Move to unchecked_sub as suggested by @the8472

SUPERCILEX · SUPERCILEX · commit 496e8679b7a4 · 2023-12-30T22:12:26.000-08:00
Signed-off-by: Alex Saveau &lt;saveau.alexandre@gmail.com&gt;
diff --git a/library/alloc/src/collections/vec_deque/mod.rs b/library/alloc/src/collections/vec_deque/mod.rs
@@ -756,8 +756,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
-            self.buf.reserve_exact(self.len, additional);
             unsafe {
+                self.buf.reserve_exact(self.len, additional);
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -787,8 +787,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         if new_cap > old_cap {
             // we don't need to reserve_exact(), as the size doesn't have
             // to be a power of 2.
-            self.buf.reserve(self.len, additional);
             unsafe {
+                self.buf.reserve(self.len, additional);
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -838,8 +838,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
-            self.buf.try_reserve_exact(self.len, additional)?;
             unsafe {
+                self.buf.try_reserve_exact(self.len, additional)?;
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -886,8 +886,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
-            self.buf.try_reserve(self.len, additional)?;
             unsafe {
+                self.buf.try_reserve(self.len, additional)?;
                 self.handle_capacity_increase(old_cap);
             }
         }
diff --git a/library/alloc/src/raw_vec.rs b/library/alloc/src/raw_vec.rs
@@ -276,10 +276,6 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// *O*(1) behavior. Will limit this behavior if it would needlessly cause
     /// itself to panic.
     ///
-    /// If `len` exceeds `self.capacity()`, this may fail to actually allocate
-    /// the requested space. This is not really unsafe, but the unsafe
-    /// code *you* write that relies on the behavior of this function may break.
-    ///
     /// This is ideal for implementing a bulk-push operation like `extend`.
     ///
     /// # Panics
@@ -289,9 +285,13 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// # Aborts
     ///
     /// Aborts on OOM.
+    ///
+    /// # Safety
+    ///
+    /// `len` must be less than or equal to the capacity of this [`RawVec`].
     #[cfg(not(no_global_oom_handling))]
     #[inline]
-    pub fn reserve(&mut self, len: usize, additional: usize) {
+    pub unsafe fn reserve(&mut self, len: usize, additional: usize) {
         // Callers expect this function to be very cheap when there is already sufficient capacity.
         // Therefore, we move all the resizing and error-handling logic from grow_amortized and
         // handle_reserve behind a call, while making sure that this function is likely to be
@@ -305,7 +305,7 @@ impl<T, A: Allocator> RawVec<T, A> {
             handle_reserve(slf.grow_amortized(len, additional));
         }
 
-        if self.needs_to_grow(len, additional) {
+        if unsafe { self.needs_to_grow(len, additional) } {
             do_reserve_and_handle(self, len, additional);
         }
         unsafe {
@@ -323,8 +323,16 @@ impl<T, A: Allocator> RawVec<T, A> {
     }
 
     /// The same as `reserve`, but returns on errors instead of panicking or aborting.
-    pub fn try_reserve(&mut self, len: usize, additional: usize) -> Result<(), TryReserveError> {
-        if self.needs_to_grow(len, additional) {
+    ///
+    /// # Safety
+    ///
+    /// `len` must be less than or equal to the capacity of this [`RawVec`].
+    pub unsafe fn try_reserve(
+        &mut self,
+        len: usize,
+        additional: usize,
+    ) -> Result<(), TryReserveError> {
+        if unsafe { self.needs_to_grow(len, additional) } {
             self.grow_amortized(len, additional)?;
         }
         unsafe {
@@ -340,29 +348,35 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// exactly the amount of memory necessary, but in principle the allocator
     /// is free to give back more than we asked for.
     ///
-    /// If `len` exceeds `self.capacity()`, this may fail to actually allocate
-    /// the requested space. This is not really unsafe, but the unsafe code
-    /// *you* write that relies on the behavior of this function may break.
-    ///
     /// # Panics
     ///
     /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
     ///
     /// # Aborts
     ///
     /// Aborts on OOM.
+    ///
+    /// # Safety
+    ///
+    /// `len` must be less than or equal to the capacity of this [`RawVec`].
     #[cfg(not(no_global_oom_handling))]
-    pub fn reserve_exact(&mut self, len: usize, additional: usize) {
-        handle_reserve(self.try_reserve_exact(len, additional));
+    pub unsafe fn reserve_exact(&mut self, len: usize, additional: usize) {
+        unsafe {
+            handle_reserve(self.try_reserve_exact(len, additional));
+        }
     }
 
