Revert "Move to unchecked_sub as suggested by @the8472"

This reverts commit 1dfff2e.

Author: SUPERCILEX

library/alloc/src/collections/vec_deque/mod.rs

@@ -756,8 +756,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
+            self.buf.reserve_exact(self.len, additional);
             unsafe {
-                self.buf.reserve_exact(self.len, additional);
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -787,8 +787,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         if new_cap > old_cap {
             // we don't need to reserve_exact(), as the size doesn't have
             // to be a power of 2.
+            self.buf.reserve(self.len, additional);
             unsafe {
-                self.buf.reserve(self.len, additional);
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -838,8 +838,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
+            self.buf.try_reserve_exact(self.len, additional)?;
             unsafe {
-                self.buf.try_reserve_exact(self.len, additional)?;
                 self.handle_capacity_increase(old_cap);
             }
         }
@@ -886,8 +886,8 @@ impl<T, A: Allocator> VecDeque<T, A> {
         let old_cap = self.capacity();
 
         if new_cap > old_cap {
+            self.buf.try_reserve(self.len, additional)?;
             unsafe {
-                self.buf.try_reserve(self.len, additional)?;
                 self.handle_capacity_increase(old_cap);
             }
         }

library/alloc/src/raw_vec.rs

@@ -276,6 +276,10 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// *O*(1) behavior. Will limit this behavior if it would needlessly cause
     /// itself to panic.
     ///
+    /// If `len` exceeds `self.capacity()`, this may fail to actually allocate
+    /// the requested space. This is not really unsafe, but the unsafe
+    /// code *you* write that relies on the behavior of this function may break.
+    ///
     /// This is ideal for implementing a bulk-push operation like `extend`.
     ///
     /// # Panics
@@ -285,13 +289,9 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// # Aborts
     ///
     /// Aborts on OOM.
-    ///
-    /// # Safety
-    ///
-    /// `len` must be less than or equal to the capacity of this [`RawVec`].
     #[cfg(not(no_global_oom_handling))]
     #[inline]
-    pub unsafe fn reserve(&mut self, len: usize, additional: usize) {
+    pub fn reserve(&mut self, len: usize, additional: usize) {
         // Callers expect this function to be very cheap when there is already sufficient capacity.
         // Therefore, we move all the resizing and error-handling logic from grow_amortized and
         // handle_reserve behind a call, while making sure that this function is likely to be
@@ -305,7 +305,7 @@ impl<T, A: Allocator> RawVec<T, A> {
             handle_reserve(slf.grow_amortized(len, additional));
         }
 
-        if unsafe { self.needs_to_grow(len, additional) } {
+        if self.needs_to_grow(len, additional) {
             do_reserve_and_handle(self, len, additional);
         }
         unsafe {
@@ -323,16 +323,8 @@ impl<T, A: Allocator> RawVec<T, A> {
     }
 
     /// The same as `reserve`, but returns on errors instead of panicking or aborting.
-    ///
-    /// # Safety
-    ///
-    /// `len` must be less than or equal to the capacity of this [`RawVec`].
-    pub unsafe fn try_reserve(
-        &mut self,
-        len: usize,
-        additional: usize,
-    ) -> Result<(), TryReserveError> {
-        if unsafe { self.needs_to_grow(len, additional) } {
+    pub fn try_reserve(&mut self, len: usize, additional: usize) -> Result<(), TryReserveError> {
+        if self.needs_to_grow(len, additional) {
             self.grow_amortized(len, additional)?;
         }
         unsafe {
@@ -348,35 +340,29 @@ impl<T, A: Allocator> RawVec<T, A> {
     /// exactly the amount of memory necessary, but in principle the allocator
     /// is free to give back more than we asked for.
     ///
+    /// If `len` exceeds `self.capacity()`, this may fail to actually allocate
+    /// the requested space. This is not really unsafe, but the unsafe code
+    /// *you* write that relies on the behavior of this function may break.
+    ///
     /// # Panics
     ///
     /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
     ///
     /// # Aborts
     ///
     /// Aborts on OOM.
-    ///
-    /// # Safety
-    ///
-    /// `len` must be less than or equal to the capacity of this [`RawVec`].
     #[cfg(not(no_global_oom_handling))]
-    pub unsafe fn reserve_exact(&mut self, len: usize, additional: usize) {
-        unsafe {
-            handle_reserve(self.try_reserve_exact(len, additional));
-        }
+    pub fn reserve_exact(&mut self, len: usize, additional: usize) {
+        handle_reserve(self.try_reserve_exact(len, additional));
     }
 
