Function creusot_contracts::std::hint::unreachable_unchecked
1.27.0 (const: 1.57.0) · source · pub const unsafe fn unreachable_unchecked() -> !
Expand description
Informs the compiler that the site which is calling this function is not reachable, possibly enabling further optimizations.
§Safety
Reaching this function is Undefined Behavior.
As the compiler assumes that all forms of Undefined Behavior can never
happen, it will eliminate all branches in the surrounding code that it can
determine will invariably lead to a call to unreachable_unchecked()
.
If the assumptions embedded in using this function turn out to be wrong -
that is, if the site which is calling unreachable_unchecked()
is actually
reachable at runtime - the compiler may have generated nonsensical machine
instructions for this situation, including in seemingly unrelated code,
causing difficult-to-debug problems.
Use this function sparingly. Consider using the unreachable!
macro,
which may prevent some optimizations but will safely panic in case it is
actually reached at runtime. Benchmark your code to find out if using
unreachable_unchecked()
comes with a performance benefit.
§Examples
unreachable_unchecked()
can be used in situations where the compiler
can’t prove invariants that were previously established. Such situations
have a higher chance of occurring if those invariants are upheld by
external code that the compiler can’t analyze.
fn prepare_inputs(divisors: &mut Vec<u32>) {
// Note to future-self when making changes: The invariant established
// here is NOT checked in `do_computation()`; if this changes, you HAVE
// to change `do_computation()`.
divisors.retain(|divisor| *divisor != 0)
}
/// # Safety
/// All elements of `divisor` must be non-zero.
unsafe fn do_computation(i: u32, divisors: &[u32]) -> u32 {
divisors.iter().fold(i, |acc, divisor| {
// Convince the compiler that a division by zero can't happen here
// and a check is not needed below.
if *divisor == 0 {
// Safety: `divisor` can't be zero because of `prepare_inputs`,
// but the compiler does not know about this. We *promise*
// that we always call `prepare_inputs`.
std::hint::unreachable_unchecked()
}
// The compiler would normally introduce a check here that prevents
// a division by zero. However, if `divisor` was zero, the branch
// above would reach what we explicitly marked as unreachable.
// The compiler concludes that `divisor` can't be zero at this point
// and removes the - now proven useless - check.
acc / divisor
})
}
let mut divisors = vec![2, 0, 4];
prepare_inputs(&mut divisors);
let result = unsafe {
// Safety: prepare_inputs() guarantees that divisors is non-zero
do_computation(100, &divisors)
};
assert_eq!(result, 12);
While using unreachable_unchecked()
is perfectly sound in the following
example, as the compiler is able to prove that a division by zero is not
possible, benchmarking reveals that unreachable_unchecked()
provides
no benefit over using unreachable!
, while the latter does not introduce
the possibility of Undefined Behavior.
fn div_1(a: u32, b: u32) -> u32 {
use std::hint::unreachable_unchecked;
// `b.saturating_add(1)` is always positive (not zero),
// hence `checked_div` will never return `None`.
// Therefore, the else branch is unreachable.
a.checked_div(b.saturating_add(1))
.unwrap_or_else(|| unsafe { unreachable_unchecked() })
}
assert_eq!(div_1(7, 0), 7);
assert_eq!(div_1(9, 1), 4);
assert_eq!(div_1(11, u32::MAX), 0);