made StorageWithCapacity unsafe

to rely on post-conditions in unsafe code
moved capacity calculations to it's own module

Author: RustyYato

src/raw.rs

@@ -20,79 +20,18 @@ mod slice;
 mod uninit;
 mod zero_sized;
 
+mod capacity;
+
 #[cfg(any(doc, feature = "alloc"))]
 pub use heap::Heap;
 
 pub use slice::UninitSlice;
 pub use uninit::UninitBuffer;
 pub use zero_sized::ZeroSized;
 
-#[cold]
-#[inline(never)]
-#[cfg(feature = "nightly")]
-const fn capacity_calculation_overflow() -> ! { panic!("Tried to calculate the current capacity, but overflowed") }
-
-#[cold]
-#[inline(never)]
-fn fixed_capacity_reserve_error(capacity: usize, new_capacity: usize) -> ! {
-    panic!(
-        "Tried to reserve {}, but used a fixed capacity storage of {}",
-        new_capacity, capacity
-    )
-}
-
-#[cfg(not(any(
-    target_pointer_width = "8",
-    target_pointer_width = "16",
-    target_pointer_width = "32",
-    target_pointer_width = "64"
-)))]
-compile_error!("Cannot correctly calculate capacity on an 128-bit or larger architecture");
-
-const fn capacity(old_capacity: usize, size_self: usize, size_other: usize) -> usize {
-    #[cfg(target_pointer_width = "8")]
-    type PointerNext = u16;
-    #[cfg(target_pointer_width = "16")]
-    type PointerNext = u32;
-    #[cfg(target_pointer_width = "32")]
-    type PointerNext = u64;
-    #[cfg(target_pointer_width = "64")]
-    type PointerNext = u128;
-
-    let size = (old_capacity as PointerNext) * (size_self as PointerNext) / (size_other as PointerNext);
-
-    #[cfg(not(feature = "nightly"))]
-    {
-        [size as usize][(size > usize::MAX as PointerNext) as usize]
-    }
-
-    #[cfg(feature = "nightly")]
-    {
-        if size > usize::MAX as PointerNext {
-            capacity_calculation_overflow()
-        }
-
-        size as usize
-    }
-}
-
 /// A [`Storage`] that can only contain initialized `Storage::Item`
 pub unsafe trait StorageInit<T>: Storage<T> {}
 
-/// Check if type `U` smaller than `T` and less aligned than `T`
-pub const fn is_compatible<T, U>() -> bool {
-    use core::mem::{align_of, size_of};
-
-    size_of::<T>() >= size_of::<U>() && align_of::<T>() >= align_of::<U>()
-}
-
-/// Check if type `U` is layout identical to `T`
-pub const fn is_identical<T, U>() -> bool {
-    use core::mem::{align_of, size_of};
-
-    size_of::<T>() == size_of::<U>() && align_of::<T>() == align_of::<U>()
-}
-
 /// A type that can hold `T`s, and potentially
 /// reserve space for more `Self::Items`s
 pub unsafe trait Storage<T> {
@@ -143,7 +82,12 @@ pub unsafe trait Storage<T> {
 }
 
 /// A storage that can be initially created with a given capacity
-pub trait StorageWithCapacity<T>: Storage<T> + Default {
+///
+/// # Safety
+///
+/// The storage must have a capacity of at least `capacity` after
+/// `StorageWithCapacity::with_capacity` is called.
+pub unsafe trait StorageWithCapacity<T>: Storage<T> + Default {
     /// Creates a new storage with at least the given storage capacity
     fn with_capacity(capacity: usize) -> Self;
 
@@ -193,7 +137,7 @@ unsafe impl<T, S: ?Sized + Storage<T>> Storage<T> for Box<S> {
 }
 
 #[cfg(feature = "alloc")]
-impl<T, S: ?Sized + StorageWithCapacity<T>> StorageWithCapacity<T> for Box<S> {
+unsafe impl<T, S: ?Sized + StorageWithCapacity<T>> StorageWithCapacity<T> for Box<S> {
     fn with_capacity(capacity: usize) -> Self { Box::new(S::with_capacity(capacity)) }
 
