[pointer][WIP] Transmute

gherrit-pr-id: Iad14813bc6d933312bc8d7a1ddcf1aafc7126938

Author: joshlf

src/impls.rs

@@ -417,13 +417,14 @@ mod atomics {
     use super::*;
 
     macro_rules! impl_traits_for_atomics {
-        ($($atomics:ident),* $(,)?) => {
+        ($($atomics:ident [$primitives:ident]),* $(,)?) => {
             $(
+                impl_size_eq!($atomics, $primitives);
                 impl_known_layout!($atomics);
-                impl_for_transparent_wrapper!(=> TryFromBytes for $atomics);
-                impl_for_transparent_wrapper!(=> FromZeros for $atomics);
-                impl_for_transparent_wrapper!(=> FromBytes for $atomics);
-                impl_for_transparent_wrapper!(=> IntoBytes for $atomics);
+                impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
+                impl_for_transparent_wrapper!(=> FromZeros for $atomics [UnsafeCell<$primitives>]);
+                impl_for_transparent_wrapper!(=> FromBytes for $atomics [UnsafeCell<$primitives>]);
+                impl_for_transparent_wrapper!(=> IntoBytes for $atomics [UnsafeCell<$primitives>]);
             )*
         };
     }
@@ -435,13 +436,14 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU8, AtomicI8);
+        impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
 
+        impl_size_eq!(AtomicBool, bool);
         impl_known_layout!(AtomicBool);
 
-        impl_for_transparent_wrapper!(=> TryFromBytes for AtomicBool);
-        impl_for_transparent_wrapper!(=> FromZeros for AtomicBool);
-        impl_for_transparent_wrapper!(=> IntoBytes for AtomicBool);
+        impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
+        impl_for_transparent_wrapper!(=> FromZeros for AtomicBool [UnsafeCell<bool>]);
+        impl_for_transparent_wrapper!(=> IntoBytes for AtomicBool [UnsafeCell<bool>]);
 
         safety_comment! {
             /// SAFETY:
@@ -469,9 +471,28 @@ mod atomics {
             assert_unaligned!(AtomicBool, AtomicU8, AtomicI8);
 
             /// SAFETY:
-            /// All of these pass an atomic type and that type's native equivalent, as
-            /// required by the macro safety preconditions.
-            unsafe_impl_transparent_wrapper_for_atomic!(AtomicU8 [u8], AtomicI8 [i8], AtomicBool [bool]);
+            /// `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size and
+            /// bit validity as `u8`, `i8`, and `bool` respectively [1][2][3].
+            ///
+            /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html:
+            ///
+            ///   This type has the same size, alignment, and bit validity as
+            ///   the underlying integer type, `u8`.
+            ///
+            /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html:
+            ///
+            ///   This type has the same size, alignment, and bit validity as
+            ///   the underlying integer type, `i8`.
+            ///
+            /// [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html:
+            ///
+            ///   This type has the same size, alignment, and bit validity a
+            ///   `bool`.
+            unsafe_impl_transmute_from_for_atomic!(
+                => AtomicU8 [u8],
+                => AtomicI8 [i8],
+                => AtomicBool [bool]
+            );
         }
     }
 
@@ -482,13 +503,23 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU16, AtomicI16);
+        impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
 
         safety_comment! {
             /// SAFETY:
-            /// All of these pass an atomic type and that type's native equivalent, as
-            /// required by the macro safety preconditions.
-            unsafe_impl_transparent_wrapper_for_atomic!(AtomicU16 [u16], AtomicI16 [i16]);
+            /// `AtomicU16` and `AtomicI16` have the same size and bit validity
+            /// as `u16` and `i16` respectively [1][2].
+            ///
+            /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `u16`.
+            ///
+            /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `i16`.
+            unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16]);
         }
     }
 
