Add some safety comments

calebzulawski · workingjubilee · commit c017b47504c5 · 2021-12-19T15:36:09.000-08:00
diff --git a/crates/core_simd/src/comparisons.rs b/crates/core_simd/src/comparisons.rs
@@ -10,13 +10,17 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_eq(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_eq(self, other)) }
     }
 
     /// Test if each lane is not equal to the corresponding lane in `other`.
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_ne(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_ne(self, other)) }
     }
 }
@@ -30,27 +34,35 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_lt(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_lt(self, other)) }
     }
 
     /// Test if each lane is greater than the corresponding lane in `other`.
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_gt(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_gt(self, other)) }
     }
 
     /// Test if each lane is less than or equal to the corresponding lane in `other`.
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_le(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_le(self, other)) }
     }
 
     /// Test if each lane is greater than or equal to the corresponding lane in `other`.
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn lanes_ge(self, other: Self) -> Mask<T::Mask, LANES> {
+        // Safety: `self` is a vector, and the result of the comparison
+        // is always a valid mask.
         unsafe { Mask::from_int_unchecked(intrinsics::simd_ge(self, other)) }
     }
 }
diff --git a/crates/core_simd/src/masks.rs b/crates/core_simd/src/masks.rs
@@ -41,6 +41,9 @@ mod sealed {
 use sealed::Sealed;
 
 /// Marker trait for types that may be used as SIMD mask elements.
+///
+/// # Safety
+/// Type must be a signed integer.
 pub unsafe trait MaskElement: SimdElement + Sealed {}
 
 macro_rules! impl_element {
@@ -131,6 +134,7 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub unsafe fn from_int_unchecked(value: Simd<T, LANES>) -> Self {
+        // Safety: the caller must confirm this invariant
         unsafe { Self(mask_impl::Mask::from_int_unchecked(value)) }
     }
 
@@ -143,6 +147,7 @@ where
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn from_int(value: Simd<T, LANES>) -> Self {
         assert!(T::valid(value), "all values must be either 0 or -1",);
+        // Safety: the validity has been checked
         unsafe { Self::from_int_unchecked(value) }
     }
 
@@ -161,6 +166,7 @@ where
     #[inline]
     #[must_use = "method returns a new bool and does not mutate the original value"]
     pub unsafe fn test_unchecked(&self, lane: usize) -> bool {
+        // Safety: the caller must confirm this invariant
         unsafe { self.0.test_unchecked(lane) }
     }
 
@@ -172,6 +178,7 @@ where
     #[must_use = "method returns a new bool and does not mutate the original value"]
     pub fn test(&self, lane: usize) -> bool {
         assert!(lane < LANES, "lane index out of range");
+        // Safety: the lane index has been checked
         unsafe { self.test_unchecked(lane) }
     }
 
@@ -181,6 +188,7 @@ where
     /// `lane` must be less than `LANES`.
     #[inline]
     pub unsafe fn set_unchecked(&mut self, lane: usize, value: bool) {
+        // Safety: the caller must confirm this invariant
         unsafe {
             self.0.set_unchecked(lane, value);
         }
@@ -193,6 +201,7 @@ where
     #[inline]
     pub fn set(&mut self, lane: usize, value: bool) {
         assert!(lane < LANES, "lane index out of range");
+        // Safety: the lane index has been checked
         unsafe {
             self.set_unchecked(lane, value);
         }
diff --git a/crates/core_simd/src/masks/bitmask.rs b/crates/core_simd/src/masks/bitmask.rs
@@ -137,6 +137,7 @@ where
     where
         U: MaskElement,
     {
+        // Safety: bitmask layout does not depend on the element width
         unsafe { core::mem::transmute_copy(&self) }
     }
 
diff --git a/crates/core_simd/src/masks/full_masks.rs b/crates/core_simd/src/masks/full_masks.rs
@@ -106,13 +106,15 @@ where
     where
         U: MaskElement,
     {
+        // Safety: masks are simply integer vectors of 0 and -1, and we can cast the element type.
         unsafe { Mask(intrinsics::simd_cast(self.0)) }
     }
 
