Update safety comments

Author: febo

program/src/processor/amount_to_ui_amount.rs

@@ -23,16 +23,18 @@ pub fn process_amount_to_ui_amount(
 
     let mint_info = accounts.first().ok_or(ProgramError::NotEnoughAccountKeys)?;
     check_account_owner(mint_info)?;
-    // SAFETY: there is a single immutable borrow of the `Mint` account data.
+    // SAFETY: there is a single immutable borrow of the `Mint` account data. The `load`
+    // validates that the mint is initialized.
     let mint = unsafe {
         load::<Mint>(mint_info.borrow_data_unchecked()).map_err(|_| TokenError::InvalidMint)?
     };
 
     let mut logger = Logger::<MAX_FORMATTED_DIGITS>::default();
     logger.append_with_args(amount, &[Argument::Precision(mint.decimals)]);
+
     // "Extract" the formatted string from the logger.
     //
-    // SAFETY: the logger is guaranteed to be a valid UTF-8 string.
+    // SAFETY: the logger is guaranteed to have a valid UTF-8 string.
     let mut s = unsafe { from_utf8_unchecked(&logger) };
 
     if mint.decimals > 0 && s.contains('.') {

program/src/processor/close_account.rs

@@ -26,9 +26,9 @@ pub fn process_close_account(accounts: &[AccountInfo]) -> ProgramResult {
         return Err(ProgramError::InvalidAccountData);
     }
 
-    // SAFETY: scoped immutable borrow of the source account data. Changes to the
-    // account info data happens after the borrow ends.
     {
+        // SAFETY: scoped immutable borrow of the `source_account_info` account data. The `load`
+        // validates that the mint is initialized.
         let source_account =
             unsafe { load::<Account>(source_account_info.borrow_data_unchecked())? };
 
@@ -48,10 +48,12 @@ pub fn process_close_account(accounts: &[AccountInfo]) -> ProgramResult {
     }
 
     let destination_starting_lamports = destination_account_info.lamports();
-    // SAFETY: there are no other borrows of the source and destination accounts
-    // at this point.
+
+    // Moves the lamports to the destination account.
+
+    // SAFETY: single mutable borrow of `destination_account_info` lamports and
+    // there are no "active" borrows of `source_account_info` account data.
     unsafe {
-        // Moves the lamports to the destination account.
         *destination_account_info.borrow_mut_lamports_unchecked() = destination_starting_lamports
             .checked_add(source_account_info.lamports())
             .ok_or(TokenError::Overflow)?;

program/src/processor/get_account_data_size.rs

@@ -16,9 +16,8 @@ pub fn process_get_account_data_size(accounts: &[AccountInfo]) -> ProgramResult
 
     // Make sure the mint is valid.
     check_account_owner(mint_info)?;
-    // SAFETY: there is a single immutable borrow of the `Mint` account data.
-    //
-    // The `Mint` account is loaded to check if it is initialized.
+    // SAFETY: single immutable borrow of the `Mint` account data. The `load`
+    // validates that the mint is initialized.
     let _ = unsafe {
         load::<Mint>(mint_info.borrow_data_unchecked()).map_err(|_| TokenError::InvalidMint)?
     };

program/src/processor/initialize_account2.rs

@@ -1,4 +1,9 @@
-use pinocchio::{account_info::AccountInfo, pubkey::Pubkey, ProgramResult};
+use pinocchio::{
+    account_info::AccountInfo,
+    program_error::ProgramError,
+    pubkey::{Pubkey, PUBKEY_BYTES},
+    ProgramResult,
+};
 
 use super::shared;
 
