src/base/containers/README.md - cobalt - Git at Google

 # base/containers library

 [TOC]

 ## What goes here

 This directory contains some STL-like containers.

 Things should be moved here that are generally applicable across the code base.
 Don't add things here just because you need them in one place and think others
 may someday want something similar. You can put specialized containers in
 your component's directory and we can promote them here later if we feel there
 is broad applicability.

 ### Design and naming

 Containers should adhere as closely to STL as possible. Functions and behaviors
 not present in STL should only be added when they are related to the specific
 data structure implemented by the container.

 For STL-like containers our policy is that they should use STL-like naming even
 when it may conflict with the style guide. So functions and class names should
 be lower case with underscores. Non-STL-like classes and functions should use
 Google naming. Be sure to use the base namespace.

 ## Map and set selection

 ### Usage advice

   * Generally avoid `std::unordered_set` and `std::unordered_map`. In the
     common case, query performance is unlikely to be sufficiently higher than
     `std::map` to make a difference, insert performance is slightly worse, and
     the memory overhead is high. This makes sense mostly for large tables where
     you expect a lot of lookups.

   * Most maps and sets in Chrome are small and contain objects that can be
     moved efficiently. In this case, consider `base::flat_map` and
     `base::flat_set`. You need to be aware of the maximum expected size of
     the container since individual inserts and deletes are O(n), giving O(n^2)
     construction time for the entire map. But because it avoids mallocs in most
     cases, inserts are better or comparable to other containers even for
     several dozen items, and efficiently-moved types are unlikely to have
     performance problems for most cases until you have hundreds of items. If
     your container can be constructed in one shot, the constructor from vector
     gives O(n log n) construction times and it should be strictly better than
     a `std::map`.

   * `base::small_map` has better runtime memory usage without the poor
     mutation performance of large containers that `base::flat_map` has. But this
     advantage is partially offset by additional code size. Prefer in cases
     where you make many objects so that the code/heap tradeoff is good.

   * Use `std::map` and `std::set` if you can't decide. Even if they're not
     great, they're unlikely to be bad or surprising.

 ### Map and set details

 Sizes are on 64-bit platforms. Stable iterators aren't invalidated when the
 container is mutated.

 | Container                                  | Empty size            | Per-item overhead | Stable iterators? |
 |:------------------------------------------ |:--------------------- |:----------------- |:----------------- |
 | `std::map`, `std::set`                     | 16 bytes              | 32 bytes          | Yes               |
 | `std::unordered_map`, `std::unordered_set` | 128 bytes             | 16 - 24 bytes     | No                |
 | `base::flat_map`, `base::flat_set`         | 24 bytes              | 0 (see notes)     | No                |
 | `base::small_map`                          | 24 bytes (see notes)  | 32 bytes          | No                |

 **Takeaways:** `std::unordered_map` and `std::unordered_map` have high
 overhead for small container sizes, so prefer these only for larger workloads.

 Code size comparisons for a block of code (see appendix) on Windows using
 strings as keys.

 | Container            | Code size  |
 |:-------------------- |:---------- |
 | `std::unordered_map` | 1646 bytes |
 | `std::map`           | 1759 bytes |
 | `base::flat_map`     | 1872 bytes |
 | `base::small_map`    | 2410 bytes |

 **Takeaways:** `base::small_map` generates more code because of the inlining of
 both brute-force and red-black tree searching. This makes it less attractive
 for random one-off uses. But if your code is called frequently, the runtime
 memory benefits will be more important. The code sizes of the other maps are
 close enough it's not worth worrying about.

 ### std::map and std::set

 A red-black tree. Each inserted item requires the memory allocation of a node
 on the heap. Each node contains a left pointer, a right pointer, a parent
 pointer, and a "color" for the red-black tree (32 bytes per item on 64-bit
 platforms).

 ### std::unordered\_map and std::unordered\_set

 A hash table. Implemented on Windows as a `std::vector` + `std::list` and in libc++
 as the equivalent of a `std::vector` + a `std::forward_list`. Both implementations
 allocate an 8-entry hash table (containing iterators into the list) on
 initialization, and grow to 64 entries once 8 items are inserted. Above 64
 items, the size doubles every time the load factor exceeds 1.

