libm: Replace div! with unchecked_div_*

`div!` looks innocuous but is actually unsafe. Replace it with function
calls that require us to actually use `unsafe`, and add the precondition
notes. These can likely be removed completely in the near future.

There is one case in `rem_pio2_large` and one in `exp2` where
preconditions aren't as easy to define, but fortunately it seems like we
are able to just use regular division there without affecting codegen.

Author: tgross35

libm/src/math/exp2.rs

@@ -380,7 +380,7 @@ pub fn exp2(mut x: f64) -> f64 {
     let mut i0 = ui as u32;
     i0 = i0.wrapping_add(TBLSIZE as u32 / 2);
     let ku = i0 / TBLSIZE as u32 * TBLSIZE as u32;
-    let ki = div!(ku as i32, TBLSIZE as i32);
+    let ki = (ku as i32) / TBLSIZE as i32;
     i0 %= TBLSIZE as u32;
     let uf = f64::from_bits(ui) - redux;
     let mut z = x - uf;

libm/src/math/lgamma_r.rs

@@ -79,6 +79,7 @@
  */
 
 use super::{floor, k_cos, k_sin, log};
+use crate::support::unchecked_div_i32;
 
 const PI: f64 = 3.14159265358979311600e+00; /* 0x400921FB, 0x54442D18 */
 const A0: f64 = 7.72156649015328655494e-02; /* 0x3FB3C467, 0xE37DB0C8 */
@@ -152,7 +153,8 @@ fn sin_pi(mut x: f64) -> f64 {
     x = 2.0 * (x * 0.5 - floor(x * 0.5)); /* x mod 2.0 */
 
     n = (x * 4.0) as i32;
-    n = div!(n + 1, 2);
+    // SAFETY: nonzero divisor, nonnegative dividend (`n < 8`).
+    n = unsafe { unchecked_div_i32(n + 1, 2) };
     x -= (n as f64) * 0.5;
     x *= PI;
 

libm/src/math/lgammaf_r.rs

@@ -14,6 +14,7 @@
  */
 
 use super::{floorf, k_cosf, k_sinf, logf};
+use crate::support::unchecked_div_isize;
 
 const PI: f32 = 3.1415927410e+00; /* 0x40490fdb */
 const A0: f32 = 7.7215664089e-02; /* 0x3d9e233f */
@@ -88,7 +89,8 @@ fn sin_pi(mut x: f32) -> f32 {
     x = 2.0 * (x * 0.5 - floorf(x * 0.5)); /* x mod 2.0 */
 
     n = (x * 4.0) as isize;
-    n = div!(n + 1, 2);
+    // SAFETY: nonzero divisor, nonnegative dividend (`n < 8`).
+    n = unsafe { unchecked_div_isize(n + 1, 2) };
     y = (x as f64) - (n as f64) * 0.5;
     y *= 3.14159265358979323846;
     match n {

libm/src/math/mod.rs

@@ -58,24 +58,6 @@ macro_rules! i {
     };
 }
 
-// Temporary macro to avoid panic codegen for division (in debug mode too). At
-// the time of this writing this is only used in a few places, and once
-// rust-lang/rust#72751 is fixed then this macro will no longer be necessary and
-// the native `/` operator can be used and panics won't be codegen'd.
-#[cfg(any(debug_assertions, not(intrinsics_enabled)))]
-macro_rules! div {
-    ($a:expr, $b:expr) => {
-        $a / $b
-    };
-}
-
-#[cfg(all(not(debug_assertions), intrinsics_enabled))]
-macro_rules! div {
-    ($a:expr, $b:expr) => {
-        unsafe { core::intrinsics::unchecked_div($a, $b) }
-    };
-}
-
 // `support` may be public for testing
 #[macro_use]
 #[cfg(feature = "unstable-public-internals")]

libm/src/math/rem_pio2_large.rs

@@ -255,7 +255,7 @@ pub(crate) fn rem_pio2_large(x: &[f64], y: &mut [f64], e0: i32, prec: usize) ->
 
     /* determine jx,jv,q0, note that 3>q0 */
     let jx = nx - 1;
-    let mut jv = div!(e0 - 3, 24);
+    let mut jv = (e0 - 3) / 24;
     if jv < 0 {
         jv = 0;
     }

libm/src/math/support/mod.rs

@@ -37,3 +37,36 @@ pub fn cold_path() {
     #[cfg(intrinsics_enabled)]
     core::hint::cold_path();
 }
+
+/// # Safety
+///
+/// `y` must not be zero and the result must not overflow (`x > i32::MIN`).
+pub unsafe fn unchecked_div_i32(x: i32, y: i32) -> i32 {
+    cfg_if! {
+        if #[cfg(all(not(debug_assertions), intrinsics_enabled))] {
+            // Temporary macro to avoid panic codegen for division (in debug mode too). At
+            // the time of this writing this is only used in a few places, and once
+            // rust-lang/rust#72751 is fixed then this macro will no longer be necessary and
+            // the native `/` operator can be used and panics won't be codegen'd.
+            //
+            // Note: I am not sure whether the above comment is still up to date, we need
+            // to double check whether panics are elided where we use this.
+            unsafe { core::intrinsics::unchecked_div(x, y) }
+        } else {
+            x / y
+        }
+    }
+}
+
+/// # Safety
+///
+/// `y` must not be zero and the result must not overflow (`x > isize::MIN`).
+pub unsafe fn unchecked_div_isize(x: isize, y: isize) -> isize {
+    cfg_if! {
+        if #[cfg(all(not(debug_assertions), intrinsics_enabled))] {
+            unsafe { core::intrinsics::unchecked_div(x, y) }
+        } else {
+            x / y
+        }
+    }
+}

libm/src/math/tgamma.rs

@@ -23,6 +23,7 @@ Gamma(x)*Gamma(-x) = -pi/(x sin(pi x))
 most ideas and constants are from boost and python
 */
 use super::{exp, floor, k_cos, k_sin, pow};
+use crate::support::unchecked_div_isize;
 
 const PI: f64 = 3.141592653589793238462643383279502884;
 
@@ -37,7 +38,8 @@ fn sinpi(mut x: f64) -> f64 {
 
     /* reduce x into [-.25,.25] */
     n = (4.0 * x) as isize;
-    n = div!(n + 1, 2);
+    // SAFETY: nonzero divisor, nonnegative dividend (`n < 8`).
+    n = unsafe { unchecked_div_isize(n + 1, 2) };
     x -= (n as f64) * 0.5;
 
     x *= PI;