From 323a27967abe75da79e44132e449fb36cefd240b Mon Sep 17 00:00:00 2001 From: Matthew Jasper Date: Fri, 25 Sep 2020 19:46:06 +0100 Subject: [PATCH 1/2] Improve ::get_unchecked` safety comment --- library/alloc/src/vec.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/alloc/src/vec.rs b/library/alloc/src/vec.rs index c54b3aef95ed4..e973c3287ede0 100644 --- a/library/alloc/src/vec.rs +++ b/library/alloc/src/vec.rs @@ -2985,8 +2985,14 @@ impl Iterator for IntoIter { where Self: TrustedRandomAccess, { - // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // SAFETY: the caller must guarantee that `i` is in bounds of the + // `Vec`, so `i` cannot overflow an `isize`, and the `self.ptr.add(i)` + // is guaranteed to pointer to an element of the `Vec` and + // thus guaranteed to be valid to dereference. + // + // Also note the implementation of `Self: TrustedRandomAccess` requires + // that `T: Copy` so reading elements from the buffer doesn't invalidate + // them for `Drop`. unsafe { if mem::size_of::() == 0 { mem::zeroed() } else { ptr::read(self.ptr.add(i)) } } From 04a0b1d0879f7872b09cd8058a15479589ccd352 Mon Sep 17 00:00:00 2001 From: Matthew Jasper Date: Fri, 25 Sep 2020 19:48:24 +0100 Subject: [PATCH 2/2] Rename Iterator::get_unchecked It's possible for method resolution to pick this method over a lower priority stable method, causing compilation errors. Since this method is permanently unstable, give it a name that is very unlikely to be used in user code. --- library/alloc/src/vec.rs | 2 +- library/core/src/iter/adapters/fuse.rs | 5 ++- library/core/src/iter/adapters/mod.rs | 16 ++++---- library/core/src/iter/adapters/zip.rs | 42 +++++++++++---------- library/core/src/iter/traits/iterator.rs | 4 +- library/core/src/slice/iter.rs | 47 ++++++++++++------------ library/core/src/slice/iter/macros.rs | 2 +- library/core/src/str/mod.rs | 6 +-- 8 files changed, 66 insertions(+), 58 deletions(-) diff --git a/library/alloc/src/vec.rs b/library/alloc/src/vec.rs index e973c3287ede0..6e001b0d60a31 100644 --- a/library/alloc/src/vec.rs +++ b/library/alloc/src/vec.rs @@ -2981,7 +2981,7 @@ impl Iterator for IntoIter { self.len() } - unsafe fn get_unchecked(&mut self, i: usize) -> Self::Item + unsafe fn __iterator_get_unchecked(&mut self, i: usize) -> Self::Item where Self: TrustedRandomAccess, { diff --git a/library/core/src/iter/adapters/fuse.rs b/library/core/src/iter/adapters/fuse.rs index c5b3bd5cf11f2..a78da369c241b 100644 --- a/library/core/src/iter/adapters/fuse.rs +++ b/library/core/src/iter/adapters/fuse.rs @@ -115,12 +115,13 @@ where } #[inline] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item where Self: TrustedRandomAccess, { match self.iter { - // SAFETY: the caller must uphold the contract for `Iterator::get_unchecked`. + // SAFETY: the caller must uphold the contract for + // `Iterator::__iterator_get_unchecked`. Some(ref mut iter) => unsafe { try_get_unchecked(iter, idx) }, // SAFETY: the caller asserts there is an item at `i`, so we're not exhausted. None => unsafe { intrinsics::unreachable() }, diff --git a/library/core/src/iter/adapters/mod.rs b/library/core/src/iter/adapters/mod.rs index ab27fe15a8e2c..422e449b176b7 100644 --- a/library/core/src/iter/adapters/mod.rs +++ b/library/core/src/iter/adapters/mod.rs @@ -285,12 +285,12 @@ where self.it.count() } - unsafe fn get_unchecked(&mut self, idx: usize) -> T + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> T where Self: TrustedRandomAccess, { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // `Iterator::__iterator_get_unchecked`. *unsafe { try_get_unchecked(&mut self.it, idx) } } } @@ -420,12 +420,12 @@ where self.it.map(T::clone).fold(init, f) } - unsafe fn get_unchecked(&mut self, idx: usize) -> T + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> T where Self: TrustedRandomAccess, { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // `Iterator::__iterator_get_unchecked`. unsafe { try_get_unchecked(&mut self.it, idx).clone() } } } @@ -935,12 +935,12 @@ where self.iter.fold(init, map_fold(self.f, g)) } - unsafe fn get_unchecked(&mut self, idx: usize) -> B + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> B where Self: TrustedRandomAccess, { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // `Iterator::__iterator_get_unchecked`. unsafe { (self.f)(try_get_unchecked(&mut self.iter, idx)) } } } @@ -1431,12 +1431,12 @@ where self.iter.fold(init, enumerate(self.count, fold)) } - unsafe fn get_unchecked(&mut self, idx: usize) -> ::Item + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> ::Item where Self: TrustedRandomAccess, { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // `Iterator::__iterator_get_unchecked`. let value = unsafe { try_get_unchecked(&mut self.iter, idx) }; (Add::add(self.count, idx), value) } diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs index a854f70dcd0ba..78712988eaea7 100644 --- a/library/core/src/iter/adapters/zip.rs +++ b/library/core/src/iter/adapters/zip.rs @@ -59,12 +59,12 @@ where } #[inline] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item where Self: TrustedRandomAccess, { - // SAFETY: `ZipImpl::get_unchecked` has same safety requirements as - // `Iterator::get_unchecked`. + // SAFETY: `ZipImpl::__iterator_get_unchecked` has same safety + // requirements as `Iterator::__iterator_get_unchecked`. unsafe { ZipImpl::get_unchecked(self, idx) } } } @@ -93,7 +93,7 @@ trait ZipImpl { where A: DoubleEndedIterator + ExactSizeIterator, B: DoubleEndedIterator + ExactSizeIterator; - // This has the same safety requirements as `Iterator::get_unchecked` + // This has the same safety requirements as `Iterator::__iterator_get_unchecked` unsafe fn get_unchecked(&mut self, idx: usize) -> ::Item where Self: Iterator + TrustedRandomAccess; @@ -197,12 +197,14 @@ where let i = self.index; self.index += 1; // SAFETY: `i` is smaller than `self.len`, thus smaller than `self.a.len()` and `self.b.len()` - unsafe { Some((self.a.get_unchecked(i), self.b.get_unchecked(i))) } + unsafe { + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } } else if A::may_have_side_effect() && self.index < self.a.size() { // match the base implementation's potential side effects // SAFETY: we just checked that `self.index` < `self.a.len()` unsafe { - self.a.get_unchecked(self.index); + self.a.__iterator_get_unchecked(self.index); } self.index += 1; None @@ -229,13 +231,13 @@ where // ensures that `end` is smaller than or equal to `self.len`, // so `i` is also smaller than `self.len`. unsafe { - self.a.get_unchecked(i); + self.a.__iterator_get_unchecked(i); } } if B::may_have_side_effect() { // SAFETY: same as above. unsafe { - self.b.get_unchecked(i); + self.b.__iterator_get_unchecked(i); } } } @@ -277,7 +279,9 @@ where let i = self.len; // SAFETY: `i` is smaller than the previous value of `self.len`, // which is also smaller than or equal to `self.a.len()` and `self.b.len()` - unsafe { Some((self.a.get_unchecked(i), self.b.get_unchecked(i))) } + unsafe { + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } } else { None } @@ -286,8 +290,8 @@ where #[inline] unsafe fn get_unchecked(&mut self, idx: usize) -> ::Item { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. - unsafe { (self.a.get_unchecked(idx), self.b.get_unchecked(idx)) } + // `Iterator::__iterator_get_unchecked`. + unsafe { (self.a.__iterator_get_unchecked(idx), self.b.