`CappedString::as_bytes` previously used a wide pointer cast to obtain a
`&[u8]` from the `[MaybeUninit<u8>; N]` buffer; it cast a `*const
[MaybeUninit<u8>]` to a `*const [u8]` as an intermediate step. Although
this seems to be valid and did not cause any UB detected by MIRI, it
seems to be generally accepted that `slice::from_raw_parts` is the
preferred way to transmute slices since it makes explicit the metadata
(length in this case) of the new wide pointer. This is in contrast to
casting with `as`, which implicitly copies the metadata from the old
wide pointer into the new one.
Therefore, this patch replaces the `as *const [u8]` conversion with a
call to `slice::from_raw_parts`.
This patch adds `CappedString::into_fixed` and
`CappedString::into_fixed_max_capacity` to allow for checked conversions
from `CappedString` to `FixedString`.
This patch adds several unit tests for `CappedString`, which are
intended to be run under miri since `CappedString` uses lots of unsafe
code. It also adds documentation and documentation tests for a number of
previously undocumented `CappedString` methods.
Previously, several functions in the implementation of `InliningString`
converted raw pointers to references as part of large blocks of code,
either via deref coercion or via `slice::from_raw_parts`. This created a
risk of Rust inferring reference lifetimes that were too long; this is
bad because it could result in a use-after-free or mutable aliasing.
This patch moves pointer-to-reference conversions in `InliningString` to
dedicated helper functions with explicit or easily-elided lifetimes to
avoid this issue.
This patch also introduces a
`InliningString::take_boxed_buf_invalidating` method, which provides a
way to move the boxed buffer out of an `InliningString` without aliasing
the box's heap allocation (which is not allowed). The `Drop`
implementation is reworked to use this method, as well as
`InliningString::into_boxed_str`.
A debug assertion in `encoding::url::percent_decode_utf8` previously
cast the result of `[u8]::as_ptr` to `*const u8`, which was redundant
because the return type of the `as_ptr` call was already `*const u8`.
This patch removes the redundant cast.
This patch implements the `CappedString::push` and
`CappedString::push_truncating` methods, which are like
`CappedString::push_str` and friends but take a single character rather
than a string slice.
This patch implements `CappedString::push_str` and its truncating
counterpart, `CappedString::push_str_truncating`. These methods provide
a safe API to append additional string data to the end of a
`CappedString`.
This is a work-in-progress and, like the rest of `CappedString`,
requires unit testing.
This patch replaces the logic in `CappedString::new` for copying the
string data into a `[MaybeUninit<u8>]` buffer with a call to
`CappedString::from_raw_ptr`, which performs the same task.
This patch changes the name of the CappedString error type to be more
descriptive, adds inline and must_use annotations to more public
functions, and begins implementing a wider variety of ways to create a
CappedString.
test.sh previously had each of its runs hard-coded; this patch changes
the script to loop over an array of cargo flags instead. This allows new
flags to be added to the array to easily add new runs to the test
script.
CappedString was previously backed by a `[u8; N]`, which required
zeroing the buffer on creation. It now uses a `[MaybeUninit<u8>; N]`,
which does need to be zeroed. This should improve the performance of
creating a new CappedString, at the cost of slightly more unsafe code
required in its implementation.
Additionally, `as_bytes` and `as_bytes_mut` methods were introduced.
These are primarily used internally in the implementation of
CappedString, but are also provided as part of the public API to allow
users to do low-level operations on the underlying buffer backing the
CappedString. `as_bytes_mut` is unsafe, as this method can be used to
violate the UTF-8 property of the CappedString, which is undefined
behaviour.
The unsafe_op_in_unsafe_fn lint was previously set to allow, meaning
that unsafe function calls and operations were allowed within unsafe
functions without a surrounding unsafe block. This patch changes the
lint to deny, for the purpose of making unsafe operations in the
codebase more explicit.
pantonshire