FROMGIT: rust: alloc: replace Vec::set_len with inc_len

Rename `set_len` to `inc_len` and simplify its safety contract. Note that the usage in `CString::try_from_fmt` remains correct as the receiver is known to have `len == 0`. Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Tamir Duberstein <tamird@gmail.com> Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-4-112b222604cd@gmail.com Signed-off-by: Danilo Krummrich <dakr@kernel.org> Bug: 414994413 (cherry picked from commit 88d5d6a38d5161228fbfe017eb94d777d5e8a0e4 https://github.com/Rust-for-Linux/linux.git alloc-next) Change-Id: If8c9311fed95246e2329818589e0c9104d5d0685 Signed-off-by: Alice Ryhl <aliceryhl@google.com>
2025-04-16 13:15:43 -04:00
parent 597ebe7c32
commit 04d685ecf9
3 changed files with 14 additions and 15 deletions
@@ -185,20 +185,19 @@ where
        self.len
    }
-    /// Forcefully sets `self.len` to `new_len`.
+    /// Increments `self.len` by `additional`.
    ///
    /// # Safety
    ///
-    /// - `new_len` must be less than or equal to [`Self::capacity`].
+    /// - `additional` must be less than or equal to `self.capacity - self.len`.
-    /// - If `new_len` is greater than `self.len`, all elements within the interval
+    /// - All elements within the interval [`self.len`,`self.len + additional`) must be initialized.
    ///   [`self.len`,`new_len`) must be initialized.
    #[inline]
-    pub unsafe fn set_len(&mut self, new_len: usize) {
+    pub unsafe fn inc_len(&mut self, additional: usize) {
-        debug_assert!(new_len <= self.capacity());
+        // Guaranteed by the type invariant to never underflow.
-
+        debug_assert!(additional <= self.capacity() - self.len());
-        // INVARIANT: By the safety requirements of this method `new_len` represents the exact
+        // INVARIANT: By the safety requirements of this method this represents the exact number of
-        // number of elements stored within `self`.
+        // elements stored within `self`.
-        self.len = new_len;
+        self.len += additional;
    }
    /// Decreases `self.len` by `count`.
@@ -317,7 +316,7 @@ where
        // SAFETY: We just initialised the first spare entry, so it is safe to increase the length
        // by 1. We also know that the new length is <= capacity because of the previous call to
        // `reserve` above.
-        unsafe { self.set_len(self.len() + 1) };
+        unsafe { self.inc_len(1) };
        Ok(())
    }
@@ -521,7 +520,7 @@ impl<T: Clone, A: Allocator> Vec<T, A> {
        // SAFETY:
        // - `self.len() + n < self.capacity()` due to the call to reserve above,
        // - the loop and the line above initialized the next `n` elements.
-        unsafe { self.set_len(self.len() + n) };
+        unsafe { self.inc_len(n) };
        Ok(())
    }
@@ -552,7 +551,7 @@ impl<T: Clone, A: Allocator> Vec<T, A> {
        //   the length by the same number.
        // - `self.len() + other.len() <= self.capacity()` is guaranteed by the preceding `reserve`
        //   call.
-        unsafe { self.set_len(self.len() + other.len()) };
+        unsafe { self.inc_len(other.len()) };
        Ok(())
    }
@@ -832,7 +832,7 @@ impl CString {
        // SAFETY: The number of bytes that can be written to `f` is bounded by `size`, which is
        // `buf`'s capacity. The contents of the buffer have been initialised by writes to `f`.
-        unsafe { buf.set_len(f.bytes_written()) };
+        unsafe { buf.inc_len(f.bytes_written()) };
        // Check that there are no `NUL` bytes before the end.
        // SAFETY: The buffer is valid for read because `f.bytes_written()` is bounded by `size`
@@ -291,7 +291,7 @@ impl UserSliceReader {
        // SAFETY: Since the call to `read_raw` was successful, so the next `len` bytes of the
        // vector have been initialized.
-        unsafe { buf.set_len(buf.len() + len) };
+        unsafe { buf.inc_len(len) };
        Ok(())
    }