Rollup merge of #69209 - Mark-Simulacrum:strip-unsafe, r=dtolnay

Miscellaneous cleanup to formatting

Each commit stands alone.

This pull request will also resolve #58320.

Author: Dylan-DPC

src/libcore/fmt/float.rs

@@ -29,7 +29,6 @@ where
             *num,
             sign,
             precision,
-            false,
             buf.get_mut(),
             parts.get_mut(),
         );
@@ -59,7 +58,6 @@ where
             *num,
             sign,
             precision,
-            false,
             buf.get_mut(),
             parts.get_mut(),
         );

src/libcore/fmt/mod.rs

@@ -238,16 +238,8 @@ pub struct Formatter<'a> {
 // NB. Argument is essentially an optimized partially applied formatting function,
 // equivalent to `exists T.(&T, fn(&T, &mut Formatter<'_>) -> Result`.
 
-struct Void {
-    _priv: (),
-    /// Erases all oibits, because `Void` erases the type of the object that
-    /// will be used to produce formatted output. Since we do not know what
-    /// oibits the real types have (and they can have any or none), we need to
-    /// take the most conservative approach and forbid all oibits.
-    ///
-    /// It was added after #45197 showed that one could share a `!Sync`
-    /// object across threads by passing it into `format_args!`.
-    _oibit_remover: PhantomData<*mut dyn Fn()>,
+extern "C" {
+    type Opaque;
 }
 
 /// This struct represents the generic "argument" which is taken by the Xprintf
@@ -259,16 +251,23 @@ struct Void {
 #[unstable(feature = "fmt_internals", reason = "internal to format_args!", issue = "none")]
 #[doc(hidden)]
 pub struct ArgumentV1<'a> {
-    value: &'a Void,
-    formatter: fn(&Void, &mut Formatter<'_>) -> Result,
+    value: &'a Opaque,
+    formatter: fn(&Opaque, &mut Formatter<'_>) -> Result,
 }
 
-impl<'a> ArgumentV1<'a> {
-    #[inline(never)]
-    fn show_usize(x: &usize, f: &mut Formatter<'_>) -> Result {
-        Display::fmt(x, f)
-    }
+// This gurantees a single stable value for the function pointer associated with
+// indices/counts in the formatting infrastructure.
+//
+// Note that a function defined as such would not be correct as functions are
+// always tagged unnamed_addr with the current lowering to LLVM IR, so their
+// address is not considered important to LLVM and as such the as_usize cast
+// could have been miscompiled. In practice, we never call as_usize on non-usize
+// containing data (as a matter of static generation of the formatting
+// arguments), so this is merely an additional check.
+#[unstable(feature = "fmt_internals", reason = "internal to format_args!", issue = "none")]
+static USIZE_MARKER: fn(&usize, &mut Formatter<'_>) -> Result = |_, _| loop {};
 
+impl<'a> ArgumentV1<'a> {
     #[doc(hidden)]
     #[unstable(feature = "fmt_internals", reason = "internal to format_args!", issue = "none")]
     pub fn new<'b, T>(x: &'b T, f: fn(&T, &mut Formatter<'_>) -> Result) -> ArgumentV1<'b> {
@@ -278,11 +277,13 @@ impl<'a> ArgumentV1<'a> {
     #[doc(hidden)]
     #[unstable(feature = "fmt_internals", reason = "internal to format_args!", issue = "none")]
     pub fn from_usize(x: &usize) -> ArgumentV1<'_> {
-        ArgumentV1::new(x, ArgumentV1::show_usize)
+        ArgumentV1::new(x, USIZE_MARKER)
     }
 
     fn as_usize(&self) -> Option<usize> {
-        if self.formatter as usize == ArgumentV1::show_usize as usize {
+        if self.formatter as usize == USIZE_MARKER as usize {
+            // SAFETY: The `formatter` field is only set to USIZE_MARKER if
+            // the value is a usize, so this is safe
             Some(unsafe { *(self.value as *const _ as *const usize) })
         } else {
             None
@@ -1356,11 +1357,11 @@ impl<'a> Formatter<'a> {
             let mut align = old_align;
             if self.sign_aware_zero_pad() {
                 // a sign always goes first
-                let sign = unsafe { str::from_utf8_unchecked(formatted.sign) };
+                let sign = formatted.sign;
                 self.buf.write_str(sign)?;
 
