Add contracts for all functions in Alignment

tautschnig · tautschnig · commit d46f86866c55 · 2025-02-05T12:20:34.000Z
Uses the contracts syntax introduced in #128045.
diff --git a/library/core/src/ptr/alignment.rs b/library/core/src/ptr/alignment.rs
@@ -2,6 +2,8 @@ use crate::num::NonZero;
 use crate::ub_checks::assert_unsafe_precondition;
 use crate::{cmp, fmt, hash, mem, num};
 
+#![feature(contracts)]
+
 /// A type storing a `usize` which is a power of two, and thus
 /// represents a possible alignment in the Rust abstract machine.
 ///
@@ -43,6 +45,8 @@ impl Alignment {
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
     #[must_use]
+    #[contracts::requires(mem::align_of::<T>().is_power_of_two())]
+    #[contracts::ensures(|result| result.as_usize().is_power_of_two())]
     pub const fn of<T>() -> Self {
         // This can't actually panic since type alignment is always a power of two.
         const { Alignment::new(mem::align_of::<T>()).unwrap() }
@@ -54,6 +58,8 @@ impl Alignment {
     /// Note that `0` is not a power of two, nor a valid alignment.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::ensures(|result| align.is_power_of_two() == result.is_some())]
+    #[contracts::ensures(|result| result.is_none() || result.unwrap().as_usize() == align)]
     pub const fn new(align: usize) -> Option<Self> {
         if align.is_power_of_two() {
             // SAFETY: Just checked it only has one bit set
@@ -73,6 +79,9 @@ impl Alignment {
     /// It must *not* be zero.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::requires(align > 0 && (align & (align - 1)) == 0)]
+    #[contracts::ensures(|result| result.as_usize() == align)]
+    #[contracts::ensures(|result| result.as_usize().is_power_of_two())]
     pub const unsafe fn new_unchecked(align: usize) -> Self {
         assert_unsafe_precondition!(
             check_language_ub,
@@ -88,13 +97,16 @@ impl Alignment {
     /// Returns the alignment as a [`usize`].
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::ensures(|result| result.is_power_of_two())]
     pub const fn as_usize(self) -> usize {
         self.0 as usize
     }
 
     /// Returns the alignment as a <code>[NonZero]<[usize]></code>.
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::ensures(|result| result.get().is_power_of_two())]
+    #[contracts::ensures(|result| result.get() == self.as_usize())]
     pub const fn as_nonzero(self) -> NonZero<usize> {
         // This transmutes directly to avoid the UbCheck in `NonZero::new_unchecked`
         // since there's no way for the user to trip that check anyway -- the
@@ -120,6 +132,9 @@ impl Alignment {
     /// ```
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::requires(self.as_usize().is_power_of_two())]
+    #[contracts::ensures(|result| (*result as usize) < mem::size_of::<usize>() * 8)]
+    #[contracts::ensures(|result| 1usize << *result == self.as_usize())]
     pub const fn log2(self) -> u32 {
         self.as_nonzero().trailing_zeros()
     }
@@ -149,6 +164,9 @@ impl Alignment {
     /// ```
     #[unstable(feature = "ptr_alignment_type", issue = "102070")]
     #[inline]
+    #[contracts::ensures(|result| *result > 0)]
+    #[contracts::ensures(|result| *result == !(self.as_usize() -1))]
+    #[contracts::ensures(|result| self.as_usize() & *result == self.as_usize())]
     pub const fn mask(self) -> usize {
         // SAFETY: The alignment is always nonzero, and therefore decrementing won't overflow.
         !(unsafe { self.as_usize().unchecked_sub(1) })
