Add some safety docs

Manishearth · Manishearth · commit c3d0870594d4 · 2024-04-26T15:02:05.000-07:00
diff --git a/crates/toml_edit/src/parser/datetime.rs b/crates/toml_edit/src/parser/datetime.rs
@@ -255,6 +255,7 @@ pub(crate) fn unsigned_digits<'i, const MIN: usize, const MAX: usize>(
     input: &mut Input<'i>,
 ) -> PResult<&'i str> {
     take_while(MIN..=MAX, DIGIT)
+        // Safety: `digit` only produces ASCII
         .map(|b: &[u8]| unsafe { from_utf8_unchecked(b, "`is_ascii_digit` filters out on-ASCII") })
         .parse_next(input)
 }
diff --git a/crates/toml_edit/src/parser/key.rs b/crates/toml_edit/src/parser/key.rs
@@ -90,6 +90,7 @@ pub(crate) fn simple_key(input: &mut Input<'_>) -> PResult<(RawString, InternalS
 fn unquoted_key<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     trace(
         "unquoted-key",
+        // Safety: UNQUOTED_CHAR is only ASCII ranges
         take_while(1.., UNQUOTED_CHAR)
             .map(|b| unsafe { from_utf8_unchecked(b, "`is_unquoted_char` filters out on-ASCII") }),
     )
@@ -101,6 +102,7 @@ pub(crate) fn is_unquoted_char(c: u8) -> bool {
     UNQUOTED_CHAR.contains_token(c)
 }
 
+// Safety-usable invariant: UNQUOTED_CHAR is only ASCII ranges
 const UNQUOTED_CHAR: (
     RangeInclusive<u8>,
     RangeInclusive<u8>,
diff --git a/crates/toml_edit/src/parser/numbers.rs b/crates/toml_edit/src/parser/numbers.rs
@@ -79,13 +79,15 @@ pub(crate) fn dec_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
             )),
         )
             .recognize()
+            // Safety: DIGIT1_9, digit(), and `_` only covers ASCII ranges
             .map(|b: &[u8]| unsafe {
                 from_utf8_unchecked(b, "`digit` and `_` filter out non-ASCII")
             })
             .context(StrContext::Label("integer")),
     )
     .parse_next(input)
 }
+/// Safety-usable invariant: DIGIT1_9 is only ASCII ranges
 const DIGIT1_9: RangeInclusive<u8> = b'1'..=b'9';
 
 // hex-prefix = %x30.78               ; 0x
@@ -114,11 +116,13 @@ pub(crate) fn hex_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
             ))
             .recognize(),
         )
+        // Safety: HEX_PREFIX, hexdig(), and `_` only covers ASCII ranges
         .map(|b| unsafe { from_utf8_unchecked(b, "`hexdig` and `_` filter out non-ASCII") })
         .context(StrContext::Label("hexadecimal integer")),
     )
     .parse_next(input)
 }
+/// Safety-usable invariant: HEX_PREFIX is ASCII only
 const HEX_PREFIX: &[u8] = b"0x";
 
 // oct-prefix = %x30.6F               ; 0o
@@ -147,12 +151,15 @@ pub(crate) fn oct_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
             ))
             .recognize(),
         )
+        // Safety: DIGIT0_7, OCT_PREFIX, and `_` only covers ASCII ranges
         .map(|b| unsafe { from_utf8_unchecked(b, "`DIGIT0_7` and `_` filter out non-ASCII") })
         .context(StrContext::Label("octal integer")),
     )
     .parse_next(input)
 }
+/// Safety-usable invariant: OCT_PREFIX is ASCII only
 const OCT_PREFIX: &[u8] = b"0o";
+/// Safety-usable invariant: DIGIT0_7 is ASCII only
 const DIGIT0_7: RangeInclusive<u8> = b'0'..=b'7';
 
 // bin-prefix = %x30.62               ; 0b
@@ -181,12 +188,15 @@ pub(crate) fn bin_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
             ))
             .recognize(),
         )
+        // Safety: DIGIT0_1, BIN_PREFIX, and `_` only covers ASCII ranges
         .map(|b| unsafe { from_utf8_unchecked(b, "`DIGIT0_1` and `_` filter out non-ASCII") })
         .context(StrContext::Label("binary integer")),
     )
     .parse_next(input)
 }
+/// Safety-usable invariant: BIN_PREFIX is ASCII only
 const BIN_PREFIX: &[u8] = b"0b";
+/// Safety-usable invariant: DIGIT0_1 is ASCII only
 const DIGIT0_1: RangeInclusive<u8> = b'0'..=b'1';
 
