Add contracts for all functions in Alignment

tautschnig · tautschnig · commit dfd17f1eedd4 · 2025-02-12T22:17:05.000Z
Uses the contracts syntax introduced in #128045.
diff --git a/library/core/src/lib.rs b/library/core/src/lib.rs
@@ -108,6 +108,7 @@
 //
 // Library features:
 // tidy-alphabetical-start
+#![cfg_attr(not(bootstrap), feature(contracts))]
 #![feature(array_ptr_get)]
 #![feature(asm_experimental_arch)]
 #![feature(bigint_helper_methods)]
diff --git a/library/core/src/mem/mod.rs b/library/core/src/mem/mod.rs
@@ -486,6 +486,7 @@ pub const fn align_of<T>() -> usize {
 #[stable(feature = "rust1", since = "1.0.0")]
 #[rustc_const_stable(feature = "const_align_of_val", since = "1.85.0")]
 #[allow(deprecated)]
+#[cfg_attr(not(bootstrap), core::contracts::ensures(|result: &usize| result.is_power_of_two()))]
 pub const fn align_of_val<T: ?Sized>(val: &T) -> usize {
     // SAFETY: val is a reference, so it's a valid raw pointer
     unsafe { intrinsics::min_align_of_val(val) }
diff --git a/library/core/src/ptr/alignment.rs b/library/core/src/ptr/alignment.rs
@@ -43,6 +43,8 @@ impl Alignment {
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
     #[must_use]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &Alignment| result.as_usize().is_power_of_two()))]
     pub const fn of<T>() -> Self {
         // This can't actually panic since type alignment is always a power of two.
         const { Alignment::new(mem::align_of::<T>()).unwrap() }
@@ -54,6 +56,9 @@ impl Alignment {
     /// Note that `0` is not a power of two, nor a valid alignment.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &Option<Alignment>| align.is_power_of_two() == result.is_some() &&
+            (result.is_none() || result.unwrap().as_usize() == align)))]
     pub const fn new(align: usize) -> Option<Self> {
         if align.is_power_of_two() {
             // SAFETY: Just checked it only has one bit set
@@ -73,6 +78,10 @@ impl Alignment {
     /// It must *not* be zero.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::requires(align > 0 && (align & (align - 1)) == 0))]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &Alignment| result.as_usize() == align &&
+            result.as_usize().is_power_of_two()))]
     pub const unsafe fn new_unchecked(align: usize) -> Self {
         assert_unsafe_precondition!(
             check_language_ub,
@@ -88,13 +97,18 @@ impl Alignment {
     /// Returns the alignment as a [`usize`].
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &usize| result.is_power_of_two()))]
     pub const fn as_usize(self) -> usize {
         self.0 as usize
     }
 
     /// Returns the alignment as a <code>[NonZero]<[usize]></code>.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &NonZero<usize>| result.get().is_power_of_two() &&
+            result.get() == self.as_usize()))]
     pub const fn as_nonzero(self) -> NonZero<usize> {
         // This transmutes directly to avoid the UbCheck in `NonZero::new_unchecked`
         // since there's no way for the user to trip that check anyway -- the
@@ -120,6 +134,10 @@ impl Alignment {
     /// ```
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::requires(self.as_usize().is_power_of_two()))]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &u32| *result < usize::BITS &&
+            (1usize << *result) == self.as_usize()))]
     pub const fn log2(self) -> u32 {
         self.as_nonzero().trailing_zeros()
     }
@@ -149,6 +167,10 @@ impl Alignment {
     /// ```
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[cfg_attr(not(bootstrap), core::contracts::ensures(
+            |result: &usize| *result > 0 &&
+            *result == !(self.as_usize() -1) &&
+            self.as_usize() & *result == self.as_usize()))]
     pub const fn mask(self) -> usize {
         // SAFETY: The alignment is always nonzero, and therefore decrementing won't overflow.
         !(unsafe { self.as_usize().unchecked_sub(1) })
