Rollup merge of #86521 - the8472:add-footgun-comments, r=RalfJung

Dylan-DPC · web-flow · commit 6023ac2c8d10 · 2021-06-23T00:20:20.000+02:00
Add comments around code where ordering is important due for panic-safety Iterators contain arbitrary code which may panic. Unsafe code has to be careful to do its state updates at the right point between calls that may panic. As requested in #86452 (comment) r? `@RalfJung`
diff --git a/library/alloc/src/vec/mod.rs b/library/alloc/src/vec/mod.rs
@@ -2568,6 +2568,8 @@ impl<T, A: Allocator> Vec<T, A> {
             }
             unsafe {
                 ptr::write(self.as_mut_ptr().add(len), element);
+                // Since next() executes user code which can panic we have to bump the length
+                // after each step.
                 // NB can't overflow since we would have had to alloc the address space
                 self.set_len(len + 1);
             }
diff --git a/library/alloc/src/vec/source_iter_marker.rs b/library/alloc/src/vec/source_iter_marker.rs
@@ -89,6 +89,8 @@ fn write_in_place_with_drop<T>(
             // all we can do is check if it's still in range
             debug_assert!(sink.dst as *const _ <= src_end, "InPlaceIterable contract violation");
             ptr::write(sink.dst, item);
+            // Since this executes user code which can panic we have to bump the pointer
+            // after each step.
             sink.dst = sink.dst.add(1);
         }
         Ok(sink)
@@ -136,6 +138,8 @@ where
                 let dst = dst_buf.offset(i as isize);
                 debug_assert!(dst as *const _ <= end, "InPlaceIterable contract violation");
                 ptr::write(dst, self.__iterator_get_unchecked(i));
+                // Since this executes user code which can panic we have to bump the pointer
+                // after each step.
                 drop_guard.dst = dst.add(1);
             }
         }
diff --git a/library/alloc/src/vec/spec_extend.rs b/library/alloc/src/vec/spec_extend.rs
@@ -40,6 +40,8 @@ where
                 iterator.for_each(move |element| {
                     ptr::write(ptr, element);
                     ptr = ptr.offset(1);
+                    // Since the loop executes user code which can panic we have to bump the pointer
+                    // after each step.
                     // NB can't overflow since we would have had to alloc the address space
                     local_len.increment_len(1);
                 });
diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs
@@ -227,13 +227,16 @@ where
     fn next(&mut self) -> Option<(A::Item, B::Item)> {
         if self.index < self.len {
             let i = self.index;
+            // since get_unchecked executes code which can panic we increment the counters beforehand
+            // so that the same index won't be accessed twice, as required by TrustedRandomAccess
             self.index += 1;
             // SAFETY: `i` is smaller than `self.len`, thus smaller than `self.a.len()` and `self.b.len()`
             unsafe {
                 Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i)))
             }
         } else if A::MAY_HAVE_SIDE_EFFECT && self.index < self.a_len {
             let i = self.index;
+            // as above, increment before executing code that may panic
             self.index += 1;
             self.len += 1;
             // match the base implementation's potential side effects
@@ -259,6 +262,8 @@ where
         let end = self.index + delta;
         while self.index < end {
             let i = self.index;
+            // since get_unchecked executes code which can panic we increment the counters beforehand
+            // so that the same index won't be accessed twice, as required by TrustedRandomAccess
             self.index += 1;
             if A::MAY_HAVE_SIDE_EFFECT {
                 // SAFETY: the usage of `cmp::min` to calculate `delta`
@@ -295,6 +300,8 @@ where
                 let sz_a = self.a.size();
                 if A::MAY_HAVE_SIDE_EFFECT && sz_a > self.len {
                     for _ in 0..sz_a - self.len {
+                        // since next_back() may panic we increment the counters beforehand
+                        // to keep Zip's state in sync with the underlying iterator source
                         self.a_len -= 1;
                         self.a.next_back();
                     }
@@ -309,6 +316,8 @@ where
             }
         }
         if self.index < self.len {
+            // since get_unchecked executes code which can panic we increment the counters beforehand
+            // so that the same index won't be accessed twice, as required by TrustedRandomAccess
             self.len -= 1;
             self.a_len -= 1;
             let i = self.len;

Original file line number	Diff line number	Diff line change
`@@ -2568,6 +2568,8 @@ impl<T, A: Allocator> Vec<T, A> {`
`2568`	`2568`	`}`
`2569`	`2569`	`unsafe {`
`2570`	`2570`	`ptr::write(self.as_mut_ptr().add(len), element);`
	`2571`	`+ // Since next() executes user code which can panic we have to bump the length`
	`2572`	`+ // after each step.`
`2571`	`2573`	`// NB can't overflow since we would have had to alloc the address space`
`2572`	`2574`	`self.set_len(len + 1);`
`2573`	`2575`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,8 @@ fn write_in_place_with_drop<T>(`
`89`	`89`	`// all we can do is check if it's still in range`
`90`	`90`	`debug_assert!(sink.dst as *const _ <= src_end, "InPlaceIterable contract violation");`
`91`	`91`	`ptr::write(sink.dst, item);`
	`92`	`+ // Since this executes user code which can panic we have to bump the pointer`
	`93`	`+ // after each step.`
`92`	`94`	`sink.dst = sink.dst.add(1);`
`93`	`95`	`}`
`94`	`96`	`Ok(sink)`
`@@ -136,6 +138,8 @@ where`
`136`	`138`	`let dst = dst_buf.offset(i as isize);`
`137`	`139`	`debug_assert!(dst as *const _ <= end, "InPlaceIterable contract violation");`
`138`	`140`	`ptr::write(dst, self.__iterator_get_unchecked(i));`
	`141`	`+ // Since this executes user code which can panic we have to bump the pointer`
	`142`	`+ // after each step.`
`139`	`143`	`drop_guard.dst = dst.add(1);`
`140`	`144`	`}`
`141`	`145`	`}`