     /// The same as `reserve_exact`, but returns on errors instead of panicking or aborting.
-    pub fn try_reserve_exact(
+    ///
+    /// # Safety
+    ///
+    /// `len` must be less than or equal to the capacity of this [`RawVec`].
+    pub unsafe fn try_reserve_exact(
         &mut self,
         len: usize,
         additional: usize,
     ) -> Result<(), TryReserveError> {
-        if self.needs_to_grow(len, additional) {
+        if unsafe { self.needs_to_grow(len, additional) } {
             self.grow_exact(len, additional)?;
         }
         unsafe {
@@ -391,8 +405,8 @@ impl<T, A: Allocator> RawVec<T, A> {
 impl<T, A: Allocator> RawVec<T, A> {
     /// Returns if the buffer needs to grow to fulfill the needed extra capacity.
     /// Mainly used to make inlining reserve-calls possible without inlining `grow`.
-    pub(crate) fn needs_to_grow(&self, len: usize, additional: usize) -> bool {
-        additional > self.capacity().wrapping_sub(len)
+    pub(crate) unsafe fn needs_to_grow(&self, len: usize, additional: usize) -> bool {
+        unsafe { additional > self.capacity().unchecked_sub(len) }
     }
 
     /// # Safety:
diff --git a/library/alloc/src/string.rs b/library/alloc/src/string.rs
@@ -1152,7 +1152,7 @@ impl String {
         self.vec.reserve(additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
         }
     }
 
@@ -1206,7 +1206,7 @@ impl String {
         self.vec.reserve_exact(additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
         }
     }
 
@@ -1246,7 +1246,7 @@ impl String {
         self.vec.try_reserve(additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
         }
         Ok(())
     }
@@ -1293,7 +1293,7 @@ impl String {
         self.vec.try_reserve_exact(additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
         }
         Ok(())
     }
diff --git a/library/alloc/src/vec/mod.rs b/library/alloc/src/vec/mod.rs
@@ -909,7 +909,10 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "rust1", since = "1.0.0")]
     #[inline]
     pub fn reserve(&mut self, additional: usize) {
-        self.buf.reserve(self.len, additional);
+        // SAFETY: len <= capacity
+        unsafe {
+            self.buf.reserve(self.len, additional);
+        }
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -944,7 +947,10 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "rust1", since = "1.0.0")]
     #[inline]
     pub fn reserve_exact(&mut self, additional: usize) {
-        self.buf.reserve_exact(self.len, additional);
+        // SAFETY: len <= capacity
+        unsafe {
+            self.buf.reserve_exact(self.len, additional);
+        }
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -986,7 +992,10 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "try_reserve", since = "1.57.0")]
     #[inline]
     pub fn try_reserve(&mut self, additional: usize) -> Result<(), TryReserveError> {
-        self.buf.try_reserve(self.len, additional)?;
+        // SAFETY: len <= capacity
+        unsafe {
+            self.buf.try_reserve(self.len, additional)?;
+        }
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -1035,7 +1044,10 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "try_reserve", since = "1.57.0")]
     #[inline]
     pub fn try_reserve_exact(&mut self, additional: usize) -> Result<(), TryReserveError> {
-        self.buf.try_reserve_exact(self.len, additional)?;
+        // SAFETY: len <= capacity
+        unsafe {
+            self.buf.try_reserve_exact(self.len, additional)?;
+        }
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
diff --git a/library/alloc/src/vec/splice.rs b/library/alloc/src/vec/splice.rs
@@ -126,7 +126,9 @@ impl<T, A: Allocator> Drain<'_, T, A> {
     unsafe fn move_tail(&mut self, additional: usize) {
         let vec = unsafe { self.vec.as_mut() };
         let len = self.tail_start + self.tail_len;
-        vec.buf.reserve(len, additional);
+        unsafe {
+            vec.buf.reserve(len, additional);
+        }
 