__iterator_get_unchecked(idx)) } } } @@ -386,8 +390,8 @@ impl ZipFmt::get_unchecked` must be safe to call provided the -/// following conditions are met. +/// `::__iterator_get_unchecked` must be safe to call +/// provided the following conditions are met. /// /// 1. `0 <= idx` and `idx < self.size()`. /// 2. If `self: !Clone`, then `get_unchecked` is never called with the same @@ -399,7 +403,7 @@ impl ZipFmt bool; } -/// Like `Iterator::get_unchecked`, but doesn't require the compiler to +/// Like `Iterator::__iterator_get_unchecked`, but doesn't require the compiler to /// know that `U: TrustedRandomAccess`. /// /// ## Safety @@ -436,13 +440,13 @@ where I: Iterator, { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. + // `Iterator::__iterator_get_unchecked`. unsafe { it.try_get_unchecked(idx) } } unsafe trait SpecTrustedRandomAccess: Iterator { /// If `Self: TrustedRandomAccess`, it must be safe to call a - /// `Iterator::get_unchecked(self, index)`. + /// `Iterator::__iterator_get_unchecked(self, index)`. unsafe fn try_get_unchecked(&mut self, index: usize) -> Self::Item; } @@ -455,7 +459,7 @@ unsafe impl SpecTrustedRandomAccess for I { unsafe impl SpecTrustedRandomAccess for I { unsafe fn try_get_unchecked(&mut self, index: usize) -> Self::Item { // SAFETY: the caller must uphold the contract for - // `Iterator::get_unchecked`. - unsafe { self.get_unchecked(index) } + // `Iterator::__iterator_get_unchecked`. + unsafe { self.__iterator_get_unchecked(index) } } } diff --git a/library/core/src/iter/traits/iterator.rs b/library/core/src/iter/traits/iterator.rs index f70e92f0ffafe..a75f1d56fb7e6 100644 --- a/library/core/src/iter/traits/iterator.rs +++ b/library/core/src/iter/traits/iterator.rs @@ -3241,10 +3241,12 @@ pub trait Iterator { } /// See [TrustedRandomAccess] + // The unusual name is to avoid name collisions in method resolution + // see #76479. #[inline] #[doc(hidden)] #[unstable(feature = "trusted_random_access", issue = "none")] - unsafe fn get_unchecked(&mut self, _idx: usize) -> Self::Item + unsafe fn __iterator_get_unchecked(&mut self, _idx: usize) -> Self::Item where Self: TrustedRandomAccess, { diff --git a/library/core/src/slice/iter.rs b/library/core/src/slice/iter.rs index 546edef7f5753..76b8aa7d82162 100644 --- a/library/core/src/slice/iter.rs +++ b/library/core/src/slice/iter.rs @@ -1178,7 +1178,7 @@ impl<'a, T> Iterator for Windows<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { // SAFETY: since the caller guarantees that `i` is in bounds, // which means that `i` cannot overflow an `isize`, and the // slice created by `from_raw_parts` is a subslice of `self.v` @@ -1324,7 +1324,7 @@ impl<'a, T> Iterator for Chunks<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let start = idx * self.chunk_size; let end = match start.checked_add(self.chunk_size) { None => self.v.len(), @@ -1480,13 +1480,13 @@ impl<'a, T> Iterator for ChunksMut<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let start = idx * self.chunk_size; let end = match start.checked_add(self.chunk_size) { None => self.v.len(), Some(end) => cmp::min(end, self.v.len()), }; - // SAFETY: see comments for `Chunks::get_unchecked`. + // SAFETY: see comments for `Chunks::__iterator_get_unchecked`. // // Also note that the caller also guarantees that we're never called // with the same index again, and that no other methods that will @@ -1642,9 +1642,9 @@ impl<'a, T> Iterator for ChunksExact<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let start = idx * self.chunk_size; - // SAFETY: mostly identical to `Chunks::get_unchecked`. + // SAFETY: mostly identical to `Chunks::__iterator_get_unchecked`. unsafe { from_raw_parts(self.v.as_ptr().add(start), self.chunk_size) } } } @@ -1785,9 +1785,9 @@ impl<'a, T> Iterator for ChunksExactMut<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let start = idx * self.chunk_size; - // SAFETY: see comments for `ChunksMut::get_unchecked`. + // SAFETY: see comments for `ChunksMut::__iterator_get_unchecked`. unsafe { from_raw_parts_mut(self.v.as_mut_ptr().add(start), self.chunk_size) } } } @@ -2030,10 +2030,10 @@ impl<'a, T, const N: usize> Iterator for ArrayChunks<'a, T, N> { self.iter.last() } - unsafe fn get_unchecked(&mut self, i: usize) -> &'a [T; N] { - // SAFETY: The safety guarantees of `get_unchecked` are transferred to - // the caller. - unsafe { self.iter.get_unchecked(i) } + unsafe fn __iterator_get_unchecked(&mut self, i: usize) -> &'a [T; N] { + // SAFETY: The safety guarantees of `__iterator_get_unchecked` are + // transferred to the caller. + unsafe { self.iter.