 The empty size is `sizeof(std::unordered_map)` = 64 + the initial hash table
 size which is 8 pointers. The per-item overhead in the table above counts the
 list node (2 pointers on Windows, 1 pointer in libc++), plus amortizes the hash
 table assuming a 0.5 load factor on average.

 In a microbenchmark on Windows, inserts of 1M integers into a
 `std::unordered_set` took 1.07x the time of `std::set`, and queries took 0.67x
 the time of `std::set`. For a typical 4-entry set (the statistical mode of map
 sizes in the browser), query performance is identical to `std::set` and
 `base::flat_set`. On ARM, `std::unordered_set` performance can be worse because
 integer division to compute the bucket is slow, and a few "less than" operations
 can be faster than computing a hash depending on the key type. The takeaway is
 that you should not default to using unordered maps because "they're faster."

 ### base::flat\_map and base::flat\_set

 A sorted `std::vector`. Seached via binary search, inserts in the middle require
 moving elements to make room. Good cache locality. For large objects and large
 set sizes, `std::vector`'s doubling-when-full strategy can waste memory.

 Supports efficient construction from a vector of items which avoids the O(n^2)
 insertion time of each element separately.

 The per-item overhead will depend on the underlying `std::vector`'s reallocation
 strategy and the memory access pattern. Assuming items are being linearly added,
 one would expect it to be 3/4 full, so per-item overhead will be 0.25 *
 sizeof(T).

 `flat_set` and `flat_map` support a notion of transparent comparisons.
 Therefore you can, for example, lookup `base::StringPiece` in a set of
 `std::strings` without constructing a temporary `std::string`. This
 functionality is based on C++14 extensions to the `std::set`/`std::map`
 interface.

 You can find more information about transparent comparisons in [the `less<void>`
 documentation](https://en.cppreference.com/w/cpp/utility/functional/less_void).

 Example, smart pointer set:

 ```cpp
 // Declare a type alias using base::UniquePtrComparator.
 template <typename T>
 using UniquePtrSet = base::flat_set<std::unique_ptr<T>,
                                     base::UniquePtrComparator>;

 // ...
 // Collect data.
 std::vector<std::unique_ptr<int>> ptr_vec;
 ptr_vec.reserve(5);
 std::generate_n(std::back_inserter(ptr_vec), 5, []{
   return std::make_unique<int>(0);
 });

 // Construct a set.
 UniquePtrSet<int> ptr_set(std::move(ptr_vec), base::KEEP_FIRST_OF_DUPES);

 // Use raw pointers to lookup keys.
 int* ptr = ptr_set.begin()->get();
 EXPECT_TRUE(ptr_set.find(ptr) == ptr_set.begin());
 ```

 Example `flat_map<std::string, int>`:

 ```cpp
 base::flat_map<std::string, int> str_to_int({{"a", 1}, {"c", 2},{"b", 2}},
                                             base::KEEP_FIRST_OF_DUPES);

 // Does not construct temporary strings.
 str_to_int.find("c")->second = 3;
 str_to_int.erase("c");
 EXPECT_EQ(str_to_int.end(), str_to_int.find("c")->second);

 // NOTE: This does construct a temporary string. This happens since if the
 // item is not in the container, then it needs to be constructed, which is
 // something that transparent comparators don't have to guarantee.
 str_to_int["c"] = 3;
 ```

 ### base::small\_map

 A small inline buffer that is brute-force searched that overflows into a full
 `std::map` or `std::unordered_map`. This gives the memory benefit of
 `base::flat_map` for small data sizes without the degenerate insertion
 performance for large container sizes.

 Since instantiations require both code for a `std::map` and a brute-force search
 of the inline container, plus a fancy iterator to cover both cases, code size
 is larger.

 The initial size in the above table is assuming a very small inline table. The
 actual size will be `sizeof(int) + min(sizeof(std::map), sizeof(T) *
 inline_size)`.

 ## Deque

 ### Usage advice

 Chromium code should always use `base::circular_deque` or `base::queue` in
 preference to `std::deque` or `std::queue` due to memory usage and platform
 variation.

