forbid unsafe impl, restructure

Author: hkratz

portable/src/basic.rs

@@ -115,7 +115,7 @@ pub mod imp {
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
         #[must_use]
-        unsafe fn new() -> Self
+        fn new() -> Self
         where
             Self: Sized;
 
@@ -124,7 +124,7 @@ pub mod imp {
         /// # Safety
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
-        unsafe fn update(&mut self, input: &[u8]);
+        fn update(&mut self, input: &[u8]);
 
         /// Finishes the validation and returns `Ok(())` if the input was valid UTF-8.
         ///
@@ -135,7 +135,7 @@ pub mod imp {
         /// # Safety
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
-        unsafe fn finalize(self) -> core::result::Result<(), basic::Utf8Error>;
+        fn finalize(self) -> core::result::Result<(), basic::Utf8Error>;
     }
 
     /// Like [`Utf8Validator`] this low-level API is for streaming validation of UTF-8 data.
@@ -162,7 +162,7 @@ pub mod imp {
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
         #[must_use]
-        unsafe fn new() -> Self
+        fn new() -> Self
         where
             Self: Sized;
 
@@ -174,7 +174,7 @@ pub mod imp {
         /// # Safety
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
-        unsafe fn update_from_chunks(&mut self, input: &[u8]);
+        fn update_from_chunks(&mut self, input: &[u8]);
 
         /// Updates the validator with remaining input if any. There is no restriction on the
         /// data provided.
@@ -188,26 +188,26 @@ pub mod imp {
         /// # Safety
         /// This implementation requires CPU SIMD features specified by the module it resides in.
         /// It is undefined behavior to call it if the required CPU features are not available.
-        unsafe fn finalize(
+        fn finalize(
             self,
             remaining_input: core::option::Option<&[u8]>,
         ) -> core::result::Result<(), basic::Utf8Error>;
     }
 
-    /// Includes the portable SIMD implementations.
-    pub mod portable {
-        /// Includes the validation implementation using 128-bit portable SIMD.
-        pub mod simd128 {
-            pub use crate::implementation::portable::simd128::validate_utf8_basic as validate_utf8;
-            pub use crate::implementation::portable::simd128::ChunkedUtf8ValidatorImp;
-            pub use crate::implementation::portable::simd128::Utf8ValidatorImp;
-        }
-
-        /// Includes the validation implementation using 256-bit portable SIMD.
-        pub mod simd256 {
-            pub use crate::implementation::portable::simd256::validate_utf8_basic as validate_utf8;
-            pub use crate::implementation::portable::simd256::ChunkedUtf8ValidatorImp;
-            pub use crate::implementation::portable::simd256::Utf8ValidatorImp;
-        }
+    /// Best for current target
+    pub use v128 as auto;
+
+    /// Includes the validation implementation using 128-bit portable SIMD.
+    pub mod v128 {
+        pub use crate::implementation::simd::v128::validate_utf8_basic as validate_utf8;
+        pub use crate::implementation::simd::v128::ChunkedUtf8ValidatorImp;
+        pub use crate::implementation::simd::v128::Utf8ValidatorImp;
+    }
+
+    /// Includes the validation implementation using 256-bit portable SIMD.
+    pub mod v256 {
+        pub use crate::implementation::simd::v256::validate_utf8_basic as validate_utf8;
+        pub use crate::implementation::simd::v256::ChunkedUtf8ValidatorImp;
+        pub use crate::implementation::simd::v256::Utf8ValidatorImp;
     }
 }

portable/src/compat.rs

@@ -102,16 +102,16 @@ pub fn from_utf8_mut(input: &mut [u8]) -> Result<&mut str, Utf8Error> {
 /// Allows direct access to the platform-specific unsafe validation implementations.
 #[cfg(feature = "public_imp")]
 pub mod imp {
-    /// FIXME: add docs
-    pub mod portable {
-        /// Includes the validation implementation for 128-bit portable SIMD.
-        pub mod simd128 {
-            pub use crate::implementation::portable::simd128::validate_utf8_compat as validate_utf8;
-        }
+    /// Best for current target FIXME: 256-bit support
+    pub use v128 as auto;
 
-        /// Includes the validation implementation for 256-bit portable SIMD.
-        pub mod simd256 {
-            pub use crate::implementation::portable::simd256::validate_utf8_compat as validate_utf8;
-        }
+    /// Includes the validation implementation for 128-bit portable SIMD.
+    pub mod v128 {
+        pub use crate::implementation::simd::v128::validate_utf8_compat as validate_utf8;
+    }
+
+    /// Includes the validation implementation for 256-bit portable SIMD.
+    pub mod v256 {
+        pub use crate::implementation::simd::v256::validate_utf8_compat as validate_utf8;
     }
 }

portable/src/implementation/helpers.rs

@@ -37,16 +37,6 @@ pub(crate) fn get_compat_error(input: &[u8], failing_block_pos: usize) -> Utf8Er
     validate_utf8_at_offset(input, offset).unwrap_err()
 }
 
