Complete our safety mitigations in the float writers.

Alexhuszagh · Alexhuszagh · commit a2667d598106 · 2024-09-14T16:42:53.000-05:00
Performance enhancements will soon follow to restore any lost
performance in some cases which impacted it up to 3%.
diff --git a/CHANGELOG b/CHANGELOG
@@ -38,6 +38,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Support for mips (MIPS), mipsel (MIPS LE), mips64 (MIPS64 BE), and mips64el (MIPS64 LE) on Linux.
 - All `_unchecked` API methods, since the performance benefits are dubious and it makes safety invariant checking much harder.
+- The `safe` and `nightly` features, since ASM is now supported by the MSRV on stable and opt-in for memory-safe indexing is no longer relevant.
 
 ## [0.8.5] 2022-06-06
 
diff --git a/README.md b/README.md
@@ -139,8 +139,6 @@ Lexical is highly customizable, and contains numerous other optional features:
     <blockquote>With format enabled, the number format is dictated through bitflags and masks packed into a <code>u128</code>. These dictate the valid syntax of parsed and written numbers, including enabling digit separators, requiring integer or fraction digits, and toggling case-sensitive exponent characters.</blockquote>
 - **compact**: &ensp; Optimize for binary size at the expense of performance.
     <blockquote>This minimizes the use of pre-computed tables, producing significantly smaller binaries.</blockquote>
-- **safe**: &ensp; Requires all array indexing to be bounds-checked.
-    <blockquote>This has limited impact for number parsers, since they use safe indexing except where indexing without bounds checking and can general be shown to be sound. The number writers frequently use unsafe indexing, since we can easily over-estimate the number of digits in the output due to the fixed-length input. We use comprehensive fuzzing, UB detection via miri, and proving local safe invariants to ensure correctness without impacting performance.</blockquote>
 - **f16**: &ensp; Add support for numeric conversions to-and-from 16-bit floats.
     <blockquote>Adds <code>f16</code>, a half-precision IEEE-754 floating-point type, and <code>bf16</code>, the Brain Float 16 type, and numeric conversions to-and-from these floats. Note that since these are storage formats, and therefore do not have native arithmetic operations, all conversions are done using an intermediate <code>f32</code>.</blockquote>
 
diff --git a/lexical-benchmark/parse-float/Cargo.toml b/lexical-benchmark/parse-float/Cargo.toml
@@ -30,7 +30,6 @@ power-of-two = ["lexical-util/power-of-two", "lexical-parse-float/power-of-two"]
 format = ["lexical-util/format", "lexical-parse-float/format"]
 compact = ["lexical-util/compact", "lexical-parse-float/compact"]
 asm = []
-nightly = ["lexical-parse-float/nightly"]
 integers = ["lexical-util/integers"]
 floats = ["lexical-util/floats"]
 json = []
diff --git a/lexical-benchmark/parse-float/denormal30.rs b/lexical-benchmark/parse-float/denormal30.rs
@@ -1,8 +1,3 @@
-// Inline ASM was stabilized in 1.59.0.
-// FIXME: Remove when the MSRV for Rustc >= 1.59.0.
-#![allow(stable_features)]
-#![cfg_attr(feature = "nightly", feature(asm))]
-
 mod black_box;
 use black_box::black_box;
 use lexical_parse_float::FromLexical;
diff --git a/lexical-benchmark/parse-float/denormal6400.rs b/lexical-benchmark/parse-float/denormal6400.rs
@@ -1,8 +1,3 @@
-// Inline ASM was stabilized in 1.59.0.
-// FIXME: Remove when the MSRV for Rustc >= 1.59.0.
-#![allow(stable_features)]
-#![cfg_attr(feature = "nightly", feature(asm))]
-
 mod black_box;
 use black_box::black_box;
 use lexical_parse_float::FromLexical;
diff --git a/lexical-core/Cargo.toml b/lexical-core/Cargo.toml
@@ -100,23 +100,6 @@ compact = [
     "lexical-parse-integer?/compact",
     "lexical-parse-float?/compact"
 ]
-# Ensure only safe indexing is used.
-# This is only relevant for the number writers, since the parsers
-# are memory safe by default (and only use memory unsafety when
-# is the trivial to prove correct).
-safe = [
-    "lexical-write-integer?/safe",
-    "lexical-write-float?/safe",
-    "lexical-parse-integer?/safe",
-    "lexical-parse-float?/safe"
-]
-# Add support for nightly-only features.
-nightly = [
-    "lexical-write-integer?/nightly",
-    "lexical-write-float?/nightly",
-    "lexical-parse-integer?/nightly",
-    "lexical-parse-float?/nightly"
-]
 # Enable support for 16-bit floats.
 f16 = [
     "lexical-util/f16",
diff --git a/lexical-parse-float/Cargo.toml b/lexical-parse-float/Cargo.toml
@@ -68,11 +68,6 @@ compact = [
     "lexical-util/compact",
     "lexical-parse-integer/compact"
 ]
-# Ensure only safe indexing is used. This is effectively a no-op, since all
-# examples of potential memory unsafety are trivial to prove safe.
-safe = ["lexical-parse-integer/safe"]
-# Add support for nightly-only features.
-nightly = ["lexical-parse-integer/nightly"]
 # Enable support for 16-bit floats.
 f16 = ["lexical-util/f16"]
 
