Use unchecked indexing in integer _fmt_inner to keep bounds checks elided

blackms · blackms · commit 18e150a0077f · 2026-04-14T15:47:57.000+02:00
The `_fmt_inner` helper in `core::fmt::num` wrote into its
`MaybeUninit&lt;u8&gt;` buffer through regular `[]` indexing and then relied
on surrounding `core::hint::assert_unchecked` hints to convince LLVM to
elide the resulting bounds checks. Under `-Copt-level=z` with fat LTO
(and other configurations where the range information fails to
propagate) the hints were dropped and the optimizer left a
`panic_bounds_check` call on the hot integer-formatting path.

Switch the per-pair buffer writes to `get_unchecked_mut` / `get_unchecked`
on both `buf` and `DECIMAL_PAIRS`, with SAFETY comments that reestablish
the invariants from the preceding `assert_unchecked` hints. The
existing `assert_unchecked`s are retained because they still document
the `offset`/`buf.len()` invariants and help downstream codegen.

Also add a codegen-llvm regression test that checks the `Display` path
for `usize` and `u64` does not contain any `panic_bounds_check`, with a
paired sanity check to make sure the symbol itself is still emitted by
the compiler for a real out-of-bounds index.
diff --git a/library/core/src/fmt/num.rs b/library/core/src/fmt/num.rs
@@ -210,10 +210,18 @@ macro_rules! impl_Display {
                     remain /= scale;
                     let pair1 = (quad / 100) as usize;
                     let pair2 = (quad % 100) as usize;
-                    buf[offset + 0].write(DECIMAL_PAIRS[pair1 * 2 + 0]);
-                    buf[offset + 1].write(DECIMAL_PAIRS[pair1 * 2 + 1]);
-                    buf[offset + 2].write(DECIMAL_PAIRS[pair2 * 2 + 0]);
-                    buf[offset + 3].write(DECIMAL_PAIRS[pair2 * 2 + 1]);
+                    // SAFETY: `offset + 4 <= buf.len()` by the asserts above, and
+                    // `pair1, pair2 < 100` so every `DECIMAL_PAIRS` index is `< 200`
+                    // which is the exact length of `DECIMAL_PAIRS`. Using unchecked
+                    // indexing here avoids relying on LLVM to elide the bounds
+                    // checks, which can regress under `opt-level=z` + fat LTO
+                    // (see https://github.com/rust-lang/rust/issues/152061).
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(pair1 * 2));
+                        buf.get_unchecked_mut(offset + 1).write(*DECIMAL_PAIRS.get_unchecked(pair1 * 2 + 1));
+                        buf.get_unchecked_mut(offset + 2).write(*DECIMAL_PAIRS.get_unchecked(pair2 * 2));
+                        buf.get_unchecked_mut(offset + 3).write(*DECIMAL_PAIRS.get_unchecked(pair2 * 2 + 1));
+                    }
                 }
 
                 // Format per two digits from the lookup table.
@@ -228,8 +236,14 @@ macro_rules! impl_Display {
 
                     let pair = (remain % 100) as usize;
                     remain /= 100;
-                    buf[offset + 0].write(DECIMAL_PAIRS[pair * 2 + 0]);
-                    buf[offset + 1].write(DECIMAL_PAIRS[pair * 2 + 1]);
+                    // SAFETY: `offset + 2 <= buf.len()` by the asserts above, and
+                    // `pair < 100` so the `DECIMAL_PAIRS` indices are `< 200`.
+                    // See the comment in the outer loop for why this uses unchecked
+                    // indexing instead of regular `[]` (rust-lang/rust#152061).
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(pair * 2));
+                        buf.get_unchecked_mut(offset + 1).write(*DECIMAL_PAIRS.get_unchecked(pair * 2 + 1));
+                    }
                 }
 
                 // Format the last remaining digit, if any.
@@ -242,10 +256,14 @@ macro_rules! impl_Display {
                     unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
                     offset -= 1;
 
-                    // Either the compiler sees that remain < 10, or it prevents
-                    // a boundary check up next.
                     let last = (remain & 15) as usize;
-                    buf[offset].write(DECIMAL_PAIRS[last * 2 + 1]);
+                    // SAFETY: `offset < buf.len()` by the asserts above, and
+                    // `last < 16` so `last * 2 + 1 < 32 < 200 == DECIMAL_PAIRS.len()`.
+                    // See the comment in the outer loop for why this uses unchecked
+                    // indexing instead of regular `[]` (rust-lang/rust#152061).
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(last * 2 + 1));
+                    }
                     // not used: remain = 0;
                 }
 
diff --git a/tests/codegen-llvm/issues/fmt-display-no-bounds-check-152061.rs b/tests/codegen-llvm/issues/fmt-display-no-bounds-check-152061.rs
@@ -0,0 +1,46 @@
+//@ compile-flags: -Copt-level=3
+// Regression test for https://github.com/rust-lang/rust/issues/152061.
+//
+// `impl fmt::Display` for integers lowered through `_fmt_inner` in
+// `library/core/src/fmt/num.rs` used to leave a `panic_bounds_check`
+// path in optimized LLVM IR when LLVM failed to propagate the
+// `assume`-based range information across LTO / `opt-level=z`
+// boundaries. The implementation was rewritten to use
+// `get_unchecked{_mut}` for the buffer writes, so the `panic_bounds_check`
+// path must not appear regardless of the optimizer's propagation.
+
+#![crate_type = "lib"]
+
+use std::fmt::Write;
+
+pub struct NoopWriter;
+impl Write for NoopWriter {
+    fn write_str(&mut self, _s: &str) -> std::fmt::Result {
+        Ok(())
+    }
+}
+
+// CHECK-LABEL: @format_usize
+#[no_mangle]
+pub fn format_usize(w: &mut NoopWriter, x: usize) {
+    // The Display path through `_fmt_inner` must not emit a bounds check.
+    // CHECK-NOT: panic_bounds_check
+    let _ = write!(w, "{}", x);
+}
+
+// CHECK-LABEL: @format_u64
+#[no_mangle]
+pub fn format_u64(w: &mut NoopWriter, x: u64) {
+    // CHECK-NOT: panic_bounds_check
+    let _ = write!(w, "{}", x);
+}
+
+// Sanity check: make sure `panic_bounds_check` is still the symbol LLVM
+// emits for a non-elidable out-of-bounds index, so the `CHECK-NOT`s
+// above are guarding against something real and cannot pass vacuously.
+// CHECK-LABEL: @test_check
+#[no_mangle]
+pub fn test_check(arr: &[u8], i: usize) -> u8 {
+    // CHECK: panic_bounds_check
+    arr[i]
+}
