rust: num: bounded: mark __new as unsafe

HsiuCheYu · ojeda · commit 3a1ec424dd9c · 2026-01-06T21:01:47.000+01:00
The `Bounded::__new()` constructor relies on the caller to ensure the value can be represented within N bits. Failing to uphold this requirement breaks the type invariant. Mark it as unsafe and document this requirement in a Safety section to make the contract explicit. Update all call sites to use unsafe blocks and change their comments from `INVARIANT:` to `SAFETY:`, as they are now justifying unsafe operations rather than establishing type invariants. Fixes: 01e345e ("rust: num: add Bounded integer wrapping type") Link: https://lore.kernel.org/all/aS1qC_ol2XEpZ44b@google.com/ Reported-by: Miguel Ojeda <ojeda@kernel.org> Closes: #1211 Signed-off-by: Hsiu Che Yu <yu.whisper.personal@gmail.com> Acked-by: Alexandre Courbot <acourbot@nvidia.com> Link: https://patch.msgid.link/20251204033849.23480-1-yu.whisper.personal@gmail.com Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
diff --git a/rust/kernel/num/bounded.rs b/rust/kernel/num/bounded.rs
@@ -259,9 +259,9 @@ macro_rules! impl_const_new {
                     assert!(fits_within!(VALUE, $type, N));
                 }
 
-                // INVARIANT: `fits_within` confirmed that `VALUE` can be represented within
+                // SAFETY: `fits_within` confirmed that `VALUE` can be represented within
                 // `N` bits.
-                Self::__new(VALUE)
+                unsafe { Self::__new(VALUE) }
             }
         }
         )*
@@ -284,7 +284,11 @@ where
     ///
     /// The caller remains responsible for checking, either statically or dynamically, that `value`
     /// can be represented as a `T` using at most `N` bits.
-    const fn __new(value: T) -> Self {
+    ///
+    /// # Safety
+    ///
+    /// The caller must ensure that `value` can be represented within `N` bits.
+    const unsafe fn __new(value: T) -> Self {
         // Enforce the type invariants.
         const {
             // `N` cannot be zero.
@@ -328,8 +332,8 @@ where
     /// ```
     pub fn try_new(value: T) -> Option<Self> {
         fits_within(value, N).then(|| {
-            // INVARIANT: `fits_within` confirmed that `value` can be represented within `N` bits.
-            Self::__new(value)
+            // SAFETY: `fits_within` confirmed that `value` can be represented within `N` bits.
+            unsafe { Self::__new(value) }
         })
     }
 
@@ -370,8 +374,8 @@ where
             "Requested value larger than maximal representable value."
         );
 
-        // INVARIANT: `fits_within` confirmed that `expr` can be represented within `N` bits.
-        Self::__new(expr)
+        // SAFETY: `fits_within` confirmed that `expr` can be represented within `N` bits.
+        unsafe { Self::__new(expr) }
     }
 
     /// Returns the wrapped value as the backing type.
@@ -410,9 +414,9 @@ where
             );
         }
 
-        // INVARIANT: The value did fit within `N` bits, so it will all the more fit within
+        // SAFETY: The value did fit within `N` bits, so it will all the more fit within
         // the larger `M` bits.
-        Bounded::__new(self.0)
+        unsafe { Bounded::__new(self.0) }
     }
 
     /// Attempts to shrink the number of bits usable for `self`.
@@ -466,9 +470,9 @@ where
         // `U` and `T` have the same sign, hence this conversion cannot fail.
         let value = unsafe { U::try_from(self.get()).unwrap_unchecked() };
 
-        // INVARIANT: Although the backing type has changed, the value is still represented within
+        // SAFETY: Although the backing type has changed, the value is still represented within
         // `N` bits, and with the same signedness.
-        Bounded::__new(value)
+        unsafe { Bounded::__new(value) }
     }
 }
 
