zerovec/varzerovec/

components.rs

// This file is part of ICU4X. For terms of use, please see the file
// called LICENSE at the top level of the ICU4X source tree
// (online at: https://github.com/unicode-org/icu4x/blob/main/LICENSE ).

use super::VarZeroVecFormatError;
use crate::ule::*;
use core::cmp::Ordering;
use core::convert::TryFrom;
use core::marker::PhantomData;
use core::mem;
use core::ops::Range;

/// This trait allows switching between different possible internal
/// representations of VarZeroVec.
///
/// Currently this crate supports three formats: [`Index8`], [`Index16`] and [`Index32`],
/// with [`Index16`] being the default for all [`VarZeroVec`](super::VarZeroVec)
/// types unless explicitly specified otherwise.
///
/// Do not implement this trait, its internals may be changed in the future,
/// and all of its associated items are hidden from the docs.
pub trait VarZeroVecFormat: 'static + Sized {
    /// The type to use for the indexing array
    ///
    /// Safety: must be a ULE for which all byte sequences are allowed
    #[doc(hidden)]
    type Index: IntegerULE;
    /// The type to use for the length segment
    ///
    /// Safety: must be a ULE for which all byte sequences are allowed
    #[doc(hidden)]
    type Len: IntegerULE;
}

/// This trait represents various ULE types that can be used to represent an integer
///
/// Do not implement this trait, its internals may be changed in the future,
/// and all of its associated items are hidden from the docs.
#[allow(clippy::missing_safety_doc)] // no safety section for you, don't implement this trait period
#[doc(hidden)]
pub unsafe trait IntegerULE: ULE {
    /// The error to show when unable to construct a vec
    #[doc(hidden)]
    const TOO_LARGE_ERROR: &'static str;

    /// Safety: must be sizeof(self)
    #[doc(hidden)]
    const SIZE: usize;

    /// Safety: must be maximum integral value represented here
    #[doc(hidden)]
    const MAX_VALUE: u32;

    /// Safety: Must roundtrip with from_usize and represent the correct
    /// integral value
    #[doc(hidden)]
    fn iule_to_usize(self) -> usize;

    #[doc(hidden)]
    fn iule_from_usize(x: usize) -> Option<Self>;

    /// Safety: Should always convert a buffer into an array of Self with the correct length
    #[doc(hidden)]
    #[cfg(feature = "alloc")]
    fn iule_from_bytes_unchecked_mut(bytes: &mut [u8]) -> &mut [Self];
}

/// This is a [`VarZeroVecFormat`] that stores u8s in the index array, and a u8 for a length.
///
/// Will have a smaller data size, but it's *extremely* likely for larger arrays
/// to be unrepresentable (and error on construction). Should probably be used
/// for known-small arrays, where all but the last field are known-small.
#[derive(Copy, Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
#[allow(clippy::exhaustive_structs)] // marker
pub struct Index8;

/// This is a [`VarZeroVecFormat`] that stores u16s in the index array, and a u16 for a length.
///
/// Will have a smaller data size, but it's more likely for larger arrays
/// to be unrepresentable (and error on construction)
///
/// This is the default index size used by all [`VarZeroVec`](super::VarZeroVec) types.
#[derive(Copy, Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
#[allow(clippy::exhaustive_structs)] // marker
pub struct Index16;

