From 6cbe1726a70bac498bd46dc08c868f094117675c Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 4 Apr 2020 19:32:21 +0200
Subject: [PATCH] clarify safety in RawVec::into_box
---
 src/liballoc/raw_vec.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/liballoc/raw_vec.rs b/src/liballoc/raw_vec.rs
index 12e32fd9d35..7ac67870eb7 100644
--- a/src/liballoc/raw_vec.rs
+++ b/src/liballoc/raw_vec.rs
@@ -570,16 +570,19 @@ impl RawVec {
 ///
 /// # Safety
 ///
- /// `shrink_to_fit(len)` must be called immediately prior to calling this function. This
- /// implies, that `len` must be smaller than or equal to `self.capacity()`.
+ /// * `len` must be greater than or equal to the most recently requested capacity, and
+ /// * `len` must be less than or equal to `self.capacity()`.
+ ///
+ /// Note, that the requested capacity and `self.capacity()` could differ, as
+ /// an allocator could overallocate and return a greater memory block than requested.
 pub unsafe fn into_box(self, len: usize) -> Box<[MaybeUninit]> {
+ // Sanity-check one half of the safety requirement (we cannot check the other half).
 debug_assert!(
 len <= self.capacity(),
 "`len` must be smaller than or equal to `self.capacity()`"
 );
 let me = ManuallyDrop::new(self);
- // NOTE: not calling `capacity()` here; actually using the real `cap` field!
 let slice = slice::from_raw_parts_mut(me.ptr() as *mut MaybeUninit, len);
 Box::from_raw(slice)
 }
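Review bot: The new `# Safety` list states the lower bound on `len` without saying where "the most recently requested capacity" comes from or why that bound exists, so a caller now has less practical guidance than the removed `shrink_to_fit(len)` sentence gave. Consider adding after the note `/// In practice this is satisfied by calling shrink_to_fit(len) immediately before this function.` plus one sentence on the reason — presumably that the returned `Box` later frees the block with a layout sized for `len` elements, which must fit the allocation the allocator actually handed out. That is also the place to state that the `debug_assert!` covers only the upper bound, so a `len` below the requested capacity is never diagnosed, even in debug builds. The enclosing `impl RawVec` block begins and ends outside the hunk.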