diff --git a/lexical-parse-float/src/bigint.rs b/lexical-parse-float/src/bigint.rs
@@ -18,14 +18,6 @@ use crate::table::get_large_int_power;
 /// # Safety
 ///
 /// Safe if `index < array.len()`.
-#[cfg(feature = "safe")]
-macro_rules! index_unchecked {
-    ($x:ident[$i:expr]) => {
-        $x[$i]
-    };
-}
-
-#[cfg(not(feature = "safe"))]
 macro_rules! index_unchecked {
     ($x:ident[$i:expr]) => {
         // SAFETY: safe if `index < array.len()`.
diff --git a/lexical-parse-float/src/fpu.rs b/lexical-parse-float/src/fpu.rs
@@ -6,7 +6,6 @@
 //!
 //! It is therefore also subject to a Apache2.0/MIT license.
 
-#![cfg(feature = "nightly")]
 #![doc(hidden)]
 
 pub use fpu_precision::set_precision;
diff --git a/lexical-parse-float/src/libm.rs b/lexical-parse-float/src/libm.rs
@@ -28,19 +28,6 @@
 /// # Safety
 ///
 /// Safe if `index < array.len()`.
-#[cfg(feature = "safe")]
-macro_rules! i {
-    ($x:ident, $i:expr) => {
-        $x[$i]
-    };
-}
-
-/// Index an array without bounds checking.
-///
-/// # Safety
-///
-/// Safe if `index < array.len()`.
-#[cfg(not(feature = "safe"))]
 macro_rules! i {
     ($x:ident, $i:expr) => {
         unsafe { *$x.get_unchecked($i) }
diff --git a/lexical-parse-float/src/number.rs b/lexical-parse-float/src/number.rs
@@ -8,7 +8,6 @@
 use lexical_util::format::NumberFormat;
 
 use crate::float::RawFloat;
-#[cfg(feature = "nightly")]
 use crate::fpu::set_precision;
 
 /// Representation of a number as the significant digits and exponent.
@@ -65,7 +64,6 @@ impl<'a> Number<'a> {
         // function takes care of setting the precision on architectures which
         // require setting it by changing the global state (like the control word of the
         // x87 FPU).
-        #[cfg(feature = "nightly")]
         let _cw = set_precision::<F>();
 
         if self.is_fast_path::<F, FORMAT>() {
@@ -105,7 +103,6 @@ impl<'a> Number<'a> {
         let format = NumberFormat::<FORMAT> {};
         debug_assert!(format.mantissa_radix() == format.exponent_base());
 
-        #[cfg(feature = "nightly")]
         let _cw = set_precision::<F>();
 
         let radix = format.radix();
diff --git a/lexical-parse-integer/Cargo.toml b/lexical-parse-integer/Cargo.toml
@@ -46,11 +46,6 @@ radix = ["lexical-util/radix", "power-of-two"]
 format = ["lexical-util/format"]
 # Reduce code size at the cost of performance.
 compact = ["lexical-util/compact"]
-# Ensure only safe indexing is used. This is a no-op, since all
-# examples of potential memory unsafety are trivial to prove safe.
-safe = []
-# Add support for nightly-only features.
-nightly = []
 
 # Internal only features.
 # Enable the lint checks.
diff --git a/lexical-write-float/Cargo.toml b/lexical-write-float/Cargo.toml
@@ -67,12 +67,6 @@ compact = [
     "lexical-util/compact",
     "lexical-write-integer/compact"
 ]
-# Ensure only safe indexing is used.
-# This is not enabled by default for writers, due to the performance
-# costs, and since input can be easily validated to avoid buffer overwrites.
-safe = ["lexical-write-integer/safe"]
-# Add support for nightly-only features.
-nightly = ["lexical-write-integer/nightly"]
 # Enable support for 16-bit floats.
 f16 = ["lexical-util/f16"]
 
diff --git a/lexical-write-float/src/index.rs b/lexical-write-float/src/index.rs
@@ -8,17 +8,8 @@
 #![doc(hidden)]
 
