Capitalize SAFETY in safety comments. (#559)

Follow the convention [here] and in the majority of safety comments in
std and use '// SAFETY:' instead of '// Safety:'.

[here]: https://std-dev-guide.rust-lang.org/documentation/safety-comments.html#inside-safe-elements

Author: sunfishcode

src/backend/libc/fs/inotify.rs

@@ -77,7 +77,7 @@ bitflags! {
 /// descriptor from being implicitly passed across `exec` boundaries.
 #[doc(alias = "inotify_init1")]
 pub fn inotify_init(flags: CreateFlags) -> io::Result<OwnedFd> {
-    // Safety: `inotify_init1` has no safety preconditions.
+    // SAFETY: `inotify_init1` has no safety preconditions.
     unsafe { ret_owned_fd(c::inotify_init1(flags.bits())) }
 }
 
@@ -96,7 +96,7 @@ pub fn inotify_add_watch<P: crate::path::Arg>(
     flags: WatchFlags,
 ) -> io::Result<i32> {
     let path = path.as_cow_c_str().unwrap();
-    // Safety: The fd and path we are passing is guranteed valid by the type
+    // SAFETY: The fd and path we are passing is guranteed valid by the type
     // system.
     unsafe {
         ret_c_int(c::inotify_add_watch(
@@ -116,6 +116,6 @@ pub fn inotify_remove_watch(inot: BorrowedFd<'_>, wd: i32) -> io::Result<()> {
     // Android's `inotify_rm_watch` takes u32 despite `inotify_add_watch` is i32.
     #[cfg(target_os = "android")]
     let wd = wd as u32;
-    // Safety: The fd is valid and closing an arbitrary wd is valid.
+    // SAFETY: The fd is valid and closing an arbitrary wd is valid.
     unsafe { ret(c::inotify_rm_watch(borrowed_fd(inot), wd)) }
 }

src/backend/libc/io/epoll.rs

@@ -126,7 +126,7 @@ bitflags! {
 #[inline]
 #[doc(alias = "epoll_create1")]
 pub fn epoll_create(flags: CreateFlags) -> io::Result<OwnedFd> {
-    // Safety: We're calling `epoll_create1` via FFI and we know how it
+    // SAFETY: We're calling `epoll_create1` via FFI and we know how it
     // behaves.
     unsafe { ret_owned_fd(c::epoll_create1(flags.bits())) }
 }
@@ -147,7 +147,7 @@ pub fn epoll_add(
     data: u64,
     event_flags: EventFlags,
 ) -> io::Result<()> {
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         let raw_fd = source.as_fd().as_raw_fd();
@@ -176,7 +176,7 @@ pub fn epoll_mod(
 ) -> io::Result<()> {
     let raw_fd = source.as_fd().as_raw_fd();
 
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         ret(c::epoll_ctl(
@@ -195,7 +195,7 @@ pub fn epoll_mod(
 /// this `Epoll`.
 #[doc(alias = "epoll_ctl")]
 pub fn epoll_del(epoll: impl AsFd, source: impl AsFd) -> io::Result<()> {
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         let raw_fd = source.as_fd().as_raw_fd();
@@ -218,7 +218,7 @@ pub fn epoll_wait(
     event_list: &mut EventVec,
     timeout: c::c_int,
 ) -> io::Result<()> {
-    // Safety: We're calling `epoll_wait` via FFI and we know how it
+    // SAFETY: We're calling `epoll_wait` via FFI and we know how it
     // behaves.
     unsafe {
         event_list.events.set_len(0);
@@ -243,7 +243,7 @@ impl<'a> Iterator for Iter<'a> {
     type Item = (EventFlags, u64);
 
     fn next(&mut self) -> Option<Self::Item> {
-        // Safety: `self.context` is guaranteed to be valid because we hold
+        // SAFETY: `self.context` is guaranteed to be valid because we hold
         // `'context` for it. And we know this event is associated with this
         // context because `wait` sets both.
         self.iter

src/backend/libc/io/poll_fd.rs

@@ -119,7 +119,7 @@ impl<'fd> PollFd<'fd> {
 impl<'fd> AsFd for PollFd<'fd> {
     #[inline]
     fn as_fd(&self) -> BorrowedFd<'_> {
-        // Safety: Our constructors and `set_fd` require `pollfd.fd` to be
+        // SAFETY: Our constructors and `set_fd` require `pollfd.fd` to be
         // valid for the `fd lifetime.
         unsafe { BorrowedFd::borrow_raw(self.pollfd.fd) }
     }
@@ -129,7 +129,7 @@ impl<'fd> AsFd for PollFd<'fd> {
 impl<'fd> io_lifetimes::AsSocket for PollFd<'fd> {
     #[inline]
     fn as_socket(&self) -> BorrowedFd<'_> {
-        // Safety: Our constructors and `set_fd` require `pollfd.fd` to be
+        // SAFETY: Our constructors and `set_fd` require `pollfd.fd` to be
         // valid for the `fd lifetime.
         unsafe { BorrowedFd::borrow_raw(self.pollfd.fd as RawFd) }
     }

