safemem/
lib.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
//! Safe wrappers for memory-accessing functions like `std::ptr::copy()`.

#![cfg_attr(not(feature = "std"), no_std)]

#[cfg(not(feature = "std"))]
extern crate core as std;
use std::ptr;

macro_rules! idx_check (
    ($slice:expr, $idx:expr) => {
        assert!($idx < $slice.len(),
            concat!("`", stringify!($idx), "` ({}) out of bounds. Length: {}"),
            $idx, $slice.len());
    }
);

macro_rules! len_check (
    ($slice:expr, $start:ident, $len:ident) => {
        assert!(
            $start.checked_add($len)
                .expect(concat!("Overflow evaluating ", stringify!($start + $len)))
                <= $slice.len(),
            "Length {} starting at {} is out of bounds (slice len {}).", $len, $start, $slice.len()
        )
    }
);

/// Copy `len` elements from `src_idx` to `dest_idx`. Ranges may overlap.
///
/// Safe wrapper for `memmove()`/`std::ptr::copy()`.
///
/// ###Panics
/// * If either `src_idx` or `dest_idx` are out of bounds, or if either of these plus `len` is out of
/// bounds.
/// * If `src_idx + len` or `dest_idx + len` overflows.
pub fn copy_over<T: Copy>(slice: &mut [T], src_idx: usize, dest_idx: usize, len: usize) {
    if slice.len() == 0 { return; }

    idx_check!(slice, src_idx);
    idx_check!(slice, dest_idx);
    len_check!(slice, src_idx, len);
    len_check!(slice, dest_idx, len);

    // At any point a Rust reference exists, the compiler is free to do this.
    // So we explicitely add it to be caught by miri.
    #[cfg(miri)]
    slice.iter().copied().for_each(drop);

    let ptr = slice.as_mut_ptr();

    unsafe {
        ptr::copy(ptr.offset(src_idx as isize), ptr.offset(dest_idx as isize), len);
    }
}

/// Safe wrapper for `std::ptr::write_bytes()`/`memset()`.
pub fn write_bytes(slice: &mut [u8], byte: u8) {
    unsafe {
        ptr::write_bytes(slice.as_mut_ptr(), byte, slice.len());
    }
}

/// Prepend `elems` to `vec`, resizing if necessary.
///
/// ### Panics
///
/// If `vec.len() + elems.len()` overflows.
#[cfg(feature = "std")]
pub fn prepend<T: Copy>(elems: &[T], vec: &mut Vec<T>) {
    let elems_len = elems.len(); // `<= isize::MAX as usize`
    if elems_len == 0 { return; }

    let old_len = vec.len(); // `<= isize::MAX as usize`
    if old_len == 0 {
        // Prepend = append: delegate to Rust's stdlib implementation.
        vec.extend_from_slice(elems);
    } else {
        // Our overflow check occurs here, no need to do it ourselves.
        vec.reserve(elems_len);
        let ptr = vec.as_mut_ptr();
        unsafe {
            // Move the old elements down to the end.
            ptr::copy(
                ptr,
                ptr.offset(elems_len as isize),
                old_len,
            );
            // Copy the input elements to the start
            ptr::copy_nonoverlapping(
                elems.as_ptr(),
                ptr,
                elems_len,
            );
            // Set the len *after* having initialized the elements.
            vec.set_len(old_len + elems_len);
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    #[should_panic]
    fn bounds_check() {
        let mut arr = [0i32, 1, 2, 3, 4, 5];

        copy_over(&mut arr, 2, 1, 7);
    }

    #[test]
    fn copy_empty() {
        let mut arr: [i32; 0] = [];

        copy_over(&mut arr, 0, 0, 0);
    }

    #[test]
    #[cfg(feature = "std")]
    fn prepend_empty() {
        let mut vec: Vec<i32> = vec![];
        prepend(&[1, 2, 3], &mut vec);
    }

    #[test]
    #[cfg(feature = "std")]
    fn prepend_i32() {
        let mut vec = vec![3, 4, 5];
        prepend(&[1, 2], &mut vec);
        assert_eq!(vec, &[1, 2, 3, 4, 5]);
    }

    /// Detect potential uninit values when running miri
    #[test]
    #[cfg(all(
        feature = "std",
        miri,
    ))]
    fn prepend_bool() {
        prepend(&[true], &mut vec![false]);
    }
}