     #[cfg(feature = "generic_const_exprs")]
     #[inline]
     #[must_use = "method returns a new array and does not mutate the original value"]
     pub fn to_bitmask(self) -> [u8; LaneCount::<LANES>::BITMASK_LEN] {
+        // Safety: IntBitMask is the integer equivalent of the return type.
         unsafe {
             let mut bitmask: [u8; LaneCount::<LANES>::BITMASK_LEN] =
                 intrinsics::simd_bitmask(self.0);
@@ -134,6 +136,7 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     pub fn from_bitmask(mut bitmask: [u8; LaneCount::<LANES>::BITMASK_LEN]) -> Self {
+        // Safety: IntBitMask is the integer equivalent of the input type.
         unsafe {
             // There is a bug where LLVM appears to implement this operation with the wrong
             // bit order.
@@ -155,12 +158,14 @@ where
     #[inline]
     #[must_use = "method returns a new bool and does not mutate the original value"]
     pub fn any(self) -> bool {
+        // Safety: use `self` as an integer vector
         unsafe { intrinsics::simd_reduce_any(self.to_int()) }
     }
 
     #[inline]
     #[must_use = "method returns a new vector and does not mutate the original value"]
     pub fn all(self) -> bool {
+        // Safety: use `self` as an integer vector
         unsafe { intrinsics::simd_reduce_all(self.to_int()) }
     }
 }
@@ -184,6 +189,7 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     fn bitand(self, rhs: Self) -> Self {
+        // Safety: `self` is an integer vector
         unsafe { Self(intrinsics::simd_and(self.0, rhs.0)) }
     }
 }
@@ -197,6 +203,7 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     fn bitor(self, rhs: Self) -> Self {
+        // Safety: `self` is an integer vector
         unsafe { Self(intrinsics::simd_or(self.0, rhs.0)) }
     }
 }
@@ -210,6 +217,7 @@ where
     #[inline]
     #[must_use = "method returns a new mask and does not mutate the original value"]
     fn bitxor(self, rhs: Self) -> Self {
+        // Safety: `self` is an integer vector
         unsafe { Self(intrinsics::simd_xor(self.0, rhs.0)) }
     }
 }
diff --git a/crates/core_simd/src/math.rs b/crates/core_simd/src/math.rs
@@ -22,6 +22,7 @@ macro_rules! impl_uint_arith {
             /// ```
             #[inline]
             pub fn saturating_add(self, second: Self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { simd_saturating_add(self, second) }
             }
 
@@ -41,6 +42,7 @@ macro_rules! impl_uint_arith {
             /// assert_eq!(sat, Simd::splat(0));
             #[inline]
             pub fn saturating_sub(self, second: Self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { simd_saturating_sub(self, second) }
             }
         })+
@@ -68,6 +70,7 @@ macro_rules! impl_int_arith {
             /// ```
             #[inline]
             pub fn saturating_add(self, second: Self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { simd_saturating_add(self, second) }
             }
 
@@ -87,6 +90,7 @@ macro_rules! impl_int_arith {
             /// assert_eq!(sat, Simd::from_array([MIN, MIN, MIN, 0]));
             #[inline]
             pub fn saturating_sub(self, second: Self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { simd_saturating_sub(self, second) }
             }
 
diff --git a/crates/core_simd/src/ops.rs b/crates/core_simd/src/ops.rs
@@ -112,6 +112,7 @@ macro_rules! impl_op {
 
