Skip to content

slice: Remove some uses of unsafe in first/last chunk methods #139145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 3, 2025
Merged

slice: Remove some uses of unsafe in first/last chunk methods #139145

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 34 additions & 60 deletions library/core/src/slice/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -382,16 +382,11 @@ impl<T> [T] {
#[stable(feature = "slice_first_last_chunk", since = "1.77.0")]
#[rustc_const_stable(feature = "slice_first_last_chunk", since = "1.77.0")]
pub const fn split_first_chunk<const N: usize>(&self) -> Option<(&[T; N], &[T])> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the split.
let (first, tail) = unsafe { self.split_at_unchecked(N) };
let Some((first, tail)) = self.split_at_checked(N) else { return None };
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code for all of these can be made more concise by using ?:

Suggested change
let Some((first, tail)) = self.split_at_checked(N) else { return None };
let (first, tail) = self.split_at_checked(N)?;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These functions are const fn so I don't believe ? is available to use.

That results in the following error:

error[E0015]: `?` is not allowed on `Option<(&[T], &[T])>` in constant functions
   --> library\core\src\slice\mod.rs:385:29
    |
385 |         let (first, tail) = self.split_at_checked(N)?;
    |                             ^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: calls in constant functions are limited to constant functions, tuple structs and tuple variants

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! I'd forgotten about that.


// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some((unsafe { &*(first.as_ptr().cast::<[T; N]>()) }, tail))
}
// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some((unsafe { &*(first.as_ptr().cast::<[T; N]>()) }, tail))
}

/// Returns a mutable array reference to the first `N` items in the slice and the remaining
Expand Down Expand Up @@ -419,17 +414,12 @@ impl<T> [T] {
pub const fn split_first_chunk_mut<const N: usize>(
&mut self,
) -> Option<(&mut [T; N], &mut [T])> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the split.
let (first, tail) = unsafe { self.split_at_mut_unchecked(N) };
let Some((first, tail)) = self.split_at_mut_checked(N) else { return None };

// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and enforce exclusive mutability of the chunk by the split.
Some((unsafe { &mut *(first.as_mut_ptr().cast::<[T; N]>()) }, tail))
}
// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and enforce exclusive mutability of the chunk by the split.
Some((unsafe { &mut *(first.as_mut_ptr().cast::<[T; N]>()) }, tail))
}

/// Returns an array reference to the last `N` items in the slice and the remaining slice.
Expand All @@ -452,16 +442,12 @@ impl<T> [T] {
#[stable(feature = "slice_first_last_chunk", since = "1.77.0")]
#[rustc_const_stable(feature = "slice_first_last_chunk", since = "1.77.0")]
pub const fn split_last_chunk<const N: usize>(&self) -> Option<(&[T], &[T; N])> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the split.
let (init, last) = unsafe { self.split_at_unchecked(self.len() - N) };
let Some(index) = self.len().checked_sub(N) else { return None };
let (init, last) = self.split_at(index);

// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some((init, unsafe { &*(last.as_ptr().cast::<[T; N]>()) }))
}
// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some((init, unsafe { &*(last.as_ptr().cast::<[T; N]>()) }))
}

/// Returns a mutable array reference to the last `N` items in the slice and the remaining
Expand Down Expand Up @@ -489,17 +475,13 @@ impl<T> [T] {
pub const fn split_last_chunk_mut<const N: usize>(
&mut self,
) -> Option<(&mut [T], &mut [T; N])> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the split.
let (init, last) = unsafe { self.split_at_mut_unchecked(self.len() - N) };
let Some(index) = self.len().checked_sub(N) else { return None };
let (init, last) = self.split_at_mut(index);

// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and enforce exclusive mutability of the chunk by the split.
Some((init, unsafe { &mut *(last.as_mut_ptr().cast::<[T; N]>()) }))
}
// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and enforce exclusive mutability of the chunk by the split.
Some((init, unsafe { &mut *(last.as_mut_ptr().cast::<[T; N]>()) }))
}

/// Returns an array reference to the last `N` items in the slice.
Expand All @@ -522,17 +504,13 @@ impl<T> [T] {
#[stable(feature = "slice_first_last_chunk", since = "1.77.0")]
#[rustc_const_stable(feature = "const_slice_last_chunk", since = "1.80.0")]
pub const fn last_chunk<const N: usize>(&self) -> Option<&[T; N]> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the slice.
// FIXME(const-hack): Without const traits, we need this instead of `get_unchecked`.
let last = unsafe { self.split_at_unchecked(self.len() - N).1 };
// FIXME(const-hack): Without const traits, we need this instead of `get`.
let Some(index) = self.len().checked_sub(N) else { return None };
let (_, last) = self.split_at(index);

// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some(unsafe { &*(last.as_ptr().cast::<[T; N]>()) })
}
// SAFETY: We explicitly check for the correct number of elements,
// and do not let the references outlive the slice.
Some(unsafe { &*(last.as_ptr().cast::<[T; N]>()) })
}

/// Returns a mutable array reference to the last `N` items in the slice.
Expand All @@ -556,18 +534,14 @@ impl<T> [T] {
#[stable(feature = "slice_first_last_chunk", since = "1.77.0")]
#[rustc_const_stable(feature = "const_slice_first_last_chunk", since = "1.83.0")]
pub const fn last_chunk_mut<const N: usize>(&mut self) -> Option<&mut [T; N]> {
if self.len() < N {
None
} else {
// SAFETY: We manually verified the bounds of the slice.
// FIXME(const-hack): Without const traits, we need this instead of `get_unchecked`.
let last = unsafe { self.split_at_mut_unchecked(self.len() - N).1 };

// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and require exclusive access to the entire slice to mutate the chunk.
Some(unsafe { &mut *(last.as_mut_ptr().cast::<[T; N]>()) })
}
// FIXME(const-hack): Without const traits, we need this instead of `get`.
let Some(index) = self.len().checked_sub(N) else { return None };
let (_, last) = self.split_at_mut(index);

// SAFETY: We explicitly check for the correct number of elements,
// do not let the reference outlive the slice,
// and require exclusive access to the entire slice to mutate the chunk.
Some(unsafe { &mut *(last.as_mut_ptr().cast::<[T; N]>()) })
}

/// Returns a reference to an element or subslice depending on the type of
Expand Down
24 changes: 24 additions & 0 deletions tests/codegen/slice-split-at.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
//@ compile-flags: -Copt-level=3
#![crate_type = "lib"]

// Check that no panic is generated in `split_at` when calculating the index for
// the tail chunk using `checked_sub`.
//
// Tests written for refactored implementations of:
// `<[T]>::{split_last_chunk, split_last_chunk_mut, last_chunk, last_chunk_mut}`

// CHECK-LABEL: @split_at_last_chunk
#[no_mangle]
pub fn split_at_last_chunk(s: &[u8], chunk_size: usize) -> Option<(&[u8], &[u8])> {
// CHECK-NOT: panic
let Some(index) = s.len().checked_sub(chunk_size) else { return None };
Some(s.split_at(index))
}

// CHECK-LABEL: @split_at_mut_last_chunk
#[no_mangle]
pub fn split_at_mut_last_chunk(s: &mut [u8], chunk_size: usize) -> Option<(&mut [u8], &mut [u8])> {
// CHECK-NOT: panic
let Some(index) = s.len().checked_sub(chunk_size) else { return None };
Some(s.split_at_mut(index))
}
Loading