From 91ba6e83269d307ec026081953ef917dd6b8d93f Mon Sep 17 00:00:00 2001
From: David Tolnay <dtolnay@gmail.com>
Date: Thu, 6 Oct 2022 15:08:37 -0700
Subject: [PATCH] Add no-panic feature to confirm no panicking codepaths

---
 .github/workflows/ci.yml | 2 ++
 Cargo.toml               | 3 +++
 src/lib.rs               | 6 ++++++
 src/udiv128.rs           | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a2a9d22..e399cef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,8 @@ jobs:
       - run: cargo build --no-default-features
       - run: cargo test --tests --no-default-features
       - run: cargo test --tests --no-default-features --release
+      - run: cargo build --tests --features no-panic --release
+        if: matrix.rust == 'nightly'
       - run: cargo bench --no-run
         if: matrix.rust == 'nightly'
 
diff --git a/Cargo.toml b/Cargo.toml
index b3a0cbd..8fee058 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,5 +12,8 @@ license = "MIT OR Apache-2.0"
 repository = "https://github.com/dtolnay/itoa"
 rust-version = "1.36"
 
+[dependencies]
+no-panic = { version = "0.1", optional = true }
+
 [package.metadata.docs.rs]
 targets = ["x86_64-unknown-linux-gnu"]
diff --git a/src/lib.rs b/src/lib.rs
index 002156c..86da3ad 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -43,6 +43,8 @@ mod udiv128;
 
 use core::mem::{self, MaybeUninit};
 use core::{ptr, slice, str};
+#[cfg(feature = "no-panic")]
+use no_panic::no_panic;
 
 /// A correctly sized stack allocation for the formatted integer to be written
 /// into.
@@ -76,6 +78,7 @@ impl Buffer {
     /// This is a cheap operation; you don't need to worry about reusing buffers
     /// for efficiency.
     #[inline]
+    #[cfg_attr(feature = "no-panic", no_panic)]
     pub fn new() -> Buffer {
         let bytes = [MaybeUninit::<u8>::uninit(); I128_MAX_LEN];
         Buffer { bytes }
@@ -83,6 +86,7 @@ impl Buffer {
 
     /// Print an integer into this buffer and return a reference to its string
     /// representation within the buffer.
+    #[cfg_attr(feature = "no-panic", no_panic)]
     pub fn format<I: Integer>(&mut self, i: I) -> &str {
         i.write(unsafe {
             &mut *(&mut self.bytes as *mut [MaybeUninit<u8>; I128_MAX_LEN]
@@ -122,6 +126,7 @@ macro_rules! impl_Integer {
 
             #[allow(unused_comparisons)]
             #[inline]
+            #[cfg_attr(feature = "no-panic", no_panic)]
             fn write(self, buf: &mut [MaybeUninit<u8>; $max_len]) -> &str {
                 let is_nonnegative = self >= 0;
                 let mut n = if is_nonnegative {
@@ -223,6 +228,7 @@ macro_rules! impl_Integer128 {
 
             #[allow(unused_comparisons)]
             #[inline]
+            #[cfg_attr(feature = "no-panic", no_panic)]
             fn write(self, buf: &mut [MaybeUninit<u8>; $max_len]) -> &str {
                 let is_nonnegative = self >= 0;
                 let n = if is_nonnegative {
diff --git a/src/udiv128.rs b/src/udiv128.rs
index df53eb5..0587047 100644
--- a/src/udiv128.rs
+++ b/src/udiv128.rs
@@ -1,5 +1,9 @@
+#[cfg(feature = "no-panic")]
+use no_panic::no_panic;
+
 /// Multiply unsigned 128 bit integers, return upper 128 bits of the result
 #[inline]
+#[cfg_attr(feature = "no-panic", no_panic)]
 fn u128_mulhi(x: u128, y: u128) -> u128 {
     let x_lo = x as u64;
     let x_hi = (x >> 64) as u64;
@@ -26,6 +30,7 @@ fn u128_mulhi(x: u128, y: u128) -> u128 {
 ///   Implementation, 1994, pp. 61–72
 ///
 #[inline]
+#[cfg_attr(feature = "no-panic", no_panic)]
 pub fn udivmod_1e19(n: u128) -> (u128, u64) {
     let d = 10_000_000_000_000_000_000_u64; // 10^19