xref: /linux/rust/kernel/safety.rs (revision c17ee635fd3a482b2ad2bf5e269755c2eae5f25e) 
1*b8d687c7SRitvik Gupta // SPDX-License-Identifier: GPL-2.0
2*b8d687c7SRitvik Gupta 
3*b8d687c7SRitvik Gupta //! Safety related APIs.
4*b8d687c7SRitvik Gupta 
5*b8d687c7SRitvik Gupta /// Checks that a precondition of an unsafe function is followed.
6*b8d687c7SRitvik Gupta ///
7*b8d687c7SRitvik Gupta /// The check is enabled at runtime if debug assertions (`CONFIG_RUST_DEBUG_ASSERTIONS`)
8*b8d687c7SRitvik Gupta /// are enabled. Otherwise, this macro is a no-op.
9*b8d687c7SRitvik Gupta ///
10*b8d687c7SRitvik Gupta /// # Examples
11*b8d687c7SRitvik Gupta ///
12*b8d687c7SRitvik Gupta /// ```no_run
13*b8d687c7SRitvik Gupta /// use kernel::unsafe_precondition_assert;
14*b8d687c7SRitvik Gupta ///
15*b8d687c7SRitvik Gupta /// struct RawBuffer<T: Copy, const N: usize> {
16*b8d687c7SRitvik Gupta ///     data: [T; N],
17*b8d687c7SRitvik Gupta /// }
18*b8d687c7SRitvik Gupta ///
19*b8d687c7SRitvik Gupta /// impl<T: Copy, const N: usize> RawBuffer<T, N> {
20*b8d687c7SRitvik Gupta ///     /// # Safety
21*b8d687c7SRitvik Gupta ///     ///
22*b8d687c7SRitvik Gupta ///     /// The caller must ensure that `index` is less than `N`.
23*b8d687c7SRitvik Gupta ///     unsafe fn set_unchecked(&mut self, index: usize, value: T) {
24*b8d687c7SRitvik Gupta ///         unsafe_precondition_assert!(
25*b8d687c7SRitvik Gupta ///             index < N,
26*b8d687c7SRitvik Gupta ///             "RawBuffer::set_unchecked() requires index ({index}) < N ({N})"
27*b8d687c7SRitvik Gupta ///         );
28*b8d687c7SRitvik Gupta ///
29*b8d687c7SRitvik Gupta ///         // SAFETY: By the safety requirements of this function, `index` is valid.
30*b8d687c7SRitvik Gupta ///         unsafe {
31*b8d687c7SRitvik Gupta ///             *self.data.get_unchecked_mut(index) = value;
32*b8d687c7SRitvik Gupta ///         }
33*b8d687c7SRitvik Gupta ///     }
34*b8d687c7SRitvik Gupta /// }
35*b8d687c7SRitvik Gupta /// ```
36*b8d687c7SRitvik Gupta ///
37*b8d687c7SRitvik Gupta /// # Panics
38*b8d687c7SRitvik Gupta ///
39*b8d687c7SRitvik Gupta /// Panics if the expression is evaluated to [`false`] at runtime.
40*b8d687c7SRitvik Gupta #[macro_export]
41*b8d687c7SRitvik Gupta macro_rules! unsafe_precondition_assert {
42*b8d687c7SRitvik Gupta     ($cond:expr $(,)?) => {
43*b8d687c7SRitvik Gupta         $crate::unsafe_precondition_assert!(@inner $cond, ::core::stringify!($cond))
44*b8d687c7SRitvik Gupta     };
45*b8d687c7SRitvik Gupta 
46*b8d687c7SRitvik Gupta     ($cond:expr, $($arg:tt)+) => {
47*b8d687c7SRitvik Gupta         $crate::unsafe_precondition_assert!(@inner $cond, $crate::prelude::fmt!($($arg)+))
48*b8d687c7SRitvik Gupta     };
49*b8d687c7SRitvik Gupta 
50*b8d687c7SRitvik Gupta     (@inner $cond:expr, $msg:expr) => {
51*b8d687c7SRitvik Gupta         ::core::debug_assert!($cond, "unsafe precondition violated: {}", $msg)
52*b8d687c7SRitvik Gupta     };
53*b8d687c7SRitvik Gupta }
54