                 #[inline]
                 fn $trait_fn(self, rhs: Self) -> Self::Output {
+                    // Safety: `self` is a vector
                     unsafe {
                         intrinsics::$intrinsic(self, rhs)
                     }
@@ -169,6 +170,8 @@ macro_rules! impl_unsigned_int_ops {
                                 .any(|(x,y)| *x == <$scalar>::MIN && *y == -1 as _) {
                             panic!("attempt to divide with overflow");
                         }
+                        // Safety: `self` is a vector, and the lanes have been checked for
+                        // division by zero and overflow
                         unsafe { intrinsics::simd_div(self, rhs) }
                     }
                 }
@@ -198,6 +201,8 @@ macro_rules! impl_unsigned_int_ops {
                                 .any(|(x,y)| *x == <$scalar>::MIN && *y == -1 as _) {
                             panic!("attempt to calculate the remainder with overflow");
                         }
+                        // Safety: `self` is a vector, and the lanes have been checked for
+                        // division by zero and overflow
                         unsafe { intrinsics::simd_rem(self, rhs) }
                     }
                 }
@@ -221,6 +226,8 @@ macro_rules! impl_unsigned_int_ops {
                         {
                             panic!("attempt to shift left with overflow");
                         }
+                        // Safety: `self` is a vector, and the shift argument has been checked for
+                        // overflow
                         unsafe { intrinsics::simd_shl(self, rhs) }
                     }
                 }
@@ -243,6 +250,8 @@ macro_rules! impl_unsigned_int_ops {
                         {
                             panic!("attempt to shift with overflow");
                         }
+                        // Safety: `self` is a vector, and the shift argument has been checked for
+                        // overflow
                         unsafe { intrinsics::simd_shr(self, rhs) }
                     }
                 }
diff --git a/crates/core_simd/src/reduction.rs b/crates/core_simd/src/reduction.rs
@@ -14,24 +14,28 @@ macro_rules! impl_integer_reductions {
             /// Horizontal wrapping add.  Returns the sum of the lanes of the vector, with wrapping addition.
             #[inline]
             pub fn horizontal_sum(self) -> $scalar {
+                // Safety: `self` is an integer vector
                 unsafe { simd_reduce_add_ordered(self, 0) }
             }
 
             /// Horizontal wrapping multiply.  Returns the product of the lanes of the vector, with wrapping multiplication.
             #[inline]
             pub fn horizontal_product(self) -> $scalar {
+                // Safety: `self` is an integer vector
                 unsafe { simd_reduce_mul_ordered(self, 1) }
             }
 
             /// Horizontal maximum.  Returns the maximum lane in the vector.
             #[inline]
             pub fn horizontal_max(self) -> $scalar {
+                // Safety: `self` is an integer vector
                 unsafe { simd_reduce_max(self) }
             }
 
             /// Horizontal minimum.  Returns the minimum lane in the vector.
             #[inline]
             pub fn horizontal_min(self) -> $scalar {
+                // Safety: `self` is an integer vector
                 unsafe { simd_reduce_min(self) }
             }
         }
@@ -63,6 +67,7 @@ macro_rules! impl_float_reductions {
                 if cfg!(all(target_arch = "x86", not(target_feature = "sse2"))) {
                     self.as_array().iter().sum()
                 } else {
+                    // Safety: `self` is a float vector
                     unsafe { simd_reduce_add_ordered(self, 0.) }
                 }
             }
@@ -74,6 +79,7 @@ macro_rules! impl_float_reductions {
                 if cfg!(all(target_arch = "x86", not(target_feature = "sse2"))) {
                     self.as_array().iter().product()
                 } else {
+                    // Safety: `self` is a float vector
                     unsafe { simd_reduce_mul_ordered(self, 1.) }
                 }
             }
@@ -84,6 +90,7 @@ macro_rules! impl_float_reductions {
             /// return either.  This function will not return `NaN` unless all lanes are `NaN`.
             #[inline]
             pub fn horizontal_max(self) -> $scalar {
+                // Safety: `self` is a float vector
                 unsafe { simd_reduce_max(self) }
             }
 
@@ -93,6 +100,7 @@ macro_rules! impl_float_reductions {
             /// return either.  This function will not return `NaN` unless all lanes are `NaN`.
             #[inline]
             pub fn horizontal_min(self) -> $scalar {
+                // Safety: `self` is a float vector
                 unsafe { simd_reduce_min(self) }
             }
         }
diff --git a/crates/core_simd/src/round.rs b/crates/core_simd/src/round.rs
@@ -14,27 +14,31 @@ macro_rules! implement {
             #[must_use = "method returns a new vector and does not mutate the original value"]
             #[inline]
             pub fn ceil(self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { intrinsics::simd_ceil(self) }
             }
 
