Doc trivial ecs unsafe

[hymm]

Objective

• Trying to doc most of the unsafe in the ecs crate so we can turn on unsafe_op_in_unsafe_fn.

Solution

• Unfortunately reviewing the unsafe docs will probably not be trivial if we try to do it all in one pr. There are 400+ warnings when you turn on the lint. So we need to break it up as much as possible as reviewing the safety contracts in some cases isn't the easiest.
• This pr includes two types of unsafe blocks.
  1. Blocks that already had safety comments, but were missing the unsafe {} block.
  2. Unsafe functions that have the same safety contract as their unsafe parent function and are very short. (Usually just the call to the function).

[james7132]

I'm of the opinion that we should explicitly state what safety invariants are being upheld here, that way if those invariants change, for whatever reason, they'll be propagated up during code review, and a desynchronization can be seen within the function definition.

[hymm]

Yeah, I keep going back on forth on this. I was actually going to do it the way you suggested at first. But while working on this I've looked through a lot of the existing safety comments and I see a lot of slightly different wording between the safety comment on the inner function and the parent function. This makes it not 100% clear that the safety is being transparently passed or being modified slightly. The mismatch actually makes it harder to verify that the safety contracts are being upheld. So this approach avoids that problem at the cost of what you're pointing out. I really wish we had rust-lang/rfcs#3842, which would fix this issue. I'd appreciate some other opinions here.

There also a lot cases like this https://github.com/bevyengine/bevy/pull/22014/files#diff-5625b402c72b0ac8efddfa3a2b8c1dc873e93f23cb28fc7f639c42e17e2011a2L253 where the safety invariants are on the trait definiion. And the method call is just another instance of the trait method. I think I'll change these to say "SAFETY: This method is called by the same trait method and so has the same safety contract."

[zjp-CN]

It's glad to see safety tags are attractive to bevy!

we should explicitly state what safety invariants are being upheld here, that way if those invariants change, for whatever reason, they'll be propagated up during code review, and a desynchronization can be seen within the function definition

As the author of the safety tags RFC and its prototype safety-tool, I recently got the unsafe call trees since Artisan-Lab/tag-std#84 for our draft tagged fork of Asterinas and Rust for Linux to help trace the propagation of safety properties and do better on writing/reviewing/auditing the safety documention and justification.

I'm presenting a talk this weekend. The slides are being iterated on and will be public as soon as possible. The idea may look like the following for this R4L function:

A tag spec is defined as:

[tag.PointToField]
args = [ "ptr", "field", "adt" ]
desc = "The {ptr} must be a pointer to a {field} in {adt}."

And you can see unsafe { &(*Group::<Parent>::container_of(this)).data } has two unsafe operations

• calling the unsafe container_of function
• dereferencing the raw pointer (and getting a reference)

The obligation of the unsafe call is delegated to the caller, while dereferencing is also guarenteed by the caller's ValidPtr property.