1 // Copyright 2015 The Rust Project Developers. See the COPYRIGHT
2 // file at the top-level directory of this distribution and at
3 // http://rust-lang.org/COPYRIGHT.
5 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
6 // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
7 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
8 // option. This file may not be copied, modified, or distributed
9 // except according to those terms.
11 use core::ptr::Unique;
13 use core::slice::{self, SliceExt};
16 use super::boxed::Box;
20 /// A low-level utility for more ergonomically allocating, reallocating, and deallocating a
21 /// a buffer of memory on the heap without having to worry about all the corner cases
22 /// involved. This type is excellent for building your own data structures like Vec and VecDeque.
25 /// * Produces heap::EMPTY on zero-sized types
26 /// * Produces heap::EMPTY on zero-length allocations
27 /// * Catches all overflows in capacity computations (promotes them to "capacity overflow" panics)
28 /// * Guards against 32-bit systems allocating more than isize::MAX bytes
29 /// * Guards against overflowing your length
31 /// * Avoids freeing heap::EMPTY
32 /// * Contains a ptr::Unique and thus endows the user with all related benefits
34 /// This type does not in anyway inspect the memory that it manages. When dropped it *will*
35 /// free its memory, but it *won't* try to Drop its contents. It is up to the user of RawVec
36 /// to handle the actual things *stored* inside of a RawVec.
38 /// Note that a RawVec always forces its capacity to be usize::MAX for zero-sized types.
39 /// This enables you to use capacity growing logic catch the overflows in your length
40 /// that might occur with zero-sized types.
42 /// However this means that you need to be careful when roundtripping this type
43 /// with a `Box<[T]>`: `cap()` won't yield the len. However `with_capacity`,
44 /// `shrink_to_fit`, and `from_box` will actually set RawVec's private capacity
45 /// field. This allows zero-sized types to not be special-cased by consumers of
47 #[unsafe_no_drop_flag]
48 pub struct RawVec<T> {
54 /// Creates the biggest possible RawVec without allocating. If T has positive
55 /// size, then this makes a RawVec with capacity 0. If T has 0 size, then it
56 /// it makes a RawVec with capacity `usize::MAX`. Useful for implementing
57 /// delayed allocation.
58 pub fn new() -> Self {
60 // !0 is usize::MAX. This branch should be stripped at compile time.
61 let cap = if mem::size_of::<T>() == 0 { !0 } else { 0 };
63 // heap::EMPTY doubles as "unallocated" and "zero-sized allocation"
64 RawVec { ptr: Unique::new(heap::EMPTY as *mut T), cap: cap }
68 /// Creates a RawVec with exactly the capacity and alignment requirements
69 /// for a `[T; cap]`. This is equivalent to calling RawVec::new when `cap` is 0
70 /// or T is zero-sized. Note that if `T` is zero-sized this means you will *not*
71 /// get a RawVec with the requested capacity!
75 /// * Panics if the requested capacity exceeds `usize::MAX` bytes.
76 /// * Panics on 32-bit platforms if the requested capacity exceeds
77 /// `isize::MAX` bytes.
82 pub fn with_capacity(cap: usize) -> Self {
84 let elem_size = mem::size_of::<T>();
86 let alloc_size = cap.checked_mul(elem_size).expect("capacity overflow");
87 alloc_guard(alloc_size);
89 // handles ZSTs and `cap = 0` alike
90 let ptr = if alloc_size == 0 {
91 heap::EMPTY as *mut u8
93 let align = mem::align_of::<T>();
94 let ptr = heap::allocate(alloc_size, align);
95 if ptr.is_null() { oom() }
99 RawVec { ptr: Unique::new(ptr as *mut _), cap: cap }
103 /// Reconstitutes a RawVec from a pointer and capacity.
105 /// # Undefined Behaviour
107 /// The ptr must be allocated, and with the given capacity. The
108 /// capacity cannot exceed `isize::MAX` (only a concern on 32-bit systems).
109 /// If the ptr and capacity come from a RawVec, then this is guaranteed.
110 pub unsafe fn from_raw_parts(ptr: *mut T, cap: usize) -> Self {
111 RawVec { ptr: Unique::new(ptr), cap: cap }
114 /// Converts a `Box<[T]>` into a `RawVec<T>`.
115 pub fn from_box(mut slice: Box<[T]>) -> Self {
117 let result = RawVec::from_raw_parts(slice.as_mut_ptr(), slice.len());
125 /// Gets a raw pointer to the start of the allocation. Note that this is
126 /// heap::EMPTY if `cap = 0` or T is zero-sized. In the former case, you must
128 pub fn ptr(&self) -> *mut T {
132 /// Gets the capacity of the allocation.
134 /// This will always be `usize::MAX` if `T` is zero-sized.
