vec: with_capacity: check for overflow #10417
Conversation
| let alloc = capacity * mem::nonzero_size_of::<T>(); | ||
| let ptr = malloc_raw(alloc + mem::size_of::<Vec<()>>()) as *mut Vec<()>; | ||
| let alloc = capacity.checked_mul(&mem::nonzero_size_of::<T>()) | ||
| .expect("with_capacity: vector size overflowed"); |
There was a problem hiding this comment.
Should this be a failure, or an abort? (Also, does the managed branch need checks too?)
There was a problem hiding this comment.
reserve doesn't need checks, see line 1414. reserve_raw in at_vec also checks for overflow.
| @@ -186,7 +186,11 @@ pub fn with_capacity<T>(capacity: uint) -> ~[T] { | |||
| vec | |||
| } else { | |||
| let alloc = capacity * mem::nonzero_size_of::<T>(); | |||
| let ptr = malloc_raw(alloc + mem::size_of::<Vec<()>>()) as *mut Vec<()>; | |||
| let size = alloc + mem::size_of::<Vec<()>>(); | |||
| if alloc / mem::nonzero_size_of::<T>() != capacity || size < alloc { | |||
There was a problem hiding this comment.
Isn't this check incorrect, because the header is included in alloc?
There was a problem hiding this comment.
No. The header comes from size_of::<Vec<()>>. This is the same code used
for overflow handling elsewhere. cc @thestinger
On Mon, Nov 11, 2013 at 6:23 AM, Huon Wilson notifications@git.luolix.topwrote:
In src/libstd/vec.rs:
@@ -186,7 +186,11 @@ pub fn with_capacity(capacity: uint) -> ~[T] {
vec
} else {
let alloc = capacity * mem::nonzero_size_of::();
let ptr = malloc_raw(alloc + mem::size_of::<Vec<()>>()) as *mut Vec<()>;let size = alloc + mem::size_of::<Vec<()>>();if alloc / mem::nonzero_size_of::<T>() != capacity || size < alloc {Isn't this check incorrect, because the header is included in alloc?
—
Reply to this email directly or view it on GitHubhttps://github.com//pull/10417/files#r7556668
.
There was a problem hiding this comment.
Oh, of course... it's alloc / ... not size / ....
|
@cmr Division is slow (it may take 20-100x the time of other arithmetic ops depending on CPU), so it seems a bad idea to use it. Why not just use checked_mul() and then checked_add() which are generally far faster, and also make the intent totally clear? |
|
@thestinger ? I imagine it's because rust simply didn't have checked_* On Mon, Nov 11, 2013 at 8:39 AM, bill-myers notifications@git.luolix.topwrote:
|
|
@bill-myers the division is by a compile-time constant, so it will almost certainly be optimised to some combination of a shift and a multiplication (but only when optimisations are on). |
|
@huonw It's still going to be less efficient, since optimizing a division by non-power-of-two constant to a multiplication is not that easy (that is, you need a multiplication by multiplicative inverse and a loop, or an extending multiplication, shifts and other tricks); with checked_mul() you just check the carry flag or that the high part of extended multiplication is 0 |
|
@bill-myers that is true (i.e. it becomes a short series of multiplications + shifts... in fact, just checking now, LLVM optimises |
Suppress the triggering of some lints in derived structures Fixes rust-lang#10185 Fixes rust-lang#10417 For `integer_arithmetic`, `arithmetic_side_effects` and `shadow_reuse`. * ~~Not sure how to test these use-cases so feel free to point any method or any related PR.~~ --- changelog: FP: [`integer_arithmetic`], [`arithmetic_side_effects`]: No longer lint inside proc macros [rust-lang#10203](rust-lang/rust-clippy#10203) <!-- changelog_checked -->
Fixes #10271