 The `base::circular_deque` implementation (and the `base::queue` which uses it)
 provide performance consistent across platforms that better matches most
 programmer's expectations on performance (it doesn't waste as much space as
 libc++ and doesn't do as many heap allocations as MSVC). It also generates less
 code tham `std::queue`: using it across the code base saves several hundred
 kilobytes.

 Since `base::deque` does not have stable iterators and it will move the objects
 it contains, it may not be appropriate for all uses. If you need these,
 consider using a `std::list` which will provide constant time insert and erase.

 ### std::deque and std::queue

 The implementation of `std::deque` varies considerably which makes it hard to
 reason about. All implementations use a sequence of data blocks referenced by
 an array of pointers. The standard guarantees random access, amortized
 constant operations at the ends, and linear mutations in the middle.

 In Microsoft's implementation, each block is the smaller of 16 bytes or the
 size of the contained element. This means in practice that every expansion of
 the deque of non-trivial classes requires a heap allocation. libc++ (on Android
 and Mac) uses 4K blocks which eliminates the problem of many heap allocations,
 but generally wastes a large amount of space (an Android analysis revealed more
 than 2.5MB wasted space from deque alone, resulting in some optimizations).
 libstdc++ uses an intermediate-size 512-byte buffer.

 Microsoft's implementation never shrinks the deque capacity, so the capacity
 will always be the maximum number of elements ever contained. libstdc++
 deallocates blocks as they are freed. libc++ keeps up to two empty blocks.

 ### base::circular_deque and base::queue

 A deque implemented as a circular buffer in an array. The underlying array will
 grow like a `std::vector` while the beginning and end of the deque will move
 around. The items will wrap around the underlying buffer so the storage will
 not be contiguous, but fast random access iterators are still possible.

 When the underlying buffer is filled, it will be reallocated and the constents
 moved (like a `std::vector`). The underlying buffer will be shrunk if there is
 too much wasted space (_unlike_ a `std::vector`). As a result, iterators are
 not stable across mutations.

 ## Stack

 `std::stack` is like `std::queue` in that it is a wrapper around an underlying
 container. The default container is `std::deque` so everything from the deque
 section applies.

 Chromium provides `base/containers/stack.h` which defines `base::stack` that
 should be used in preference to `std::stack`. This changes the underlying
 container to `base::circular_deque`. The result will be very similar to
 manually specifying a `std::vector` for the underlying implementation except
 that the storage will shrink when it gets too empty (vector will never
 reallocate to a smaller size).

 Watch out: with some stack usage patterns it's easy to depend on unstable
 behavior:

 ```cpp
 base::stack<Foo> stack;
 for (...) {
   Foo& current = stack.top();
   DoStuff();  // May call stack.push(), say if writing a parser.
   current.done = true;  // Current may reference deleted item!
 }
 ```

 ## Safety

 Code throughout Chromium, running at any level of privilege, may directly or
 indirectly depend on these containers. Much calling code implicitly or
 explicitly assumes that these containers are safe, and won't corrupt memory.
 Unfortunately, [such assumptions have not always proven
 true](https://bugs.chromium.org/p/chromium/issues/detail?id=817982).

 Therefore, we are making an effort to ensure basic safety in these classes so
 that callers' assumptions are true. In particular, we are adding bounds checks,
 arithmetic overflow checks, and checks for internal invariants to the base
 containers where necessary. Here, safety means that the implementation will
 `CHECK`.

 As of 8 August 2018, we have added checks to the following classes:

 - `base::StringPiece`
 - `base::span`
 - `base::Optional`
 - `base::RingBuffer`
 - `base::small_map`

 Ultimately, all base containers will have these checks.

 ### Safety, completeness, and efficiency

 Safety checks can affect performance at the micro-scale, although they do not
 always. On a larger scale, if we can have confidence that these fundamental
 classes and templates are minimally safe, we can sometimes avoid the security
 requirement to sandbox code that (for example) processes untrustworthy inputs.
 Sandboxing is a relatively heavyweight response to memory safety problems, and
 in our experience not all callers can afford to pay it.

