[Merged by Bors] - add more SAFETY comments and lint for missing ones in bevy_ecs

[jakobhellermann]

Objective

SAFETY comments are meant to be placed before unsafe blocks and should contain the reasoning of why in this case the usage of unsafe is okay. This is useful when reading the code because it makes it clear which assumptions are required for safety, and makes it easier to spot possible unsoundness holes. It also forces the code writer to think of something to write and maybe look at the safety contracts of any called unsafe methods again to double-check their correct usage.

There's a clippy lint called undocumented_unsafe_blocks which warns when using a block without such a comment.

Solution

• since clippy expects SAFETY instead of SAFE, rename those
• add SAFETY comments in more places
• for the last remaining 3 places, add an #[allow()] and // TODO since I wasn't comfortable enough with the code to justify their safety
• add #![warn(clippy::undocumented_unsafe_blocks)] to bevy_ecs

Note for reviewers

The first commit only renames SAFETY to SAFE so it doesn't need a thorough review.
https://github.com/bevyengine/bevy/pull/4835/files/cb042a416ecbe5e7d74797449969e064d8a5f13c..55cef2d6fa3aa634667a60f6d5abc16f43f16298 is the diff for all other changes.

Safety comments where I'm not too familiar with the code

bevy/crates/bevy_ecs/src/entity/mod.rs

Lines 540 to 546 in 774012e

	// SAFETY: as per `flush` safety docs, the archetype id can be set to [`ArchetypeId::INVALID`] if
	// the [`Entity`] has not been assigned to an [`Archetype`][crate::archetype::Archetype], which is the case here
	unsafe {
	self.flush(|_entity, location| {
	location.archetype_id = ArchetypeId::INVALID;
	});
	}

bevy/crates/bevy_ecs/src/world/entity_ref.rs

Lines 249 to 252 in 774012e

	// SAFETY: `archetype_id` exists because it is referenced in the old `EntityLocation` which is valid,
	// components exist in `bundle_info` because `Bundles::init_info` initializes a `BundleInfo` containing all components of the bundle type `T`
	let new_archetype_id = unsafe {
	remove_bundle_from_archetype(

Locations left undocumented with a TODO comment

bevy/crates/bevy_ecs/src/schedule/executor_parallel.rs

Lines 196 to 199 in 5dde944

	#[allow(clippy::undocumented_unsafe_blocks)] // TODO: document why this is safe
	unsafe {
	system.run_unsafe((), world)
	};

bevy/crates/bevy_ecs/src/world/entity_ref.rs

Lines 287 to 289 in 5dde944

	#[allow(clippy::undocumented_unsafe_blocks)] // TODO: document why this is safe
	unsafe {
	Self::move_entity_from_remove::<false>(

bevy/crates/bevy_ecs/src/world/entity_ref.rs

Lines 413 to 415 in 5dde944

	#[allow(clippy::undocumented_unsafe_blocks)] // TODO: document why this is safe
	unsafe {
	Self::move_entity_from_remove::<true>(

[alice-i-cecile]

This should note that Command: Send as a trait bound.

[alice-i-cecile]

I'm happy with both the direction and the safety comments added. I think this should wait on @cart as it's a) a change to project style and b) mostly their code.

[cart]

Definitely on board for these changes! I'll do one last review once conflicts have been resolved, but I think this is pretty much good to go.

[jakobhellermann]

rebased

[cart]

The new safety docs are correct and checking for undocumented unsafe blocks is a huge improvement. Thanks!

One last round of merge conflict resolutions and then we should merge this asap.

[cart]

bors r+

[bors]

Build failed:

• ci

[jakobhellermann]

I documented the blob vec safety in 4de4571, switching the increment in grow_exact to a NonZeroUsize and making it an unsafe fn requiring it not to be called on a ZST layout vec.

I also introduced a new runtime check in reserve_exact:

-        if available_space < additional {
+        if available_space < additional && self.item_layout.size() > 0 {

[alice-i-cecile]

New changes LGTM. The runtime check is worth it for soundness too. I'll retry this once I get a second approval.

[alice-i-cecile]

bors r+

[bors]

Build failed (retrying...):

• ci

[bors]

Build failed:

• ci

[jakobhellermann]

@alice-i-cecile there were two new undocumented usages of unsafe which are fixed now, I think bors can be retried again

[alice-i-cecile]

bors retry

[bors]

Pull request successfully merged into main.

Build succeeded:

• build-and-install-on-iOS
• build-android
• build (nightly, ubuntu-latest)
• build (stable, macos-latest)
• build (stable, ubuntu-latest)
• build (stable, windows-latest)
• build-wasm (nightly, ubuntu-latest)
• build-wasm (stable, ubuntu-latest)
• check-compiles
• check-doc
• check-missing-examples-in-docs
• ci
• markdownlint
• miri
• run-examples
• run-examples-on-wasm
• run-examples-on-windows