src/backend/libc/net/addr.rs

@@ -97,7 +97,7 @@ impl SocketAddrUnix {
         if len != 0 && self.unix.sun_path[0] != b'\0' as c::c_char {
             let end = len as usize - offsetof_sun_path();
             let bytes = &self.unix.sun_path[..end];
-            // Safety: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`. And
+            // SAFETY: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`. And
             // `from_bytes_with_nul_unchecked` since the string is NUL-terminated.
             unsafe {
                 Some(CStr::from_bytes_with_nul_unchecked(slice::from_raw_parts(
@@ -118,7 +118,7 @@ impl SocketAddrUnix {
         if len != 0 && self.unix.sun_path[0] == b'\0' as c::c_char {
             let end = len as usize - offsetof_sun_path();
             let bytes = &self.unix.sun_path[1..end];
-            // Safety: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`.
+            // SAFETY: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`.
             unsafe { Some(slice::from_raw_parts(bytes.as_ptr().cast(), bytes.len())) }
         } else {
             None

src/backend/linux_raw/conv.rs

@@ -143,7 +143,7 @@ impl<'a, Num: ArgNumber> From<Option<&'a CStr>> for ArgReg<'a, Num> {
 impl<'a, Num: ArgNumber> From<BorrowedFd<'a>> for ArgReg<'a, Num> {
     #[inline]
     fn from(fd: BorrowedFd<'a>) -> Self {
-        // Safety: `BorrowedFd` ensures that the file descriptor is valid, and the
+        // SAFETY: `BorrowedFd` ensures that the file descriptor is valid, and the
         // lifetime parameter on the resulting `ArgReg` ensures that the result is
         // bounded by the `BorrowedFd`'s lifetime.
         unsafe { raw_fd(fd.as_raw_fd()) }

src/backend/linux_raw/io/epoll.rs

@@ -147,7 +147,7 @@ pub fn epoll_add(
     data: u64,
     event_flags: EventFlags,
 ) -> io::Result<()> {
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         syscalls::epoll_add(
@@ -172,7 +172,7 @@ pub fn epoll_mod(
     data: u64,
     event_flags: EventFlags,
 ) -> io::Result<()> {
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         let raw_fd = source.as_fd().as_raw_fd();
@@ -193,7 +193,7 @@ pub fn epoll_mod(
 /// This also returns the owning `Data`.
 #[doc(alias = "epoll_ctl")]
 pub fn epoll_del(epoll: impl AsFd, source: impl AsFd) -> io::Result<()> {
-    // Safety: We're calling `epoll_ctl` via FFI and we know how it
+    // SAFETY: We're calling `epoll_ctl` via FFI and we know how it
     // behaves.
     unsafe {
         let raw_fd = source.as_fd().as_raw_fd();
@@ -211,7 +211,7 @@ pub fn epoll_wait(
     event_list: &mut EventVec,
     timeout: c::c_int,
 ) -> io::Result<()> {
-    // Safety: We're calling `epoll_wait` via FFI and we know how it
+    // SAFETY: We're calling `epoll_wait` via FFI and we know how it
     // behaves.
     unsafe {
         event_list.events.set_len(0);

src/backend/linux_raw/io/errno.rs

@@ -69,7 +69,7 @@ impl Errno {
         // TODO: Use Range::contains, once that's `const`.
         const_assert!(encoded >= 0xf001);
 