                 // remove the sign from the formatted parts
-                formatted.sign = b"";
+                formatted.sign = "";
                 width = width.saturating_sub(sign.len());
                 align = rt::v1::Alignment::Right;
                 self.fill = '0';
@@ -1392,7 +1393,7 @@ impl<'a> Formatter<'a> {
         }
 
         if !formatted.sign.is_empty() {
-            write_bytes(self.buf, formatted.sign)?;
+            self.buf.write_str(formatted.sign)?;
         }
         for part in formatted.parts {
             match *part {

src/libcore/fmt/num.rs

@@ -369,11 +369,11 @@ macro_rules! impl_Exp {
                 flt2dec::Part::Copy(exp_slice)
             ];
             let sign = if !is_nonnegative {
-                &b"-"[..]
+                "-"
             } else if f.sign_plus() {
-                &b"+"[..]
+                "+"
             } else {
-                &b""[..]
+                ""
             };
             let formatted = flt2dec::Formatted{sign, parts};
             f.pad_formatted_parts(&formatted)

src/libcore/num/flt2dec/mod.rs

@@ -237,7 +237,7 @@ impl<'a> Part<'a> {
 #[derive(Clone)]
 pub struct Formatted<'a> {
     /// A byte slice representing a sign, either `""`, `"-"` or `"+"`.
-    pub sign: &'static [u8],
+    pub sign: &'static str,
     /// Formatted parts to be rendered after a sign and optional zero padding.
     pub parts: &'a [Part<'a>],
 }
@@ -259,7 +259,7 @@ impl<'a> Formatted<'a> {
         if out.len() < self.sign.len() {
             return None;
         }
-        out[..self.sign.len()].copy_from_slice(self.sign);
+        out[..self.sign.len()].copy_from_slice(self.sign.as_bytes());
 
         let mut written = self.sign.len();
         for part in self.parts {
@@ -402,38 +402,38 @@ pub enum Sign {
 }
 
 /// Returns the static byte string corresponding to the sign to be formatted.
-/// It can be either `b""`, `b"+"` or `b"-"`.
-fn determine_sign(sign: Sign, decoded: &FullDecoded, negative: bool) -> &'static [u8] {
+/// It can be either `""`, `"+"` or `"-"`.
+fn determine_sign(sign: Sign, decoded: &FullDecoded, negative: bool) -> &'static str {
     match (*decoded, sign) {
-        (FullDecoded::Nan, _) => b"",
-        (FullDecoded::Zero, Sign::Minus) => b"",
+        (FullDecoded::Nan, _) => "",
+        (FullDecoded::Zero, Sign::Minus) => "",
         (FullDecoded::Zero, Sign::MinusRaw) => {
             if negative {
-                b"-"
+                "-"
             } else {
-                b""
+                ""
             }
         }
-        (FullDecoded::Zero, Sign::MinusPlus) => b"+",
+        (FullDecoded::Zero, Sign::MinusPlus) => "+",
         (FullDecoded::Zero, Sign::MinusPlusRaw) => {
             if negative {
-                b"-"
+                "-"
             } else {
-                b"+"
+                "+"
             }
         }
         (_, Sign::Minus) | (_, Sign::MinusRaw) => {
             if negative {
-                b"-"
+                "-"
             } else {
-                b""
+                ""
             }
         }
         (_, Sign::MinusPlus) | (_, Sign::MinusPlusRaw) => {
             if negative {
-                b"-"
+                "-"
             } else {
-                b"+"
+                "+"
             }
         }
     }
@@ -462,7 +462,6 @@ pub fn to_shortest_str<'a, T, F>(
     v: T,
     sign: Sign,
     frac_digits: usize,
-    _upper: bool,
     buf: &'a mut [u8],
     parts: &'a mut [Part<'a>],
 ) -> Formatted<'a>
@@ -679,7 +678,6 @@ pub fn to_exact_fixed_str<'a, T, F>(
     v: T,
     sign: Sign,
     frac_digits: usize,
-    _upper: bool,
     buf: &'a mut [u8],
     parts: &'a mut [Part<'a>],
 ) -> Formatted<'a>