(Writing this down quickly, so I don’t have time to dig up any of the citations mentioned).
It seems slightly insane to me that
Vec::set_len doesn’t panic if the length is set past the allocated capacity. I find it very, very hard to imagine a world where this is useful (and, if it is, is a failing of
Vec's other public APIs). I have vague memory of rather unpleasant bugs that have come up due to sloppy use of
set_len in the standard library…
This API, as it stands, is so spectacularly unsafe (since it might cause
drop to read unallocated memory!) that there isn’t even an equivalent for C++'s
std::vector. I think it should either be removed (which would be unpleasant) or made so that pushing the length past reserved capacity is an unconditional panic. (Given that all array slicing is similarly instrumented, I don’t think this will be a performance regression, and will only break code that is breaking invariants in
To elaborate on “spectacularly, hilariously dangerous”, being able to set set_len past the end of the allocated space opens us up to buffer overflows, whose prevention is one of Rust’s selling points. You never ever ever ever ever ever ever ever want to be able to look at unallocated memory, unless you’re something exotic like an allocator.