135 pub fn cap(&self) -> usize {
136 if mem::size_of::<T>() == 0 { !0 } else { self.cap }
139 /// Doubles the size of the type's backing allocation. This is common enough
140 /// to want to do that it's easiest to just have a dedicated method. Slightly
141 /// more efficient logic can be provided for this than the general case.
143 /// This function is ideal for when pushing elements one-at-a-time because
144 /// you don't need to incur the costs of the more general computations
145 /// reserve needs to do to guard against overflow. You do however need to
146 /// manually check if your `len == cap`.
150 /// * Panics if T is zero-sized on the assumption that you managed to exhaust
151 /// all `usize::MAX` slots in your imaginary buffer.
152 /// * Panics on 32-bit platforms if the requested capacity exceeds
153 /// `isize::MAX` bytes.
162 /// struct MyVec<T> {
167 /// impl<T> MyVec<T> {
168 /// pub fn push(&mut self, elem: T) {
169 /// if self.len == self.buf.cap() { self.buf.double(); }
170 /// // double would have aborted or panicked if the len exceeded
171 /// // `isize::MAX` so this is safe to do unchecked now.
173 /// ptr::write(self.buf.ptr().offset(self.len as isize), elem);
181 pub fn double(&mut self) {
183 let elem_size = mem::size_of::<T>();
185 // since we set the capacity to usize::MAX when elem_size is
186 // 0, getting to here necessarily means the RawVec is overfull.
187 assert!(elem_size != 0, "capacity overflow");
189 let align = mem::align_of::<T>();
191 let (new_cap, ptr) = if self.cap == 0 {
192 // skip to 4 because tiny Vec's are dumb; but not if that would cause overflow
193 let new_cap = if elem_size > (!0) / 8 { 1 } else { 4 };
194 let ptr = heap::allocate(new_cap * elem_size, align);
197 // Since we guarantee that we never allocate more than isize::MAX bytes,
198 // `elem_size * self.cap <= isize::MAX` as a precondition, so this can't overflow
199 let new_cap = 2 * self.cap;
200 let new_alloc_size = new_cap * elem_size;
201 alloc_guard(new_alloc_size);
202 let ptr = heap::reallocate(self.ptr() as *mut _,
203 self.cap * elem_size,
209 // If allocate or reallocate fail, we'll get `null` back
210 if ptr.is_null() { oom() }
212 self.ptr = Unique::new(ptr as *mut _);
217 /// Ensures that the buffer contains at least enough space to hold
218 /// `used_cap + needed_extra_cap` elements. If it doesn't already,
219 /// will reallocate the minimum possible amount of memory necessary.
220 /// Generally this will be exactly the amount of memory necessary,
221 /// but in principle the allocator is free to give back more than
224 /// If `used_cap` exceeds `self.cap()`, this may fail to actually allocate
225 /// the requested space. This is not really unsafe, but the unsafe
226 /// code *you* write that relies on the behaviour of this function may break.
230 /// * Panics if the requested capacity exceeds `usize::MAX` bytes.
231 /// * Panics on 32-bit platforms if the requested capacity exceeds
232 /// `isize::MAX` bytes.
237 pub fn reserve_exact(&mut self, used_cap: usize, needed_extra_cap: usize) {
239 let elem_size = mem::size_of::<T>();
240 let align = mem::align_of::<T>();
242 // NOTE: we don't early branch on ZSTs here because we want this
243 // to actually catch "asking for more than usize::MAX" in that case.
244 // If we make it past the first branch then we are guaranteed to
247 // Don't actually need any more capacity.
248 // Wrapping in case they gave a bad `used_cap`.
249 if self.cap().wrapping_sub(used_cap) >= needed_extra_cap { return; }
251 // Nothing we can really do about these checks :(
252 let new_cap = used_cap.checked_add(needed_extra_cap).expect("capacity overflow");
253 let new_alloc_size = new_cap.checked_mul(elem_size).expect("capacity overflow");
254 alloc_guard(new_alloc_size);
256 let ptr = if self.cap == 0 {
257 heap::allocate(new_alloc_size, align)
259 heap::reallocate(self.ptr() as *mut _,
260 self.cap * elem_size,
265 // If allocate or reallocate fail, we'll get `null` back
266 if ptr.is_null() { oom() }
268 self.ptr = Unique::new(ptr as *mut _);
273 /// Ensures that the buffer contains at least enough space to hold
274 /// `used_cap + needed_extra_cap` elements. If it doesn't already have
275 /// enough capacity, will reallocate enough space plus comfortable slack
276 /// space to get amortized `O(1)` behaviour. Will limit this behaviour
277 /// if it would needlessly cause itself to panic.
279 /// If `used_cap` exceeds `self.cap()`, this may fail to actually allocate
280 /// the requested space. This is not really unsafe, but the unsafe
281 /// code *you* write that relies on the behaviour of this function may break.
283 /// This is ideal for implementing a bulk-push operation like `extend`.
