Reduce uses of uninitialized arrays

[kornelski]

I'm trying to remove UB of Aligned::uninitialized() — #1572

[kornelski]

CI fails due to #3263

[kornelski]

Any comments for this PR? Is the direction good? Can it be merged despite the CI issue?

[lu-zero]

Lots of fixes should land since they are good. I hope we'll fix the dav1d situation so we can have back the tests :/

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Files	Coverage Δ
src/asm/shared/predict.rs	99.33% <100.00%> (-0.03%)	⬇️
src/asm/shared/transform/inverse.rs	100.00% <100.00%> (ø)
src/asm/x86/quantize.rs	98.62% <100.00%> (+0.01%)	⬆️
src/asm/x86/transform/forward.rs	97.84% <100.00%> (+0.01%)	⬆️
src/context/block_unit.rs	93.71% <100.00%> (-0.01%)	⬇️
src/context/mod.rs	91.00% <100.00%> (-0.09%)	⬇️
src/context/transform_unit.rs	89.78% <100.00%> (ø)
src/quantize/mod.rs	97.28% <100.00%> (+0.03%)	⬆️
src/transform/forward.rs	100.00% <100.00%> (ø)
src/transform/mod.rs	90.71% <100.00%> (+0.05%)	⬆️
... and 2 more

📢 Thoughts on this report? Let us know!.

[barrbrain]

If all the changes in this PR were like this file, I would approve it in a heartbeat.
This is the pattern we should be following to avoid undefined behavior and double initialization.

[kornelski]

I don't understand the comment. Does that mean other files than inverse.rs are not acceptable? What do I need to change?

[kornelski]

BTW, I've wanted to use a pattern of:

let initialized = function(&mut maybe_uninit);

but that required reliably tracking the length inside the function, which would regress performance. This lead me to try some loop optimizations like #3262 but I found it wasn't always possible to have guaranteed length for free. Plus there's A LOT of uninitialized to deal with.

There are more functions using which I haven't converted yet, because I'm not actually sure they fully initialize their data!

[barrbrain]

Firstly, thank you for detailing the current sites of potential undefined behavior. Everything that maintains the current intent can be merged. Any changes that replace uninitialized() with zero-fill should be dropped and can be addressed in a follow-up PR.

BTW, I've wanted to use a pattern of:

let initialized = function(&mut maybe_uninit);

I have recently tackled this issue in a toy project:
https://github.com/barrbrain/sudoku/blob/main/src/lib.rs#L27-L40
Some care is required with ownership semantics when crossing the unsafe boundary. This pattern is well defined:
https://github.com/barrbrain/sudoku/blob/main/src/lib.rs#L355-L356
I will see if we can add some infrastructure to ease converting the current code to well-defined.

[lu-zero]

Once MaybeUninit::uninit_array hits stable I guess a lot would be easier.
Probably we could change some Vec in Box<[]> to make more evident that the size is fixed meanwhile.

(also, thank you again for taking care of this :))

[kornelski]

The only cases of zero-fill (I assume you mean from_fn(|| 0)) are in benchmarks, outside of the benchmarked section. I assume they're not important, since they're neither in the library, nor performance-critical. So I've just changed them for simplicity and determinism.

[barrbrain]

Looks good to me. Sorry that I missed the zero-fill changes were limited to tests and benchmarks.