Updated SAFETY comment to address underflow

Eugene Shamis · Eugene Shamis · commit 47f60d7ad0d5 · 2024-11-04T12:36:24.000-05:00
diff --git a/core/src/fmt/num.rs b/core/src/fmt/num.rs
@@ -88,8 +88,9 @@ unsafe trait GenericRadix: Sized {
                 };
             }
         }
-        // SAFETY: `curr` is initialized to `buf.len()` and is only decremented,
-        // so it is always in bounds.
+        // SAFETY: `curr` is initialized to `buf.len()` and is only decremented, so it can't overflow. It is
+        // decremented exactly once for each digit. Since u128 is the widest fixed width integer format dupported,
+        // the maximum number of digits (bits) is 128 for base-2, so `curr` won't underflow as well.
         let buf = unsafe { buf.get_unchecked(curr..) };
         // SAFETY: The only chars in `buf` are created by `Self::digit` which are assumed to be
         // valid UTF-8

Original file line number	Diff line number	Diff line change
`@@ -88,8 +88,9 @@ unsafe trait GenericRadix: Sized {`
`88`	`88`	`};`
`89`	`89`	`}`
`90`	`90`	`}`
`91`		- // SAFETY: `curr` is initialized to `buf.len()` and is only decremented,
`92`		`- // so it is always in bounds.`
	`91`	+ // SAFETY: `curr` is initialized to `buf.len()` and is only decremented, so it can't overflow. It is
	`92`	`+ // decremented exactly once for each digit. Since u128 is the widest fixed width integer format dupported,`
	`93`	+ // the maximum number of digits (bits) is 128 for base-2, so `curr` won't underflow as well.
`93`	`94`	`let buf = unsafe { buf.get_unchecked(curr..) };`
`94`	`95`	// SAFETY: The only chars in `buf` are created by `Self::digit` which are assumed to be
`95`	`96`	`// valid UTF-8`