This document summarizes and explains the remaining -Wunsafe-buffer-usage and -Wunsafe-buffer-usage-in-container suppressions in the Tint codebase.
tint::Copy

The tint::Copy utility in src/tint/utils/memory/copy.h encapsulates memcpy calls.
memcpy is intrinsically unsafe but necessary for performance-critical byte copying. By using tint::Copy, we localize the suppressions to a single file and provide a safer API that accepts std::span.

src/tint/utils/memory/copy.h

std::span Constructors

Clang's -Wunsafe-buffer-usage-in-container warning is triggered by std::span(ptr, size).
std::string_view::data()) or when reinterpreting byte buffers (e.g., std::span<std::byte> to std::span<uint8_t>). We prefer this over raw pointer arithmetic as it still provides a bounds-checked view for subsequent operations.

src/tint/utils/bytes/buffer_reader.h
src/tint/utils/text/unicode.cc

In some performance-critical code (like UTF-8 decoding), we use UNSAFE_BUFFER_USAGE_IN_CONTAINER to allow standard indexing after manual bounds checks.
span::at() or other methods might be safer, standard indexing [] is preferred in certain Tint utilities for consistency and to avoid the overhead of redundant checks where we have already validated the size.

src/tint/utils/text/unicode.cc
src/tint/utils/containers/vector.h

Code that interfaces with C-style external APIs (like std::from_chars or terminal IO) requires raw pointers.
std::from_chars requires a pointer to one-past-the-end of the buffer. This pattern is inherently flagged but necessary to use the standard library feature.

src/tint/lang/wgsl/reader/parser/lexer.cc (for line_end())
src/tint/utils/system/terminal_posix.cc

Some foundational Tint containers (Vector, HashMap, BlockAllocator) still contain suppressions.
src/tint/utils/containers/vector.h
src/tint/utils/containers/hashmap_base.h
src/tint/utils/memory/block_allocator.h
src/tint/utils/memory/bump_allocator.h
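
The std::from_chars pattern described above, as an added example that is not Tint's own code: the one-past-the-end pointer is computed in exactly one place, from the view's size, and callers only ever see std::string_view. The name ParseU32 is hypothetical, and the `#pragma clang unsafe_buffer_usage` region is an assumption about how the suppression is expressed, not the macro Tint uses.

```cpp
#include <charconv>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string_view>
#include <system_error>

// Hypothetical helper (not a Tint API): parses the whole view as a base-10
// uint32_t. Returns nullopt on empty input, non-digits, overflow, or
// trailing bytes, so callers never handle raw pointers or partial parses.
std::optional<uint32_t> ParseU32(std::string_view text) {
    if (text.empty()) {
        return std::nullopt;
    }
    uint32_t value = 0;
#if defined(__clang__)
#pragma clang unsafe_buffer_usage begin
#endif
    // The only pointer arithmetic in the function. The end pointer comes
    // from size(), never from a NUL terminator, so sub-views stay in bounds.
    const char* first = text.data();
    const char* last = first + text.size();
    const std::from_chars_result result = std::from_chars(first, last, value, 10);
#if defined(__clang__)
#pragma clang unsafe_buffer_usage end
#endif
    // ec covers invalid input and out-of-range values; the ptr comparison
    // rejects input where digits are followed by anything else.
    if (result.ec != std::errc{} || result.ptr != last) {
        return std::nullopt;
    }
    return value;
}

int main() {
    // Constructed sample inputs.
    const std::string_view buffer = "123456";
    const std::string_view samples[] = {"42", "4294967296", "12abc",
                                        buffer.substr(0, 3)};
    for (std::string_view s : samples) {
        const std::optional<uint32_t> v = ParseU32(s);
        std::printf("%.*s -> %s\n", static_cast<int>(s.size()), s.data(),
                    v ? std::to_string(*v).c_str() : "rejected");
    }
    return 0;
}
```
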