 // ;; Float
@@ -234,6 +244,7 @@ pub(crate) fn frac<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     )
         .recognize()
         .map(|b: &[u8]| unsafe {
+            // Safety: `.` and `zero_prefixable_int` only handle ASCII
             from_utf8_unchecked(
                 b,
                 "`.` and `parse_zero_prefixable_int` filter out non-ASCII",
@@ -243,6 +254,7 @@ pub(crate) fn frac<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
 }
 
 // zero-prefixable-int = DIGIT *( DIGIT / underscore DIGIT )
+/// Safety-usable invariant: only produces ASCII
 pub(crate) fn zero_prefixable_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     (
         digit,
@@ -261,8 +273,10 @@ pub(crate) fn zero_prefixable_int<'i>(input: &mut Input<'i>) -> PResult<&'i str>
         .map(|()| ()),
     )
         .recognize()
+        // Safety: `digit()` and `_` are all ASCII
         .map(|b: &[u8]| unsafe { from_utf8_unchecked(b, "`digit` and `_` filter out non-ASCII") })
         .parse_next(input)
+    /// Safety-usable invariant upheld by only using `digit` and `_` in the parser
 }
 
 // exp = "e" float-exp-part
@@ -275,6 +289,7 @@ pub(crate) fn exp<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     )
         .recognize()
         .map(|b: &[u8]| unsafe {
+            // Safety: `e`, `E`, `+`, `-`, and `zero_prefixable_int` are all ASCII
             from_utf8_unchecked(
                 b,
                 "`one_of` and `parse_zero_prefixable_int` filter out non-ASCII",
@@ -305,15 +320,20 @@ pub(crate) fn nan(input: &mut Input<'_>) -> PResult<f64> {
 const NAN: &[u8] = b"nan";
 
 // DIGIT = %x30-39 ; 0-9
+/// Safety-usable invariant: only parses ASCII
 pub(crate) fn digit(input: &mut Input<'_>) -> PResult<u8> {
+    // Safety: DIGIT is all ASCII
     one_of(DIGIT).parse_next(input)
 }
 const DIGIT: RangeInclusive<u8> = b'0'..=b'9';
 
 // HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
+/// Safety-usable invariant: only parses ASCII
 pub(crate) fn hexdig(input: &mut Input<'_>) -> PResult<u8> {
+    // Safety: HEXDIG is all ASCII
     one_of(HEXDIG).parse_next(input)
 }
+/// Safety-usable invariant: only ASCII ranges
 pub(crate) const HEXDIG: (RangeInclusive<u8>, RangeInclusive<u8>, RangeInclusive<u8>) =
     (DIGIT, b'A'..=b'F', b'a'..=b'f');
 
diff --git a/crates/toml_edit/src/parser/strings.rs b/crates/toml_edit/src/parser/strings.rs
@@ -138,6 +138,7 @@ fn escape_seq_char(input: &mut Input<'_>) -> PResult<char> {
 pub(crate) fn hexescape<const N: usize>(input: &mut Input<'_>) -> PResult<char> {
     take_while(0..=N, HEXDIG)
         .verify(|b: &[u8]| b.len() == N)
+        // Safety: HEXDIG is ASCII-only
         .map(|b: &[u8]| unsafe { from_utf8_unchecked(b, "`is_ascii_digit` filters out on-ASCII") })
         .verify_map(|s| u32::from_str_radix(s, 16).ok())
         .try_map(|h| char::from_u32(h).ok_or(CustomError::OutOfRange))
@@ -217,13 +218,15 @@ fn mlb_quotes<'i>(
     move |input: &mut Input<'i>| {
         let start = input.checkpoint();
         let res = terminated(b"\"\"", peek(term.by_ref()))
+            // Safety: ???
             .map(|b| unsafe { from_utf8_unchecked(b, "`bytes` out non-ASCII") })
             .parse_next(input);
 
