From 24b33d5fdc9513c1b46e99b526d21e0a7b5eea38 Mon Sep 17 00:00:00 2001
From: iximeow
Date: Mon, 24 Jun 2024 15:21:56 -0700
Subject: document one more stray unsafe
---
 src/long_mode/display.rs | 10 ++++++----
 src/protected_mode/display.rs | 10 ++++++----
 src/real_mode/display.rs | 10 ++++++----
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/src/long_mode/display.rs b/src/long_mode/display.rs
index 89d952b..b9023ed 100644
--- a/src/long_mode/display.rs
+++ b/src/long_mode/display.rs
@@ -9,6 +9,7 @@ use crate::long_mode::{RegSpec, Opcode, Operand, MergeMode, InstDecoder, Instruc
 use yaxpeax_arch::display::DisplaySink;
 use yaxpeax_arch::safer_unchecked::GetSaferUnchecked as _;
+use yaxpeax_arch::safer_unchecked::unreachable_kinda_unchecked as unreachable_unchecked;
 trait DisplaySinkExt {
 // `write_opcode` depends on all mnemonics being less than 32 bytes long. check that here, at
@@ -3693,15 +3694,16 @@ pub(crate) fn contextualize_intel(instr: &Instruction, out: &mut
 // don't worry about checking for `instr.operands[i] != Nothing`, it would be a bug to
 // reach that while iterating only to `operand_count`..
 out.write_fixed_size(", ")?;
+ // hint that accessing `inster.operands[i]` can't panic: this is useful for
+ // `instr.operands` and the segment selector check after.
 if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
+ // Safety: Instruction::operands is a four-element array; operand_count is always
+ // low enough that 0..operand_count is a valid index.
+ unsafe { unreachable_unchecked(); }
 }
 if instr.operands[i as usize].is_memory() {
 out.write_mem_size_label(instr.mem_size)?;
- if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
- }
 if let Some(prefix) = instr.segment_override_for_op(i) {
 let name = prefix.name();
 out.write_char(' ')?;
diff --git a/src/protected_mode/display.rs b/src/protected_mode/display.rs
index 321b5b5..8124337 100644
--- a/src/protected_mode/display.rs
+++ b/src/protected_mode/display.rs
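Review bot: The alias in the added import, `unreachable_kinda_unchecked as unreachable_unchecked`, gives the helper the same name as `core::hint::unreachable_unchecked`, so the call sites changed later in this file read as if they still invoked the core intrinsic. If the helper differs from the intrinsic in checked builds (its name and the `safer_unchecked` module suggest so, but its definition is not on this page), that difference is the reason for the change and should stay visible at the call site. I would import it unaliased and write `unsafe { unreachable_kinda_unchecked(); }`. The same import is added in `src/protected_mode/display.rs` and `src/real_mode/display.rs`.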
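Review bot: The `// Safety:` comment added inside `if i >= 4` asserts that `operand_count` is always small enough, but it does not say what enforces that; `instr` arrives as `&Instruction`, and nothing in this hunk bounds `operand_count` before the loop index reaches `instr.operands[i as usize]`. A disassembler typically renders instructions decoded from untrusted bytes, so the comment should name where the bound is upheld (presumably the decoder) and state whether any safe API can build an `Instruction` with `operand_count > 4`, because in that case this branch is undefined behaviour in optimised builds rather than a bounds-check panic. Separately, `inster.operands[i]` in the hint comment is a typo for `instr.operands[i]`, and the conventional marker is `// SAFETY:`. The identical lines appear in the `src/protected_mode/display.rs` and `src/real_mode/display.rs` hunks; `contextualize_intel` starts and ends outside the hunk.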
@@ -9,6 +9,7 @@ use crate::protected_mode::{RegSpec, Opcode, Operand, MergeMode, InstDecoder, In
 use yaxpeax_arch::display::DisplaySink;
 use yaxpeax_arch::safer_unchecked::GetSaferUnchecked as _;
+use yaxpeax_arch::safer_unchecked::unreachable_kinda_unchecked as unreachable_unchecked;
 trait DisplaySinkExt {
 // `write_opcode` depends on all mnemonics being less than 32 bytes long. check that here, at
@@ -2249,15 +2250,16 @@ pub(crate) fn contextualize_intel(instr: &Instruction, out: &mut
 // don't worry about checking for `instr.operands[i] != Nothing`, it would be a bug to
 // reach that while iterating only to `operand_count`..
 out.write_fixed_size(", ")?;
+ // hint that accessing `inster.operands[i]` can't panic: this is useful for
+ // `instr.operands` and the segment selector check after.
 if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
+ // Safety: Instruction::operands is a four-element array; operand_count is always
+ // low enough that 0..operand_count is a valid index.
+ unsafe { unreachable_unchecked(); }
 }
 if instr.operands[i as usize].is_memory() {
 out.write_mem_size_label(instr.mem_size)?;
- if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
- }
 if let Some(prefix) = instr.segment_override_for_op(i) {
 let name = prefix.name();
 out.write_char(' ')?;
diff --git a/src/real_mode/display.rs b/src/real_mode/display.rs
index 669b8d7..9607e9d 100644
--- a/src/real_mode/display.rs
+++ b/src/real_mode/display.rs
@@ -9,6 +9,7 @@ use crate::real_mode::{RegSpec, Opcode, Operand, MergeMode, InstDecoder, Instruc
 use yaxpeax_arch::display::DisplaySink;
 use yaxpeax_arch::safer_unchecked::GetSaferUnchecked as _;
+use yaxpeax_arch::safer_unchecked::unreachable_kinda_unchecked as unreachable_unchecked;
 trait DisplaySinkExt {
 // `write_opcode` depends on all mnemonics being less than 32 bytes long. check that here, at
@@ -2251,15 +2252,16 @@ pub(crate) fn contextualize_intel(instr: &Instruction, out: &mut
 // don't worry about checking for `instr.operands[i] != Nothing`, it would be a bug to
 // reach that while iterating only to `operand_count`..
 out.write_fixed_size(", ")?;
+ // hint that accessing `inster.operands[i]` can't panic: this is useful for
+ // `instr.operands` and the segment selector check after.
 if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
+ // Safety: Instruction::operands is a four-element array; operand_count is always
+ // low enough that 0..operand_count is a valid index.
+ unsafe { unreachable_unchecked(); }
 }
 if instr.operands[i as usize].is_memory() {
 out.write_mem_size_label(instr.mem_size)?;
- if i >= 4 {
- unsafe { core::hint::unreachable_unchecked(); }
- }
 if let Some(prefix) = instr.segment_override_for_op(i) {
 let name = prefix.name();
 out.write_char(' ')?;
-- cgit v1.1