 (However, where affordable, privilege separation and reduction remain Chrome
 Security Team's first approach to a variety of safety and security problems.)

 One can also imagine that the safety checks should be passed on to callers who
 require safety. There are several problems with that approach:

 - Not all authors of all call sites will always
   - know when they need safety
   - remember to write the checks
   - write the checks correctly
   - write the checks maximally efficiently, considering
     - space
     - time
     - object code size
 - These classes typically do not document themselves as being unsafe
 - Some call sites have their requirements change over time
   - Code that gets moved from a low-privilege process into a high-privilege
     process
   - Code that changes from accepting inputs from only trustworthy sources to
     accepting inputs from all sources
 - Putting the checks in every call site results in strictly larger object code
   than centralizing them in the callee

 Therefore, the minimal checks that we are adding to these base classes are the
 most efficient and effective way to achieve the beginning of the safety that we
 need. (Note that we cannot account for undefined behavior in callers.)

 ## Appendix

 ### Code for map code size comparison

 This just calls insert and query a number of times, with `printf`s that prevent
 things from being dead-code eliminated.

 ```cpp
 TEST(Foo, Bar) {
   base::small_map<std::map<std::string, Flubber>> foo;
   foo.insert(std::make_pair("foo", Flubber(8, "bar")));
   foo.insert(std::make_pair("bar", Flubber(8, "bar")));
   foo.insert(std::make_pair("foo1", Flubber(8, "bar")));
   foo.insert(std::make_pair("bar1", Flubber(8, "bar")));
   foo.insert(std::make_pair("foo", Flubber(8, "bar")));
   foo.insert(std::make_pair("bar", Flubber(8, "bar")));
   auto found = foo.find("asdf");
   printf("Found is %d\n", (int)(found == foo.end()));
   found = foo.find("foo");
   printf("Found is %d\n", (int)(found == foo.end()));
   found = foo.find("bar");
   printf("Found is %d\n", (int)(found == foo.end()));
   found = foo.find("asdfhf");
   printf("Found is %d\n", (int)(found == foo.end()));
   found = foo.find("bar1");
   printf("Found is %d\n", (int)(found == foo.end()));
 }
 ```
	# base/containers library

	[TOC]

	## What goes here

	This directory contains some STL-like containers.

	Things should be moved here that are generally applicable across the code base.
	Don't add things here just because you need them in one place and think others
	may someday want something similar. You can put specialized containers in
	your component's directory and we can promote them here later if we feel there
	is broad applicability.

	### Design and naming

	Containers should adhere as closely to STL as possible. Functions and behaviors
	not present in STL should only be added when they are related to the specific
	data structure implemented by the container.

	For STL-like containers our policy is that they should use STL-like naming even
	when it may conflict with the style guide. So functions and class names should
	be lower case with underscores. Non-STL-like classes and functions should use
	Google naming. Be sure to use the base namespace.

	## Map and set selection

	### Usage advice

	* Generally avoid `std::unordered_set` and `std::unordered_map`. In the
	common case, query performance is unlikely to be sufficiently higher than
	`std::map` to make a difference, insert performance is slightly worse, and
	the memory overhead is high. This makes sense mostly for large tables where
	you expect a lot of lookups.

	* Most maps and sets in Chrome are small and contain objects that can be
	moved efficiently. In this case, consider `base::flat_map` and
	`base::flat_set`. You need to be aware of the maximum expected size of
	the container since individual inserts and deletes are O(n), giving O(n^2)
	construction time for the entire map. But because it avoids mallocs in most
	cases, inserts are better or comparable to other containers even for
	several dozen items, and efficiently-moved types are unlikely to have
	performance problems for most cases until you have hundreds of items. If
	your container can be constructed in one shot, the constructor from vector
	gives O(n log n) construction times and it should be strictly better than
	a `std::map`.

	* `base::small_map` has better runtime memory usage without the poor
	mutation performance of large containers that `base::flat_map` has. But this
	advantage is partially offset by additional code size. Prefer in cases
	where you make many objects so that the code/heap tradeoff is good.

	* Use `std::map` and `std::set` if you can't decide. Even if they're not
	great, they're unlikely to be bad or surprising.

