Explain why pointer::add in slice::as_ptr_range is safe.

Centril · Oct 25, 2019 · de9b660 · de9b660
1 parent f1b69b0
commit de9b660
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/libcore/slice/mod.rs b/src/libcore/slice/mod.rs
@@ -437,6 +437,23 @@ impl<T> [T] {
     #[unstable(feature = "slice_ptr_range", issue = "65807")]
     #[inline]
     pub fn as_ptr_range(&self) -> Range<*const T> {
+        // The `add` here is safe, because:
+        //
+        //   - Both pointers are part of the same object, as pointing directly
+        //     past the object also counts.
+        //
+        //   - The size of the slice is never larger than isize::MAX bytes, as
+        //     noted here:
+        //       - https://github.com/rust-lang/unsafe-code-guidelines/issues/102#issuecomment-473340447
+        //       - https://doc.rust-lang.org/reference/behavior-considered-undefined.html
+        //       - https://doc.rust-lang.org/core/slice/fn.from_raw_parts.html#safety
+        //     (This doesn't seem normative yet, but the very same assumption is
+        //     made in many places, including the Index implementation of slices.)
+        //
+        //   - There is no wrapping around involved, as slices do not wrap past
+        //     the end of the address space.
+        //
+        // See the documentation of pointer::add.
         let start = self.as_ptr();
         let end = unsafe { start.add(self.len()) };
         start..end
@@ -461,6 +478,7 @@ impl<T> [T] {
     #[unstable(feature = "slice_ptr_range", issue = "65807")]
     #[inline]
     pub fn as_mut_ptr_range(&mut self) -> Range<*mut T> {
+        // See as_ptr_range() above for why `add` here is safe.
         let start = self.as_mut_ptr();
         let end = unsafe { start.add(self.len()) };
         start..end