@@ -7,6 +12,13 @@ pub fn process_initialize_account2(
     accounts: &[AccountInfo],
     instruction_data: &[u8],
 ) -> ProgramResult {
-    let owner = unsafe { &*(instruction_data.as_ptr() as *const Pubkey) };
+    // SAFETY: validate `instruction_data` length.
+    let owner = unsafe {
+        if instruction_data.len() != PUBKEY_BYTES {
+            return Err(ProgramError::InvalidInstructionData);
+        } else {
+            &*(instruction_data.as_ptr() as *const Pubkey)
+        }
+    };
     shared::initialize_account::process_initialize_account(accounts, Some(owner), true)
 }

program/src/processor/initialize_account3.rs

@@ -1,4 +1,9 @@
-use pinocchio::{account_info::AccountInfo, pubkey::Pubkey, ProgramResult};
+use pinocchio::{
+    account_info::AccountInfo,
+    program_error::ProgramError,
+    pubkey::{Pubkey, PUBKEY_BYTES},
+    ProgramResult,
+};
 
 use super::shared;
 
@@ -7,6 +12,13 @@ pub fn process_initialize_account3(
     accounts: &[AccountInfo],
     instruction_data: &[u8],
 ) -> ProgramResult {
-    let owner = unsafe { &*(instruction_data.as_ptr() as *const Pubkey) };
+    // SAFETY: validate `instruction_data` length.
+    let owner = unsafe {
+        if instruction_data.len() != PUBKEY_BYTES {
+            return Err(ProgramError::InvalidInstructionData);
+        } else {
+            &*(instruction_data.as_ptr() as *const Pubkey)
+        }
+    };
     shared::initialize_account::process_initialize_account(accounts, Some(owner), false)
 }

program/src/processor/initialize_immutable_owner.rs

@@ -7,7 +7,7 @@ use token_interface::{
 #[inline(always)]
 pub fn process_initialize_immutable_owner(accounts: &[AccountInfo]) -> ProgramResult {
     let token_account_info = accounts.first().ok_or(ProgramError::NotEnoughAccountKeys)?;
-    // SAFETY: there is a single immutable borrow of the `Account` account data.
+    // SAFETY: single immutable borrow of the `Account` account data.
     let account = unsafe { load_unchecked::<Account>(token_account_info.borrow_data_unchecked())? };
 
     if account.is_initialized() {

program/src/processor/mod.rs

@@ -93,6 +93,9 @@ fn check_account_owner(account_info: &AccountInfo) -> ProgramResult {
 }
 
 /// Validates owner(s) are present
+///
+/// Note that `owner_account_info` will be immutable borrowed when it represents
+/// a multisig account.
 #[inline(always)]
 fn validate_owner(
     expected_owner: &Pubkey,
@@ -107,8 +110,7 @@ fn validate_owner(
         && owner_account_info.owner() == &TOKEN_PROGRAM_ID
     {
         // SAFETY: the caller guarantees that there are no mutable borrows of `owner_account_info`
-        // account data, so it is ok to have multiple immutable borrows (this would normally only
-        // happen if the account/mint is the same as the owner).
+        // account data. The `load` validates that the account is initialized and data length.
         let multisig = unsafe { load::<Multisig>(owner_account_info.borrow_data_unchecked())? };
 
         let mut num_signers = 0;

program/src/processor/revoke.rs

@@ -1,7 +1,7 @@
 use pinocchio::{account_info::AccountInfo, program_error::ProgramError, ProgramResult};
 use token_interface::{
     error::TokenError,
-    state::{account::Account, load_mut},
+    state::{account::Account, load, load_mut_unchecked},
 };
 
 use super::validate_owner;
@@ -11,17 +11,24 @@ pub fn process_revoke(accounts: &[AccountInfo], _instruction_data: &[u8]) -> Pro
     let [source_account_info, owner_info, remaning @ ..] = accounts else {
         return Err(ProgramError::NotEnoughAccountKeys);
     };
-    // SAFETY: there are no other borrows of the `source_account` data.
-    let source_account =
-        unsafe { load_mut::<Account>(source_account_info.borrow_mut_data_unchecked())? };
 
