#Is this a valid use of unsafe?

Is there a safe way to do the following without losing performance? All the safe variants required me to allocate/copy and return a String.

fn convert_seconds_to_hhmmssmmm(
    time_buffer: &mut [u8; 12],
    seconds: f64,
    millisecond_separator: u8,
) -> &str {
    let seconds_truncated = seconds as u64;
    let milliseconds = (seconds.fract() * 1000.0) as u64;
    let hours = seconds_truncated / 3600;
    let minutes = (seconds_truncated / 60) % 60;
    let seconds_remaining = seconds_truncated % 60;

    time_buffer[2] = b':';
    time_buffer[5] = b':';
    time_buffer[8] = millisecond_separator;

    time_buffer[0] += (hours / 10) as u8;
    time_buffer[1] += (hours % 10) as u8;
    time_buffer[3] += (minutes / 10) as u8;
    time_buffer[4] += (minutes % 10) as u8;
    time_buffer[6] += (seconds_remaining / 10) as u8;
    time_buffer[7] += (seconds_remaining % 10) as u8;
    time_buffer[9] += (milliseconds / 100) as u8;
    time_buffer[10] += ((milliseconds / 10) % 10) as u8;
    time_buffer[11] += (milliseconds % 10) as u8;

    unsafe { std::str::from_utf8_unchecked(time_buffer) }
}
```

What are you expecting people to pass in for time_buffer?

let mut time_buffer = [b'0'; 12];

i mean theres std::str::from_utf8

Expecting them to pass you an empty array of bytes for you to write to and then return a reference to feels very strange to me

also im confused it looks like ur not converting them to the ascii version of the numbers

It's not

Because the caller could pass in anything, and you could end up with invalid utf8

You are right

Does the output &str's liftime get tied to time_buffer in any way? Or are you going to get a hanging reference if time_buffer gets deallocated before the &str

?eval b'0'

48```

yes, due to elision rules

Yes, it can only be tied to the buffer.

Lifetimes aren't an issue here

Neat

The unsafe here is only to promise that the bytes are infact valid utf8

That's the only requirement for that function

Would it be possible to just return a [u8; 12]?

I eventually pass it into format

Ok(format!("{id}\n{start} --> {end}\n{text}\n\n",))

So I guess not.

If it's going into fmt then the overhead of the utf8 check should be negligible

tbh why not have a dedicated struct instead of a byte array

Why?

Also I'm pretty sure the compiler can optimize out the utf8 check

clarity, ergonomics, and doesnt really have a perf penalty

you can also just impl Display instead of doing this

I have other texts I’d like to interpolate into the final string, so I can’t do that.

?

that doesnt really change anything with what i said

You are asking why I am doing format! no?

no

im asking why have a time_buffer byte array

So I can modify the delimiter?

The millisecond separator

a byte array isnt required for that

I want to do it without copying or allocating

yea, which doesnt require a byte array

afaik, Display only has methods that return a String, and thats an allocation.

no it doesnt

String is stored on the heap no?

I'm not sure what you're looking at, but it's not fmt::Display https://doc.rust-lang.org/std/fmt/trait.Display.html

Yeah but that trait doesn't need Strings at all

Infact it exists on core, where there is no heap

I’ll look into it

struct TimeRepr {
    hour: u8,
    minute: u8,
    second: u8,
    milliseconds: u8
}

impl TimeRepr {
    fn from_seconds(seconds: f64) -> Self {
        // parse seconds
    }
}

impl Display for TimeRepr {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        write!(f, "{}:{}:{}:{}", self.hour, self.minute, self.second, self.milliseconds);
    }
}

tada

And this doesn’t allocate?

no

well, format! allocates

but you can just use other stuff that doesnt allocate

But it doesn’t know hour, minute, second at compile time

hm?

neither is your code

Whether this code allocates depends on what you're writing into.

That’s why I had thought unsafe was the only way

hm?

With write!(), you can write some Display thingy into stuff

the unsafe doesnt make it know the hour etc at compile time

winston is saying that they know at compile time how many digits their number has.

It doesn’t but it allows you to sidestep Rust and force no allocations

And therefore can limit the string length.

How is this possible if Rust cannot guarantee the length of the string it is writing?

Or are you saying it always allocates, in that case I misunderstood.

How this is done depends on what you're writing into.
For example, if you use https://docs.rs/arrayvec/latest/arrayvec/struct.ArrayString.html, then it will error at run time if the array size is not enough.

i wonder, does stdout allocates

crazy if true

Implementing Display does not tell rust whether you want allocation or not. It tells rust that, if someone gives some way to write some bytes, then you can turn the TimeRepr into a series of byte-writing operations.

So, whether it allocates or not depends on which byte-writing operation you provide to it.

You can use anything that implements std::fmt::Write as a way to write bytes.

And ArrayString implements this Write trait in a way that doesn't allocate.

You can use the write!() macro to write stuff that implement Display into anything that implements Write

I see, so I might still have to use unsafe if I really want zero allocation, but the responsibility is pushed down the line.

Well, the arrayvec crate has implemented stuff for you in the ArrayString type. I don't know if it uses unsafe, but you don't have to use unsafe to do this.

You can just use this preexisting crate

Will do, thank you

I think if anything, it’s much more readable.

I think so, since it does buffering

Of course you can always make a syscall write to stdout directly and have zero allocations

maybe aliasing

This might be a ridiculous microoptimization: but I'm pretty sure it will be faster to set the time buffer indices with = instead of += because you avoid a memory dependency and the compiler can probably optimize it better

No that's perfectly reasonable

It would also fix the soundness issue

also

run cargo-miri to find ub