	### Map and set details

	Sizes are on 64-bit platforms. Stable iterators aren't invalidated when the
	container is mutated.

	\| Container \| Empty size \| Per-item overhead \| Stable iterators? \|
	\|:------------------------------------------ \|:--------------------- \|:----------------- \|:----------------- \|
	\| `std::map`, `std::set` \| 16 bytes \| 32 bytes \| Yes \|
	\| `std::unordered_map`, `std::unordered_set` \| 128 bytes \| 16 - 24 bytes \| No \|
	\| `base::flat_map`, `base::flat_set` \| 24 bytes \| 0 (see notes) \| No \|
	\| `base::small_map` \| 24 bytes (see notes) \| 32 bytes \| No \|

	Takeaways: `std::unordered_map` and `std::unordered_map` have high
	overhead for small container sizes, so prefer these only for larger workloads.

	Code size comparisons for a block of code (see appendix) on Windows using
	strings as keys.

	\| Container \| Code size \|
	\|:-------------------- \|:---------- \|
	\| `std::unordered_map` \| 1646 bytes \|
	\| `std::map` \| 1759 bytes \|
	\| `base::flat_map` \| 1872 bytes \|
	\| `base::small_map` \| 2410 bytes \|

	Takeaways: `base::small_map` generates more code because of the inlining of
	both brute-force and red-black tree searching. This makes it less attractive
	for random one-off uses. But if your code is called frequently, the runtime
	memory benefits will be more important. The code sizes of the other maps are
	close enough it's not worth worrying about.

	### std::map and std::set

	A red-black tree. Each inserted item requires the memory allocation of a node
	on the heap. Each node contains a left pointer, a right pointer, a parent
	pointer, and a "color" for the red-black tree (32 bytes per item on 64-bit
	platforms).

	### std::unordered\_map and std::unordered\_set

	A hash table. Implemented on Windows as a `std::vector` + `std::list` and in libc++
	as the equivalent of a `std::vector` + a `std::forward_list`. Both implementations
	allocate an 8-entry hash table (containing iterators into the list) on
	initialization, and grow to 64 entries once 8 items are inserted. Above 64
	items, the size doubles every time the load factor exceeds 1.

	The empty size is `sizeof(std::unordered_map)` = 64 + the initial hash table
	size which is 8 pointers. The per-item overhead in the table above counts the
	list node (2 pointers on Windows, 1 pointer in libc++), plus amortizes the hash
	table assuming a 0.5 load factor on average.

	In a microbenchmark on Windows, inserts of 1M integers into a
	`std::unordered_set` took 1.07x the time of `std::set`, and queries took 0.67x
	the time of `std::set`. For a typical 4-entry set (the statistical mode of map
	sizes in the browser), query performance is identical to `std::set` and
	`base::flat_set`. On ARM, `std::unordered_set` performance can be worse because
	integer division to compute the bucket is slow, and a few "less than" operations
	can be faster than computing a hash depending on the key type. The takeaway is
	that you should not default to using unordered maps because "they're faster."

	### base::flat\_map and base::flat\_set

	A sorted `std::vector`. Seached via binary search, inserts in the middle require
	moving elements to make room. Good cache locality. For large objects and large
	set sizes, `std::vector`'s doubling-when-full strategy can waste memory.

	Supports efficient construction from a vector of items which avoids the O(n^2)
	insertion time of each element separately.

	The per-item overhead will depend on the underlying `std::vector`'s reallocation
	strategy and the memory access pattern. Assuming items are being linearly added,
	one would expect it to be 3/4 full, so per-item overhead will be 0.25 *
	sizeof(T).

	`flat_set` and `flat_map` support a notion of transparent comparisons.
	Therefore you can, for example, lookup `base::StringPiece` in a set of
	`std::strings` without constructing a temporary `std::string`. This
	functionality is based on C++14 extensions to the `std::set`/`std::map`
	interface.

	You can find more information about transparent comparisons in [the `less<void>`
	documentation](https://en.cppreference.com/w/cpp/utility/functional/less_void).