/// This is a [`VarZeroVecFormat`] that stores u32s in the index array, and a u32 for a length.
/// Will have a larger data size, but will support large arrays without
/// problems.
#[derive(Copy, Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
#[allow(clippy::exhaustive_structs)] // marker
pub struct Index32;

impl VarZeroVecFormat for Index8 {
    type Index = u8;
    type Len = u8;
}

impl VarZeroVecFormat for Index16 {
    type Index = RawBytesULE<2>;
    type Len = RawBytesULE<2>;
}

impl VarZeroVecFormat for Index32 {
    type Index = RawBytesULE<4>;
    type Len = RawBytesULE<4>;
}

unsafe impl IntegerULE for u8 {
    const TOO_LARGE_ERROR: &'static str = "Attempted to build VarZeroVec out of elements that \
                                     cumulatively are larger than a u8 in size";
    const SIZE: usize = mem::size_of::<Self>();
    const MAX_VALUE: u32 = u8::MAX as u32;
    #[inline]
    fn iule_to_usize(self) -> usize {
        self as usize
    }
    #[inline]
    fn iule_from_usize(u: usize) -> Option<Self> {
        u8::try_from(u).ok()
    }
    #[inline]
    #[cfg(feature = "alloc")]
    fn iule_from_bytes_unchecked_mut(bytes: &mut [u8]) -> &mut [Self] {
        bytes
    }
}

unsafe impl IntegerULE for RawBytesULE<2> {
    const TOO_LARGE_ERROR: &'static str = "Attempted to build VarZeroVec out of elements that \
                                     cumulatively are larger than a u16 in size";
    const SIZE: usize = mem::size_of::<Self>();
    const MAX_VALUE: u32 = u16::MAX as u32;
    #[inline]
    fn iule_to_usize(self) -> usize {
        self.as_unsigned_int() as usize
    }
    #[inline]
    fn iule_from_usize(u: usize) -> Option<Self> {
        u16::try_from(u).ok().map(u16::to_unaligned)
    }
    #[inline]
    #[cfg(feature = "alloc")]
    fn iule_from_bytes_unchecked_mut(bytes: &mut [u8]) -> &mut [Self] {
        Self::from_bytes_unchecked_mut(bytes)
    }
}

unsafe impl IntegerULE for RawBytesULE<4> {
    const TOO_LARGE_ERROR: &'static str = "Attempted to build VarZeroVec out of elements that \
                                     cumulatively are larger than a u32 in size";
    const SIZE: usize = mem::size_of::<Self>();
    const MAX_VALUE: u32 = u32::MAX;
    #[inline]
    fn iule_to_usize(self) -> usize {
        self.as_unsigned_int() as usize
    }
    #[inline]
    fn iule_from_usize(u: usize) -> Option<Self> {
        u32::try_from(u).ok().map(u32::to_unaligned)
    }
    #[inline]
    #[cfg(feature = "alloc")]
    fn iule_from_bytes_unchecked_mut(bytes: &mut [u8]) -> &mut [Self] {
        Self::from_bytes_unchecked_mut(bytes)
    }
}

/// A more parsed version of `VarZeroSlice`. This type is where most of the VarZeroVec
/// internal representation code lies.
///
/// This is *basically* an `&'a [u8]` to a zero copy buffer, but split out into
/// the buffer components. Logically this is capable of behaving as
/// a `&'a [T::VarULE]`, but since `T::VarULE` is unsized that type does not actually
/// exist.
///
/// See [`VarZeroVecComponents::parse_bytes()`] for information on the internal invariants involved
#[derive(Debug)]
pub struct VarZeroVecComponents<'a, T: ?Sized, F> {
    /// The number of elements
    len: u32,
    /// The list of indices into the `things` slice
    /// Since the first element is always at things[0], the first element of the indices array is for the *second* element
    indices: &'a [u8],
    /// The contiguous list of `T::VarULE`s
    things: &'a [u8],
    marker: PhantomData<(&'a T, F)>,
}

