Use unchecked indexing in integer _fmt_inner to keep bounds checks elided

blackms · blackms · commit d3b2e82873c1 · 2026-04-14T23:27:40.000+02:00
The `_fmt_inner` helper in `core::fmt::num` wrote into its
`MaybeUninit&lt;u8&gt;` buffer through regular `[]` indexing and then relied
on surrounding `core::hint::assert_unchecked` hints to convince LLVM to
elide the resulting bounds checks. Under `-Copt-level=z` with fat LTO
(and other configurations where the range information fails to
propagate) the hints were dropped and the optimizer left a
`panic_bounds_check` call on the hot integer-formatting path.

Switch the per-pair buffer writes to `get_unchecked_mut` / `get_unchecked`
on both `buf` and `DECIMAL_PAIRS`. Each `unsafe` block carries a short
rationale comment (why unchecked indexing) and a tight `SAFETY` comment
stating the invariants (`offset + N &lt;= buf.len()`, and the numeric bound
on the `DECIMAL_PAIRS` index). The existing `assert_unchecked`s are
retained because they still document the `offset` / `buf.len()`
invariants and help downstream codegen for the rest of the routine.

Also add a codegen-llvm regression test with `opt-3` and `opt-z`
revisions that checks the `Display` path for `usize` and `u64` does
not contain any `panic_bounds_check`, with a paired sanity check to
make sure the symbol itself is still emitted by the compiler for a
real out-of-bounds index so the `CHECK-NOT`s cannot pass vacuously.
diff --git a/library/core/src/fmt/num.rs b/library/core/src/fmt/num.rs
@@ -210,10 +210,19 @@ macro_rules! impl_Display {
                     remain /= scale;
                     let pair1 = (quad / 100) as usize;
                     let pair2 = (quad % 100) as usize;
-                    buf[offset + 0].write(DECIMAL_PAIRS[pair1 * 2 + 0]);
-                    buf[offset + 1].write(DECIMAL_PAIRS[pair1 * 2 + 1]);
-                    buf[offset + 2].write(DECIMAL_PAIRS[pair2 * 2 + 0]);
-                    buf[offset + 3].write(DECIMAL_PAIRS[pair2 * 2 + 1]);
+                    // Unchecked indexing here avoids relying on LLVM to elide the
+                    // bounds checks from the surrounding `assert_unchecked` hints;
+                    // this regressed under `opt-level=z` + fat LTO on LLVM 21
+                    // (see rust-lang/rust#152061).
+                    //
+                    // SAFETY: `offset + 4 <= buf.len()`, and `pair1, pair2 < 100`
+                    // so all `DECIMAL_PAIRS` indices are `< 200 == DECIMAL_PAIRS.len()`.
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(pair1 * 2));
+                        buf.get_unchecked_mut(offset + 1).write(*DECIMAL_PAIRS.get_unchecked(pair1 * 2 + 1));
+                        buf.get_unchecked_mut(offset + 2).write(*DECIMAL_PAIRS.get_unchecked(pair2 * 2));
+                        buf.get_unchecked_mut(offset + 3).write(*DECIMAL_PAIRS.get_unchecked(pair2 * 2 + 1));
+                    }
                 }
 
                 // Format per two digits from the lookup table.
@@ -228,8 +237,14 @@ macro_rules! impl_Display {
 
                     let pair = (remain % 100) as usize;
                     remain /= 100;
-                    buf[offset + 0].write(DECIMAL_PAIRS[pair * 2 + 0]);
-                    buf[offset + 1].write(DECIMAL_PAIRS[pair * 2 + 1]);
+                    // See the outer loop for the rationale (rust-lang/rust#152061).
+                    //
+                    // SAFETY: `offset + 2 <= buf.len()`, and `pair < 100` so the
+                    // `DECIMAL_PAIRS` indices are `< 200 == DECIMAL_PAIRS.len()`.
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(pair * 2));
+                        buf.get_unchecked_mut(offset + 1).write(*DECIMAL_PAIRS.get_unchecked(pair * 2 + 1));
+                    }
                 }
 
                 // Format the last remaining digit, if any.
@@ -242,10 +257,14 @@ macro_rules! impl_Display {
                     unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
                     offset -= 1;
 
-                    // Either the compiler sees that remain < 10, or it prevents
-                    // a boundary check up next.
                     let last = (remain & 15) as usize;
-                    buf[offset].write(DECIMAL_PAIRS[last * 2 + 1]);
+                    // See the outer loop for the rationale (rust-lang/rust#152061).
+                    //
+                    // SAFETY: `offset < buf.len()`, and `last < 16` so
+                    // `last * 2 + 1 < 32 < 200 == DECIMAL_PAIRS.len()`.
+                    unsafe {
+                        buf.get_unchecked_mut(offset).write(*DECIMAL_PAIRS.get_unchecked(last * 2 + 1));
+                    }
                     // not used: remain = 0;
                 }
 
diff --git a/tests/codegen-llvm/issues/fmt-display-no-bounds-check-152061.rs b/tests/codegen-llvm/issues/fmt-display-no-bounds-check-152061.rs
@@ -0,0 +1,48 @@
+//@ revisions: opt-3 opt-z
+//@[opt-3] compile-flags: -Copt-level=3
+//@[opt-z] compile-flags: -Copt-level=z
+// Regression test for https://github.com/rust-lang/rust/issues/152061.
+//
+// `impl fmt::Display` for integers, lowered through `_fmt_inner` in
+// `library/core/src/fmt/num.rs`, used to leave a `panic_bounds_check`
+// path in optimised LLVM IR when LLVM failed to propagate the
+// `assume`-based range information (notably under `opt-level=z` + fat
+// LTO with LLVM 21). The implementation was rewritten to use
+// `get_unchecked{_mut}` for the buffer writes, so the `panic_bounds_check`
+// path must not appear regardless of the optimiser's propagation.
+
+#![crate_type = "lib"]
+
+use std::fmt::Write;
+
+pub struct NoopWriter;
+impl Write for NoopWriter {
+    fn write_str(&mut self, _s: &str) -> std::fmt::Result {
+        Ok(())
+    }
+}
+
+// CHECK-LABEL: @format_usize
+#[no_mangle]
+pub fn format_usize(w: &mut NoopWriter, x: usize) {
+    // The Display path through `_fmt_inner` must not emit a bounds check.
+    // CHECK-NOT: panic_bounds_check
+    let _ = write!(w, "{}", x);
+}
+
+// CHECK-LABEL: @format_u64
+#[no_mangle]
+pub fn format_u64(w: &mut NoopWriter, x: u64) {
+    // CHECK-NOT: panic_bounds_check
+    let _ = write!(w, "{}", x);
+}
+
+// Sanity check: make sure `panic_bounds_check` is still the symbol LLVM
+// emits for a non-elidable out-of-bounds index, so the `CHECK-NOT`s
+// above are guarding against something real and cannot pass vacuously.
+// CHECK-LABEL: @test_check
+#[no_mangle]
+pub fn test_check(arr: &[u8], i: usize) -> u8 {
+    // CHECK: panic_bounds_check
+    arr[i]
+}