287 /// * Panics if the requested capacity exceeds `usize::MAX` bytes.
288 /// * Panics on 32-bit platforms if the requested capacity exceeds
289 /// `isize::MAX` bytes.
298 /// struct MyVec<T> {
303 /// impl<T> MyVec<T> {
304 /// pub fn push_all(&mut self, elems: &[T]) {
305 /// self.buf.reserve(self.len, elems.len());
306 /// // reserve would have aborted or panicked if the len exceeded
307 /// // `isize::MAX` so this is safe to do unchecked now.
310 /// ptr::write(self.buf.ptr().offset(self.len as isize), x.clone());
317 pub fn reserve(&mut self, used_cap: usize, needed_extra_cap: usize) {
319 let elem_size = mem::size_of::<T>();
320 let align = mem::align_of::<T>();
322 // NOTE: we don't early branch on ZSTs here because we want this
323 // to actually catch "asking for more than usize::MAX" in that case.
324 // If we make it past the first branch then we are guaranteed to
327 // Don't actually need any more capacity.
328 // Wrapping in case they give a bas `used_cap`
329 if self.cap().wrapping_sub(used_cap) >= needed_extra_cap { return; }
331 // Nothing we can really do about these checks :(
332 let new_cap = used_cap.checked_add(needed_extra_cap)
333 .and_then(|cap| cap.checked_mul(2))
334 .expect("capacity overflow");
335 let new_alloc_size = new_cap.checked_mul(elem_size).expect("capacity overflow");
336 // FIXME: may crash and burn on over-reserve
337 alloc_guard(new_alloc_size);
339 let ptr = if self.cap == 0 {
340 heap::allocate(new_alloc_size, align)
342 heap::reallocate(self.ptr() as *mut _,
343 self.cap * elem_size,
348 // If allocate or reallocate fail, we'll get `null` back
349 if ptr.is_null() { oom() }
351 self.ptr = Unique::new(ptr as *mut _);
356 /// Shrinks the allocation down to the specified amount. If the given amount
357 /// is 0, actually completely deallocates.
361 /// Panics if the given amount is *larger* than the current capacity.
366 pub fn shrink_to_fit(&mut self, amount: usize) {
367 let elem_size = mem::size_of::<T>();
368 let align = mem::align_of::<T>();
370 // Set the `cap` because they might be about to promote to a `Box<[T]>`
376 // This check is my waterloo; it's the only thing Vec wouldn't have to do.
377 assert!(self.cap >= amount, "Tried to shrink to a larger capacity");
380 mem::replace(self, RawVec::new());
381 } else if self.cap != amount {
383 // Overflow check is unnecessary as the vector is already at
385 let ptr = heap::reallocate(self.ptr() as *mut _,
386 self.cap * elem_size,
389 if ptr.is_null() { oom() }
390 self.ptr = Unique::new(ptr as *mut _);
396 /// Converts the entire buffer into `Box<[T]>`.
398 /// While it is not *strictly* Undefined Behaviour to call
399 /// this procedure while some of the RawVec is unintialized,
400 /// it cetainly makes it trivial to trigger it.
402 /// Note that this will correctly reconstitute any `cap` changes
403 /// that may have been performed. (see description of type for details)
404 pub unsafe fn into_box(self) -> Box<[T]> {
405 // NOTE: not calling `cap()` here, actually using the real `cap` field!
406 let slice = slice::from_raw_parts_mut(self.ptr(), self.cap);
407 let output: Box<[T]> = Box::from_raw(slice);
412 /// This is a stupid name in the hopes that someone will find this in the
413 /// not too distant future and remove it with the rest of
414 /// #[unsafe_no_drop_flag]
415 pub fn unsafe_no_drop_flag_needs_drop(&self) -> bool {
416 self.cap != mem::POST_DROP_USIZE
420 impl<T> Drop for RawVec<T> {
421 /// Frees the memory owned by the RawVec *without* trying to Drop its contents.
423 let elem_size = mem::size_of::<T>();
424 if elem_size != 0 && self.cap != 0 && self.unsafe_no_drop_flag_needs_drop() {
425 let align = mem::align_of::<T>();
427 let num_bytes = elem_size * self.cap;
429 heap::deallocate(*self.ptr as *mut _, num_bytes, align);
437 // We need to guarantee the following:
438 // * We don't ever allocate `> isize::MAX` byte-size objects
439 // * We don't overflow `usize::MAX` and actually allocate too little
441 // On 64-bit we just need to check for overflow since trying to allocate
442 // `> isize::MAX` bytes will surely fail. On 32-bit we need to add an extra
443 // guard for this in case we're running on a platform which can use all 4GB in
444 // user-space. e.g. PAE or x32
447 fn alloc_guard(alloc_size: usize) {
448 if core::usize::BITS < 64 {
449 assert!(alloc_size <= ::core::isize::MAX as usize, "capacity overflow");
projects / rust.git / blob