rusticl: enforce using unsafe blocks in unsafe functions

Signed-off-by: Karol Herbst <git@karolherbst.de>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23660>

src/gallium/frontends/rusticl/api/kernel.rs

@@ -122,7 +122,7 @@ const ZERO_ARR: [usize; 3] = [0; 3];
 /// This function is only safe when called on an array of `work_dim` length
 unsafe fn kernel_work_arr_or_default<'a>(arr: *const usize, work_dim: cl_uint) -> &'a [usize] {
     if !arr.is_null() {
-        slice::from_raw_parts(arr, work_dim as usize)
+        unsafe { slice::from_raw_parts(arr, work_dim as usize) }
     } else {
         &ZERO_ARR
     }

src/gallium/frontends/rusticl/api/types.rs

@@ -90,7 +90,9 @@ impl<T: Copy> CLVec<T> {
     ///
     /// Using it for anything else is undefined.
     pub unsafe fn from_raw(v: *const T) -> Self {
-        Self { vals: *v.cast() }
+        Self {
+            vals: unsafe { *v.cast() },
+        }
     }
 
     pub fn pixels<'a>(&'a self) -> T

src/gallium/frontends/rusticl/mesa/compiler/clc/spirv.rs

@@ -38,12 +38,15 @@ pub struct CLCHeader<'a> {
 }
 
 unsafe fn callback_impl(data: *mut c_void, msg: *const c_char) {
-    let msgs = (data as *mut Vec<String>).as_mut().expect("");
+    let data = data as *mut Vec<String>;
+    let msgs = unsafe { data.as_mut() }.unwrap();
     msgs.push(c_string_to_string(msg));
 }
 
 unsafe extern "C" fn spirv_msg_callback(data: *mut c_void, msg: *const c_char) {
-    callback_impl(data, msg);
+    unsafe {
+        callback_impl(data, msg);
+    }
 }
 
 unsafe extern "C" fn spirv_to_nir_msg_callback(
@@ -53,7 +56,9 @@ unsafe extern "C" fn spirv_to_nir_msg_callback(
     msg: *const c_char,
 ) {
     if dbg_level >= nir_spirv_debug_level::NIR_SPIRV_DEBUG_LEVEL_WARNING {
-        callback_impl(data, msg);
+        unsafe {
+            callback_impl(data, msg);
+        }
     }
 }
 

src/gallium/frontends/rusticl/meson.build

@@ -76,6 +76,8 @@ rusticl_files = files(
 )
 
 rusticl_args = [
+  # we want unsafe blocks inside unsafe functions
+  '-Dunsafe_op_in_unsafe_fn',
   # we error on all clippy warnings unless they are disabled
   '-Dclippy::all',
   # we want to add asserts in control flow

src/gallium/frontends/rusticl/util/ptr.rs

@@ -10,9 +10,16 @@ pub trait CheckedPtr<T> {
 }
 
 impl<T> CheckedPtr<T> for *mut T {
+    /// # Safety
+    ///
+    /// This function follows the same safety rules as `std::ptr::copy` except that it already
+    /// checks for a NULL pointer.
     unsafe fn copy_checked(self, val: *const T, size: usize) {
         if !self.is_null() {
-            ptr::copy(val, self, size);
+            // SAFETY: we move the responsibilities up to the caller
+            unsafe {
+                ptr::copy(val, self, size);
+            }
         }
     }