compiler hint the implied assertions in fmt::Display of integers

pascaldekloe · pascaldekloe · commit 8d5614a5057f · 2025-01-13T19:04:19.000+01:00
diff --git a/library/core/src/fmt/num.rs b/library/core/src/fmt/num.rs
@@ -234,70 +234,76 @@ macro_rules! impl_Display {
         #[cfg(not(feature = "optimize_for_size"))]
         impl $unsigned {
             fn _fmt(self, is_nonnegative: bool, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-                // Buffer decimals for $unsigned type with fixed positions. Thus
-                // the least significant digit is located at the last buf byte.
                 const MAX_DEC_N: usize = $unsigned::MAX.ilog(10) as usize + 1;
+                // Buffer decimals for $unsigned with right alignment.
                 let mut buf = [MaybeUninit::<u8>::uninit(); MAX_DEC_N];
-                // Leading zero count & write index in buf.
+                // Count the number of bytes in buf that are not initialized.
                 let mut offset = buf.len();
-                // Consume decimals from working copy until none left.
+                // Consume the least-significant decimals from a working copy.
                 let mut remain = self;
 
                 // Format per four digits from the lookup table.
                 // Four digits need a 16-bit $unsigned or wider.
                 #[allow(overflowing_literals)]
                 #[allow(unused_comparisons)]
-                while offset >= 4 && remain > 999 {
-                    // SAFETY: Offset from the initial buf.len() gets deducted
-                    // with underflow checks exclusively.
+                while remain > 999 {
+                    // SAFETY: All of the decimals fit in buf due to MAX_DEC_N.
+                    unsafe { core::hint::assert_unchecked(offset >= 4) }
+                    // SAFETY: The offset counts down from its initial buf.len()
+                    // without underflow due to the previous assertion.
                     unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
                     offset -= 4;
 
                     let quad = remain % 100_00;
                     remain /= 100_00;
-                    let i1 = (quad / 100) as usize;
-                    let i2 = (quad % 100) as usize;
-                    buf[offset + 0].write(DEC_DIGITS_LUT[i1 * 2 + 0]);
-                    buf[offset + 1].write(DEC_DIGITS_LUT[i1 * 2 + 1]);
-                    buf[offset + 2].write(DEC_DIGITS_LUT[i2 * 2 + 0]);
-                    buf[offset + 3].write(DEC_DIGITS_LUT[i2 * 2 + 1]);
+                    let pair1 = (quad / 100) as usize;
+                    let pair2 = (quad % 100) as usize;
+                    buf[offset + 0].write(DEC_DIGITS_LUT[pair1 * 2 + 0]);
+                    buf[offset + 1].write(DEC_DIGITS_LUT[pair1 * 2 + 1]);
+                    buf[offset + 2].write(DEC_DIGITS_LUT[pair2 * 2 + 0]);
+                    buf[offset + 3].write(DEC_DIGITS_LUT[pair2 * 2 + 1]);
                 }
 
                 // Format per two digits from the lookup table.
-                if offset >= 2 && remain > 9 {
-                    // SAFETY: Offset from the initial buf.len() gets deducted
-                    // with underflow checks exclusively.
+                if remain > 9 {
+                    // SAFETY: All of the decimals fit in buf due to MAX_DEC_N.
+                    unsafe { core::hint::assert_unchecked(offset >= 2) }
+                    // SAFETY: The offset counts down from its initial buf.len()
+                    // without underflow due to the previous assertion.
                     unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
                     offset -= 2;
 
-                    let i = (remain % 100) as usize;
+                    let pair = (remain % 100) as usize;
                     remain /= 100;
-                    buf[offset + 0].write(DEC_DIGITS_LUT[i * 2 + 0]);
-                    buf[offset + 1].write(DEC_DIGITS_LUT[i * 2 + 1]);
+                    buf[offset + 0].write(DEC_DIGITS_LUT[pair * 2 + 0]);
+                    buf[offset + 1].write(DEC_DIGITS_LUT[pair * 2 + 1]);
                 }
 
                 // Format the last remaining digit, if any.
-                if offset != 0 && remain != 0 || self == 0 {
-                    // SAFETY: Offset from the initial buf.len() gets deducted
-                    // with underflow checks exclusively.
+                if remain != 0 || self == 0 {
+                    // SAFETY: All of the decimals fit in buf due to MAX_DEC_N.
+                    unsafe { core::hint::assert_unchecked(offset >= 1) }
+                    // SAFETY: The offset counts down from its initial buf.len()
+                    // without underflow due to the previous assertion.
                     unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
                     offset -= 1;
 
                     // Either the compiler sees that remain < 10, or it prevents
                     // a boundary check up next.
-                    let i = (remain & 15) as usize;
+                    let last = (remain & 15) as usize;
+                    buf[offset].write(DEC_DIGITS_LUT[last * 2 + 1]);
                     // not used: remain = 0;
-                    buf[offset].write(DEC_DIGITS_LUT[i * 2 + 1]);
                 }
 
+                // SAFETY: Offset has been used as a write index.
+                unsafe { core::hint::assert_unchecked(offset < buf.len()) }
+                let written = &buf[offset..];
                 // SAFETY: All buf content since offset is set with bytes form
                 // the lookup table, which consists of valid ASCII exclusively.
-                let decimals = unsafe {
-                    let written = &buf[offset..];
+                f.pad_integral(is_nonnegative, "", unsafe {
                     let as_init = MaybeUninit::slice_assume_init_ref(written);
                     str::from_utf8_unchecked(as_init)
-                };
-                f.pad_integral(is_nonnegative, "", decimals)
+                })
             }
         })*
 
