panic_bounds_check elimination from format buffer

Author: pascaldekloe

library/core/src/fmt/num.rs

@@ -239,7 +239,7 @@ macro_rules! impl_Display {
                 const MAX_DEC_N: usize = $unsigned::MAX.ilog(10) as usize + 1;
                 let mut buf = [MaybeUninit::<u8>::uninit(); MAX_DEC_N];
                 // Leading zero count & write index in buf.
-                let mut offset = MAX_DEC_N;
+                let mut offset = buf.len();
                 // Consume decimals from working copy until none left.
                 let mut remain = self;
 
@@ -248,34 +248,45 @@ macro_rules! impl_Display {
                 #[allow(overflowing_literals)]
                 #[allow(unused_comparisons)]
                 while offset >= 4 && remain > 999 {
+                    // SAFETY: Offset from the initial buf.len() gets deducted
+                    // with underflow checks exclusively.
+                    unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
+                    offset -= 4;
+
                     let quad = remain % 100_00;
                     remain /= 100_00;
                     let p1 = (quad / 100) as usize * 2;
                     let p2 = (quad % 100) as usize * 2;
-                    offset -= 4;
                     buf[offset + 0].write(DEC_DIGITS_LUT[p1 + 0]);
                     buf[offset + 1].write(DEC_DIGITS_LUT[p1 + 1]);
                     buf[offset + 2].write(DEC_DIGITS_LUT[p2 + 0]);
                     buf[offset + 3].write(DEC_DIGITS_LUT[p2 + 1]);
                 }
 
                 // Format per two digits from the lookup table.
-                while offset >= 2 && remain > 9 {
+                if offset >= 2 && remain > 9 {
+                    // SAFETY: Offset from the initial buf.len() gets deducted
+                    // with underflow checks exclusively.
+                    unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
+                    offset -= 2;
+
                     let p = (remain % 100) as usize * 2;
                     remain /= 100;
-                    offset -= 2;
                     buf[offset + 0].write(DEC_DIGITS_LUT[p + 0]);
                     buf[offset + 1].write(DEC_DIGITS_LUT[p + 1]);
                 }
 
                 // Format the last remaining digit, if any.
                 if offset != 0 && remain != 0 || offset == MAX_DEC_N {
+                    // SAFETY: Offset from the initial buf.len() gets deducted
+                    // with underflow checks exclusively.
+                    unsafe { core::hint::assert_unchecked(offset <= buf.len()) }
+                    offset -= 1;
+
                     // Either the compiler sees that remain < 10, or it prevents
                     // a boundary check up next.
                     let p = (remain % 10) as usize * 2;
                     // not used: remain = 0;
-
-                    offset -= 1;
                     buf[offset].write(DEC_DIGITS_LUT[p + 1]);
                 }