Mostly revert previous commit. I think it's not needed

dwrensha · dwrensha · commit 8736d172e30b · 2020-01-21T18:40:12.000-05:00
diff --git a/capnp/src/lib.rs b/capnp/src/lib.rs
@@ -258,7 +258,7 @@ impl <'a> ::std::ops::Deref for OutputSegments<'a> {
     }
 }
 
-unsafe impl<'s> message::ReaderSegments for OutputSegments<'s> {
+impl<'s> message::ReaderSegments for OutputSegments<'s> {
     fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {
         match *self {
             OutputSegments::SingleSegment(ref s) => {
diff --git a/capnp/src/message.rs b/capnp/src/message.rs
@@ -87,14 +87,15 @@ impl ReaderOptions {
 }
 
 /// An object that manages the buffers underlying a Cap'n Proto message reader.
-pub unsafe trait ReaderSegments {
+pub trait ReaderSegments {
     /// Gets the segment with index `idx`. Returns `None` if `idx` is out of range.
     ///
     /// The segment must be 8-byte aligned or the "unaligned" feature must
     /// be enabled in the capnp crate. (Otherwise reading the segment will return an error.)
     ///
-    /// UNSAFETY ALERT: implementors must ensure that the returned slice points to memory that remains
-    /// valid until the ReaderSegments object is dropped.
+    /// The returned slice is required to point to memory that remains valid until the ReaderSegments
+    /// object is dropped. In safe Rust, it should not  be possible to violate this requirement. (If we
+    /// discover that it is possible, then we need to mark this trait as `unsafe`.)
     fn get_segment<'a>(&'a self, idx: u32) -> Option<&'a [u8]>;
 
     /// Gets the number of segments.
@@ -119,7 +120,7 @@ impl <'a> SegmentArray<'a> {
     }
 }
 
-unsafe impl <'b> ReaderSegments for SegmentArray<'b> {
+impl <'b> ReaderSegments for SegmentArray<'b> {
     fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {
         self.segments.get(id as usize).map(|slice| *slice)
     }
@@ -129,7 +130,7 @@ unsafe impl <'b> ReaderSegments for SegmentArray<'b> {
     }
 }
 
-unsafe impl <'b> ReaderSegments for [&'b [u8]] {
+impl <'b> ReaderSegments for [&'b [u8]] {
     fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {
         self.get(id as usize).map(|slice| *slice)
     }
@@ -382,7 +383,7 @@ impl <A> Builder<A> where A: Allocator {
     }
 }
 
-unsafe impl <A> ReaderSegments for Builder<A> where A: Allocator {
+impl <A> ReaderSegments for Builder<A> where A: Allocator {
     fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {
         self.get_segments_for_output().get(id as usize).map(|x| *x)
     }
diff --git a/capnp/src/serialize.rs b/capnp/src/serialize.rs
@@ -39,7 +39,7 @@ pub struct SliceSegments<'a> {
     segment_indices : Vec<(usize, usize)>,
 }
 
-unsafe impl <'a> message::ReaderSegments for SliceSegments<'a> {
+impl <'a> message::ReaderSegments for SliceSegments<'a> {
     fn get_segment<'b>(&'b self, id: u32) -> Option<&'b [u8]> {
         if id < self.segment_indices.len() as u32 {
             let (a, b) = self.segment_indices[id as usize];
@@ -104,7 +104,7 @@ impl std::ops::DerefMut for OwnedSegments {
     }
 }
 
-unsafe impl crate::message::ReaderSegments for OwnedSegments {
+impl crate::message::ReaderSegments for OwnedSegments {
     fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {
         if id < self.segment_indices.len() as u32 {
             let (a, b) = self.segment_indices[id as usize];

Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ impl <'a> ::std::ops::Deref for OutputSegments<'a> {`
`258`	`258`	`}`
`259`	`259`	`}`
`260`	`260`
`261`		`-unsafe impl<'s> message::ReaderSegments for OutputSegments<'s> {`
	`261`	`+impl<'s> message::ReaderSegments for OutputSegments<'s> {`
`262`	`262`	`fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {`
`263`	`263`	`match *self {`
`264`	`264`	`OutputSegments::SingleSegment(ref s) => {`
Original file line number	Diff line number	Diff line change
`@@ -87,14 +87,15 @@ impl ReaderOptions {`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`/// An object that manages the buffers underlying a Cap'n Proto message reader.`
`90`		`-pub unsafe trait ReaderSegments {`
	`90`	`+pub trait ReaderSegments {`
`91`	`91`	/// Gets the segment with index `idx`. Returns `None` if `idx` is out of range.
`92`	`92`	`///`
`93`	`93`	`/// The segment must be 8-byte aligned or the "unaligned" feature must`
`94`	`94`	`/// be enabled in the capnp crate. (Otherwise reading the segment will return an error.)`
`95`	`95`	`///`
`96`		`- /// UNSAFETY ALERT: implementors must ensure that the returned slice points to memory that remains`
`97`		`- /// valid until the ReaderSegments object is dropped.`
	`96`	`+ /// The returned slice is required to point to memory that remains valid until the ReaderSegments`
	`97`	`+ /// object is dropped. In safe Rust, it should not be possible to violate this requirement. (If we`
	`98`	+ /// discover that it is possible, then we need to mark this trait as `unsafe`.)
`98`	`99`	`fn get_segment<'a>(&'a self, idx: u32) -> Option<&'a [u8]>;`
`99`	`100`
`100`	`101`	`/// Gets the number of segments.`
`@@ -119,7 +120,7 @@ impl <'a> SegmentArray<'a> {`
`119`	`120`	`}`
`120`	`121`	`}`
`121`	`122`
`122`		`-unsafe impl <'b> ReaderSegments for SegmentArray<'b> {`
	`123`	`+impl <'b> ReaderSegments for SegmentArray<'b> {`
`123`	`124`	`fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {`
`124`	`125`	`self.segments.get(id as usize).map(\|slice\| *slice)`
`125`	`126`	`}`
`@@ -129,7 +130,7 @@ unsafe impl <'b> ReaderSegments for SegmentArray<'b> {`
`129`	`130`	`}`
`130`	`131`	`}`
`131`	`132`
`132`		`-unsafe impl <'b> ReaderSegments for [&'b [u8]] {`
	`133`	`+impl <'b> ReaderSegments for [&'b [u8]] {`
`133`	`134`	`fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {`
`134`	`135`	`self.get(id as usize).map(\|slice\| *slice)`
`135`	`136`	`}`
`@@ -382,7 +383,7 @@ impl <A> Builder<A> where A: Allocator {`
`382`	`383`	`}`
`383`	`384`	`}`
`384`	`385`
`385`		`-unsafe impl <A> ReaderSegments for Builder<A> where A: Allocator {`
	`386`	`+impl <A> ReaderSegments for Builder<A> where A: Allocator {`
`386`	`387`	`fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {`
`387`	`388`	`self.get_segments_for_output().get(id as usize).map(\|x\| *x)`
`388`	`389`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ pub struct SliceSegments<'a> {`
`39`	`39`	`segment_indices : Vec<(usize, usize)>,`
`40`	`40`	`}`
`41`	`41`
`42`		`-unsafe impl <'a> message::ReaderSegments for SliceSegments<'a> {`
	`42`	`+impl <'a> message::ReaderSegments for SliceSegments<'a> {`
`43`	`43`	`fn get_segment<'b>(&'b self, id: u32) -> Option<&'b [u8]> {`
`44`	`44`	`if id < self.segment_indices.len() as u32 {`
`45`	`45`	`let (a, b) = self.segment_indices[id as usize];`
`@@ -104,7 +104,7 @@ impl std::ops::DerefMut for OwnedSegments {`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`
`107`		`-unsafe impl crate::message::ReaderSegments for OwnedSegments {`
	`107`	`+impl crate::message::ReaderSegments for OwnedSegments {`
`108`	`108`	`fn get_segment<'a>(&'a self, id: u32) -> Option<&'a [u8]> {`
`109`	`109`	`if id < self.segment_indices.len() as u32 {`
`110`	`110`	`let (a, b) = self.segment_indices[id as usize];`