         match res {
             Err(winnow::error::ErrMode::Backtrack(_)) => {
                 input.reset(&start);
                 terminated(b"\"", peek(term.by_ref()))
+                    // Safety: ???
                     .map(|b| unsafe { from_utf8_unchecked(b, "`bytes` out non-ASCII") })
                     .parse_next(input)
             }
@@ -346,13 +349,15 @@ fn mll_quotes<'i>(
     move |input: &mut Input<'i>| {
         let start = input.checkpoint();
         let res = terminated(b"''", peek(term.by_ref()))
+            // Safety: ???
             .map(|b| unsafe { from_utf8_unchecked(b, "`bytes` out non-ASCII") })
             .parse_next(input);
 
         match res {
             Err(winnow::error::ErrMode::Backtrack(_)) => {
                 input.reset(&start);
                 terminated(b"'", peek(term.by_ref()))
+                    // Safety: ???
                     .map(|b| unsafe { from_utf8_unchecked(b, "`bytes` out non-ASCII") })
                     .parse_next(input)
             }
diff --git a/crates/toml_edit/src/parser/trivia.rs b/crates/toml_edit/src/parser/trivia.rs
@@ -11,6 +11,7 @@ use winnow::token::take_while;
 
 use crate::parser::prelude::*;
 
+/// Safety invariant: must be called with valid UTF-8 in `bytes`
 pub(crate) unsafe fn from_utf8_unchecked<'b>(
     bytes: &'b [u8],
     safety_justification: &'static str,
@@ -27,10 +28,12 @@ pub(crate) unsafe fn from_utf8_unchecked<'b>(
 
 // wschar = ( %x20 /              ; Space
 //            %x09 )              ; Horizontal tab
+/// Safety-usable invariant: WSCHAR is only ASCII values
 pub(crate) const WSCHAR: (u8, u8) = (b' ', b'\t');
 
 // ws = *wschar
 pub(crate) fn ws<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
+    // Safety: WSCHAR only contains ASCII
     take_while(0.., WSCHAR)
         .map(|b| unsafe { from_utf8_unchecked(b, "`is_wschar` filters out on-ASCII") })
         .parse_next(input)
@@ -58,8 +61,10 @@ pub(crate) fn comment<'i>(input: &mut Input<'i>) -> PResult<&'i [u8]> {
 
 // newline = ( %x0A /              ; LF
 //             %x0D.0A )           ; CRLF
+/// Safety-usable invariant: Only returns ASCII bytes
 pub(crate) fn newline(input: &mut Input<'_>) -> PResult<u8> {
     alt((
+        // Safety: CR and LF are ASCII
         one_of(LF).value(b'\n'),
         (one_of(CR), one_of(LF)).value(b'\n'),
     ))
@@ -76,6 +81,7 @@ pub(crate) fn ws_newline<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     )
     .map(|()| ())
     .recognize()
+    // Safety: `newline` and `WSCHAR` are all ASCII
     .map(|b| unsafe { from_utf8_unchecked(b, "`is_wschar` and `newline` filters out on-ASCII") })
     .parse_next(input)
 }
@@ -85,6 +91,7 @@ pub(crate) fn ws_newlines<'i>(input: &mut Input<'i>) -> PResult<&'i str> {
     (newline, ws_newline)
         .recognize()
         .map(|b| unsafe {
+    // Safety: `newline` and `WSCHAR` are all ASCII
             from_utf8_unchecked(b, "`is_wschar` and `newline` filters out on-ASCII")
         })
         .parse_next(input)