     #[doc(hidden)]

src/raw/alloc.rs

@@ -1,13 +1,13 @@
 use crate::raw::{AllocError, Storage, StorageWithCapacity};
 
 unsafe impl<T: Copy, const N: usize> crate::raw::StorageInit<T> for [T; N] {}
-impl<T: Default + Copy, const N: usize> StorageWithCapacity<T> for [T; N]
+unsafe impl<T: Default + Copy, const N: usize> StorageWithCapacity<T> for [T; N]
 where
     Self: Default,
 {
     fn with_capacity(capacity: usize) -> Self {
         if capacity > N {
-            crate::raw::fixed_capacity_reserve_error(N, capacity)
+            crate::raw::capacity::fixed_capacity_reserve_error(N, capacity)
         }
 
         Self::default()
@@ -37,7 +37,7 @@ unsafe impl<T: Copy, const N: usize> Storage<T> for [T; N] {
 
     fn reserve(&mut self, capacity: usize) {
         if capacity > N {
-            crate::raw::fixed_capacity_reserve_error(N, capacity)
+            crate::raw::capacity::fixed_capacity_reserve_error(N, capacity)
         }
     }
 

src/raw/array.rs

@@ -0,0 +1,74 @@
+#[cold]
+#[inline(never)]
+#[cfg(feature = "nightly")]
+pub(in crate::raw) const fn capacity_calculation_overflow() -> ! {
+    panic!("Tried to calculate the current capacity, but overflowed")
+}
+
+#[cold]
+#[inline(never)]
+pub(in crate::raw) fn fixed_capacity_reserve_error(capacity: usize, new_capacity: usize) -> ! {
+    panic!(
+        "Tried to reserve {}, but used a fixed capacity storage of {}",
+        new_capacity, capacity
+    )
+}
+
+#[cfg(not(any(
+    target_pointer_width = "8",
+    target_pointer_width = "16",
+    target_pointer_width = "32",
+    target_pointer_width = "64"
+)))]
+compile_error!("Cannot correctly calculate capacity on an 128-bit or larger architecture");
+
+pub(in crate::raw) enum Round {
+    Up,
+    Down,
+}
+
+pub(in crate::raw) const fn capacity(old_capacity: usize, size_self: usize, size_other: usize, round: Round) -> usize {
+    #[cfg(target_pointer_width = "8")]
+    type PointerNext = u16;
+    #[cfg(target_pointer_width = "16")]
+    type PointerNext = u32;
+    #[cfg(target_pointer_width = "32")]
+    type PointerNext = u64;
+    #[cfg(target_pointer_width = "64")]
+    type PointerNext = u128;
+
+    if size_other == 0 {
+        return usize::MAX
+    }
+
+    let size = (old_capacity as PointerNext) * (size_self as PointerNext);
+
+    let size = match round {
+        // this can't overflow
+        //
+        // old_capacity : n-bit number   0..pow2(n)
+        // size_self    : n-bit number   0..pow2(n)
+        // size_other   : n-bit number   1..pow2(n)
+        // PointerNext  : 2*n-bit number 0..pow2(n)
+        //
+        // size = 0..=(pow2(n)-1) * 0..=(pow2(n)-1)
+        //      = 0..=(pow2(n) * pow2(n) - 2 * pow2(n) - 1)
+        //      = 0..=(pow2(2 * n) - 2 * pow2(n) - 1)
+        //
+        // size + size_other - 1 = 0..=(pow2(2 * n) - 2 * pow2(n) - 1) + 1..=pow2(n) - 1..=1
+        //                       = 0..=(pow2(2 * n) - 2 * pow2(n) - 1) + 0..=pow2(n)
+        //                       = 0..=(pow2(2 * n) - 2 * pow2(n) - 1 + pow2(n))
+        //                       = 0..=(pow2(2 * n) - pow2(n) - 1) < pow2(2 * n)
+        //
+        Round::Up => size.wrapping_add(size_other as PointerNext).wrapping_sub(1),
+        Round::Down => size,
+    };
+
+    // this can't overflow pow2(n)
+    //
+    // size = 0..=(pow2(2 * n) - pow2(n) - 1)
+    // size / size_other = 0..=(pow2(2 * n) - pow2(n) - 1) / pow2(n)
+    //                   = 0..=(pow2(n) - 1 - 1 / pow2(n)) < pow2(n)
+    //
+    (size / (size_other as PointerNext)) as usize
+}

src/raw/capacity.rs

@@ -1,4 +1,7 @@
-use crate::raw::{AllocError, Storage, StorageWithCapacity};
+use crate::raw::{
+    capacity::{capacity, Round},
+    AllocError, Storage, StorageWithCapacity,
+};
 
 use core::{
     alloc::Layout,
@@ -116,21 +119,21 @@ impl<T, A: AllocRef + Default> Default for Heap<T, A> {
 unsafe impl<T, U, A: ?Sized + AllocRef> Storage<U> for Heap<T, A> {
     const IS_ALIGNED: bool = align_of::<T>() >= align_of::<U>();
 
