LGTM. I'm ok with the perf hit.

Most of the removal of unsafe code and simplification is because I don't want to check for overflow everywhere. It's messy, and we can let boundary checks or .reserve() do the work most of the time. However we may need a better plan. What do we really want to do for the v.reserve(X + Y) case. Ignore the overflow in addition and handle it in bounds checks? Change the "size_t" type to something that always uses checked addition?

Bounds checking sounds like a good candidate for a __builtin_expect-style function that hints to the branch predictor to assume we'll almost always not overflow when resizing. Do we have anything like that in the compiler, and if not, how hard would it be to add it?

More importantly: how much impact would it actually have?

On Wed, Sep 11, 2013 at 6:25 PM, Erick Tryzelaar
notifications@github.comwrote:

Bounds checking sounds like a good candidate for a __builtin_expecthttp://llvm.org/docs/BranchWeightMetadata.html-style
function that hints to the branch predictor to assume we'll almost always
not overflow when resizing. Do we have anything like that in the compiler,
and if not, how hard would it be to add it?

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/9108#issuecomment-24281515
.

+1 to branch prediction hints; conversation that convinced me at https://botbot.me/mozilla/rust/msg/5945880/

I'm very skeptical of branch prediction hints generally. It's not uncommon to annotate them incorrectly, or for them to be useless.

I have a feeling that LLVM's branch prediction hints don't do much when you aren't optimizing for size.

it's not an important part. More important would be to reduce the number of places we need to check for overflow

Rebased to avoid conflicts (new name of Option::unwrap_or).

I changed .reserve_additional to check the vec capacity before doing anything; I think this is an improvement that puts the failure case (in this case overflow) inside a branch that is only taken seldomly.

I changed vec::bytes::push_bytes to not use .mut_slice() but to use ptr::copy_memory directly. As the commit log says, It's good to avoid overhead and use a tad more unsafe code since much of str will depend on this function.

With these changes, it looks like the StrVector method .connect() is faster with its safe implementation on top of the change series, than its unsafe implementation before.

I'm not sure if I'm benchmarking this correctly. It could be that .connect() just optimizes to the point of invalidating the benchmark with the changes, but that's a win in itself..

with local rustc --opt-level=3 -Z no-monomorphic-collapse --test std.rs

before
test str::bench::bench_connect ... bench: 333 ns/iter (+/- 2)
test str::bench::bench_push_str ... bench: 163 ns/iter (+/- 4)

after
test str::bench::bench_connect ... bench: 178 ns/iter (+/- 3)
test str::bench::bench_push_str ... bench: 162 ns/iter (+/- 2)

I'm not sure if the benchmarks should stay in the PR, but apart from that I think this change is ready for review & merge.

Regarding branch predicition, since the overflow check is now inside a rarely taken if, it's less of an issue. I'd guess that using CheckedAdd we give enough information already to llvm to adjust branch prediction.

Updated the PR text (because this information will show in the merge message, so I want it to be correct)

Now the stage2 bench is done for before and after:

before:
test str::bench::bench_connect ... bench: 302 ns/iter (+/- 7)
test str::bench::bench_push_str ... bench: 140 ns/iter (+/- 3)

after
test str::bench::bench_connect ... bench: 225 ns/iter (+/- 24)
test str::bench::bench_push_str ... bench: 139 ns/iter (+/- 2)

This looks good to me! Sad to see a positive diff stat, but I guess that's what happens when you write tests :)

r+ with my comment

Incorporated your suggestion, also found one place where as_owned_vec could be used (as_mut_buf), so those are the changes squashed into the std::str: Fix overflow.. commit.