-        // Safety: Linux syscalls return negated error values in the range
+        // SAFETY: Linux syscalls return negated error values in the range
         // `-4095..0`, which we just asserted.
         unsafe { Self(encoded) }
     }
@@ -82,7 +82,7 @@ pub(in crate::backend) fn try_decode_c_int<Num: RetNumber>(
     raw: RetReg<Num>,
 ) -> io::Result<c::c_int> {
     if raw.is_in_range(-4095..0) {
-        // Safety: `raw` must be in `-4095..0`, and we just checked that raw is
+        // SAFETY: `raw` must be in `-4095..0`, and we just checked that raw is
         // in that range.
         return Err(unsafe { Errno(raw.decode_error_code()) });
     }
@@ -97,7 +97,7 @@ pub(in crate::backend) fn try_decode_c_uint<Num: RetNumber>(
     raw: RetReg<Num>,
 ) -> io::Result<c::c_uint> {
     if raw.is_in_range(-4095..0) {
-        // Safety: `raw` must be in `-4095..0`, and we just checked that raw is
+        // SAFETY: `raw` must be in `-4095..0`, and we just checked that raw is
         // in that range.
         return Err(unsafe { Errno(raw.decode_error_code()) });
     }
@@ -110,7 +110,7 @@ pub(in crate::backend) fn try_decode_c_uint<Num: RetNumber>(
 #[inline]
 pub(in crate::backend) fn try_decode_usize<Num: RetNumber>(raw: RetReg<Num>) -> io::Result<usize> {
     if raw.is_in_range(-4095..0) {
-        // Safety: `raw` must be in `-4095..0`, and we just checked that raw is
+        // SAFETY: `raw` must be in `-4095..0`, and we just checked that raw is
         // in that range.
         return Err(unsafe { Errno(raw.decode_error_code()) });
     }
@@ -125,7 +125,7 @@ pub(in crate::backend) fn try_decode_void_star<Num: RetNumber>(
     raw: RetReg<Num>,
 ) -> io::Result<*mut c::c_void> {
     if raw.is_in_range(-4095..0) {
-        // Safety: `raw` must be in `-4095..0`, and we just checked that raw is
+        // SAFETY: `raw` must be in `-4095..0`, and we just checked that raw is
         // in that range.
         return Err(unsafe { Errno(raw.decode_error_code()) });
     }
@@ -139,7 +139,7 @@ pub(in crate::backend) fn try_decode_void_star<Num: RetNumber>(
 #[inline]
 pub(in crate::backend) fn try_decode_u64<Num: RetNumber>(raw: RetReg<Num>) -> io::Result<u64> {
     if raw.is_in_range(-4095..0) {
-        // Safety: `raw` must be in `-4095..0`, and we just checked that raw is
+        // SAFETY: `raw` must be in `-4095..0`, and we just checked that raw is
         // in that range.
         return Err(unsafe { Errno(raw.decode_error_code()) });
     }

src/backend/linux_raw/net/addr.rs

@@ -71,7 +71,7 @@ impl SocketAddrUnix {
         if len != 0 && self.unix.sun_path[0] != b'\0' as c::c_char {
             let end = len as usize - offsetof_sun_path();
             let bytes = &self.unix.sun_path[..end];
-            // Safety: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`. And
+            // SAFETY: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`. And
             // `from_bytes_with_nul_unchecked` since the string is NUL-terminated.
             unsafe {
                 Some(CStr::from_bytes_with_nul_unchecked(slice::from_raw_parts(
@@ -91,7 +91,7 @@ impl SocketAddrUnix {
         if len != 0 && self.unix.sun_path[0] == b'\0' as c::c_char {
             let end = len as usize - offsetof_sun_path();
             let bytes = &self.unix.sun_path[1..end];
-            // Safety: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`.
+            // SAFETY: `from_raw_parts` to convert from `&[c_char]` to `&[u8]`.
             unsafe { Some(slice::from_raw_parts(bytes.as_ptr().cast(), bytes.len())) }
         } else {
             None

src/backend/linux_raw/param/auxv.rs

@@ -77,7 +77,7 @@ pub(crate) fn linux_execfn() -> &'static CStr {
         execfn = EXECFN.load(Relaxed);
     }
 
-    // Safety: We assume the `AT_EXECFN` value provided by the kernel is a
+    // SAFETY: We assume the `AT_EXECFN` value provided by the kernel is a
     // valid pointer to a valid NUL-terminated array of bytes.
     unsafe { CStr::from_ptr(execfn.cast()) }
 }
@@ -102,7 +102,7 @@ pub(crate) fn exe_phdrs() -> (*const c::c_void, usize) {
 pub(in super::super) fn exe_phdrs_slice() -> &'static [Elf_Phdr] {
     let (phdr, phnum) = exe_phdrs();
 
-    // Safety: We assume the `AT_PHDR` and `AT_PHNUM` values provided by the
+    // SAFETY: We assume the `AT_PHDR` and `AT_PHNUM` values provided by the
     // kernel form a valid slice.
     unsafe { slice::from_raw_parts(phdr.cast(), phnum) }
 }
@@ -177,7 +177,7 @@ fn init_from_auxv_file(auxv: OwnedFd) -> Option<()> {
         buffer.resize(cur + n, 0_u8);
     }
 
-    // Safety: We loaded from an auxv file into the buffer.
+    // SAFETY: We loaded from an auxv file into the buffer.
     unsafe { init_from_auxp(buffer.as_ptr().cast()) }
 }
 

src/backend/linux_raw/param/libc_auxv.rs

@@ -66,7 +66,7 @@ pub(crate) fn exe_phdrs() -> (*const libc::c_void, usize) {
 pub(in super::super) fn exe_phdrs_slice() -> &'static [Elf_Phdr] {
     let (phdr, phnum) = exe_phdrs();
 
-    // Safety: We assume the `AT_PHDR` and `AT_PHNUM` values provided by the
+    // SAFETY: We assume the `AT_PHDR` and `AT_PHNUM` values provided by the
     // kernel form a valid slice.
     unsafe { slice::from_raw_parts(phdr.cast(), phnum) }
 }