-    fn capacity(&self) -> usize { crate::raw::capacity(self.capacity, size_of::<T>(), size_of::<U>()) }
+    fn capacity(&self) -> usize { capacity(self.capacity, size_of::<T>(), size_of::<U>(), Round::Down) }
 
     fn as_ptr(&self) -> *const U { self.ptr.as_ptr().cast() }
 
     fn as_mut_ptr(&mut self) -> *mut U { self.ptr.as_ptr().cast() }
 
     fn reserve(&mut self, new_capacity: usize) {
-        let new_capacity = crate::raw::capacity(new_capacity, size_of::<U>(), size_of::<T>());
+        let new_capacity = capacity(new_capacity, size_of::<U>(), size_of::<T>(), Round::Up);
         if self.capacity < new_capacity {
             let _ = self.reserve_slow(new_capacity, OnFailure::Abort);
         }
     }
 
     fn try_reserve(&mut self, new_capacity: usize) -> Result<(), AllocError> {
-        let new_capacity = crate::raw::capacity(new_capacity, size_of::<U>(), size_of::<T>());
+        let new_capacity = capacity(new_capacity, size_of::<U>(), size_of::<T>(), Round::Up);
         if self.capacity < new_capacity {
             self.reserve_slow(new_capacity, OnFailure::Error)
         } else {
@@ -163,8 +166,10 @@ impl<T, A: Default + AllocRef> Heap<T, A> {
     }
 }
 
-impl<T, U, A: Default + AllocRef> StorageWithCapacity<U> for Heap<T, A> {
-    fn with_capacity(capacity: usize) -> Self { Self::with_capacity(capacity) }
+unsafe impl<T, U, A: Default + AllocRef> StorageWithCapacity<U> for Heap<T, A> {
+    fn with_capacity(cap: usize) -> Self {
+        Self::with_capacity(capacity(cap, size_of::<U>(), size_of::<T>(), Round::Up))
+    }
 }
 
 impl<T, A: ?Sized + AllocRef> Heap<T, A> {

src/raw/heap/nightly.rs

@@ -1,4 +1,7 @@
-use crate::raw::{AllocError, Storage, StorageWithCapacity};
+use crate::raw::{
+    capacity::{capacity, Round},
+    AllocError, Storage, StorageWithCapacity,
+};
 
 use core::{
     alloc::Layout,
@@ -67,21 +70,21 @@ impl<T> Default for Heap<T> {
 unsafe impl<T, U> Storage<U> for Heap<T> {
     const IS_ALIGNED: bool = align_of::<T>() >= align_of::<U>();
 
-    fn capacity(&self) -> usize { self.capacity }
+    fn capacity(&self) -> usize { capacity(self.capacity, size_of::<T>(), size_of::<U>(), Round::Down) }
 
     fn as_ptr(&self) -> *const U { self.ptr.as_ptr().cast() }
 
     fn as_mut_ptr(&mut self) -> *mut U { self.ptr.as_ptr().cast() }
 
     fn reserve(&mut self, new_capacity: usize) {
-        let new_capacity = crate::raw::capacity(new_capacity, size_of::<U>(), size_of::<T>());
+        let new_capacity = capacity(new_capacity, size_of::<U>(), size_of::<T>(), Round::Up);
         if self.capacity < new_capacity {
             let _ = self.reserve_slow(new_capacity, OnFailure::Abort);
         }
     }
 
     fn try_reserve(&mut self, new_capacity: usize) -> Result<(), AllocError> {
-        let new_capacity = crate::raw::capacity(new_capacity, size_of::<U>(), size_of::<T>());
+        let new_capacity = capacity(new_capacity, size_of::<U>(), size_of::<T>(), Round::Up);
         if self.capacity < new_capacity {
             self.reserve_slow(new_capacity, OnFailure::Error)
         } else {
@@ -151,8 +154,10 @@ impl<T> Heap<T> {
     }
 }
 
