Add assert_unsafe_precondition to unchecked_{add,sub,neg,mul,shl,shr} methods

clarfonthey · clarfonthey · commit d111a777b578 · 2023-11-18T00:08:03.000-05:00
diff --git a/library/core/src/num/int_macros.rs b/library/core/src/num/int_macros.rs
@@ -475,9 +475,15 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_add(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_add`.
-            unsafe { intrinsics::unchecked_add(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_add cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_add(rhs).1
+                );
+                intrinsics::unchecked_add(lhs, rhs)
+            }
         }
 
         /// Checked addition with an unsigned integer. Computes `self + rhs`,
@@ -543,9 +549,15 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_sub(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_sub`.
-            unsafe { intrinsics::unchecked_sub(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_sub cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_sub(rhs).1
+                );
+                intrinsics::unchecked_sub(lhs, rhs)
+            }
         }
 
         /// Checked subtraction with an unsigned integer. Computes `self - rhs`,
@@ -611,9 +623,15 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_mul`.
-            unsafe { intrinsics::unchecked_mul(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_mul cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_mul(rhs).1
+                );
+                intrinsics::unchecked_mul(lhs, rhs)
+            }
         }
 
         /// Checked integer division. Computes `self / rhs`, returning `None` if `rhs == 0`
@@ -760,9 +778,15 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_neg(self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_neg`.
-            unsafe { intrinsics::unchecked_sub(0, self) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let n = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_neg cannot overflow"),
+                    (n: $SelfT) => !n.overflowing_neg().1
+                );
+                intrinsics::unchecked_sub(0, n)
+            }
         }
 
         /// Checked shift left. Computes `self << rhs`, returning `None` if `rhs` is larger
@@ -807,10 +831,17 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_shl(self, rhs: u32) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_shl`.
+            // SAFETY: this is guaranteed to be safe by the caller.
             // Any legal shift amount is losslessly representable in the self type.
-            unsafe { intrinsics::unchecked_shl(self, conv_rhs_for_unchecked_shift!($SelfT, rhs)) }
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_shl cannot overflow"),
+                    (rhs: u32) => rhs < <$SelfT>::BITS
+                );
+                let rhs = conv_rhs_for_unchecked_shift!($SelfT, rhs);
+                intrinsics::unchecked_shl(lhs, rhs)
+            }
         }
 
         /// Checked shift right. Computes `self >> rhs`, returning `None` if `rhs` is
@@ -855,10 +886,17 @@ macro_rules! int_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_shr(self, rhs: u32) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_shr`.
+            // SAFETY: this is guaranteed to be safe by the caller.
             // Any legal shift amount is losslessly representable in the self type.
-            unsafe { intrinsics::unchecked_shr(self, conv_rhs_for_unchecked_shift!($SelfT, rhs)) }
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_shr cannot overflow"),
+                    (rhs: u32) => rhs < <$SelfT>::BITS
+                );
+                let rhs = conv_rhs_for_unchecked_shift!($SelfT, rhs);
+                intrinsics::unchecked_shr(lhs, rhs)
+            }
         }
 
         /// Checked absolute value. Computes `self.abs()`, returning `None` if
diff --git a/library/core/src/num/uint_macros.rs b/library/core/src/num/uint_macros.rs
@@ -483,9 +483,15 @@ macro_rules! uint_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_add(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_add`.
-            unsafe { intrinsics::unchecked_add(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_add cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_add(rhs).1
+                );
+                intrinsics::unchecked_add(lhs, rhs)
+            }
         }
 
         /// Checked addition with a signed integer. Computes `self + rhs`,
@@ -552,9 +558,15 @@ macro_rules! uint_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_sub(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_sub`.
-            unsafe { intrinsics::unchecked_sub(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_sub cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_sub(rhs).1
+                );
+                intrinsics::unchecked_sub(lhs, rhs)
+            }
         }
 
         /// Checked integer multiplication. Computes `self * rhs`, returning
@@ -599,9 +611,15 @@ macro_rules! uint_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_mul`.
-            unsafe { intrinsics::unchecked_mul(self, rhs) }
+            // SAFETY: this is guaranteed to be safe by the caller.
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_mul cannot overflow"),
+                    (lhs: $SelfT, rhs: $SelfT) => !lhs.overflowing_mul(rhs).1
+                );
+                intrinsics::unchecked_mul(lhs, rhs)
+            }
         }
 
