7 @@ pub const fn from_mut(s: &mut T) -> &mut [T] {

`

235

235

`` /// of lifetime 'a, except inside an UnsafeCell.

``

236

236

`///

`

237

237

`` /// * The total length of the range must be no larger than isize::MAX,

``

238

``

`` -

/// and adding that size to data must not "wrap around" the address space.

``

``

238

`` +

/// and adding that size to start must not "wrap around" the address space.

``

239

239

`` /// See the safety documentation of [pointer::offset].

``

240

240

`///

`

241

241

`` /// Note that a range created from [slice::as_ptr_range] fulfills these requirements.

``

`@@ -288,7 +288,7 @@ pub const unsafe fn from_ptr_range<'a, T>(range: Range<*const T>) -> &'a [T] {

`

288

288

`///

`

289

289

`/// Behavior is undefined if any of the following conditions are violated:

`

290

290

`///

`

291

``

`` -

/// * The start pointer of the range must be a [valid] and properly aligned pointer

``

``

291

`` +

/// * The start pointer of the range must be a non-null, [valid] and properly aligned pointer

``

292

292

`/// to the first element of a slice.

`

293

293

`///

`

294

294

`` /// * The end pointer must be a [valid] and properly aligned pointer to one past

``

`@@ -305,7 +305,7 @@ pub const unsafe fn from_ptr_range<'a, T>(range: Range<*const T>) -> &'a [T] {

`

305

305

`/// Both read and write accesses are forbidden.

`

306

306

`///

`

307

307

`` /// * The total length of the range must be no larger than isize::MAX,

``

308

``

`` -

/// and adding that size to data must not "wrap around" the address space.

``

``

308

`` +

/// and adding that size to start must not "wrap around" the address space.

``

309

309

`` /// See the safety documentation of [pointer::offset].

``

310

310

`///

`

311

311

`` /// Note that a range created from [slice::as_mut_ptr_range] fulfills these requirements.

``