Original file line number	Diff line number	Diff line change
`@@ -255,6 +255,7 @@ pub(crate) fn unsigned_digits<'i, const MIN: usize, const MAX: usize>(`
`255`	`255`	`input: &mut Input<'i>,`
`256`	`256`	`) -> PResult<&'i str> {`
`257`	`257`	`take_while(MIN..=MAX, DIGIT)`
	`258`	+ // Safety: `digit` only produces ASCII
`258`	`259`	.map(\|b: &[u8]\| unsafe { from_utf8_unchecked(b, "`is_ascii_digit` filters out on-ASCII") })
`259`	`260`	`.parse_next(input)`
`260`	`261`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ pub(crate) fn simple_key(input: &mut Input<'_>) -> PResult<(RawString, InternalS`
`90`	`90`	`fn unquoted_key<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`91`	`91`	`trace(`
`92`	`92`	`"unquoted-key",`
	`93`	`+ // Safety: UNQUOTED_CHAR is only ASCII ranges`
`93`	`94`	`take_while(1.., UNQUOTED_CHAR)`
`94`	`95`	.map(\|b\| unsafe { from_utf8_unchecked(b, "`is_unquoted_char` filters out on-ASCII") }),
`95`	`96`	`)`
`@@ -101,6 +102,7 @@ pub(crate) fn is_unquoted_char(c: u8) -> bool {`
`101`	`102`	`UNQUOTED_CHAR.contains_token(c)`
`102`	`103`	`}`
`103`	`104`
	`105`	`+// Safety-usable invariant: UNQUOTED_CHAR is only ASCII ranges`
`104`	`106`	`const UNQUOTED_CHAR: (`
`105`	`107`	`RangeInclusive<u8>,`
`106`	`108`	`RangeInclusive<u8>,`
Original file line number	Diff line number	Diff line change
`@@ -79,13 +79,15 @@ pub(crate) fn dec_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`79`	`79`	`)),`
`80`	`80`	`)`
`81`	`81`	`.recognize()`
	`82`	+ // Safety: DIGIT1_9, digit(), and `_` only covers ASCII ranges
`82`	`83`	`.map(\|b: &[u8]\| unsafe {`
`83`	`84`	from_utf8_unchecked(b, "`digit` and `_` filter out non-ASCII")
`84`	`85`	`})`
`85`	`86`	`.context(StrContext::Label("integer")),`
`86`	`87`	`)`
`87`	`88`	`.parse_next(input)`
`88`	`89`	`}`
	`90`	`+/// Safety-usable invariant: DIGIT1_9 is only ASCII ranges`
`89`	`91`	`const DIGIT1_9: RangeInclusive<u8> = b'1'..=b'9';`
`90`	`92`
`91`	`93`	`// hex-prefix = %x30.78 ; 0x`
`@@ -114,11 +116,13 @@ pub(crate) fn hex_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`114`	`116`	`))`
`115`	`117`	`.recognize(),`
`116`	`118`	`)`
	`119`	+ // Safety: HEX_PREFIX, hexdig(), and `_` only covers ASCII ranges
`117`	`120`	.map(\|b\| unsafe { from_utf8_unchecked(b, "`hexdig` and `_` filter out non-ASCII") })
`118`	`121`	`.context(StrContext::Label("hexadecimal integer")),`
`119`	`122`	`)`
`120`	`123`	`.parse_next(input)`
`121`	`124`	`}`
	`125`	`+/// Safety-usable invariant: HEX_PREFIX is ASCII only`
`122`	`126`	`const HEX_PREFIX: &[u8] = b"0x";`
`123`	`127`
`124`	`128`	`// oct-prefix = %x30.6F ; 0o`
`@@ -147,12 +151,15 @@ pub(crate) fn oct_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`147`	`151`	`))`
`148`	`152`	`.recognize(),`
`149`	`153`	`)`
	`154`	+ // Safety: DIGIT0_7, OCT_PREFIX, and `_` only covers ASCII ranges
`150`	`155`	.map(\|b\| unsafe { from_utf8_unchecked(b, "`DIGIT0_7` and `_` filter out non-ASCII") })
`151`	`156`	`.context(StrContext::Label("octal integer")),`
`152`	`157`	`)`
`153`	`158`	`.parse_next(input)`
`154`	`159`	`}`
	`160`	`+/// Safety-usable invariant: OCT_PREFIX is ASCII only`
`155`	`161`	`const OCT_PREFIX: &[u8] = b"0o";`
	`162`	`+/// Safety-usable invariant: DIGIT0_7 is ASCII only`
`156`	`163`	`const DIGIT0_7: RangeInclusive<u8> = b'0'..=b'7';`
`157`	`164`
`158`	`165`	`// bin-prefix = %x30.62 ; 0b`