         let new_tail_start = self.tail_start + additional;
         unsafe {

Original file line number	Diff line number	Diff line change
`@@ -756,8 +756,8 @@ impl<T, A: Allocator> VecDeque<T, A> {`
`756`	`756`	`let old_cap = self.capacity();`
`757`	`757`
`758`	`758`	`if new_cap > old_cap {`
`759`		`- self.buf.reserve_exact(self.len, additional);`
`760`	`759`	`unsafe {`
	`760`	`+ self.buf.reserve_exact(self.len, additional);`
`761`	`761`	`self.handle_capacity_increase(old_cap);`
`762`	`762`	`}`
`763`	`763`	`}`
`@@ -787,8 +787,8 @@ impl<T, A: Allocator> VecDeque<T, A> {`
`787`	`787`	`if new_cap > old_cap {`
`788`	`788`	`// we don't need to reserve_exact(), as the size doesn't have`
`789`	`789`	`// to be a power of 2.`
`790`		`- self.buf.reserve(self.len, additional);`
`791`	`790`	`unsafe {`
	`791`	`+ self.buf.reserve(self.len, additional);`
`792`	`792`	`self.handle_capacity_increase(old_cap);`
`793`	`793`	`}`
`794`	`794`	`}`
`@@ -838,8 +838,8 @@ impl<T, A: Allocator> VecDeque<T, A> {`
`838`	`838`	`let old_cap = self.capacity();`
`839`	`839`
`840`	`840`	`if new_cap > old_cap {`
`841`		`- self.buf.try_reserve_exact(self.len, additional)?;`
`842`	`841`	`unsafe {`
	`842`	`+ self.buf.try_reserve_exact(self.len, additional)?;`
`843`	`843`	`self.handle_capacity_increase(old_cap);`
`844`	`844`	`}`
`845`	`845`	`}`
`@@ -886,8 +886,8 @@ impl<T, A: Allocator> VecDeque<T, A> {`
`886`	`886`	`let old_cap = self.capacity();`
`887`	`887`
`888`	`888`	`if new_cap > old_cap {`
`889`		`- self.buf.try_reserve(self.len, additional)?;`
`890`	`889`	`unsafe {`
	`890`	`+ self.buf.try_reserve(self.len, additional)?;`
`891`	`891`	`self.handle_capacity_increase(old_cap);`
`892`	`892`	`}`
`893`	`893`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1152,7 +1152,7 @@ impl String {`
`1152`	`1152`	`self.vec.reserve(additional);`
`1153`	`1153`	`unsafe {`
`1154`	`1154`	`// Inform the optimizer that the reservation has succeeded or wasn't needed`
`1155`		`- intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));`
	`1155`	`+ intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));`
`1156`	`1156`	`}`
`1157`	`1157`	`}`
`1158`	`1158`
`@@ -1206,7 +1206,7 @@ impl String {`
`1206`	`1206`	`self.vec.reserve_exact(additional);`
`1207`	`1207`	`unsafe {`
`1208`	`1208`	`// Inform the optimizer that the reservation has succeeded or wasn't needed`
`1209`		`- intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));`
	`1209`	`+ intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));`
`1210`	`1210`	`}`
`1211`	`1211`	`}`
`1212`	`1212`
`@@ -1246,7 +1246,7 @@ impl String {`
`1246`	`1246`	`self.vec.try_reserve(additional)?;`
`1247`	`1247`	`unsafe {`
`1248`	`1248`	`// Inform the optimizer that the reservation has succeeded or wasn't needed`
`1249`		`- intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));`
	`1249`	`+ intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));`
`1250`	`1250`	`}`
`1251`	`1251`	`Ok(())`
`1252`	`1252`	`}`
`@@ -1293,7 +1293,7 @@ impl String {`
`1293`	`1293`	`self.vec.try_reserve_exact(additional)?;`
`1294`	`1294`	`unsafe {`
`1295`	`1295`	`// Inform the optimizer that the reservation has succeeded or wasn't needed`
`1296`		`- intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));`
	`1296`	`+ intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));`
`1297`	`1297`	`}`
`1298`	`1298`	`Ok(())`
`1299`	`1299`	`}`