-#[allow(dead_code)] // only used if there is a SIMD implementation
-#[inline]
-pub(crate) unsafe fn memcpy_unaligned_nonoverlapping_inline_opt_lt_64(
-    src: *const u8,
-    dest: *mut u8,
-    len: usize,
-) {
-    src.copy_to_nonoverlapping(dest, len);
-}
-
 pub(crate) const SIMD_CHUNK_SIZE: usize = 64;
 
 #[repr(C, align(32))]

portable/src/implementation/mod.rs

@@ -1,12 +1,12 @@
 //! Contains UTF-8 validation implementations.
 
-pub(crate) mod helpers;
+#![forbid(unsafe_code)]
 
-// UTF-8 validation function types
-pub(crate) mod portable;
+pub(crate) mod helpers;
+pub(crate) mod simd;
 
 #[inline]
-pub(crate) unsafe fn validate_utf8_basic(input: &[u8]) -> Result<(), crate::basic::Utf8Error> {
+pub(crate) fn validate_utf8_basic(input: &[u8]) -> Result<(), crate::basic::Utf8Error> {
     if input.len() < helpers::SIMD_CHUNK_SIZE {
         return validate_utf8_basic_fallback(input);
     }
@@ -15,27 +15,27 @@ pub(crate) unsafe fn validate_utf8_basic(input: &[u8]) -> Result<(), crate::basi
 }
 
 #[inline(never)]
-unsafe fn validate_utf8_basic_simd(input: &[u8]) -> Result<(), crate::basic::Utf8Error> {
+fn validate_utf8_basic_simd(input: &[u8]) -> Result<(), crate::basic::Utf8Error> {
     #[cfg(not(feature = "simd256"))]
-    return portable::algorithm_safe::validate_utf8_basic(input);
+    return simd::v128::validate_utf8_basic(input);
     #[cfg(feature = "simd256")]
-    return portable::simd256::validate_utf8_basic(input);
+    return simd::v256::validate_utf8_basic(input);
 }
 
 #[inline]
-pub(crate) unsafe fn validate_utf8_compat(input: &[u8]) -> Result<(), crate::compat::Utf8Error> {
+pub(crate) fn validate_utf8_compat(input: &[u8]) -> Result<(), crate::compat::Utf8Error> {
     if input.len() < helpers::SIMD_CHUNK_SIZE {
         return validate_utf8_compat_fallback(input);
     }
 
     validate_utf8_compat_simd(input)
 }
 
-unsafe fn validate_utf8_compat_simd(input: &[u8]) -> Result<(), crate::compat::Utf8Error> {
+fn validate_utf8_compat_simd(input: &[u8]) -> Result<(), crate::compat::Utf8Error> {
     #[cfg(not(feature = "simd256"))]
-    return portable::algorithm_safe::validate_utf8_compat(input);
+    return simd::v128::validate_utf8_compat(input);
     #[cfg(feature = "simd256")]
-    return portable::simd256::validate_utf8_compat(input);
+    return simd::v256::validate_utf8_compat(input);
 }
 
 // fallback method implementations

portable/src/implementation/portable/mod.rs

@@ -658,11 +658,6 @@ where
 ///
 /// # Errors
 /// Returns the zero-sized [`basic::Utf8Error`] on failure.
-///
-/// # Safety
-/// This function is inherently unsafe because it is compiled with SIMD extensions
-/// enabled. Make sure that the CPU supports it before calling.
-///
 #[inline]
 pub fn validate_utf8_basic(input: &[u8]) -> core::result::Result<(), basic::Utf8Error> {
     Utf8CheckAlgorithm::<16, 4>::validate_utf8_basic(input)
@@ -672,11 +667,6 @@ pub fn validate_utf8_basic(input: &[u8]) -> core::result::Result<(), basic::Utf8
 ///
 /// # Errors
 /// Returns [`compat::Utf8Error`] with detailed error information on failure.
-///
-/// # Safety
-/// This function is inherently unsafe because it is compiled with SIMD extensions
-/// enabled. Make sure that the CPU supports it before calling.
-///
 #[inline]
 pub fn validate_utf8_compat(input: &[u8]) -> core::result::Result<(), compat::Utf8Error> {
     Utf8CheckAlgorithm::<16, 4>::validate_utf8_compat_simd0(input)
@@ -698,7 +688,7 @@ pub struct Utf8ValidatorImp {
 #[cfg(feature = "public_imp")]
 impl Utf8ValidatorImp {
     #[inline]
-    unsafe fn update_from_incomplete_data(&mut self) {
+    fn update_from_incomplete_data(&mut self) {
         let simd_input = SimdInput::new(&self.incomplete_data);
         self.algorithm.check_utf8(&simd_input);
         self.incomplete_len = 0;
@@ -709,7 +699,7 @@ impl Utf8ValidatorImp {
 impl basic::imp::Utf8Validator for Utf8ValidatorImp {
     #[inline]
     #[must_use]
-    unsafe fn new() -> Self {
+    fn new() -> Self {
         Self {
             algorithm: Utf8CheckAlgorithm::<16, 4>::new(),
             incomplete_data: [0; 64],
@@ -718,17 +708,15 @@ impl basic::imp::Utf8Validator for Utf8ValidatorImp {
     }
 