         /// Checked integer division. Computes `self / rhs`, returning `None`
@@ -936,10 +954,17 @@ macro_rules! uint_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_shl(self, rhs: u32) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_shl`.
+            // SAFETY: this is guaranteed to be safe by the caller.
             // Any legal shift amount is losslessly representable in the self type.
-            unsafe { intrinsics::unchecked_shl(self, conv_rhs_for_unchecked_shift!($SelfT, rhs)) }
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_shl cannot overflow"),
+                    (rhs: u32) => rhs < <$SelfT>::BITS
+                );
+                let rhs = conv_rhs_for_unchecked_shift!($SelfT, rhs);
+                intrinsics::unchecked_shl(lhs, rhs)
+            }
         }
 
         /// Checked shift right. Computes `self >> rhs`, returning `None`
@@ -984,10 +1009,17 @@ macro_rules! uint_impl {
         #[inline(always)]
         #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
         pub const unsafe fn unchecked_shr(self, rhs: u32) -> Self {
-            // SAFETY: the caller must uphold the safety contract for
-            // `unchecked_shr`.
+            // SAFETY: this is guaranteed to be safe by the caller.
             // Any legal shift amount is losslessly representable in the self type.
-            unsafe { intrinsics::unchecked_shr(self, conv_rhs_for_unchecked_shift!($SelfT, rhs)) }
+            unsafe {
+                let lhs = self;
+                intrinsics::assert_unsafe_precondition!(
+                    concat!(stringify!($SelfT), "::unchecked_shl cannot overflow"),
+                    (rhs: u32) => rhs < <$SelfT>::BITS
+                );
+                let rhs = conv_rhs_for_unchecked_shift!($SelfT, rhs);
+                intrinsics::unchecked_shl(lhs, rhs)
+            }
         }
 
         /// Checked exponentiation. Computes `self.pow(exp)`, returning `None` if
diff --git a/library/core/src/ops/index_range.rs b/library/core/src/ops/index_range.rs
@@ -1,4 +1,4 @@
-use crate::intrinsics::{assert_unsafe_precondition, unchecked_add, unchecked_sub};
+use crate::intrinsics::assert_unsafe_precondition;
 use crate::iter::{FusedIterator, TrustedLen};
 use crate::num::NonZeroUsize;
 
@@ -47,7 +47,7 @@ impl IndexRange {
     #[inline]
     pub const fn len(&self) -> usize {
         // SAFETY: By invariant, this cannot wrap
-        unsafe { unchecked_sub(self.end, self.start) }
+        unsafe { self.end.unchecked_sub(self.start) }
     }
 
     /// # Safety
@@ -58,7 +58,7 @@ impl IndexRange {
 
         let value = self.start;
         // SAFETY: The range isn't empty, so this cannot overflow
-        self.start = unsafe { unchecked_add(value, 1) };
+        self.start = unsafe { value.unchecked_add(1) };
         value
     }
 
@@ -69,7 +69,7 @@ impl IndexRange {
         debug_assert!(self.start < self.end);
 
         // SAFETY: The range isn't empty, so this cannot overflow
-        let value = unsafe { unchecked_sub(self.end, 1) };
+        let value = unsafe { self.end.unchecked_sub(1) };
         self.end = value;
         value
     }
@@ -84,7 +84,7 @@ impl IndexRange {
         let mid = if n <= self.len() {
             // SAFETY: We just checked that this will be between start and end,
             // and thus the addition cannot overflow.
-            unsafe { unchecked_add(self.start, n) }
+            unsafe { self.start.unchecked_add(n) }
         } else {
             self.end
         };
@@ -103,7 +103,7 @@ impl IndexRange {
         let mid = if n <= self.len() {
             // SAFETY: We just checked that this will be between start and end,
             // and thus the addition cannot overflow.
-            unsafe { unchecked_sub(self.end, n) }
+            unsafe { self.end.unchecked_sub(n) }
         } else {
             self.start
         };
diff --git a/library/core/src/ptr/const_ptr.rs b/library/core/src/ptr/const_ptr.rs
@@ -1032,7 +1032,7 @@ impl<T: ?Sized> *const T {
             // SAFETY: the caller must uphold the safety contract for `offset`.
             // Because the pointee is *not* a ZST, that means that `count` is
             // at most `isize::MAX`, and thus the negation cannot overflow.
-            unsafe { self.offset(intrinsics::unchecked_sub(0, count as isize)) }
+            unsafe { self.offset((count as isize).unchecked_neg()) }
         }
     }
 
diff --git a/library/core/src/ptr/mut_ptr.rs b/library/core/src/ptr/mut_ptr.rs
@@ -1133,7 +1133,7 @@ impl<T: ?Sized> *mut T {
             // SAFETY: the caller must uphold the safety contract for `offset`.
             // Because the pointee is *not* a ZST, that means that `count` is
             // at most `isize::MAX`, and thus the negation cannot overflow.
-            unsafe { self.offset(intrinsics::unchecked_sub(0, count as isize)) }
+            unsafe { self.offset((count as isize).unchecked_neg()) }
         }
     }
 
diff --git a/library/core/src/slice/index.rs b/library/core/src/slice/index.rs
@@ -2,7 +2,6 @@
 
 use crate::intrinsics::assert_unsafe_precondition;
 use crate::intrinsics::const_eval_select;
-use crate::intrinsics::unchecked_sub;
 use crate::ops;
 use crate::ptr;
 