`@@ -181,12 +188,15 @@ pub(crate) fn bin_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`181`	`188`	`))`
`182`	`189`	`.recognize(),`
`183`	`190`	`)`
	`191`	+ // Safety: DIGIT0_1, BIN_PREFIX, and `_` only covers ASCII ranges
`184`	`192`	.map(\|b\| unsafe { from_utf8_unchecked(b, "`DIGIT0_1` and `_` filter out non-ASCII") })
`185`	`193`	`.context(StrContext::Label("binary integer")),`
`186`	`194`	`)`
`187`	`195`	`.parse_next(input)`
`188`	`196`	`}`
	`197`	`+/// Safety-usable invariant: BIN_PREFIX is ASCII only`
`189`	`198`	`const BIN_PREFIX: &[u8] = b"0b";`
	`199`	`+/// Safety-usable invariant: DIGIT0_1 is ASCII only`
`190`	`200`	`const DIGIT0_1: RangeInclusive<u8> = b'0'..=b'1';`
`191`	`201`
`192`	`202`	`// ;; Float`
`@@ -234,6 +244,7 @@ pub(crate) fn frac<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`234`	`244`	`)`
`235`	`245`	`.recognize()`
`236`	`246`	`.map(\|b: &[u8]\| unsafe {`
	`247`	+ // Safety: `.` and `zero_prefixable_int` only handle ASCII
`237`	`248`	`from_utf8_unchecked(`
`238`	`249`	`b,`
`239`	`250`	"`.` and `parse_zero_prefixable_int` filter out non-ASCII",
`@@ -243,6 +254,7 @@ pub(crate) fn frac<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`243`	`254`	`}`
`244`	`255`
`245`	`256`	`// zero-prefixable-int = DIGIT *( DIGIT / underscore DIGIT )`
	`257`	`+/// Safety-usable invariant: only produces ASCII`
`246`	`258`	`pub(crate) fn zero_prefixable_int<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`247`	`259`	`(`
`248`	`260`	`digit,`
`@@ -261,8 +273,10 @@ pub(crate) fn zero_prefixable_int<'i>(input: &mut Input<'i>) -> PResult<&'i str>`
`261`	`273`	`.map(\|()\| ()),`
`262`	`274`	`)`
`263`	`275`	`.recognize()`
	`276`	+ // Safety: `digit()` and `_` are all ASCII
`264`	`277`	.map(\|b: &[u8]\| unsafe { from_utf8_unchecked(b, "`digit` and `_` filter out non-ASCII") })
`265`	`278`	`.parse_next(input)`
	`279`	+ /// Safety-usable invariant upheld by only using `digit` and `_` in the parser
`266`	`280`	`}`
`267`	`281`
`268`	`282`	`// exp = "e" float-exp-part`
`@@ -275,6 +289,7 @@ pub(crate) fn exp<'i>(input: &mut Input<'i>) -> PResult<&'i str> {`
`275`	`289`	`)`
`276`	`290`	`.recognize()`
`277`	`291`	`.map(\|b: &[u8]\| unsafe {`
	`292`	+ // Safety: `e`, `E`, `+`, `-`, and `zero_prefixable_int` are all ASCII
`278`	`293`	`from_utf8_unchecked(`
`279`	`294`	`b,`
`280`	`295`	"`one_of` and `parse_zero_prefixable_int` filter out non-ASCII",
`@@ -305,15 +320,20 @@ pub(crate) fn nan(input: &mut Input<'_>) -> PResult<f64> {`
`305`	`320`	`const NAN: &[u8] = b"nan";`
`306`	`321`
`307`	`322`	`// DIGIT = %x30-39 ; 0-9`
	`323`	`+/// Safety-usable invariant: only parses ASCII`
`308`	`324`	`pub(crate) fn digit(input: &mut Input<'_>) -> PResult<u8> {`
	`325`	`+ // Safety: DIGIT is all ASCII`
`309`	`326`	`one_of(DIGIT).parse_next(input)`
`310`	`327`	`}`
`311`	`328`	`const DIGIT: RangeInclusive<u8> = b'0'..=b'9';`
`312`	`329`
`313`	`330`	`// HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"`
	`331`	`+/// Safety-usable invariant: only parses ASCII`
`314`	`332`	`pub(crate) fn hexdig(input: &mut Input<'_>) -> PResult<u8> {`
	`333`	`+ // Safety: HEXDIG is all ASCII`
`315`	`334`	`one_of(HEXDIG).parse_next(input)`
`316`	`335`	`}`
	`336`	`+/// Safety-usable invariant: only ASCII ranges`
`317`	`337`	`pub(crate) const HEXDIG: (RangeInclusive<u8>, RangeInclusive<u8>, RangeInclusive<u8>) =`
`318`	`338`	`(DIGIT, b'A'..=b'F', b'a'..=b'f');`
`319`	`339`