// #[derive()] won't work here since we do not want it to be
// bound on T: Copy
impl<'a, T: ?Sized, F> Copy for VarZeroVecComponents<'a, T, F> {}
impl<'a, T: ?Sized, F> Clone for VarZeroVecComponents<'a, T, F> {
    fn clone(&self) -> Self {
        *self
    }
}

impl<'a, T: VarULE + ?Sized, F> Default for VarZeroVecComponents<'a, T, F> {
    #[inline]
    fn default() -> Self {
        Self::new()
    }
}

impl<'a, T: VarULE + ?Sized, F> VarZeroVecComponents<'a, T, F> {
    #[inline]
    pub fn new() -> Self {
        Self {
            len: 0,
            indices: &[],
            things: &[],
            marker: PhantomData,
        }
    }
}
impl<'a, T: VarULE + ?Sized, F: VarZeroVecFormat> VarZeroVecComponents<'a, T, F> {
    /// Construct a new VarZeroVecComponents, checking invariants about the overall buffer size:
    ///
    /// - There must be either zero or at least four bytes (if four, this is the "length" parsed as a usize)
    /// - There must be at least `4*(length - 1) + 4` bytes total, to form the array `indices` of indices
    /// - `0..indices[0]` must index into a valid section of
    ///   `things` (the data after `indices`), such that it parses to a `T::VarULE`
    /// - `indices[i - 1]..indices[i]` must index into a valid section of
    ///   `things` (the data after `indices`), such that it parses to a `T::VarULE`
    /// - `indices[len - 2]..things.len()` must index into a valid section of
    ///   `things`, such that it parses to a `T::VarULE`
    #[inline]
    pub fn parse_bytes(slice: &'a [u8]) -> Result<Self, VarZeroVecFormatError> {
        // The empty VZV is special-cased to the empty slice
        if slice.is_empty() {
            return Ok(VarZeroVecComponents {
                len: 0,
                indices: &[],
                things: &[],
                marker: PhantomData,
            });
        }
        let len_bytes = slice
            .get(0..F::Len::SIZE)
            .ok_or(VarZeroVecFormatError::Metadata)?;
        let len_ule =
            F::Len::parse_bytes_to_slice(len_bytes).map_err(|_| VarZeroVecFormatError::Metadata)?;

        let len = len_ule
            .first()
            .ok_or(VarZeroVecFormatError::Metadata)?
            .iule_to_usize();

        let rest = slice
            .get(F::Len::SIZE..)
            .ok_or(VarZeroVecFormatError::Metadata)?;
        let len_u32 = u32::try_from(len).map_err(|_| VarZeroVecFormatError::Metadata);
        // We pass down the rest of the invariants
        Self::parse_bytes_with_length(len_u32?, rest)
    }

    /// Construct a new VarZeroVecComponents, checking invariants about the overall buffer size:
    ///
    /// - There must be at least `4*len` bytes total, to form the array `indices` of indices.
    /// - `indices[i]..indices[i+1]` must index into a valid section of
    ///   `things` (the data after `indices`), such that it parses to a `T::VarULE`
    /// - `indices[len - 1]..things.len()` must index into a valid section of
    ///   `things`, such that it parses to a `T::VarULE`
    #[inline]
    pub fn parse_bytes_with_length(
        len: u32,
        slice: &'a [u8],
    ) -> Result<Self, VarZeroVecFormatError> {
        let len_minus_one = len.checked_sub(1);
        // The empty VZV is special-cased to the empty slice
        let Some(len_minus_one) = len_minus_one else {
            return Ok(VarZeroVecComponents {
                len: 0,
                indices: &[],
                things: &[],
                marker: PhantomData,
            });
        };
        // The indices array is one element shorter since the first index is always 0,
        // so we use len_minus_one
        let indices_bytes = slice
            .get(..F::Index::SIZE * (len_minus_one as usize))
            .ok_or(VarZeroVecFormatError::Metadata)?;
        let things = slice
            .get(F::Index::SIZE * (len_minus_one as usize)..)
            .ok_or(VarZeroVecFormatError::Metadata)?;

        let borrowed = VarZeroVecComponents {
            len,
            indices: indices_bytes,
            things,
            marker: PhantomData,
        };

        borrowed.check_indices_and_things()?;

