//! Safe wrappers for memory-accessing functions like `std::ptr::copy()`.
#![cfg_attr(not(feature = "std"), no_std)]
#[cfg(not(feature = "std"))]
extern crate core as std;
use std::ptr;
/// Panics unless `$idx` is a valid index into `$slice`.
///
/// Both arguments are evaluated exactly once; the panic message names the
/// index expression as written at the call site.
macro_rules! idx_check {
    ($slice:expr, $idx:expr) => {{
        let idx = $idx;
        let slice_len = $slice.len();
        assert!(
            idx < slice_len,
            concat!("`", stringify!($idx), "` ({}) out of bounds. Length: {}"),
            idx,
            slice_len
        );
    }};
}
/// Panics unless the `$len` elements starting at `$start` all lie within `$slice`.
///
/// Overflow of `$start + $len` is reported as its own panic rather than being
/// allowed to wrap around and pass the bounds comparison.
macro_rules! len_check {
    ($slice:expr, $start:ident, $len:ident) => {{
        let end = $start
            .checked_add($len)
            .expect(concat!("Overflow evaluating ", stringify!($start + $len)));
        let slice_len = $slice.len();
        assert!(
            end <= slice_len,
            "Length {} starting at {} is out of bounds (slice len {}).",
            $len,
            $start,
            slice_len
        );
    }};
}
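/// Copy `len` elements from `src_idx` to `dest_idx`. Ranges may overlap.
///
/// Safe wrapper for `memmove()`/`std::ptr::copy()`.
///
/// An empty `slice` is a no-op regardless of the indices: the bounds checks
/// below are skipped in that case.
///
/// ### Panics
/// * If either `src_idx` or `dest_idx` are out of bounds, or if either of these plus `len` is out of
///   bounds.
/// * If `src_idx + len` or `dest_idx + len` overflows.
pub fn copy_over<T: Copy>(slice: &mut [T], src_idx: usize, dest_idx: usize, len: usize) {
    if slice.is_empty() {
        return;
    }
    idx_check!(slice, src_idx);
    idx_check!(slice, dest_idx);
    len_check!(slice, src_idx, len);
    len_check!(slice, dest_idx, len);
    // At any point a Rust reference exists, the compiler is free to do this
    // (read every element). So we explicitly add it to be caught by miri.
    #[cfg(miri)]
    slice.iter().copied().for_each(drop);
    let ptr = slice.as_mut_ptr();
    // SAFETY: the checks above guarantee `src_idx + len <= slice.len()` and
    // `dest_idx + len <= slice.len()` without overflow, so both ranges lie
    // inside the buffer we hold `&mut` to. `T: Copy` means duplicating or
    // overwriting elements bitwise needs no drop glue, and `ptr::copy` is
    // specified for overlapping ranges. `add` replaces `offset(i as isize)`:
    // the in-bounds proof already makes the cast redundant.
    unsafe {
        ptr::copy(ptr.add(src_idx), ptr.add(dest_idx), len);
    }
}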
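/// Fill every byte of `slice` with `byte`.
///
/// Safe wrapper for `std::ptr::write_bytes()`/`memset()`. Because the element
/// type is `u8`, a plain element-wise store is exactly `memset` semantics, so
/// the function needs no `unsafe` at all (the optimiser is expected to lower
/// the loop to a `memset` call). An empty slice is a no-op.
pub fn write_bytes(slice: &mut [u8], byte: u8) {
    for b in slice.iter_mut() {
        *b = byte;
    }
}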
/// Prepend `elems` to `vec`, resizing if necessary.
///
/// ### Panics
///
/// If `vec.len() + elems.len()` overflows.
#[cfg(feature = "std")]
pub fn prepend<T: Copy>(elems: &[T], vec: &mut Vec<T>) {
let elems_len = elems.len(); // `<= isize::MAX as usize`
if elems_len == 0 { return; }
let old_len = vec.len(); // `<= isize::MAX as usize`
if old_len == 0 {
// Prepend = append: delegate to Rust's stdlib implementation.
vec.extend_from_slice(elems);
} else {
// Our overflow check occurs here, no need to do it ourselves.
vec.reserve(elems_len);
let ptr = vec.as_mut_ptr();
unsafe {
// Move the old elements down to the end.
ptr::copy(
ptr,
ptr.offset(elems_len as isize),
old_len,
);
// Copy the input elements to the start
ptr::copy_nonoverlapping(
elems.as_ptr(),
ptr,
elems_len,
);
// Set the len *after* having initialized the elements.
vec.set_len(old_len + elems_len);
}
}
}
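#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    #[should_panic]
    fn bounds_check() {
        let mut arr = [0i32, 1, 2, 3, 4, 5];
        // `src_idx + len` (9) exceeds the length (6).
        copy_over(&mut arr, 2, 1, 7);
    }

    #[test]
    #[should_panic]
    fn bounds_check_index() {
        let mut arr = [0i32, 1, 2];
        // An index equal to the length is rejected even when `len == 0`.
        copy_over(&mut arr, 0, 3, 0);
    }

    #[test]
    fn copy_empty() {
        let mut arr: [i32; 0] = [];
        copy_over(&mut arr, 0, 0, 0);
    }

    #[test]
    fn copy_overlapping() {
        // Forward overlap: destination starts inside the source range.
        let mut arr = [0i32, 1, 2, 3, 4, 5];
        copy_over(&mut arr, 0, 2, 4);
        assert_eq!(arr, [0, 1, 0, 1, 2, 3]);
        // Backward overlap: source starts inside the destination range.
        let mut arr = [0i32, 1, 2, 3, 4, 5];
        copy_over(&mut arr, 2, 0, 4);
        assert_eq!(arr, [2, 3, 4, 5, 4, 5]);
    }

    #[test]
    fn write_bytes_fills() {
        let mut buf = [1u8, 2, 3];
        write_bytes(&mut buf, 0xFF);
        assert_eq!(buf, [0xFF; 3]);
    }

    #[test]
    #[cfg(feature = "std")]
    fn prepend_empty() {
        let mut vec: Vec<i32> = vec![];
        prepend(&[1, 2, 3], &mut vec);
        // The original test only checked that this did not panic; pin the result too.
        assert_eq!(vec, &[1, 2, 3]);
    }

    #[test]
    #[cfg(feature = "std")]
    fn prepend_i32() {
        let mut vec = vec![3, 4, 5];
        prepend(&[1, 2], &mut vec);
        assert_eq!(vec, &[1, 2, 3, 4, 5]);
    }

    #[test]
    #[cfg(feature = "std")]
    fn prepend_nothing() {
        let mut vec = vec![3, 4, 5];
        prepend(&[], &mut vec);
        assert_eq!(vec, &[3, 4, 5]);
    }

    /// Detect potential uninit values when running miri
    #[test]
    #[cfg(all(feature = "std", miri))]
    fn prepend_bool() {
        let mut vec = vec![false];
        prepend(&[true], &mut vec);
        assert_eq!(vec, &[true, false]);
    }
}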