     #[inline]
-    unsafe fn update(&mut self, mut input: &[u8]) {
+    fn update(&mut self, mut input: &[u8]) {
         use crate::implementation::helpers::SIMD_CHUNK_SIZE;
         if input.is_empty() {
             return;
         }
         if self.incomplete_len != 0 {
             let to_copy = core::cmp::min(SIMD_CHUNK_SIZE - self.incomplete_len, input.len());
-            self.incomplete_data
-                .as_mut_ptr()
-                .add(self.incomplete_len)
-                .copy_from_nonoverlapping(input.as_ptr(), to_copy);
+            self.incomplete_data[self.incomplete_len..self.incomplete_len + to_copy]
+                .copy_from_slice(&input[..to_copy]);
             if self.incomplete_len + to_copy == SIMD_CHUNK_SIZE {
                 self.update_from_incomplete_data();
                 input = &input[to_copy..];
@@ -747,15 +735,13 @@ impl basic::imp::Utf8Validator for Utf8ValidatorImp {
         }
         if idx < len {
             let to_copy = len - idx;
-            self.incomplete_data
-                .as_mut_ptr()
-                .copy_from_nonoverlapping(input.as_ptr().add(idx), to_copy);
+            self.incomplete_data[..to_copy].copy_from_slice(&input[idx..idx + to_copy]);
             self.incomplete_len = to_copy;
         }
     }
 
     #[inline]
-    unsafe fn finalize(mut self) -> core::result::Result<(), basic::Utf8Error> {
+    fn finalize(mut self) -> core::result::Result<(), basic::Utf8Error> {
         if self.incomplete_len != 0 {
             for i in &mut self.incomplete_data[self.incomplete_len..] {
                 *i = 0;
@@ -785,14 +771,14 @@ pub struct ChunkedUtf8ValidatorImp {
 impl basic::imp::ChunkedUtf8Validator for ChunkedUtf8ValidatorImp {
     #[inline]
     #[must_use]
-    unsafe fn new() -> Self {
+    fn new() -> Self {
         Self {
             algorithm: Utf8CheckAlgorithm::<16, 4>::new(),
         }
     }
 
     #[inline]
-    unsafe fn update_from_chunks(&mut self, input: &[u8]) {
+    fn update_from_chunks(&mut self, input: &[u8]) {
         use crate::implementation::helpers::SIMD_CHUNK_SIZE;
 
         assert!(
@@ -806,7 +792,7 @@ impl basic::imp::ChunkedUtf8Validator for ChunkedUtf8ValidatorImp {
     }
 
     #[inline]
-    unsafe fn finalize(
+    fn finalize(
         mut self,
         remaining_input: core::option::Option<&[u8]>,
     ) -> core::result::Result<(), basic::Utf8Error> {
@@ -823,10 +809,7 @@ impl basic::imp::ChunkedUtf8Validator for ChunkedUtf8ValidatorImp {
                 if rem > 0 {
                     remaining_input = &remaining_input[chunks_lim..];
                     let mut tmpbuf = TempSimdChunk::new();
-                    tmpbuf
-                        .0
-                        .as_mut_ptr()
-                        .copy_from_nonoverlapping(remaining_input.as_ptr(), remaining_input.len());
+                    tmpbuf.0[..remaining_input.len()].copy_from_slice(remaining_input);
                     let simd_input = SimdInput::new(&tmpbuf.0);
                     self.algorithm.check_utf8(&simd_input);
                 }
@@ -840,3 +823,21 @@ impl basic::imp::ChunkedUtf8Validator for ChunkedUtf8ValidatorImp {
         }
     }
 }
+
+pub(crate) mod v128 {
+    pub use super::validate_utf8_basic;
+    pub use super::validate_utf8_compat;
+    #[cfg(feature = "public_imp")]
+    pub use super::ChunkedUtf8ValidatorImp;
+    #[cfg(feature = "public_imp")]
+    pub use super::Utf8ValidatorImp;
+}
+
+pub(crate) mod v256 {
+    pub use super::validate_utf8_basic;
+    pub use super::validate_utf8_compat;
+    #[cfg(feature = "public_imp")]
+    pub use super::ChunkedUtf8ValidatorImp;
+    #[cfg(feature = "public_imp")]
+    pub use super::Utf8ValidatorImp;
+}