             /// Returns the largest integer value less than or equal to each lane.
             #[must_use = "method returns a new vector and does not mutate the original value"]
             #[inline]
             pub fn floor(self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { intrinsics::simd_floor(self) }
             }
 
             /// Rounds to the nearest integer value. Ties round toward zero.
             #[must_use = "method returns a new vector and does not mutate the original value"]
             #[inline]
             pub fn round(self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { intrinsics::simd_round(self) }
             }
 
             /// Returns the floating point's integer value, with its fractional part removed.
             #[must_use = "method returns a new vector and does not mutate the original value"]
             #[inline]
             pub fn trunc(self) -> Self {
+                // Safety: `self` is a vector
                 unsafe { intrinsics::simd_trunc(self) }
             }
 
@@ -61,13 +65,15 @@ macro_rules! implement {
             /// * Be representable in the return type, after truncating off its fractional part
             #[inline]
             pub unsafe fn to_int_unchecked(self) -> Simd<$int_type, LANES> {
+                // Safety: the caller must check the invariants
                 unsafe { intrinsics::simd_cast(self) }
             }
 
             /// Creates a floating-point vector from an integer vector.  Rounds values that are
             /// not exactly representable.
             #[inline]
             pub fn round_from_int(value: Simd<$int_type, LANES>) -> Self {
+                // Safety: conversion from integer to float vectors is safe
                 unsafe { intrinsics::simd_cast(value) }
             }
         }
diff --git a/crates/core_simd/src/swizzle.rs b/crates/core_simd/src/swizzle.rs
@@ -95,6 +95,7 @@ pub trait Swizzle<const INPUT_LANES: usize, const OUTPUT_LANES: usize> {
         LaneCount<INPUT_LANES>: SupportedLaneCount,
         LaneCount<OUTPUT_LANES>: SupportedLaneCount,
     {
+        // Safety: `vector` is a vector, and `INDEX_IMPL` is a const array of u32.
         unsafe { intrinsics::simd_shuffle(vector, vector, Self::INDEX_IMPL) }
     }
 }
@@ -119,6 +120,7 @@ pub trait Swizzle2<const INPUT_LANES: usize, const OUTPUT_LANES: usize> {
         LaneCount<INPUT_LANES>: SupportedLaneCount,
         LaneCount<OUTPUT_LANES>: SupportedLaneCount,
     {
+        // Safety: `first` and `second` are vectors, and `INDEX_IMPL` is a const array of u32.
         unsafe { intrinsics::simd_shuffle(first, second, Self::INDEX_IMPL) }
     }
 }
diff --git a/crates/core_simd/src/to_bytes.rs b/crates/core_simd/src/to_bytes.rs
@@ -8,12 +8,14 @@ macro_rules! impl_to_bytes {
             /// Return the memory representation of this integer as a byte array in native byte
             /// order.
             pub fn to_ne_bytes(self) -> crate::simd::Simd<u8, {{ $size * LANES }}> {
+                // Safety: transmuting between vectors is safe
                 unsafe { core::mem::transmute_copy(&self) }
             }
 
             /// Create a native endian integer value from its memory representation as a byte array
             /// in native endianness.
             pub fn from_ne_bytes(bytes: crate::simd::Simd<u8, {{ $size * LANES }}>) -> Self {
+                // Safety: transmuting between vectors is safe
                 unsafe { core::mem::transmute_copy(&bytes) }
             }
         }
diff --git a/crates/core_simd/src/vector.rs b/crates/core_simd/src/vector.rs
diff --git a/crates/core_simd/src/vector/float.rs b/crates/core_simd/src/vector/float.rs
diff --git a/crates/core_simd/src/vector/ptr.rs b/crates/core_simd/src/vector/ptr.rs
diff --git a/crates/core_simd/src/vendor.rs b/crates/core_simd/src/vendor.rs

Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,7 @@ where`
`137`	`137`	`where`
`138`	`138`	`U: MaskElement,`
`139`	`139`	`{`
	`140`	`+ // Safety: bitmask layout does not depend on the element width`
`140`	`141`	`unsafe { core::mem::transmute_copy(&self) }`
`141`	`142`	`}`
`142`	`143`
Original file line number	Diff line number	Diff line change
`@@ -106,13 +106,15 @@ where`
`106`	`106`	`where`
`107`	`107`	`U: MaskElement,`
`108`	`108`	`{`
	`109`	`+ // Safety: masks are simply integer vectors of 0 and -1, and we can cast the element type.`
`109`	`110`	`unsafe { Mask(intrinsics::simd_cast(self.0)) }`
`110`	`111`	`}`
`111`	`112`
`112`	`113`	`#[cfg(feature = "generic_const_exprs")]`
`113`	`114`	`#[inline]`
`114`	`115`	`#[must_use = "method returns a new array and does not mutate the original value"]`
`115`	`116`	`pub fn to_bitmask(self) -> [u8; LaneCount::<LANES>::BITMASK_LEN] {`
	`117`	`+ // Safety: IntBitMask is the integer equivalent of the return type.`
`116`	`118`	`unsafe {`
`117`	`119`	`let mut bitmask: [u8; LaneCount::<LANES>::BITMASK_LEN] =`
`118`	`120`	`intrinsics::simd_bitmask(self.0);`
`@@ -134,6 +136,7 @@ where`
`134`	`136`	`#[inline]`
`135`	`137`	`#[must_use = "method returns a new mask and does not mutate the original value"]`
`136`	`138`	`pub fn from_bitmask(mut bitmask: [u8; LaneCount::<LANES>::BITMASK_LEN]) -> Self {`
	`139`	`+ // Safety: IntBitMask is the integer equivalent of the input type.`
`137`	`140`	`unsafe {`
`138`	`141`	`// There is a bug where LLVM appears to implement this operation with the wrong`
`139`	`142`	`// bit order.`
`@@ -155,12 +158,14 @@ where`
`155`	`158`	`#[inline]`
`156`	`159`	`#[must_use = "method returns a new bool and does not mutate the original value"]`
`157`	`160`	`pub fn any(self) -> bool {`
	`161`	+ // Safety: use `self` as an integer vector
`158`	`162`	`unsafe { intrinsics::simd_reduce_any(self.to_int()) }`
`159`	`163`	`}`
`160`	`164`
`161`	`165`	`#[inline]`
`162`	`166`	`#[must_use = "method returns a new vector and does not mutate the original value"]`
`163`	`167`	`pub fn all(self) -> bool {`
	`168`	+ // Safety: use `self` as an integer vector
`164`	`169`	`unsafe { intrinsics::simd_reduce_all(self.to_int()) }`
`165`	`170`	`}`
`166`	`171`	`}`
`@@ -184,6 +189,7 @@ where`
`184`	`189`	`#[inline]`
`185`	`190`	`#[must_use = "method returns a new mask and does not mutate the original value"]`
`186`	`191`	`fn bitand(self, rhs: Self) -> Self {`
	`192`	+ // Safety: `self` is an integer vector
`187`	`193`	`unsafe { Self(intrinsics::simd_and(self.0, rhs.0)) }`
`188`	`194`	`}`
`189`	`195`	`}`
`@@ -197,6 +203,7 @@ where`
`197`	`203`	`#[inline]`
`198`	`204`	`#[must_use = "method returns a new mask and does not mutate the original value"]`
`199`	`205`	`fn bitor(self, rhs: Self) -> Self {`
	`206`	+ // Safety: `self` is an integer vector
`200`	`207`	`unsafe { Self(intrinsics::simd_or(self.0, rhs.0)) }`
`201`	`208`	`}`
`202`	`209`	`}`
`@@ -210,6 +217,7 @@ where`
`210`	`217`	`#[inline]`
`211`	`218`	`#[must_use = "method returns a new mask and does not mutate the original value"]`
`212`	`219`	`fn bitxor(self, rhs: Self) -> Self {`
