Fix remaining safety comments, turn on warning

os/src/exec.rs

@@ -499,6 +499,9 @@ pub unsafe fn run_tasks_with_preemption_and_idle(
         //    be wrong.
         let futures_ptr: *mut [Pin<*mut dyn Future<Output = Infallible>>] = futures_ptr as _;
         // Stash the task future array in a known location.
+        //
+        // Safety: this is written by code but never read back, so the fact that
+        // it's a static mut has no effect on code other than the warning.
         unsafe {
             TASK_FUTURES = Some(futures_ptr);
         }

os/src/lib.rs

@@ -142,6 +142,7 @@
     unsafe_op_in_unsafe_fn,
     unused_qualifications,
 )]
+#![warn(clippy::undocumented_unsafe_blocks)]
 
 /// Internal assert macro that doesn't stringify its expression or generate any
 /// fancy messages. This means failures must be diagnosed by file:line only, so,

os/src/mutex.rs

@@ -249,8 +249,18 @@ impl<T> Mutex<T> {
         }
     }
 
+    /// Grabs a reference to the contents of the mutex.
+    ///
+    /// Used internally by Deref.
+    ///
+    /// # Safety
+    ///
+    /// For this to be sound, you must ensure that there are no aliasing `&mut`
+    /// references to the contents.
     unsafe fn contents(&self) -> &T {
         let ptr = self.value.get();
+        // Safety: as long as our contract is upheld, this won't produce a
+        // reference aliasing a `&mut` so we should be fine.
         unsafe { &*ptr }
     }
 }

os/src/spsc.rs

@@ -64,8 +64,8 @@ pub struct Queue<'s, T> {
     pushed: Notify,
 }
 
-/// This type is easily sharable across threads, because there are no useful
-/// operations that can be performed using only a shared reference.
+/// Safety: This type is easily sharable across threads, because there are no
+/// useful operations that can be performed using only a shared reference.
 unsafe impl<T> Sync for Queue<'_, T> where T: Send {}
 
 impl<'s, T> Queue<'s, T> {