	Example, smart pointer set:

	```cpp
	// Declare a type alias using base::UniquePtrComparator.
	template <typename T>
	using UniquePtrSet = base::flat_set<std::unique_ptr<T>,
	base::UniquePtrComparator>;

	// ...
	// Collect data.
	std::vector<std::unique_ptr<int>> ptr_vec;
	ptr_vec.reserve(5);
	std::generate_n(std::back_inserter(ptr_vec), 5, []{
	return std::make_unique<int>(0);
	});

	// Construct a set.
	UniquePtrSet<int> ptr_set(std::move(ptr_vec), base::KEEP_FIRST_OF_DUPES);

	// Use raw pointers to lookup keys.
	int* ptr = ptr_set.begin()->get();
	EXPECT_TRUE(ptr_set.find(ptr) == ptr_set.begin());
	```

	Example `flat_map<std::string, int>`:

	```cpp
	base::flat_map<std::string, int> str_to_int({{"a", 1}, {"c", 2},{"b", 2}},
	base::KEEP_FIRST_OF_DUPES);

	// Does not construct temporary strings.
	str_to_int.find("c")->second = 3;
	str_to_int.erase("c");
	EXPECT_EQ(str_to_int.end(), str_to_int.find("c")->second);

	// NOTE: This does construct a temporary string. This happens since if the
	// item is not in the container, then it needs to be constructed, which is
	// something that transparent comparators don't have to guarantee.
	str_to_int["c"] = 3;
	```

	### base::small\_map

	A small inline buffer that is brute-force searched that overflows into a full
	`std::map` or `std::unordered_map`. This gives the memory benefit of
	`base::flat_map` for small data sizes without the degenerate insertion
	performance for large container sizes.

	Since instantiations require both code for a `std::map` and a brute-force search
	of the inline container, plus a fancy iterator to cover both cases, code size
	is larger.

	The initial size in the above table is assuming a very small inline table. The
	actual size will be `sizeof(int) + min(sizeof(std::map), sizeof(T) *
	inline_size)`.

	## Deque

	### Usage advice

	Chromium code should always use `base::circular_deque` or `base::queue` in
	preference to `std::deque` or `std::queue` due to memory usage and platform
	variation.

	The `base::circular_deque` implementation (and the `base::queue` which uses it)
	provide performance consistent across platforms that better matches most
	programmer's expectations on performance (it doesn't waste as much space as
	libc++ and doesn't do as many heap allocations as MSVC). It also generates less
	code tham `std::queue`: using it across the code base saves several hundred
	kilobytes.

	Since `base::deque` does not have stable iterators and it will move the objects
	it contains, it may not be appropriate for all uses. If you need these,
	consider using a `std::list` which will provide constant time insert and erase.

	### std::deque and std::queue

	The implementation of `std::deque` varies considerably which makes it hard to
	reason about. All implementations use a sequence of data blocks referenced by
	an array of pointers. The standard guarantees random access, amortized
	constant operations at the ends, and linear mutations in the middle.

	In Microsoft's implementation, each block is the smaller of 16 bytes or the
	size of the contained element. This means in practice that every expansion of
	the deque of non-trivial classes requires a heap allocation. libc++ (on Android
	and Mac) uses 4K blocks which eliminates the problem of many heap allocations,
	but generally wastes a large amount of space (an Android analysis revealed more
	than 2.5MB wasted space from deque alone, resulting in some optimizations).
	libstdc++ uses an intermediate-size 512-byte buffer.

	Microsoft's implementation never shrinks the deque capacity, so the capacity
	will always be the maximum number of elements ever contained. libstdc++
	deallocates blocks as they are freed. libc++ keeps up to two empty blocks.

	### base::circular_deque and base::queue

	A deque implemented as a circular buffer in an array. The underlying array will
	grow like a `std::vector` while the beginning and end of the deque will move
	around. The items will wrap around the underlying buffer so the storage will
	not be contiguous, but fast random access iterators are still possible.

	When the underlying buffer is filled, it will be reallocated and the constents
	moved (like a `std::vector`). The underlying buffer will be shrunk if there is
	too much wasted space (_unlike_ a `std::vector`). As a result, iterators are
	not stable across mutations.