	`220`	+ // Safety: `self` is an integer vector
`213`	`221`	`unsafe { Self(intrinsics::simd_xor(self.0, rhs.0)) }`
`214`	`222`	`}`
`215`	`223`	`}`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ macro_rules! impl_op {`
`112`	`112`
`113`	`113`	`#[inline]`
`114`	`114`	`fn $trait_fn(self, rhs: Self) -> Self::Output {`
	`115`	+ // Safety: `self` is a vector
`115`	`116`	`unsafe {`
`116`	`117`	`intrinsics::$intrinsic(self, rhs)`
`117`	`118`	`}`
`@@ -169,6 +170,8 @@ macro_rules! impl_unsigned_int_ops {`
`169`	`170`	`.any(\|(x,y)\| x == <$scalar>::MIN && y == -1 as _) {`
`170`	`171`	`panic!("attempt to divide with overflow");`
`171`	`172`	`}`
	`173`	+ // Safety: `self` is a vector, and the lanes have been checked for
	`174`	`+ // division by zero and overflow`
`172`	`175`	`unsafe { intrinsics::simd_div(self, rhs) }`
`173`	`176`	`}`
`174`	`177`	`}`
`@@ -198,6 +201,8 @@ macro_rules! impl_unsigned_int_ops {`
`198`	`201`	`.any(\|(x,y)\| x == <$scalar>::MIN && y == -1 as _) {`
`199`	`202`	`panic!("attempt to calculate the remainder with overflow");`
`200`	`203`	`}`
	`204`	+ // Safety: `self` is a vector, and the lanes have been checked for
	`205`	`+ // division by zero and overflow`
`201`	`206`	`unsafe { intrinsics::simd_rem(self, rhs) }`
`202`	`207`	`}`
`203`	`208`	`}`
`@@ -221,6 +226,8 @@ macro_rules! impl_unsigned_int_ops {`
`221`	`226`	`{`
`222`	`227`	`panic!("attempt to shift left with overflow");`
`223`	`228`	`}`
	`229`	+ // Safety: `self` is a vector, and the shift argument has been checked for
	`230`	`+ // overflow`
`224`	`231`	`unsafe { intrinsics::simd_shl(self, rhs) }`
`225`	`232`	`}`
`226`	`233`	`}`
`@@ -243,6 +250,8 @@ macro_rules! impl_unsigned_int_ops {`
`243`	`250`	`{`
`244`	`251`	`panic!("attempt to shift with overflow");`
`245`	`252`	`}`
	`253`	+ // Safety: `self` is a vector, and the shift argument has been checked for
	`254`	`+ // overflow`
`246`	`255`	`unsafe { intrinsics::simd_shr(self, rhs) }`
`247`	`256`	`}`
`248`	`257`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,24 +14,28 @@ macro_rules! impl_integer_reductions {`
`14`	`14`	`/// Horizontal wrapping add. Returns the sum of the lanes of the vector, with wrapping addition.`
`15`	`15`	`#[inline]`
`16`	`16`	`pub fn horizontal_sum(self) -> $scalar {`
	`17`	+ // Safety: `self` is an integer vector
`17`	`18`	`unsafe { simd_reduce_add_ordered(self, 0) }`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`/// Horizontal wrapping multiply. Returns the product of the lanes of the vector, with wrapping multiplication.`
`21`	`22`	`#[inline]`
`22`	`23`	`pub fn horizontal_product(self) -> $scalar {`
	`24`	+ // Safety: `self` is an integer vector
`23`	`25`	`unsafe { simd_reduce_mul_ordered(self, 1) }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`/// Horizontal maximum. Returns the maximum lane in the vector.`
`27`	`29`	`#[inline]`
`28`	`30`	`pub fn horizontal_max(self) -> $scalar {`
	`31`	+ // Safety: `self` is an integer vector
`29`	`32`	`unsafe { simd_reduce_max(self) }`
`30`	`33`	`}`
`31`	`34`
`32`	`35`	`/// Horizontal minimum. Returns the minimum lane in the vector.`
`33`	`36`	`#[inline]`
`34`	`37`	`pub fn horizontal_min(self) -> $scalar {`
