freshlybakedca.ke / git
Git fork
fork atom

rust/varint: add safety comments

The `decode_varint()` and `encode_varint()` functions in our Rust crate
are reimplementations of the respective C functions. As such, we are
naturally forced to use the same interface in both Rust and C, which
makes use of raw pointers. The consequence is that the code needs to be
marked as unsafe in Rust.

It is common practice in Rust to provide safety documentation for every
block that is marked as unsafe. This common practice is also enforced by
Clippy, Rust's static analyser. We don't have Clippy wired up yet, and
we could of course just disable this check. But we're about to wire it
up, and it is reasonable to always enforce documentation for unsafe
blocks.

Add such safety comments to already squelch those warnings now. While at
it, also document the functions' behaviour.

Helped-by: "brian m. carlson" <sandals@crustytoothpaste.net>
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

authored by

Patrick Steinhardt and committed by
Junio C Hamano 03f3900f e75cd059

+15
unified split
+15
src/varint.rs
··· 1 + /// Decode the variable-length integer stored in `bufp` and return the decoded value. 2 + /// 3 + /// Returns 0 in case the decoded integer would overflow u64::MAX. 4 + /// 5 + /// # Safety 6 + /// 7 + /// The buffer must be NUL-terminated to ensure safety. 1 8 #[no_mangle] 2 9 pub unsafe extern "C" fn decode_varint(bufp: *mut *const u8) -> u64 { 3 10 let mut buf = *bufp; ··· 22 29 val 23 30 } 24 31 32 + /// Encode `value` into `buf` as a variable-length integer unless `buf` is null. 33 + /// 34 + /// Returns the number of bytes written, or, if `buf` is null, the number of bytes that would be 35 + /// written to encode the integer. 36 + /// 37 + /// # Safety 38 + /// 39 + /// `buf` must either be null or point to at least 16 bytes of memory. 25 40 #[no_mangle] 26 41 pub unsafe extern "C" fn encode_varint(value: u64, buf: *mut u8) -> u8 { 27 42 let mut varint: [u8; 16] = [0; 16];