docs(allocator/vec): correct safety comments for RawVec::append_elements (#11072)

overlookmotel · overlookmotel · commit 7c84a56ca269 · 2025-05-17T10:16:00.000Z
Follow-on after #10884. The original safety conditions aren't required any more, because of the change made to `Vec::reserve` in #10884 - `reserve` will panic if `other.len` or `self.len + other.len` exceeds `u32::MAX`. So nothing can go wrong if these conditions aren't satisfied. Which is lucky, because `append` doesn't do anything to make sure `self.len + other.len <= u32::MAX`! `append_elements` originally had no safety docs at all (naughty bumpalo!). So add some.
diff --git a/crates/oxc_allocator/src/vec2/mod.rs b/crates/oxc_allocator/src/vec2/mod.rs
@@ -1627,6 +1627,7 @@ impl<'bump, T: 'bump> Vec<'bump, T> {
     #[inline]
     pub fn append(&mut self, other: &mut Self) {
         unsafe {
+            // SAFETY: The elements in `other` are made inaccessible by `other.set_len(0)` straight after
             self.append_elements(other.as_slice() as _);
             other.set_len(0);
         }
@@ -1636,21 +1637,21 @@ impl<'bump, T: 'bump> Vec<'bump, T> {
     ///
     /// # SAFETY
     ///
-    /// The caller must ensure that the length of buffer passed in is less than or
-    /// equal to `u32::MAX`.
-    /// The length of the `Self` and `other` buffer add up to must be less than or
-    /// equal to `u32::MAX`.
+    /// Elements from `other` will be copied into `self`'s buffer.
+    /// Caller must ensure either that `T` is `Copy`, or the elements of `other` are not accessible
+    /// except by the pointer `other`, and that they are not read after this call.
     #[inline]
     #[expect(clippy::cast_possible_truncation)]
     unsafe fn append_elements(&mut self, other: *const [T]) {
         let count = (*other).len();
         self.reserve(count);
         let len = self.len();
         ptr::copy_nonoverlapping(other as *const T, self.as_mut_ptr().add(len), count);
-        // `unwrap_unchecked()` is okay because that caller needs to ensure that
-        // the length of the buffer passed in is less than or equal to `u32::MAX`,
-        // otherwise it is UB.
-        self.buf.len = self.buf.len.checked_add(count as u32).unwrap_unchecked()
+        // `count` cannot be `> u32::MAX`, so `count as u32` cannot truncate `count`.
+        // `self.buf.len + count` cannot be `> u32::MAX`.
+        // If either of these conditions was violated, `self.reserve(count)` above would have panicked.
+        // So this addition cannot wrap around.
+        self.buf.len += count as u32;
     }
 
     /// Creates a draining iterator that removes the specified range in the vector
