jasondyoungberg/limine-rs

`ArrayPtr::into_slice` and `ArrayPtr::into_slice_mut` should be `unsafe`

Closed this issue · 0 comments

Those two functions are defined as follows:

fn into_slice<'a>(&'a self, len: usize) -> &'a [NonNullPtr<T>] {
    // SAFETY: We have shared reference to the array.
    unsafe { core::slice::from_raw_parts(self.as_ptr(), len) }
}

fn into_slice_mut<'a>(&'a mut self, len: usize) -> &'a mut [NonNullPtr<T>] {
    // SAFETY: We have exclusive access to the array.
    unsafe { core::slice::from_raw_parts_mut(self.as_ptr(), len) }
}

But it is perfectly valid to call the function with a len that's way too large for the data actually referenced by the pointer. The pointer knows it references an array, but it does not know how many items it points to.

The safety doc of the functions should include something like this:

/// # Safety
///
/// The specified `len` must not exceed the number of elements actually referenced by the pointer.

... or something like that.

I'd be down to implement the pull request for this though.
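As an added illustration (not limine-rs code, and not the reporter's patch), the following Rust shows the soundness problem the issue describes and two ways to close it: the `into_slice` signature marked `unsafe fn` with the `# Safety` contract the reporter proposes, and an alternative `BoundedArrayPtr` that records the element count at construction so its accessors can stay safe and reject an oversized `len`. `ArrayPtr`, `BoundedArrayPtr`, `from_slice` and `get` are assumed, simplified stand-ins for illustration; the element type is a plain `T` rather than the crate's `NonNullPtr<T>`.

```rust
// Added illustration, not the limine-rs crate's own code. Shows why a slice
// constructor taking an unchecked `len` must be `unsafe fn`, and how storing
// the length next to the pointer restores a safe API.
use core::marker::PhantomData;
use core::ptr::NonNull;

/// Assumed stand-in for the page's `ArrayPtr<T>`: it knows it points at an
/// array but does not record how many elements that array holds.
pub struct ArrayPtr<T> {
    ptr: NonNull<T>,
}

impl<T> ArrayPtr<T> {
    /// Hypothetical constructor: the slice length is deliberately forgotten
    /// here to mirror the situation described in the issue.
    pub fn from_slice(s: &[T]) -> Self {
        let ptr = NonNull::new(s.as_ptr() as *mut T).expect("slice pointers are never null");
        ArrayPtr { ptr }
    }

    pub fn as_ptr(&self) -> *const T {
        self.ptr.as_ptr()
    }

    /// The change the issue asks for: `unsafe fn`, with the invariant that
    /// this type cannot check pushed onto the caller.
    ///
    /// # Safety
    ///
    /// `len` must not exceed the number of elements actually referenced by
    /// the pointer, and those elements must remain valid and not mutably
    /// aliased for the lifetime `'a`.
    pub unsafe fn into_slice<'a>(&'a self, len: usize) -> &'a [T] {
        // SAFETY: upheld by the caller per the contract above.
        unsafe { core::slice::from_raw_parts(self.as_ptr(), len) }
    }
}

/// Alternative design: carry the length with the pointer so the accessors
/// can be safe functions again and an oversized request is rejected.
pub struct BoundedArrayPtr<'a, T> {
    ptr: NonNull<T>,
    len: usize,
    _borrow: PhantomData<&'a [T]>,
}

impl<'a, T> BoundedArrayPtr<'a, T> {
    pub fn from_slice(s: &'a [T]) -> Self {
        BoundedArrayPtr {
            ptr: NonNull::new(s.as_ptr() as *mut T).expect("slice pointers are never null"),
            len: s.len(),
            _borrow: PhantomData,
        }
    }

    /// Safe: `len` was captured together with `ptr`, so it cannot exceed
    /// the backing array, and `'a` keeps that array alive.
    pub fn as_slice(&self) -> &'a [T] {
        // SAFETY: `ptr`/`len` describe the slice borrowed in `from_slice`,
        // which `'a` guarantees is still alive and not mutably borrowed.
        unsafe { core::slice::from_raw_parts(self.ptr.as_ptr(), self.len) }
    }

    /// Checked prefix: returns `None` instead of an out-of-bounds slice when
    /// the requested `len` is larger than the array.
    pub fn get(&self, len: usize) -> Option<&'a [T]> {
        if len <= self.len {
            Some(&self.as_slice()[..len])
        } else {
            None
        }
    }
}

fn main() {
    let data = [1u32, 2, 3, 4]; // constructed sample array
    let raw = ArrayPtr::from_slice(&data);
    // The caller now has to vouch for `4`; a larger value would be UB.
    let s = unsafe { raw.into_slice(4) };
    println!("sum via unsafe contract: {}", s.iter().sum::<u32>());

    let bounded = BoundedArrayPtr::from_slice(&data);
    println!("checked get(2): {:?}", bounded.get(2));
    println!("checked get(8): {:?}", bounded.get(8));
}
```

The difference between the two types is where the length lives: `ArrayPtr` has to trust the caller, so its signature must say so with `unsafe`, while `BoundedArrayPtr` can enforce the bound itself and turn a bad `len` into `None` rather than an out-of-bounds slice.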