        Ok(borrowed)
    }

    /// Construct a [`VarZeroVecComponents`] from a byte slice that has previously
    /// successfully returned a [`VarZeroVecComponents`] when passed to
    /// [`VarZeroVecComponents::parse_bytes()`]. Will return the same
    /// object as one would get from calling [`VarZeroVecComponents::parse_bytes()`].
    ///
    /// # Safety
    /// The bytes must have previously successfully run through
    /// [`VarZeroVecComponents::parse_bytes()`]
    pub unsafe fn from_bytes_unchecked(slice: &'a [u8]) -> Self {
        // The empty VZV is special-cased to the empty slice
        if slice.is_empty() {
            return VarZeroVecComponents {
                len: 0,
                indices: &[],
                things: &[],
                marker: PhantomData,
            };
        }
        let (len_bytes, data_bytes) = unsafe { slice.split_at_unchecked(F::Len::SIZE) };
        // Safety: F::Len allows all byte sequences
        let len_ule = F::Len::slice_from_bytes_unchecked(len_bytes);

        let len = len_ule.get_unchecked(0).iule_to_usize();
        let len_u32 = len as u32;

        // Safety: This method requires the bytes to have passed through `parse_bytes()`
        // whereas we're calling something that asks for `parse_bytes_with_length()`.
        // The two methods perform similar validation, with parse_bytes() validating an additional
        // 4-byte `length` header.
        Self::from_bytes_unchecked_with_length(len_u32, data_bytes)
    }

    /// Construct a [`VarZeroVecComponents`] from a byte slice that has previously
    /// successfully returned a [`VarZeroVecComponents`] when passed to
    /// [`VarZeroVecComponents::parse_bytes()`]. Will return the same
    /// object as one would get from calling [`VarZeroVecComponents::parse_bytes()`].
    ///
    /// # Safety
    /// The len,bytes must have previously successfully run through
    /// [`VarZeroVecComponents::parse_bytes_with_length()`]
    pub unsafe fn from_bytes_unchecked_with_length(len: u32, slice: &'a [u8]) -> Self {
        let len_minus_one = len.checked_sub(1);
        // The empty VZV is special-cased to the empty slice
        let Some(len_minus_one) = len_minus_one else {
            return VarZeroVecComponents {
                len: 0,
                indices: &[],
                things: &[],
                marker: PhantomData,
            };
        };
        // The indices array is one element shorter since the first index is always 0,
        // so we use len_minus_one
        let indices_bytes = slice.get_unchecked(..F::Index::SIZE * (len_minus_one as usize));
        let things = slice.get_unchecked(F::Index::SIZE * (len_minus_one as usize)..);

        VarZeroVecComponents {
            len,
            indices: indices_bytes,
            things,
            marker: PhantomData,
        }
    }

    /// Get the number of elements in this vector
    #[inline]
    pub fn len(self) -> usize {
        self.len as usize
    }

    /// Returns `true` if the vector contains no elements.
    #[inline]
    pub fn is_empty(self) -> bool {
        self.len == 0
    }

    /// Get the idx'th element out of this slice. Returns `None` if out of bounds.
    #[inline]
    pub fn get(self, idx: usize) -> Option<&'a T> {
        if idx >= self.len() {
            return None;
        }
        Some(unsafe { self.get_unchecked(idx) })
    }

    /// Get the idx'th element out of this slice. Does not bounds check.
    ///
    /// Safety:
    /// - `idx` must be in bounds (`idx < self.len()`)
    #[inline]
    pub(crate) unsafe fn get_unchecked(self, idx: usize) -> &'a T {
        let range = self.get_things_range(idx);
        let things_slice = self.things.get_unchecked(range);
        T::from_bytes_unchecked(things_slice)
    }