__iterator_get_unchecked(i) } } } @@ -2141,10 +2141,10 @@ impl<'a, T, const N: usize> Iterator for ArrayChunksMut<'a, T, N> { self.iter.last() } - unsafe fn get_unchecked(&mut self, i: usize) -> &'a mut [T; N] { - // SAFETY: The safety guarantees of `get_unchecked` are transferred to + unsafe fn __iterator_get_unchecked(&mut self, i: usize) -> &'a mut [T; N] { + // SAFETY: The safety guarantees of `__iterator_get_unchecked` are transferred to // the caller. - unsafe { self.iter.get_unchecked(i) } + unsafe { self.iter.__iterator_get_unchecked(i) } } } @@ -2278,13 +2278,13 @@ impl<'a, T> Iterator for RChunks<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let end = self.v.len() - idx * self.chunk_size; let start = match end.checked_sub(self.chunk_size) { None => 0, Some(start) => start, }; - // SAFETY: mostly identical to `Chunks::get_unchecked`. + // SAFETY: mostly identical to `Chunks::__iterator_get_unchecked`. unsafe { from_raw_parts(self.v.as_ptr().add(start), end - start) } } } @@ -2431,13 +2431,14 @@ impl<'a, T> Iterator for RChunksMut<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let end = self.v.len() - idx * self.chunk_size; let start = match end.checked_sub(self.chunk_size) { None => 0, Some(start) => start, }; - // SAFETY: see comments for `RChunks::get_unchecked` and `ChunksMut::get_unchecked` + // SAFETY: see comments for `RChunks::__iterator_get_unchecked` and + // `ChunksMut::__iterator_get_unchecked` unsafe { from_raw_parts_mut(self.v.as_mut_ptr().add(start), end - start) } } } @@ -2585,11 +2586,11 @@ impl<'a, T> Iterator for RChunksExact<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let end = self.v.len() - idx * self.chunk_size; let start = end - self.chunk_size; // SAFETY: - // SAFETY: mostmy identical to `Chunks::get_unchecked`. + // SAFETY: mostmy identical to `Chunks::__iterator_get_unchecked`. unsafe { from_raw_parts(self.v.as_ptr().add(start), self.chunk_size) } } } @@ -2734,10 +2735,10 @@ impl<'a, T> Iterator for RChunksExactMut<'a, T> { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { let end = self.v.len() - idx * self.chunk_size; let start = end - self.chunk_size; - // SAFETY: see comments for `RChunksMut::get_unchecked`. + // SAFETY: see comments for `RChunksMut::__iterator_get_unchecked`. unsafe { from_raw_parts_mut(self.v.as_mut_ptr().add(start), self.chunk_size) } } } diff --git a/library/core/src/slice/iter/macros.rs b/library/core/src/slice/iter/macros.rs index 9fcc7a71af8ad..457b2a3605e8b 100644 --- a/library/core/src/slice/iter/macros.rs +++ b/library/core/src/slice/iter/macros.rs @@ -318,7 +318,7 @@ macro_rules! iterator { } #[doc(hidden)] - unsafe fn get_unchecked(&mut self, idx: usize) -> Self::Item { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> Self::Item { // SAFETY: the caller must guarantee that `i` is in bounds of // the underlying slice, so `i` cannot overflow an `isize`, and // the returned references is guaranteed to refer to an element diff --git a/library/core/src/str/mod.rs b/library/core/src/str/mod.rs index 6dc14f9125fef..e4a6b7e142a51 100644 --- a/library/core/src/str/mod.rs +++ b/library/core/src/str/mod.rs @@ -813,10 +813,10 @@ impl Iterator for Bytes<'_> { } #[inline] - unsafe fn get_unchecked(&mut self, idx: usize) -> u8 { + unsafe fn __iterator_get_unchecked(&mut self, idx: usize) -> u8 { // SAFETY: the caller must uphold the safety contract - // for `Iterator::get_unchecked`. - unsafe { self.0.get_unchecked(idx) } + // for `Iterator::__iterator_get_unchecked`. + unsafe { self.0.__iterator_get_unchecked(idx) } } }