	`38`	+ // Safety: `self` is an integer vector
`35`	`39`	`unsafe { simd_reduce_min(self) }`
`36`	`40`	`}`
`37`	`41`	`}`
`@@ -63,6 +67,7 @@ macro_rules! impl_float_reductions {`
`63`	`67`	`if cfg!(all(target_arch = "x86", not(target_feature = "sse2"))) {`
`64`	`68`	`self.as_array().iter().sum()`
`65`	`69`	`} else {`
	`70`	+ // Safety: `self` is a float vector
`66`	`71`	`unsafe { simd_reduce_add_ordered(self, 0.) }`
`67`	`72`	`}`
`68`	`73`	`}`
`@@ -74,6 +79,7 @@ macro_rules! impl_float_reductions {`
`74`	`79`	`if cfg!(all(target_arch = "x86", not(target_feature = "sse2"))) {`
`75`	`80`	`self.as_array().iter().product()`
`76`	`81`	`} else {`
	`82`	+ // Safety: `self` is a float vector
`77`	`83`	`unsafe { simd_reduce_mul_ordered(self, 1.) }`
`78`	`84`	`}`
`79`	`85`	`}`
`@@ -84,6 +90,7 @@ macro_rules! impl_float_reductions {`
`84`	`90`	/// return either. This function will not return `NaN` unless all lanes are `NaN`.
`85`	`91`	`#[inline]`
`86`	`92`	`pub fn horizontal_max(self) -> $scalar {`
	`93`	+ // Safety: `self` is a float vector
`87`	`94`	`unsafe { simd_reduce_max(self) }`
`88`	`95`	`}`
`89`	`96`
`@@ -93,6 +100,7 @@ macro_rules! impl_float_reductions {`
`93`	`100`	/// return either. This function will not return `NaN` unless all lanes are `NaN`.
`94`	`101`	`#[inline]`
`95`	`102`	`pub fn horizontal_min(self) -> $scalar {`
	`103`	+ // Safety: `self` is a float vector
`96`	`104`	`unsafe { simd_reduce_min(self) }`
`97`	`105`	`}`
`98`	`106`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@ pub trait Swizzle<const INPUT_LANES: usize, const OUTPUT_LANES: usize> {`
`95`	`95`	`LaneCount<INPUT_LANES>: SupportedLaneCount,`
`96`	`96`	`LaneCount<OUTPUT_LANES>: SupportedLaneCount,`
`97`	`97`	`{`
	`98`	+ // Safety: `vector` is a vector, and `INDEX_IMPL` is a const array of u32.
`98`	`99`	`unsafe { intrinsics::simd_shuffle(vector, vector, Self::INDEX_IMPL) }`
`99`	`100`	`}`
`100`	`101`	`}`
`@@ -119,6 +120,7 @@ pub trait Swizzle2<const INPUT_LANES: usize, const OUTPUT_LANES: usize> {`
`119`	`120`	`LaneCount<INPUT_LANES>: SupportedLaneCount,`
`120`	`121`	`LaneCount<OUTPUT_LANES>: SupportedLaneCount,`
`121`	`122`	`{`
	`123`	+ // Safety: `first` and `second` are vectors, and `INDEX_IMPL` is a const array of u32.
`122`	`124`	`unsafe { intrinsics::simd_shuffle(first, second, Self::INDEX_IMPL) }`
`123`	`125`	`}`
`124`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,14 @@ macro_rules! impl_to_bytes {`
`8`	`8`	`/// Return the memory representation of this integer as a byte array in native byte`
`9`	`9`	`/// order.`
`10`	`10`	`pub fn to_ne_bytes(self) -> crate::simd::Simd<u8, {{ $size * LANES }}> {`
	`11`	`+ // Safety: transmuting between vectors is safe`
`11`	`12`	`unsafe { core::mem::transmute_copy(&self) }`
`12`	`13`	`}`
`13`	`14`
`14`	`15`	`/// Create a native endian integer value from its memory representation as a byte array`
`15`	`16`	`/// in native endianness.`
`16`	`17`	`pub fn from_ne_bytes(bytes: crate::simd::Simd<u8, {{ $size * LANES }}>) -> Self {`
	`18`	`+ // Safety: transmuting between vectors is safe`
`17`	`19`	`unsafe { core::mem::transmute_copy(&bytes) }`
`18`	`20`	`}`
`19`	`21`	`}`