clarify safety in RawVec::into_box

rust-lang · Apr 5, 2020 · 6cbe172 · 6cbe172
1 parent 7b657d3
commit 6cbe172
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/liballoc/raw_vec.rs b/src/liballoc/raw_vec.rs
@@ -570,16 +570,19 @@ impl<T> RawVec<T, Global> {
     ///
     /// # Safety
     ///
-    /// `shrink_to_fit(len)` must be called immediately prior to calling this function. This
-    /// implies, that `len` must be smaller than or equal to `self.capacity()`.
+    /// * `len` must be greater than or equal to the most recently requested capacity, and
+    /// * `len` must be less than or equal to `self.capacity()`.
+    ///
+    /// Note, that the requested capacity and `self.capacity()` could differ, as
+    /// an allocator could overallocate and return a greater memory block than requested.
     pub unsafe fn into_box(self, len: usize) -> Box<[MaybeUninit<T>]> {
+        // Sanity-check one half of the safety requirement (we cannot check the other half).
         debug_assert!(
             len <= self.capacity(),
             "`len` must be smaller than or equal to `self.capacity()`"
         );
 
         let me = ManuallyDrop::new(self);
-        // NOTE: not calling `capacity()` here; actually using the real `cap` field!
         let slice = slice::from_raw_parts_mut(me.ptr() as *mut MaybeUninit<T>, len);
         Box::from_raw(slice)
     }