     /// The same as `reserve_exact`, but returns on errors instead of panicking or aborting.
-    ///
-    /// # Safety
-    ///
-    /// `len` must be less than or equal to the capacity of this [`RawVec`].
-    pub unsafe fn try_reserve_exact(
+    pub fn try_reserve_exact(
         &mut self,
         len: usize,
         additional: usize,
     ) -> Result<(), TryReserveError> {
-        if unsafe { self.needs_to_grow(len, additional) } {
+        if self.needs_to_grow(len, additional) {
             self.grow_exact(len, additional)?;
         }
         unsafe {
@@ -405,8 +391,8 @@ impl<T, A: Allocator> RawVec<T, A> {
 impl<T, A: Allocator> RawVec<T, A> {
     /// Returns if the buffer needs to grow to fulfill the needed extra capacity.
     /// Mainly used to make inlining reserve-calls possible without inlining `grow`.
-    pub(crate) unsafe fn needs_to_grow(&self, len: usize, additional: usize) -> bool {
-        unsafe { additional > self.capacity().unchecked_sub(len) }
+    pub(crate) fn needs_to_grow(&self, len: usize, additional: usize) -> bool {
+        additional > self.capacity().wrapping_sub(len)
     }
 
     /// # Safety:

library/alloc/src/raw_vec/tests.rs

@@ -43,10 +43,7 @@ fn allocator_param() {
     let a = BoundedAlloc { fuel: Cell::new(500) };
     let mut v: RawVec<u8, _> = RawVec::with_capacity_in(50, a);
     assert_eq!(v.alloc.fuel.get(), 450);
-    unsafe {
-        // (causes a realloc, thus using 50 + 150 = 200 units of fuel)
-        v.reserve(50, 150);
-    }
+    v.reserve(50, 150); // (causes a realloc, thus using 50 + 150 = 200 units of fuel)
     assert_eq!(v.alloc.fuel.get(), 250);
 }
 
@@ -55,35 +52,25 @@ fn reserve_does_not_overallocate() {
     {
         let mut v: RawVec<u32> = RawVec::new();
         // First, `reserve` allocates like `reserve_exact`.
-        unsafe {
-            v.reserve(0, 9);
-        }
+        v.reserve(0, 9);
         assert_eq!(9, v.capacity());
     }
 
     {
         let mut v: RawVec<u32> = RawVec::new();
-        unsafe {
-            v.reserve(0, 7);
-        }
+        v.reserve(0, 7);
         assert_eq!(7, v.capacity());
         // 97 is more than double of 7, so `reserve` should work
         // like `reserve_exact`.
-        unsafe {
-            v.reserve(7, 90);
-        }
+        v.reserve(7, 90);
         assert_eq!(97, v.capacity());
     }
 
     {
         let mut v: RawVec<u32> = RawVec::new();
-        unsafe {
-            v.reserve(0, 12);
-        }
+        v.reserve(0, 12);
         assert_eq!(12, v.capacity());
-        unsafe {
-            v.reserve(12, 3);
-        }
+        v.reserve(12, 3);
         // 3 is less than half of 12, so `reserve` must grow
         // exponentially. At the time of writing this test grow
         // factor is 2, so new capacity is 24, however, grow factor
@@ -129,28 +116,24 @@ fn zst() {
 
     // Check all these operations work as expected with zero-sized elements.
 
-    assert!(unsafe { !v.needs_to_grow(100, usize::MAX - 100) });
-    assert!(unsafe { v.needs_to_grow(101, usize::MAX - 100) });
+    assert!(!v.needs_to_grow(100, usize::MAX - 100));
+    assert!(v.needs_to_grow(101, usize::MAX - 100));
     zst_sanity(&v);
 
-    unsafe {
-        v.reserve(100, usize::MAX - 100);
-    }
+    v.reserve(100, usize::MAX - 100);
     //v.reserve(101, usize::MAX - 100); // panics, in `zst_reserve_panic` below
     zst_sanity(&v);
 
-    unsafe {
-        v.reserve_exact(100, usize::MAX - 100);
-    }
+    v.reserve_exact(100, usize::MAX - 100);
     //v.reserve_exact(101, usize::MAX - 100); // panics, in `zst_reserve_exact_panic` below
     zst_sanity(&v);
 
