Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix vec_deque::Drain FIXME #106276

Merged
merged 3 commits into from
Mar 11, 2023
Merged

Fix vec_deque::Drain FIXME #106276

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8ca25b8
Fix `vec_deque::Drain` FIXME
Sp00ph Dec 29, 2022
1e114a8
Add `slice_ranges` safety comment
Sp00ph Feb 5, 2023
acc876e
Changes according to review
Sp00ph Feb 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 13 additions & 27 deletions library/alloc/src/collections/vec_deque/drain.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,36 +52,22 @@ impl<'a, T, A: Allocator> Drain<'a, T, A> {
}
}

// Only returns pointers to the slices, as that's
// all we need to drop them. May only be called if `self.remaining != 0`.
// Only returns pointers to the slices, as that's all we need
// to drop them. May only be called if `self.remaining != 0`.
unsafe fn as_slices(&self) -> (*mut [T], *mut [T]) {
unsafe {
let deque = self.deque.as_ref();
// FIXME: This is doing almost exactly the same thing as the else branch in `VecDeque::slice_ranges`.
// Unfortunately, we can't just call `slice_ranges` here, as the deque's `len` is currently
// just `drain_start`, so the range check would (almost) always panic. Between temporarily
// adjusting the deques `len` to call `slice_ranges`, and just copy pasting the `slice_ranges`
// implementation, this seemed like the less hacky solution, though it might be good to
// find a better one in the future.

// because `self.remaining != 0`, we know that `self.idx < deque.original_len`, so it's a valid
// logical index.
let wrapped_start = deque.to_physical_idx(self.idx);

let head_len = deque.capacity() - wrapped_start;

let (a_range, b_range) = if head_len >= self.remaining {
(wrapped_start..wrapped_start + self.remaining, 0..0)
} else {
let tail_len = self.remaining - head_len;
(wrapped_start..deque.capacity(), 0..tail_len)
};

// SAFETY: the range `self.idx..self.idx+self.remaining` lies strictly inside
// the range `0..deque.original_len`. because of this, and because of the fact
// that we acquire `a_range` and `b_range` exactly like `slice_ranges` would,
// it's guaranteed that `a_range` and `b_range` represent valid ranges into
// the deques buffer.

// We know that `self.idx + self.remaining <= deque.len <= usize::MAX`, so this won't overflow.
let logical_remaining_range = self.idx..self.idx + self.remaining;

// SAFETY: `logical_remaining_range` represents the
// range into the logical buffer of elements that
// haven't been drained yet, so they're all initialized,
// and `slice::range(start..end, end) == start..end`,
// so the preconditions for `slice_ranges` are met.
let (a_range, b_range) =
deque.slice_ranges(logical_remaining_range.clone(), logical_remaining_range.end);
(deque.buffer_range(a_range), deque.buffer_range(b_range))
}
}
Expand Down
27 changes: 18 additions & 9 deletions library/alloc/src/collections/vec_deque/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1147,7 +1147,7 @@ impl<T, A: Allocator> VecDeque<T, A> {
#[inline]
#[stable(feature = "deque_extras_15", since = "1.5.0")]
pub fn as_slices(&self) -> (&[T], &[T]) {
let (a_range, b_range) = self.slice_ranges(..);
let (a_range, b_range) = self.slice_ranges(.., self.len);
// SAFETY: `slice_ranges` always returns valid ranges into
// the physical buffer.
unsafe { (&*self.buffer_range(a_range), &*self.buffer_range(b_range)) }
Expand Down Expand Up @@ -1181,7 +1181,7 @@ impl<T, A: Allocator> VecDeque<T, A> {
#[inline]
#[stable(feature = "deque_extras_15", since = "1.5.0")]
pub fn as_mut_slices(&mut self) -> (&mut [T], &mut [T]) {
let (a_range, b_range) = self.slice_ranges(..);
let (a_range, b_range) = self.slice_ranges(.., self.len);
// SAFETY: `slice_ranges` always returns valid ranges into
// the physical buffer.
unsafe { (&mut *self.buffer_range(a_range), &mut *self.buffer_range(b_range)) }
Expand Down Expand Up @@ -1223,19 +1223,28 @@ impl<T, A: Allocator> VecDeque<T, A> {

/// Given a range into the logical buffer of the deque, this function
/// return two ranges into the physical buffer that correspond to
/// the given range.
fn slice_ranges<R>(&self, range: R) -> (Range<usize>, Range<usize>)
/// the given range. The `len` parameter should usually just be `self.len`;
/// the reason it's passed explicitly is that if the deque is wrapped in
/// a `Drain`, then `self.len` is not actually the length of the deque.
///
/// # Safety
///
/// This function is always safe to call. For the resulting ranges to be valid
/// ranges into the physical buffer, the caller must ensure that the result of
/// calling `slice::range(range, ..len)` represents a valid range into the
/// logical buffer, and that all elements in that range are initialized.
fn slice_ranges<R>(&self, range: R, len: usize) -> (Range<usize>, Range<usize>)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be a bit clearer if this were a free function that takes range, capacity, len as arguments instead of the awkward mix where it takes the capacity from self but the len is fed in externally.

Copy link
Member Author

@Sp00ph Sp00ph Feb 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure that'd actually simplify things. It would always be incorrect to call slice_ranges with a capacity that's not just self.capacity(), whereas len doesn't have the same restriction. Making it a free function would also make both the implementation and the call sites more lengthy and probably less readable (e.g. it couldn't use self.to_physical_idx) and might introduce more chances to accidentally mix up two arguments of the same type.

where
R: RangeBounds<usize>,
{
let Range { start, end } = slice::range(range, ..self.len);
let Range { start, end } = slice::range(range, ..len);
let len = end - start;

if len == 0 {
(0..0, 0..0)
} else {
// `slice::range` guarantees that `start <= end <= self.len`.
// because `len != 0`, we know that `start < end`, so `start < self.len`
// `slice::range` guarantees that `start <= end <= len`.
// because `len != 0`, we know that `start < end`, so `start < len`
// and the indexing is valid.
let wrapped_start = self.to_physical_idx(start);

Expand Down Expand Up @@ -1281,7 +1290,7 @@ impl<T, A: Allocator> VecDeque<T, A> {
where
R: RangeBounds<usize>,
{
let (a_range, b_range) = self.slice_ranges(range);
let (a_range, b_range) = self.slice_ranges(range, self.len);
// SAFETY: The ranges returned by `slice_ranges`
// are valid ranges into the physical buffer, so
// it's ok to pass them to `buffer_range` and
Expand Down Expand Up @@ -1321,7 +1330,7 @@ impl<T, A: Allocator> VecDeque<T, A> {
where
R: RangeBounds<usize>,
{
let (a_range, b_range) = self.slice_ranges(range);
let (a_range, b_range) = self.slice_ranges(range, self.len);
// SAFETY: The ranges returned by `slice_ranges`
// are valid ranges into the physical buffer, so
// it's ok to pass them to `buffer_range` and
Expand Down