	## Stack

	`std::stack` is like `std::queue` in that it is a wrapper around an underlying
	container. The default container is `std::deque` so everything from the deque
	section applies.

	Chromium provides `base/containers/stack.h` which defines `base::stack` that
	should be used in preference to `std::stack`. This changes the underlying
	container to `base::circular_deque`. The result will be very similar to
	manually specifying a `std::vector` for the underlying implementation except
	that the storage will shrink when it gets too empty (vector will never
	reallocate to a smaller size).

	Watch out: with some stack usage patterns it's easy to depend on unstable
	behavior:

	```cpp
	base::stack<Foo> stack;
	for (...) {
	Foo& current = stack.top();
	DoStuff(); // May call stack.push(), say if writing a parser.
	current.done = true; // Current may reference deleted item!
	}
	```

	## Safety

	Code throughout Chromium, running at any level of privilege, may directly or
	indirectly depend on these containers. Much calling code implicitly or
	explicitly assumes that these containers are safe, and won't corrupt memory.
	Unfortunately, [such assumptions have not always proven
	true](https://bugs.chromium.org/p/chromium/issues/detail?id=817982).

	Therefore, we are making an effort to ensure basic safety in these classes so
	that callers' assumptions are true. In particular, we are adding bounds checks,
	arithmetic overflow checks, and checks for internal invariants to the base
	containers where necessary. Here, safety means that the implementation will
	`CHECK`.

	As of 8 August 2018, we have added checks to the following classes:

	- `base::StringPiece`
	- `base::span`
	- `base::Optional`
	- `base::RingBuffer`
	- `base::small_map`

	Ultimately, all base containers will have these checks.

	### Safety, completeness, and efficiency

	Safety checks can affect performance at the micro-scale, although they do not
	always. On a larger scale, if we can have confidence that these fundamental
	classes and templates are minimally safe, we can sometimes avoid the security
	requirement to sandbox code that (for example) processes untrustworthy inputs.
	Sandboxing is a relatively heavyweight response to memory safety problems, and
	in our experience not all callers can afford to pay it.

	(However, where affordable, privilege separation and reduction remain Chrome
	Security Team's first approach to a variety of safety and security problems.)

	One can also imagine that the safety checks should be passed on to callers who
	require safety. There are several problems with that approach:

	- Not all authors of all call sites will always
	- know when they need safety
	- remember to write the checks
	- write the checks correctly
	- write the checks maximally efficiently, considering
	- space
	- time
	- object code size
	- These classes typically do not document themselves as being unsafe
	- Some call sites have their requirements change over time
	- Code that gets moved from a low-privilege process into a high-privilege
	process
	- Code that changes from accepting inputs from only trustworthy sources to
	accepting inputs from all sources
	- Putting the checks in every call site results in strictly larger object code
	than centralizing them in the callee

	Therefore, the minimal checks that we are adding to these base classes are the
	most efficient and effective way to achieve the beginning of the safety that we
	need. (Note that we cannot account for undefined behavior in callers.)

	## Appendix

	### Code for map code size comparison

	This just calls insert and query a number of times, with `printf`s that prevent
	things from being dead-code eliminated.

	```cpp
	TEST(Foo, Bar) {
	base::small_map<std::map<std::string, Flubber>> foo;
	foo.insert(std::make_pair("foo", Flubber(8, "bar")));
	foo.insert(std::make_pair("bar", Flubber(8, "bar")));
	foo.insert(std::make_pair("foo1", Flubber(8, "bar")));
	foo.insert(std::make_pair("bar1", Flubber(8, "bar")));
	foo.insert(std::make_pair("foo", Flubber(8, "bar")));
	foo.insert(std::make_pair("bar", Flubber(8, "bar")));
	auto found = foo.find("asdf");
	printf("Found is %d\n", (int)(found == foo.end()));
	found = foo.find("foo");
	printf("Found is %d\n", (int)(found == foo.end()));
	found = foo.find("bar");
	printf("Found is %d\n", (int)(found == foo.end()));
	found = foo.find("asdfhf");
	printf("Found is %d\n", (int)(found == foo.end()));
	found = foo.find("bar1");
	printf("Found is %d\n", (int)(found == foo.end()));
	}
	```