@@ -380,7 +379,7 @@ unsafe impl<T> SliceIndex<[T]> for ops::Range<usize> {
                 [T](this: ops::Range<usize>, slice: *const [T]) =>
                 this.end >= this.start && this.end <= slice.len()
             );
-            let new_len = unchecked_sub(self.end, self.start);
+            let new_len = self.end.unchecked_sub(self.start);
             ptr::slice_from_raw_parts(slice.as_ptr().add(self.start), new_len)
         }
     }
@@ -395,7 +394,7 @@ unsafe impl<T> SliceIndex<[T]> for ops::Range<usize> {
                 [T](this: ops::Range<usize>, slice: *mut [T]) =>
                 this.end >= this.start && this.end <= slice.len()
             );
-            let new_len = unchecked_sub(self.end, self.start);
+            let new_len = self.end.unchecked_sub(self.start);
             ptr::slice_from_raw_parts_mut(slice.as_mut_ptr().add(self.start), new_len)
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -1032,7 +1032,7 @@ impl<T: ?Sized> *const T {`
`1032`	`1032`	// SAFETY: the caller must uphold the safety contract for `offset`.
`1033`	`1033`	// Because the pointee is not a ZST, that means that `count` is
`1034`	`1034`	// at most `isize::MAX`, and thus the negation cannot overflow.
`1035`		`- unsafe { self.offset(intrinsics::unchecked_sub(0, count as isize)) }`
	`1035`	`+ unsafe { self.offset((count as isize).unchecked_neg()) }`
`1036`	`1036`	`}`
`1037`	`1037`	`}`
`1038`	`1038`
Original file line number	Diff line number	Diff line change
`@@ -1133,7 +1133,7 @@ impl<T: ?Sized> *mut T {`
`1133`	`1133`	// SAFETY: the caller must uphold the safety contract for `offset`.
`1134`	`1134`	// Because the pointee is not a ZST, that means that `count` is
`1135`	`1135`	// at most `isize::MAX`, and thus the negation cannot overflow.
`1136`		`- unsafe { self.offset(intrinsics::unchecked_sub(0, count as isize)) }`
	`1136`	`+ unsafe { self.offset((count as isize).unchecked_neg()) }`
`1137`	`1137`	`}`
`1138`	`1138`	`}`
`1139`	`1139`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`
`3`	`3`	`use crate::intrinsics::assert_unsafe_precondition;`
`4`	`4`	`use crate::intrinsics::const_eval_select;`
`5`		`-use crate::intrinsics::unchecked_sub;`
`6`	`5`	`use crate::ops;`
`7`	`6`	`use crate::ptr;`
`8`	`7`
`@@ -380,7 +379,7 @@ unsafe impl<T> SliceIndex<[T]> for ops::Range<usize> {`
`380`	`379`	`[T](this: ops::Range<usize>, slice: *const [T]) =>`
`381`	`380`	`this.end >= this.start && this.end <= slice.len()`
`382`	`381`	`);`
`383`		`- let new_len = unchecked_sub(self.end, self.start);`
	`382`	`+ let new_len = self.end.unchecked_sub(self.start);`
`384`	`383`	`ptr::slice_from_raw_parts(slice.as_ptr().add(self.start), new_len)`
`385`	`384`	`}`
`386`	`385`	`}`
`@@ -395,7 +394,7 @@ unsafe impl<T> SliceIndex<[T]> for ops::Range<usize> {`
`395`	`394`	`[T](this: ops::Range<usize>, slice: *mut [T]) =>`
`396`	`395`	`this.end >= this.start && this.end <= slice.len()`
`397`	`396`	`);`
`398`		`- let new_len = unchecked_sub(self.end, self.start);`
	`397`	`+ let new_len = self.end.unchecked_sub(self.start);`
`399`	`398`	`ptr::slice_from_raw_parts_mut(slice.as_mut_ptr().add(self.start), new_len)`
`400`	`399`	`}`
`401`	`400`	`}`