@@ -944,9 +948,9 @@ macro_rules! impl_from_primitive {
             Self: AtLeastXBits<{ <$type as Integer>::BITS as usize }>,
         {
             fn from(value: $type) -> Self {
-                // INVARIANT: The trait bound on `Self` guarantees that `N` bits is
+                // SAFETY: The trait bound on `Self` guarantees that `N` bits is
                 // enough to hold any value of the source type.
-                Self::__new(T::from(value))
+                unsafe { Self::__new(T::from(value)) }
             }
         }
         )*
@@ -1051,8 +1055,8 @@ where
     T: Integer + From<bool>,
 {
     fn from(value: bool) -> Self {
-        // INVARIANT: A boolean can be represented using a single bit, and thus fits within any
+        // SAFETY: A boolean can be represented using a single bit, and thus fits within any
         // integer type for any `N` > 0.
-        Self::__new(T::from(value))
+        unsafe { Self::__new(T::from(value)) }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -259,9 +259,9 @@ macro_rules! impl_const_new {`
`259`	`259`	`assert!(fits_within!(VALUE, $type, N));`
`260`	`260`	`}`
`261`	`261`
`262`		- // INVARIANT: `fits_within` confirmed that `VALUE` can be represented within
	`262`	+ // SAFETY: `fits_within` confirmed that `VALUE` can be represented within
`263`	`263`	// `N` bits.
`264`		`- Self::__new(VALUE)`
	`264`	`+ unsafe { Self::__new(VALUE) }`
`265`	`265`	`}`
`266`	`266`	`}`
`267`	`267`	`)*`
`@@ -284,7 +284,11 @@ where`
`284`	`284`	`///`
`285`	`285`	/// The caller remains responsible for checking, either statically or dynamically, that `value`
`286`	`286`	/// can be represented as a `T` using at most `N` bits.
`287`		`- const fn __new(value: T) -> Self {`
	`287`	`+ ///`
	`288`	`+ /// # Safety`
	`289`	`+ ///`
	`290`	+ /// The caller must ensure that `value` can be represented within `N` bits.
	`291`	`+ const unsafe fn __new(value: T) -> Self {`
`288`	`292`	`// Enforce the type invariants.`
`289`	`293`	`const {`
`290`	`294`	// `N` cannot be zero.
`@@ -328,8 +332,8 @@ where`
`328`	`332`	/// ```
`329`	`333`	`pub fn try_new(value: T) -> Option<Self> {`
`330`	`334`	`fits_within(value, N).then(\|\| {`
`331`		- // INVARIANT: `fits_within` confirmed that `value` can be represented within `N` bits.
`332`		`- Self::__new(value)`
	`335`	+ // SAFETY: `fits_within` confirmed that `value` can be represented within `N` bits.
	`336`	`+ unsafe { Self::__new(value) }`
`333`	`337`	`})`
`334`	`338`	`}`
`335`	`339`
`@@ -370,8 +374,8 @@ where`
`370`	`374`	`"Requested value larger than maximal representable value."`
`371`	`375`	`);`
`372`	`376`
`373`		- // INVARIANT: `fits_within` confirmed that `expr` can be represented within `N` bits.
`374`		`- Self::__new(expr)`
	`377`	+ // SAFETY: `fits_within` confirmed that `expr` can be represented within `N` bits.
	`378`	`+ unsafe { Self::__new(expr) }`
`375`	`379`	`}`
`376`	`380`
`377`	`381`	`/// Returns the wrapped value as the backing type.`
`@@ -410,9 +414,9 @@ where`
`410`	`414`	`);`
`411`	`415`	`}`
`412`	`416`
`413`		- // INVARIANT: The value did fit within `N` bits, so it will all the more fit within
	`417`	+ // SAFETY: The value did fit within `N` bits, so it will all the more fit within
`414`	`418`	// the larger `M` bits.
`415`		`- Bounded::__new(self.0)`
	`419`	`+ unsafe { Bounded::__new(self.0) }`
`416`	`420`	`}`
`417`	`421`
`418`	`422`	/// Attempts to shrink the number of bits usable for `self`.
`@@ -466,9 +470,9 @@ where`
`466`	`470`	// `U` and `T` have the same sign, hence this conversion cannot fail.
`467`	`471`	`let value = unsafe { U::try_from(self.get()).unwrap_unchecked() };`
`468`	`472`
`469`		`- // INVARIANT: Although the backing type has changed, the value is still represented within`
	`473`	`+ // SAFETY: Although the backing type has changed, the value is still represented within`
`470`	`474`	// `N` bits, and with the same signedness.
`471`		`- Bounded::__new(value)`
	`475`	`+ unsafe { Bounded::__new(value) }`
`472`	`476`	`}`
`473`	`477`	`}`
`474`	`478`
`@@ -944,9 +948,9 @@ macro_rules! impl_from_primitive {`
`944`	`948`	`Self: AtLeastXBits<{ <$type as Integer>::BITS as usize }>,`
`945`	`949`	`{`
`946`	`950`	`fn from(value: $type) -> Self {`
`947`		- // INVARIANT: The trait bound on `Self` guarantees that `N` bits is
	`951`	+ // SAFETY: The trait bound on `Self` guarantees that `N` bits is
`948`	`952`	`// enough to hold any value of the source type.`
`949`		`- Self::__new(T::from(value))`
	`953`	`+ unsafe { Self::__new(T::from(value)) }`
`950`	`954`	`}`
`951`	`955`	`}`
`952`	`956`	`)*`
`@@ -1051,8 +1055,8 @@ where`
`1051`	`1055`	`T: Integer + From<bool>,`
`1052`	`1056`	`{`
`1053`	`1057`	`fn from(value: bool) -> Self {`
`1054`		`- // INVARIANT: A boolean can be represented using a single bit, and thus fits within any`
	`1058`	`+ // SAFETY: A boolean can be represented using a single bit, and thus fits within any`
`1055`	`1059`	// integer type for any `N` > 0.
`1056`		`- Self::__new(T::from(value))`
	`1060`	`+ unsafe { Self::__new(T::from(value)) }`
`1057`	`1061`	`}`
`1058`	`1062`	`}`