-impl<T, U> StorageWithCapacity<U> for Heap<T> {
-    fn with_capacity(capacity: usize) -> Self { Self::with_capacity(capacity) }
+unsafe impl<T, U> StorageWithCapacity<U> for Heap<T> {
+    fn with_capacity(cap: usize) -> Self {
+        Self::with_capacity(capacity(cap, size_of::<U>(), size_of::<T>(), Round::Up))
+    }
 }
 
 impl<T> Heap<T> {

src/raw/heap/stable.rs

@@ -1,4 +1,7 @@
-use crate::raw::{AllocError, Storage};
+use crate::raw::{
+    capacity::{capacity, fixed_capacity_reserve_error, Round},
+    AllocError, Storage,
+};
 
 use core::mem::{align_of, size_of, MaybeUninit};
 
@@ -40,16 +43,16 @@ impl<T> UninitSlice<T> {
 unsafe impl<T, U> Storage<U> for UninitSlice<T> {
     const IS_ALIGNED: bool = align_of::<T>() >= align_of::<U>();
 
-    fn capacity(&self) -> usize { crate::raw::capacity(self.0.len(), size_of::<T>(), size_of::<U>()) }
+    fn capacity(&self) -> usize { capacity(self.0.len(), size_of::<T>(), size_of::<U>(), Round::Down) }
 
     fn as_ptr(&self) -> *const U { self.0.as_ptr().cast() }
 
     fn as_mut_ptr(&mut self) -> *mut U { self.0.as_mut_ptr().cast() }
 
     fn reserve(&mut self, new_capacity: usize) {
-        let new_capacity = crate::raw::capacity(new_capacity, size_of::<U>(), size_of::<T>());
+        let new_capacity = capacity(new_capacity, size_of::<U>(), size_of::<T>(), Round::Up);
         if new_capacity > self.0.len() {
-            crate::raw::fixed_capacity_reserve_error(self.0.len(), new_capacity)
+            fixed_capacity_reserve_error(self.0.len(), new_capacity)
         }
     }
 
@@ -74,7 +77,7 @@ unsafe impl<T: Copy> Storage<T> for [T] {
 
     fn reserve(&mut self, capacity: usize) {
         if capacity > self.len() {
-            crate::raw::fixed_capacity_reserve_error(self.len(), capacity)
+            fixed_capacity_reserve_error(self.len(), capacity)
         }
     }
 

src/raw/slice.rs

@@ -84,11 +84,11 @@ impl<T, A> Clone for UninitBuffer<T, A> {
     fn clone(&self) -> Self { Self::default() }
 }
 
-impl<U, T, A> StorageWithCapacity<U> for UninitBuffer<T, A> {
+unsafe impl<U, T, A> StorageWithCapacity<U> for UninitBuffer<T, A> {
     fn with_capacity(capacity: usize) -> Self {
         let max_capacity = size::<U, T, A>();
         if capacity > max_capacity {
-            crate::raw::fixed_capacity_reserve_error(max_capacity, capacity)
+            crate::raw::capacity::fixed_capacity_reserve_error(max_capacity, capacity)
         }
 
         Self::default()
@@ -119,7 +119,7 @@ unsafe impl<U, T, A> Storage<U> for UninitBuffer<T, A> {
     fn reserve(&mut self, new_capacity: usize) {
         let capacity = size::<U, T, A>();
         if new_capacity > capacity {
-            crate::raw::fixed_capacity_reserve_error(capacity, new_capacity)
+            crate::raw::capacity::fixed_capacity_reserve_error(capacity, new_capacity)
         }
     }
 

src/raw/uninit.rs

@@ -59,7 +59,7 @@ unsafe impl<T> Storage<T> for ZeroSized<T> {
     fn capacity(&self) -> usize { usize::MAX }
 }
 
-impl<T> StorageWithCapacity<T> for ZeroSized<T> {
+unsafe impl<T> StorageWithCapacity<T> for ZeroSized<T> {
     #[inline]
     fn with_capacity(_: usize) -> Self { Self::NEW }
 }