From 7ebf34a74e400b551866e608ba5ff90be65924bb Mon Sep 17 00:00:00 2001
From: Tony Arcieri <bascule@gmail.com>
Date: Fri, 1 Nov 2024 18:30:30 -0600
Subject: [PATCH] const-oid: eliminate `split_high_bits` side effects

Prefer panicking instead so underflow bugs aren't silent
---
 const-oid/src/encoder.rs | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/const-oid/src/encoder.rs b/const-oid/src/encoder.rs
index 3076a3499..1ee47d3d3 100644
--- a/const-oid/src/encoder.rs
+++ b/const-oid/src/encoder.rs
@@ -126,21 +126,29 @@ const fn base128_len(arc: Arc) -> usize {
 /// Split the highest 7-bits of an [`Arc`] from the rest of an arc.
 ///
 /// Returns: `(hi, lo)`
-// TODO(tarcieri): always use checked arithmetic
-#[allow(clippy::arithmetic_side_effects)]
+#[inline]
 const fn split_high_bits(arc: Arc) -> (u8, Arc) {
     if arc < 0x80 {
         return (arc as u8, 0);
     }
 
-    let hi_bit = 32 - arc.leading_zeros();
+    let hi_bit = match 32u32.checked_sub(arc.leading_zeros()) {
+        Some(bit) => bit,
+        None => unreachable!(),
+    };
+
     let hi_bit_mod7 = hi_bit % 7;
-    let upper_bit_pos = hi_bit
-        - if hi_bit > 0 && hi_bit_mod7 == 0 {
-            7
-        } else {
-            hi_bit_mod7
-        };
+    let upper_bit_offset = if hi_bit > 0 && hi_bit_mod7 == 0 {
+        7
+    } else {
+        hi_bit_mod7
+    };
+
+    let upper_bit_pos = match hi_bit.checked_sub(upper_bit_offset) {
+        Some(bit) => bit,
+        None => unreachable!(),
+    };
+
     let upper_bits = arc >> upper_bit_pos;
     let lower_bits = arc ^ (upper_bits << upper_bit_pos);
     (upper_bits as u8, lower_bits)