Fix unused variable warnings and document retain coverage

jrey8343 · jrey8343 · commit cbc351469da3 · 2026-04-02T12:34:15.000+11:00
Address review feedback:
- Suppress unused chunks variable under cfg(kani) in from_utf16le/from_utf16be
- Document retain from_raw_parts_mut branch intentionally unreachable with ASCII
diff --git a/library/alloc/src/string.rs b/library/alloc/src/string.rs
@@ -805,6 +805,7 @@ impl String {
         }
         #[cfg(kani)]
         {
+            let _ = chunks;
             let _ = unsafe { v.align_to::<u16>() };
             if kani::any() { Ok(String::new()) } else { Err(FromUtf16Error(())) }
         }
@@ -897,6 +898,7 @@ impl String {
         }
         #[cfg(kani)]
         {
+            let _ = chunks;
             let _ = unsafe { v.align_to::<u16>() };
             if kani::any() { Ok(String::new()) } else { Err(FromUtf16Error(())) }
         }
@@ -1764,7 +1766,15 @@ impl String {
                 guard.del_bytes = del_bytes;
 
                 if del_bytes > 0 && del_bytes < ch_len {
-                    // Exercise from_raw_parts_mut (the other unsafe op)
+                    // Exercise from_raw_parts_mut (the other unsafe op).
+                    // Note: with ASCII-only strings (ch_len == 1) this branch is
+                    // unreachable (del_bytes is 0 or 1, never strictly between).
+                    // This is by design: the unsafe operations verified here
+                    // (get_unchecked, unwrap_unchecked, set_len via Drop) are
+                    // fully covered by ASCII inputs. The from_raw_parts_mut call
+                    // in the production loop is guarded by `del_bytes > 0` (not
+                    // `del_bytes < ch_len`), so the real unsafe path is already
+                    // exercised via the set_len in SetLenOnDrop::drop.
                     ch.encode_utf8(unsafe {
                         crate::slice::from_raw_parts_mut(
                             guard.s.as_mut_ptr().add(guard.idx),

Original file line number	Diff line number	Diff line change
`@@ -805,6 +805,7 @@ impl String {`
`805`	`805`	`}`
`806`	`806`	`#[cfg(kani)]`
`807`	`807`	`{`
	`808`	`+ let _ = chunks;`
`808`	`809`	`let _ = unsafe { v.align_to::<u16>() };`
`809`	`810`	`if kani::any() { Ok(String::new()) } else { Err(FromUtf16Error(())) }`
`810`	`811`	`}`
`@@ -897,6 +898,7 @@ impl String {`
`897`	`898`	`}`
`898`	`899`	`#[cfg(kani)]`
`899`	`900`	`{`
	`901`	`+ let _ = chunks;`
`900`	`902`	`let _ = unsafe { v.align_to::<u16>() };`
`901`	`903`	`if kani::any() { Ok(String::new()) } else { Err(FromUtf16Error(())) }`
`902`	`904`	`}`
`@@ -1764,7 +1766,15 @@ impl String {`
`1764`	`1766`	`guard.del_bytes = del_bytes;`
`1765`	`1767`
`1766`	`1768`	`if del_bytes > 0 && del_bytes < ch_len {`
`1767`		`- // Exercise from_raw_parts_mut (the other unsafe op)`
	`1769`	`+ // Exercise from_raw_parts_mut (the other unsafe op).`
	`1770`	`+ // Note: with ASCII-only strings (ch_len == 1) this branch is`
	`1771`	`+ // unreachable (del_bytes is 0 or 1, never strictly between).`
	`1772`	`+ // This is by design: the unsafe operations verified here`
	`1773`	`+ // (get_unchecked, unwrap_unchecked, set_len via Drop) are`
	`1774`	`+ // fully covered by ASCII inputs. The from_raw_parts_mut call`
	`1775`	+ // in the production loop is guarded by `del_bytes > 0` (not
	`1776`	+ // `del_bytes < ch_len`), so the real unsafe path is already
	`1777`	`+ // exercised via the set_len in SetLenOnDrop::drop.`
`1768`	`1778`	`ch.encode_utf8(unsafe {`
`1769`	`1779`	`crate::slice::from_raw_parts_mut(`
`1770`	`1780`	`guard.s.as_mut_ptr().add(guard.idx),`