-    assert_eq!(unsafe { v.try_reserve(100, usize::MAX - 100) }, Ok(()));
-    assert_eq!(unsafe { v.try_reserve(101, usize::MAX - 100) }, cap_err);
+    assert_eq!(v.try_reserve(100, usize::MAX - 100), Ok(()));
+    assert_eq!(v.try_reserve(101, usize::MAX - 100), cap_err);
     zst_sanity(&v);
 
-    assert_eq!(unsafe { v.try_reserve_exact(100, usize::MAX - 100) }, Ok(()));
-    assert_eq!(unsafe { v.try_reserve_exact(101, usize::MAX - 100) }, cap_err);
+    assert_eq!(v.try_reserve_exact(100, usize::MAX - 100), Ok(()));
+    assert_eq!(v.try_reserve_exact(101, usize::MAX - 100), cap_err);
     zst_sanity(&v);
 
     assert_eq!(v.grow_amortized(100, usize::MAX - 100), cap_err);
@@ -168,9 +151,7 @@ fn zst_reserve_panic() {
     let mut v: RawVec<ZST> = RawVec::new();
     zst_sanity(&v);
 
-    unsafe {
-        v.reserve(101, usize::MAX - 100);
-    }
+    v.reserve(101, usize::MAX - 100);
 }
 
 #[test]
@@ -179,9 +160,7 @@ fn zst_reserve_exact_panic() {
     let mut v: RawVec<ZST> = RawVec::new();
     zst_sanity(&v);
 
-    unsafe {
-        v.reserve_exact(101, usize::MAX - 100);
-    }
+    v.reserve_exact(101, usize::MAX - 100);
 }
 
 #[test]

library/alloc/src/string.rs

@@ -1152,7 +1152,7 @@ impl String {
         self.vec.reserve(additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
         }
     }
 
@@ -1206,7 +1206,7 @@ impl String {
         self.vec.reserve_exact(additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
         }
     }
 
@@ -1246,7 +1246,7 @@ impl String {
         self.vec.try_reserve(additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
         }
         Ok(())
     }
@@ -1293,7 +1293,7 @@ impl String {
         self.vec.try_reserve_exact(additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
-            intrinsics::assume(additional <= self.capacity().unchecked_sub(self.len()));
+            intrinsics::assume(additional <= self.capacity().wrapping_sub(self.len()));
         }
         Ok(())
     }

library/alloc/src/vec/mod.rs

@@ -909,10 +909,7 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "rust1", since = "1.0.0")]
     #[inline]
     pub fn reserve(&mut self, additional: usize) {
-        // SAFETY: len <= capacity
-        unsafe {
-            self.buf.reserve(self.len, additional);
-        }
+        self.buf.reserve(self.len, additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -947,10 +944,7 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "rust1", since = "1.0.0")]
     #[inline]
     pub fn reserve_exact(&mut self, additional: usize) {
-        // SAFETY: len <= capacity
-        unsafe {
-            self.buf.reserve_exact(self.len, additional);
-        }
+        self.buf.reserve_exact(self.len, additional);
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -992,10 +986,7 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "try_reserve", since = "1.57.0")]
     #[inline]
     pub fn try_reserve(&mut self, additional: usize) -> Result<(), TryReserveError> {
-        // SAFETY: len <= capacity
-        unsafe {
-            self.buf.try_reserve(self.len, additional)?;
-        }
+        self.buf.try_reserve(self.len, additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));
@@ -1044,10 +1035,7 @@ impl<T, A: Allocator> Vec<T, A> {
     #[stable(feature = "try_reserve", since = "1.57.0")]
     #[inline]
     pub fn try_reserve_exact(&mut self, additional: usize) -> Result<(), TryReserveError> {
-        // SAFETY: len <= capacity
-        unsafe {
-            self.buf.try_reserve_exact(self.len, additional)?;
-        }
+        self.buf.try_reserve_exact(self.len, additional)?;
         unsafe {
             // Inform the optimizer that the reservation has succeeded or wasn't needed
             intrinsics::assume(!self.buf.needs_to_grow(self.len, additional));

library/alloc/src/vec/splice.rs

@@ -126,9 +126,7 @@ impl<T, A: Allocator> Drain<'_, T, A> {
     unsafe fn move_tail(&mut self, additional: usize) {
         let vec = unsafe { self.vec.as_mut() };
         let len = self.tail_start + self.tail_len;
-        unsafe {
-            vec.buf.reserve(len, additional);
-        }
+        vec.buf.reserve(len, additional);
 
         let new_tail_start = self.tail_start + additional;
         unsafe {