-    if source_account.is_frozen() {
-        return Err(TokenError::AccountFrozen.into());
-    }
+    {
+        // SAFETY: scoped immutable borrow of the `source_account` account data. The `load`
+        // validates that the source account is initialized.
+        let source_account =
+            unsafe { load::<Account>(source_account_info.borrow_data_unchecked())? };
 
-    // TODO: can source == owner?
-    validate_owner(&source_account.owner, owner_info, remaning)?;
+        if source_account.is_frozen() {
+            return Err(TokenError::AccountFrozen.into());
+        }
 
+        validate_owner(&source_account.owner, owner_info, remaning)?;
+    }
+
+    // SAFETY: single mutable borrow of the `source_account_info` account data. The
+    // `source_account_info` is guaranteed to be initialized.
+    let source_account =
+        unsafe { load_mut_unchecked::<Account>(source_account_info.borrow_mut_data_unchecked())? };
     source_account.clear_delegate();
     source_account.set_delegated_amount(0);
 

program/src/processor/set_authority.rs

@@ -6,7 +6,7 @@ use pinocchio::{
 use token_interface::{
     error::TokenError,
     instruction::AuthorityType,
-    state::{account::Account, load_mut, mint::Mint, RawType},
+    state::{account::Account, load, load_mut_unchecked, mint::Mint, RawType},
 };
 
 use super::validate_owner;
@@ -27,18 +27,24 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
     };
 
     if account_info.data_len() == Account::LEN {
-        // SAFETY: there are no other active borrows of the `account` data.
-        let account = unsafe { load_mut::<Account>(account_info.borrow_mut_data_unchecked())? };
+        // SAFETY: immutable borrow of `account_info` account data. The `load`
+        // validates that the account is initialized.
+        let account = unsafe { load::<Account>(account_info.borrow_data_unchecked())? };
 
         if account.is_frozen() {
             return Err(TokenError::AccountFrozen.into());
         }
 
         match authority_type {
             AuthorityType::AccountOwner => {
-                // TODO: Can account and authority be the same?
                 validate_owner(&account.owner, authority_info, remaning)?;
 
+                // SAFETY: single mutable borrow of `account_info` account data. The
+                // `account_info` is guaranteed to the initialized.
+                let account = unsafe {
+                    load_mut_unchecked::<Account>(account_info.borrow_mut_data_unchecked())?
+                };
+
                 if let Some(authority) = new_authority {
                     account.owner = *authority;
                 } else {
@@ -54,9 +60,15 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
             }
             AuthorityType::CloseAccount => {
                 let authority = account.close_authority().unwrap_or(&account.owner);
-                // TODO: Can account and authority be the same?
+
                 validate_owner(authority, authority_info, remaning)?;
 
+                // SAFETY: single mutable borrow of `account_info` account data. The
+                // `account_info` is guaranteed to the initialized.
+                let account = unsafe {
+                    load_mut_unchecked::<Account>(account_info.borrow_mut_data_unchecked())?
+                };
+
                 if let Some(authority) = new_authority {
                     account.set_close_authority(authority);
                 } else {
@@ -68,17 +80,24 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
             }
         }
     } else if account_info.data_len() == Mint::LEN {
-        // SAFETY: there are no other active borrows of the `account` data.
-        let mint = unsafe { load_mut::<Mint>(account_info.borrow_mut_data_unchecked())? };
+        // SAFETY: immutable borrow of `account_info` account data. The `load`
+        // validates that the mint is initialized.
+        let mint = unsafe { load::<Mint>(account_info.borrow_mut_data_unchecked())? };
 
         match authority_type {
             AuthorityType::MintTokens => {
                 // Once a mint's supply is fixed, it cannot be undone by setting a new
                 // mint_authority.
                 let mint_authority = mint.mint_authority().ok_or(TokenError::FixedSupply)?;
-                // TODO: Can account and authority be the same?
+
                 validate_owner(mint_authority, authority_info, remaning)?;
 