    /// Get the range in `things` for the element at `idx`. Does not bounds check.
    ///
    /// Safety:
    /// - `idx` must be in bounds (`idx < self.len()`)
    #[inline]
    pub(crate) unsafe fn get_things_range(self, idx: usize) -> Range<usize> {
        let start = if let Some(idx_minus_one) = idx.checked_sub(1) {
            self.indices_slice()
                .get_unchecked(idx_minus_one)
                .iule_to_usize()
        } else {
            0
        };
        let end = if idx + 1 == self.len() {
            self.things.len()
        } else {
            self.indices_slice().get_unchecked(idx).iule_to_usize()
        };
        debug_assert!(start <= end);
        start..end
    }

    /// Get the size, in bytes, of the indices array
    pub(crate) unsafe fn get_indices_size(self) -> usize {
        self.indices.len()
    }

    /// Check the internal invariants of VarZeroVecComponents:
    ///
    /// - `indices[i]..indices[i+1]` must index into a valid section of
    ///   `things`, such that it parses to a `T::VarULE`
    /// - `indices[len - 1]..things.len()` must index into a valid section of
    ///   `things`, such that it parses to a `T::VarULE`
    /// - `indices` is monotonically increasing
    ///
    /// This method is NOT allowed to call any other methods on VarZeroVecComponents since all other methods
    /// assume that the slice has been passed through check_indices_and_things
    #[inline]
    #[allow(clippy::len_zero)] // more explicit to enforce safety invariants
    fn check_indices_and_things(self) -> Result<(), VarZeroVecFormatError> {
        if self.len() == 0 {
            if self.things.len() > 0 {
                return Err(VarZeroVecFormatError::Metadata);
            } else {
                return Ok(());
            }
        }
        let indices_slice = self.indices_slice();
        assert_eq!(self.len(), indices_slice.len() + 1);
        // Safety: i is in bounds (assertion above)
        let mut start = 0;
        for i in 0..self.len() {
            // The indices array is offset by 1: indices[0] is the end of the first
            // element and the start of the next, since the start of the first element
            // is always things[0]. So to get the end we get element `i`.
            let end = if let Some(end) = indices_slice.get(i) {
                end.iule_to_usize()
            } else {
                // This only happens at i = self.len() - 1 = indices_slice.len() + 1 - 1
                // = indices_slice.len(). This is the last `end`, which is always the size of
                // `things` and thus never stored in the array
                self.things.len()
            };

            if start > end {
                return Err(VarZeroVecFormatError::Metadata);
            }
            if end > self.things.len() {
                return Err(VarZeroVecFormatError::Metadata);
            }
            // Safety: start..end is a valid range in self.things
            let bytes = unsafe { self.things.get_unchecked(start..end) };
            T::parse_bytes(bytes).map_err(VarZeroVecFormatError::Values)?;
            start = end;
        }
        Ok(())
    }

    /// Create an iterator over the Ts contained in VarZeroVecComponents
    #[inline]
    pub fn iter(self) -> VarZeroSliceIter<'a, T, F> {
        VarZeroSliceIter::new(self)
    }

    #[cfg(feature = "alloc")]
    pub fn to_vec(self) -> alloc::vec::Vec<alloc::boxed::Box<T>> {
        self.iter().map(T::to_boxed).collect()
    }

    #[inline]
    fn indices_slice(&self) -> &'a [F::Index] {
        unsafe { F::Index::slice_from_bytes_unchecked(self.indices) }
    }

    // Dump a debuggable representation of this type
    #[allow(unused)] // useful for debugging
    #[cfg(feature = "alloc")]
    pub(crate) fn dump(&self) -> alloc::string::String {
        let indices = self
            .indices_slice()
            .iter()
            .copied()
            .map(IntegerULE::iule_to_usize)
            .collect::<alloc::vec::Vec<_>>();
        alloc::format!("VarZeroVecComponents {{ indices: {indices:?} }}")
    }
}