 /// Index a buffer, without bounds checking.
-#[cfg(not(feature = "safe"))]
 macro_rules! index_unchecked {
     ($x:ident[$i:expr]) => {
         *$x.get_unchecked($i)
     };
 }
-
-/// Index a buffer, with bounds checking.
-#[cfg(feature = "safe")]
-macro_rules! index_unchecked {
-    ($x:ident[$i:expr]) => {
-        $x[$i]
-    };
-}
diff --git a/lexical-write-float/src/write.rs b/lexical-write-float/src/write.rs
@@ -186,7 +186,7 @@ macro_rules! write_float_as_f32 {
     ($($t:ty)*) => ($(
         impl WriteFloat for $t {
             #[inline(always)]
-            fn write_float<const FORMAT: u128>(self, bytes: &mut [u8], options: &Options) -> &mut [u8]
+            fn write_float<const FORMAT: u128>(self, bytes: &mut [u8], options: &Options) -> usize
             {
                 // SAFETY: safe if `bytes` is large enough to hold the written bytes.
                 self.as_f32().write_float::<FORMAT>(bytes, options)
diff --git a/lexical-write-integer/Cargo.toml b/lexical-write-integer/Cargo.toml
@@ -46,12 +46,6 @@ radix = ["lexical-util/radix", "power-of-two"]
 format = ["lexical-util/format"]
 # Reduce code size at the cost of performance.
 compact = ["lexical-util/compact"]
-# Ensure only safe indexing is used.
-# This is not enabled by default for writers, due to the performance
-# costs, and since input can be easily validated to avoid buffer overwrites.
-safe = []
-# Add support for nightly-only features.
-nightly = []
 
 # Internal only features.
 # Enable the lint checks.
diff --git a/lexical-write-integer/src/index.rs b/lexical-write-integer/src/index.rs
@@ -8,26 +8,16 @@
 #![cfg_attr(feature = "compact", allow(unused_macros, unused_macro_rules))]
 #![doc(hidden)]
 
-#[cfg(not(feature = "safe"))]
 macro_rules! index_unchecked {
     ($x:ident[$i:expr]) => {
         *$x.get_unchecked($i)
     };
 }
 
-/// Index a buffer, with bounds checking.
-#[cfg(feature = "safe")]
-macro_rules! index_unchecked {
-    ($x:ident[$i:expr]) => {
-        $x[$i]
-    };
-}
-
 /// Index a buffer and get a mutable reference, without bounds checking.
 // The `($x:ident[$i:expr] = $y:ident[$j:expr])` is not used with `compact`.
 // The newer version of the lint is `unused_macro_rules`, but this isn't
 // supported until nightly-2022-05-12.
-#[cfg(not(feature = "safe"))]
 #[allow(unknown_lints, unused_macro_rules)]
 macro_rules! index_unchecked_mut {
     ($x:ident[$i:expr]) => {
@@ -40,7 +30,6 @@ macro_rules! index_unchecked_mut {
 }
 
 /// Fill a slice with a value, without bounds checking.
-#[cfg(not(feature = "safe"))]
 macro_rules! slice_fill_unchecked {
     ($slc:expr, $value:expr) => {
         // Get the length first to avoid stacked borrows, since we might
@@ -49,27 +38,3 @@ macro_rules! slice_fill_unchecked {
         core::ptr::write_bytes($slc.as_mut_ptr(), $value, len)
     };
 }
-
-/// Fill a slice with a value, with bounds checking.
-#[cfg(feature = "safe")]
-macro_rules! slice_fill_unchecked {
-    ($slc:expr, $value:expr) => {
-        $slc.fill($value)
-    };
-}
-
-/// Index a buffer and get a mutable reference, with bounds checking.
-// The `($x:ident[$i:expr] = $y:ident[$j:expr])` is not used with `compact`.
-// The newer version of the lint is `unused_macro_rules`, but this isn't
-// supported until nightly-2022-05-12.
-#[cfg(feature = "safe")]
-#[allow(unknown_lints, unused_macro_rules)]
-macro_rules! index_unchecked_mut {
-    ($x:ident[$i:expr]) => {
-        $x[$i]
-    };
-
-    ($x:ident[$i:expr] = $y:ident[$j:expr]) => {
-        $x[$i] = $y[$j]
-    };
-}
diff --git a/lexical/Cargo.toml b/lexical/Cargo.toml
@@ -27,8 +27,6 @@ path = "../lexical-core"
 default = ["std", "write-integers", "write-floats", "parse-integers", "parse-floats"]
 # Use the standard library.
 std = ["lexical-core/std"]
-# Add support for nightly-only features.
-nightly = ["lexical-core/nightly"]
 # Add support for writing integers.
 write-integers = ["lexical-core/write-integers", "write", "integers"]
 # Add support for writing floats.
