Audit itoa
adetaylor opened this issue · comments
`itoa` has fast functions for printing integers. It's a dependency of `serde_json` so is included in lots of things. It's by the awesome dtolnay so I suspect it's unlikely we can add safety, but maybe we can identify patterns that can be better supported in future Rust.

Uses of unsafe:

- Creating a 40-byte long buffer which starts uninitialized, then is filled in using (mostly) `ptr::copy_nonoverlapping` to assemble the string representation of the integer, from right to left.
- Creating a slice from that data and length.
- Converting that slice to a string without UTF-8 checks.
- Some of the above is duplicated for i128s.
Given the need to initialize the string from right to left for performance, the only options I see would be:
- Use a vec (or a String), then reverse it, which would presumably be slower.
- Invent a new buffer type that maintains a bitmap of which bytes are initialized and/or are valid UTF8. That would presumably add runtime overhead too, except in cases of remarkable compiler optimization.
I wonder if the need for that latter type has shown up anywhere else in safety-dance's audits? Or if anyone has any better ideas?
If you only write byte values `0..=127` then it's impossible to not be valid UTF-8, and making a new buffer type for this would be pretty trivial since you only need push, not all general buffer methods.
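To make the trade-off discussed in the issue and in the reply above concrete, here is an added example (not code from `itoa` or from anyone in this thread) of the "push-only, ASCII-only" buffer: a zero-initialized 40-byte array written from right to left, whose single push method refuses non-ASCII bytes, so the slice it hands out is valid UTF-8 by construction. The names `AsciiRevBuf`, `push_front` and `format_i128` are assumptions for this example. The costs relative to the unsafe version are the initial zeroing of the array and the `from_utf8` scan, which is the runtime overhead the issue anticipates; the 40-byte size is enough for `i128::MIN` including its sign.

```rust
// Added example, not itoa's code: a fully safe right-to-left integer
// formatter. The buffer only ever receives ASCII bytes, so converting the
// written region to &str can never fail and needs no unsafe.

/// Fixed-size buffer filled from the right (hypothetical type for this example).
/// Invariant: bytes[start..] contains only ASCII, hence valid UTF-8.
pub struct AsciiRevBuf {
    bytes: [u8; 40], // i128::MIN with sign is exactly 40 bytes
    start: usize,    // index of the first written byte
}

impl AsciiRevBuf {
    pub fn new() -> Self {
        // Zeroing costs a memset the uninitialized version avoids.
        AsciiRevBuf { bytes: [0u8; 40], start: 40 }
    }

    /// Prepend one byte. The only mutating method, and it enforces the
    /// ASCII invariant, so no other code path can break UTF-8 validity.
    pub fn push_front(&mut self, b: u8) {
        assert!(b.is_ascii(), "only ASCII bytes may be written");
        assert!(self.start > 0, "buffer full");
        self.start -= 1;
        self.bytes[self.start] = b;
    }

    /// The written region as &str. `from_utf8` is a safe O(n) check that,
    /// given the invariant, always succeeds; this scan is the price of
    /// avoiding `from_utf8_unchecked`.
    pub fn as_str(&self) -> &str {
        core::str::from_utf8(&self.bytes[self.start..]).expect("ASCII is valid UTF-8")
    }
}

/// Format any i128 using the buffer, emitting digits least significant first.
/// `unsigned_abs` handles i128::MIN, whose magnitude does not fit in i128.
pub fn format_i128(n: i128) -> String {
    let mut buf = AsciiRevBuf::new();
    let mut mag = n.unsigned_abs();
    loop {
        buf.push_front(b'0' + (mag % 10) as u8);
        mag /= 10;
        if mag == 0 {
            break;
        }
    }
    if n < 0 {
        buf.push_front(b'-');
    }
    buf.as_str().to_owned()
}

fn main() {
    for n in [0i128, -42, i128::MAX, i128::MIN] {
        println!("{}", format_i128(n));
    }
}
```

Because `push_front` is the only way to write into the buffer, the safety argument is local: a reviewer checks one method rather than every `ptr::copy_nonoverlapping` call site.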