/// An iterator over VarZeroSlice
#[derive(Debug)]
pub struct VarZeroSliceIter<'a, T: ?Sized, F = Index16> {
    components: VarZeroVecComponents<'a, T, F>,
    index: usize,
    // Safety invariant: must be a valid index into the data segment of `components`, or an index at the end
    // i.e. start_index <= components.things.len()
    //
    // It must be a valid index into the `things` array of components, coming from `components.indices_slice()`
    start_index: usize,
}

impl<'a, T: VarULE + ?Sized, F: VarZeroVecFormat> VarZeroSliceIter<'a, T, F> {
    fn new(c: VarZeroVecComponents<'a, T, F>) -> Self {
        Self {
            components: c,
            index: 0,
            // Invariant upheld, 0 is always a valid index-or-end
            start_index: 0,
        }
    }
}
impl<'a, T: VarULE + ?Sized, F: VarZeroVecFormat> Iterator for VarZeroSliceIter<'a, T, F> {
    type Item = &'a T;

    fn next(&mut self) -> Option<Self::Item> {
        // Note: the indices array doesn't contain 0 or len, we need to specially handle those edges. The 0 is handled
        // by start_index, and the len is handled by the code for `end`.

        if self.index >= self.components.len() {
            return None;
        }

        // Invariant established: self.index is in bounds for self.components.len(),
        // which means it is in bounds for self.components.indices_slice() since that has the same length

        let end = if self.index + 1 == self.components.len() {
            // We don't store the end index since it is computable, so the last element should use self.components.things.len()
            self.components.things.len()
        } else {
            // Safety: self.index was known to be in bounds from the bounds check above.
            unsafe {
                self.components
                    .indices_slice()
                    .get_unchecked(self.index)
                    .iule_to_usize()
            }
        };
        // Invariant established: end has the same invariant as self.start_index since it comes from indices_slice, which is guaranteed
        // to only contain valid indexes

        let item = unsafe {
            // Safety: self.start_index and end both have in-range invariants, plus they are valid indices from indices_slice
            // which means we can treat this data as a T
            T::from_bytes_unchecked(self.components.things.get_unchecked(self.start_index..end))
        };
        self.index += 1;
        // Invariant upheld: end has the same invariant as self.start_index
        self.start_index = end;
        Some(item)
    }

    fn size_hint(&self) -> (usize, Option<usize>) {
        let remainder = self.components.len() - self.index;
        (remainder, Some(remainder))
    }
}

impl<'a, T: VarULE + ?Sized, F: VarZeroVecFormat> ExactSizeIterator for VarZeroSliceIter<'a, T, F> {
    fn len(&self) -> usize {
        self.components.len() - self.index
    }
}

impl<'a, T, F> VarZeroVecComponents<'a, T, F>
where
    T: VarULE,
    T: ?Sized,
    T: Ord,
    F: VarZeroVecFormat,
{
    /// Binary searches a sorted `VarZeroVecComponents<T>` for the given element. For more information, see
    /// the primitive function [`binary_search`](slice::binary_search).
    pub fn binary_search(&self, needle: &T) -> Result<usize, usize> {
        self.binary_search_by(|probe| probe.cmp(needle))
    }

    pub fn binary_search_in_range(
        &self,
        needle: &T,
        range: Range<usize>,
    ) -> Option<Result<usize, usize>> {
        self.binary_search_in_range_by(|probe| probe.cmp(needle), range)
    }
}

impl<'a, T, F> VarZeroVecComponents<'a, T, F>
where
    T: VarULE,
    T: ?Sized,
    F: VarZeroVecFormat,
{
    /// Binary searches a sorted `VarZeroVecComponents<T>` for the given predicate. For more information, see
    /// the primitive function [`binary_search_by`](slice::binary_search_by).
    pub fn binary_search_by(&self, predicate: impl FnMut(&T) -> Ordering) -> Result<usize, usize> {
        // Safety: 0 and len are in range
        unsafe { self.binary_search_in_range_unchecked(predicate, 0..self.len()) }
    }