+                // SAFETY: single mutable borrow of `account_info` account data. The
+                // `account_info` is guaranteed to the initialized.
+                let mint = unsafe {
+                    load_mut_unchecked::<Mint>(account_info.borrow_mut_data_unchecked())?
+                };
+
                 if let Some(authority) = new_authority {
                     mint.set_mint_authority(authority);
                 } else {
@@ -91,9 +110,15 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
                 let freeze_authority = mint
                     .freeze_authority()
                     .ok_or(TokenError::MintCannotFreeze)?;
-                // TODO: Can account and authority be the same?
+
                 validate_owner(freeze_authority, authority_info, remaning)?;
 
+                // SAFETY: single mutable borrow of `account_info` account data. The
+                // `account_info` is guaranteed to the initialized.
+                let mint = unsafe {
+                    load_mut_unchecked::<Mint>(account_info.borrow_mut_data_unchecked())?
+                };
+
                 if let Some(authority) = new_authority {
                     mint.set_freeze_authority(authority);
                 } else {
@@ -123,7 +148,7 @@ impl SetAuthority<'_> {
         // The minimum expected size of the instruction data.
         // - authority_type (1 byte)
         // - option + new_authority (1 byte + 32 bytes)
-        if bytes.len() < 2 {
+        if bytes.len() < 2 || (bytes[1] == 1 && bytes.len() < 34) {
             return Err(ProgramError::InvalidInstructionData);
         }
 
@@ -135,11 +160,13 @@ impl SetAuthority<'_> {
 
     #[inline(always)]
     pub fn authority_type(&self) -> Result<AuthorityType, ProgramError> {
+        // SAFETY: `bytes` length is validated in `try_from_bytes`.
         unsafe { AuthorityType::from(*self.raw) }
     }
 
     #[inline(always)]
     pub fn new_authority(&self) -> Option<&Pubkey> {
+        // SAFETY: `bytes` length is validated in `try_from_bytes`.
         unsafe {
             if *self.raw.add(1) == 0 {
                 Option::None

program/src/processor/shared/approve.rs

@@ -1,7 +1,7 @@
 use pinocchio::{account_info::AccountInfo, program_error::ProgramError, ProgramResult};
 use token_interface::{
     error::TokenError,
-    state::{account::Account, load, load_mut, mint::Mint},
+    state::{account::Account, load, load_mut_unchecked, mint::Mint},
 };
 
 use crate::processor::validate_owner;
@@ -45,9 +45,8 @@ pub fn process_approve(
 
     // Validates source account.
     {
-        // SAFETY: scoped immutable borrow of `source_account_info` account data. When
-        // `owner_info` is the same as `source_account_info`, there will be another immutable
-        // borrow in `validate_owner` – this is safe because both borrows are immutable.
+        // SAFETY: scoped immutable borrow of `source_account_info` account data. The `load`
+        // validates that the account is initialized.
         let source_account =
             unsafe { load::<Account>(source_account_info.borrow_data_unchecked())? };
 
@@ -60,6 +59,8 @@ pub fn process_approve(
                 return Err(TokenError::MintMismatch.into());
             }
 
+            // SAFETY: scoped immutable borrow of `mint_info` account data. The `load`
+            // validates that the account is initialized.
             let mint = unsafe { load::<Mint>(mint_info.borrow_data_unchecked())? };
 
             if expected_decimals != mint.decimals {
@@ -72,10 +73,10 @@ pub fn process_approve(
 
     // Sets the delegate and delegated amount.
 
-    // SAFETY: any immutable borrow of `source_account_info` account data is dropped at
-    // this point, so it is safe to borrow mutably.
+    // SAFETY: there is a single mutable borrow to `source_account_info` account data.
+    // The account is also guaranteed to be initialized.
     let source_account =
-        unsafe { load_mut::<Account>(source_account_info.borrow_mut_data_unchecked())? };
+        unsafe { load_mut_unchecked::<Account>(source_account_info.borrow_mut_data_unchecked())? };
     source_account.set_delegate(delegate_info.key());
     source_account.set_delegated_amount(amount);