Explain that size_hint cannot be trusted

[stepancheg]

• size_hint() cannot be relied upon to perform memory unsafe operations

Same applies to len() function of ExactSizeIterator trait.

[rust-highfive]

r? @alexcrichton

(rust_highfive has picked a reviewer for you, use r? to override)

[steveklabnik]

Hmm, we don't usually document these kinds of things. I'm not sure this is something we want to require. I'm not opposed, exactly, but I'd like to hear what @rust-lang/libs has to say

[stepancheg]

@steveklabnik Vec::extend_desugared calls size_hint() in loop. I think either Iterator should declare to be cheap or Vec shouldn't rely on that. I think former is better.

[bluss]

Cheaper than a call to next doesn't sound necessary if you already say size_hint should be cheap.

Extend only calls size_hint when reallocating, and since vector allocation growth is exponential, size_hint is only called log(n) times for extending O(n) elements.

[stepancheg]

@bluss yes, you are right about log(n). I don't know how to say better.

• just "cheap" is vague
• O(n) is unacceptable
• O(1) is probably two strict
• O(n / log(n)) is too complicated

I should probably drop Performance section.

[Gankra]

We have a lot of interfaces which are intuitively expected to be cheap; it's not clear to me that mentioning this yields significant dividends. Although I do think that the documentation for size_hint should emphasize it's a very "opportunistic" thing. That is, if there isn't a simple way
to determine the size_hint, it's not worth overloading. In particular this is relevant in terms of how much you can expect a size_hint to be accurate given a concrete implementor. slice iterator? Probably good. Filter? Probably not.

Also, Iterator::next can take an unbounded amount of time in terms of its length with things like iterator adaptors (may execute arbitrary functions) and collections like HashMap (expected O(cap/len) per element).

[stepancheg]

@gankro

it's not clear to me that mentioning this yields significant dividends

It answers the question: given arbitrary iterator, how often can I call size_hint without making iteration slower than linear?

[steveklabnik]

Thanks @stepancheg ! Just a few grammar nits and a question for the libs team.

[stepancheg]

Updated grammar, waiting to hear about performance requirements.

[bluss]

spelling: otherwise

I'd like to use the phrase provide a correct estimation. It may hurt performance or break the trait's protocol.

[stepancheg]

Updated the patch, dropped "Performance" section, renamed "Safety" to "Implementation notes", changed couple of phrases after bluss@ comments.

[Gankra]

the declared

[Gankra]

I kinda get what you're saying here, but it's maybe trying to compact too much information. My suggestion:

size_hint is primarily intended to be used for optimizations such as reserving space for the elements of the iterator. One may assert that the bounds on the size_hint are accurate, but this is not advisable. It's incorrect to assume that size_hint is correct to e.g. omit bounds checks in unsafe code. Implementing size_hint incorrectly should not lead to memory safety violations.

[stepancheg]

Partially applied your version.

[Gankra]

Do we want to clarify that the default is correct for all iterators?

[stepancheg]

Added

    /// The default implementation returns `(0, None)` which is correct
    /// for any iterator.

[Gankra]

👍 this is really solid now.

[Gankra]

@bors r+ rollup

Nice stuff!

[bors]

📌 Commit f6f99ce has been approved by Gankro

[bors]

⌛ Testing commit f6f99ce with merge 5b4986f...

[bors]

☀️ Test successful - auto-linux-32-nopt-t, auto-linux-32-opt, auto-linux-64-debug-opt, auto-linux-64-nopt-t, auto-linux-64-opt, auto-linux-64-x-android-t, auto-linux-cross-opt, auto-linux-musl-64-opt, auto-mac-32-opt, auto-mac-64-nopt-t, auto-mac-64-opt, auto-win-gnu-32-nopt-t, auto-win-gnu-32-opt, auto-win-gnu-64-nopt-t, auto-win-gnu-64-opt, auto-win-msvc-32-opt, auto-win-msvc-64-opt