    // Binary search within a range.
    // Values returned are relative to the range start!
    pub fn binary_search_in_range_by(
        &self,
        predicate: impl FnMut(&T) -> Ordering,
        range: Range<usize>,
    ) -> Option<Result<usize, usize>> {
        if range.end > self.len() {
            return None;
        }
        if range.end < range.start {
            return None;
        }
        // Safety: We bounds checked above: end is in-bounds or len, and start is <= end
        let range_absolute =
            unsafe { self.binary_search_in_range_unchecked(predicate, range.clone()) };
        // The values returned are relative to the range start
        Some(
            range_absolute
                .map(|o| o - range.start)
                .map_err(|e| e - range.start),
        )
    }

    /// Safety: range must be in range for the slice (start <= len, end <= len, start <= end)
    unsafe fn binary_search_in_range_unchecked(
        &self,
        mut predicate: impl FnMut(&T) -> Ordering,
        range: Range<usize>,
    ) -> Result<usize, usize> {
        // Function invariant: size is always end - start
        let mut start = range.start;
        let mut end = range.end;
        let mut size;

        // Loop invariant: 0 <= start < end <= len
        // This invariant is initialized by the function safety invariants and the loop condition
        while start < end {
            size = end - start;
            // This establishes mid < end (which implies mid < len)
            // size is end - start. start + size is end (which is <= len).
            // mid = start + size/2 will be less than end
            let mid = start + size / 2;

            // Safety: mid is < end <= len, so in-range
            let cmp = predicate(self.get_unchecked(mid));

            match cmp {
                Ordering::Less => {
                    // This retains the loop invariant since it
                    // increments start, and we already have 0 <= start
                    // start < end is enforced by the loop condition
                    start = mid + 1;
                }
                Ordering::Greater => {
                    // mid < end, so this decreases end.
                    // This means end <= len is still true, and
                    // end > start is enforced by the loop condition
                    end = mid;
                }
                Ordering::Equal => return Ok(mid),
            }
        }
        Err(start)
    }
}

/// Collects the bytes for a VarZeroSlice into a Vec.
#[cfg(feature = "alloc")]
pub fn get_serializable_bytes_non_empty<T, A, F>(elements: &[A]) -> Option<alloc::vec::Vec<u8>>
where
    T: VarULE + ?Sized,
    A: EncodeAsVarULE<T>,
    F: VarZeroVecFormat,
{
    debug_assert!(!elements.is_empty());
    let len = compute_serializable_len::<T, A, F>(elements)?;
    debug_assert!(
        len >= F::Len::SIZE as u32,
        "Must have at least F::Len::SIZE bytes to hold the length of the vector"
    );
    let mut output = alloc::vec![0u8; len as usize];
    write_serializable_bytes::<T, A, F>(elements, &mut output);
    Some(output)
}

/// Writes the bytes for a VarZeroLengthlessSlice into an output buffer.
/// Usable for a VarZeroSlice if you first write the length bytes.
///
/// Every byte in the buffer will be initialized after calling this function.
///
/// # Panics
///
/// Panics if the buffer is not exactly the correct length.
pub fn write_serializable_bytes_without_length<T, A, F>(elements: &[A], output: &mut [u8])
where
    T: VarULE + ?Sized,
    A: EncodeAsVarULE<T>,
    F: VarZeroVecFormat,
{
    assert!(elements.len() <= F::Len::MAX_VALUE as usize);
    if elements.is_empty() {
        return;
    }

    // idx_offset = offset from the start of the buffer for the next index
    let mut idx_offset: usize = 0;
    // first_dat_offset = offset from the start of the buffer of the first data block
    let first_dat_offset: usize = idx_offset + (elements.len() - 1) * F::Index::SIZE;
    // dat_offset = offset from the start of the buffer of the next data block
    let mut dat_offset: usize = first_dat_offset;

    for (i, element) in elements.iter().enumerate() {
        let element_len = element.encode_var_ule_len();

        // The first index is always 0. We don't write it, or update the idx offset.
        if i != 0 {
            let idx_limit = idx_offset + F::Index::SIZE;
            #[allow(clippy::indexing_slicing)] // Function contract allows panicky behavior
            let idx_slice = &mut output[idx_offset..idx_limit];
            // VZV expects data offsets to be stored relative to the first data block
            let idx = dat_offset - first_dat_offset;
            assert!(idx <= F::Index::MAX_VALUE as usize);
            #[allow(clippy::expect_used)] // this function is explicitly panicky
            let bytes_to_write = F::Index::iule_from_usize(idx).expect(F::Index::TOO_LARGE_ERROR);
            idx_slice.copy_from_slice(ULE::slice_as_bytes(&[bytes_to_write]));

            idx_offset = idx_limit;
        }

        let dat_limit = dat_offset + element_len;
        #[allow(clippy::indexing_slicing)] // Function contract allows panicky behavior
        let dat_slice = &mut output[dat_offset..dat_limit];
        element.encode_var_ule_write(dat_slice);
        debug_assert_eq!(T::validate_bytes(dat_slice), Ok(()));
        dat_offset = dat_limit;
    }

    debug_assert_eq!(idx_offset, F::Index::SIZE * (elements.len() - 1));
    assert_eq!(dat_offset, output.len());
}

/// Writes the bytes for a VarZeroSlice into an output buffer.
///
/// Every byte in the buffer will be initialized after calling this function.
///
/// # Panics
///
/// Panics if the buffer is not exactly the correct length.
pub fn write_serializable_bytes<T, A, F>(elements: &[A], output: &mut [u8])
where
    T: VarULE + ?Sized,
    A: EncodeAsVarULE<T>,
    F: VarZeroVecFormat,
{
    if elements.is_empty() {
        return;
    }
    assert!(elements.len() <= F::Len::MAX_VALUE as usize);
    #[allow(clippy::expect_used)] // This function is explicitly panicky
    let num_elements_ule = F::Len::iule_from_usize(elements.len()).expect(F::Len::TOO_LARGE_ERROR);
    #[allow(clippy::indexing_slicing)] // Function contract allows panicky behavior
    output[0..F::Len::SIZE].copy_from_slice(ULE::slice_as_bytes(&[num_elements_ule]));

    #[allow(clippy::indexing_slicing)] // Function contract allows panicky behavior
    write_serializable_bytes_without_length::<T, A, F>(elements, &mut output[F::Len::SIZE..]);
}

pub fn compute_serializable_len_without_length<T, A, F>(elements: &[A]) -> Option<u32>
where
    T: VarULE + ?Sized,
    A: EncodeAsVarULE<T>,
    F: VarZeroVecFormat,
{
    let elements_len = elements.len();
    let Some(elements_len_minus_one) = elements_len.checked_sub(1) else {
        // Empty vec is optimized to an empty byte representation
        return Some(0);
    };
    let idx_len: u32 = u32::try_from(elements_len_minus_one)
        .ok()?
        .checked_mul(F::Index::SIZE as u32)?;
    let data_len: u32 = elements
        .iter()
        .map(|v| u32::try_from(v.encode_var_ule_len()).ok())
        .try_fold(0u32, |s, v| s.checked_add(v?))?;
    let ret = idx_len.checked_add(data_len);
    if let Some(r) = ret {
        if r >= F::Index::MAX_VALUE {
            return None;
        }
    }
    ret
}

pub fn compute_serializable_len<T, A, F>(elements: &[A]) -> Option<u32>
where
    T: VarULE + ?Sized,
    A: EncodeAsVarULE<T>,
    F: VarZeroVecFormat,
{
    compute_serializable_len_without_length::<T, A, F>(elements).map(|x| x + F::Len::SIZE as u32)
}