@@ -499,13 +530,23 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU32, AtomicI32);
+        impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
 
         safety_comment! {
             /// SAFETY:
-            /// All of these pass an atomic type and that type's native equivalent, as
-            /// required by the macro safety preconditions.
-            unsafe_impl_transparent_wrapper_for_atomic!(AtomicU32 [u32], AtomicI32 [i32]);
+            /// `AtomicU32` and `AtomicI32` have the same size and bit validity
+            /// as `u32` and `i32` respectively [1][2].
+            ///
+            /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `u32`.
+            ///
+            /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `i32`.
+            unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32]);
         }
     }
 
@@ -516,13 +557,23 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU64, AtomicI64);
+        impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
 
         safety_comment! {
             /// SAFETY:
-            /// All of these pass an atomic type and that type's native equivalent, as
-            /// required by the macro safety preconditions.
-            unsafe_impl_transparent_wrapper_for_atomic!(AtomicU64 [u64], AtomicI64 [i64]);
+            /// `AtomicU64` and `AtomicI64` have the same size and bit validity
+            /// as `u64` and `i64` respectively [1][2].
+            ///
+            /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `u64`.
+            ///
+            /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `i64`.
+            unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64]);
         }
     }
 
@@ -533,21 +584,43 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicUsize, AtomicIsize);
+        impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
 
         impl_known_layout!(T => AtomicPtr<T>);
 
+        // SAFETY: `AtomicPtr<T>` and `*mut T` have the same size [1].
+        //
+        // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
+        //
+        //   This type has the same size and bit validity as a `*mut T`.
+        unsafe impl<T> crate::pointer::SizeEq<*mut T> for AtomicPtr<T> {}
+        // SAFETY: See previous safety comment.
+        unsafe impl<T> crate::pointer::SizeEq<AtomicPtr<T>> for *mut T {}
+
         // TODO(#170): Implement `FromBytes` and `IntoBytes` once we implement
         // those traits for `*mut T`.
-        impl_for_transparent_wrapper!(T => TryFromBytes for AtomicPtr<T>);
-        impl_for_transparent_wrapper!(T => FromZeros for AtomicPtr<T>);
+        impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [UnsafeCell<*mut T>]);
 
         safety_comment! {
             /// SAFETY:
-            /// This passes an atomic type and that type's native equivalent, as
-            /// required by the macro safety preconditions.
-            unsafe_impl_transparent_wrapper_for_atomic!(AtomicUsize [usize], AtomicIsize [isize]);
-            unsafe_impl_transparent_wrapper_for_atomic!(T => AtomicPtr<T> [*mut T]);
+            /// `AtomicUsize` and `AtomicIsize` have the same size and bit
+            /// validity as `usize` and `isize` respectively [1][2].
+            ///
+            /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `usize`.
+            ///
+            /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html:
+            ///
+            ///   This type has the same size and bit validity as the underlying
+            ///   integer type, `isize`.
+            unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize]);
+            /// SAFETY:
+            /// Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
+            ///
+            ///   This type has the same size and bit validity as a `*mut T`.
+            unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]);
         }
     }
 }
@@ -577,39 +650,76 @@ safety_comment! {
     assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>);
 }
 
-impl_for_transparent_wrapper!(T: Immutable => Immutable for Wrapping<T>);
-impl_for_transparent_wrapper!(T: TryFromBytes => TryFromBytes for Wrapping<T>);
-impl_for_transparent_wrapper!(T: FromZeros => FromZeros for Wrapping<T>);
-impl_for_transparent_wrapper!(T: FromBytes => FromBytes for Wrapping<T>);
-impl_for_transparent_wrapper!(T: IntoBytes => IntoBytes for Wrapping<T>);
-impl_for_transparent_wrapper!(T: Unaligned => Unaligned for Wrapping<T>);
+impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[T]);
+impl_for_transparent_wrapper!(T: FromZeros => FromZeros for Wrapping<T>[T]);
+impl_for_transparent_wrapper!(T: FromBytes => FromBytes for Wrapping<T>[T]);
+impl_for_transparent_wrapper!(T: IntoBytes => IntoBytes for Wrapping<T>[T]);
 assert_unaligned!(Wrapping<()>, Wrapping<u8>);
 
+safety_comment! {
+    /// SAFETY: TODO
+    unsafe_impl!(T: Immutable => Immutable for Wrapping<T>);
+    unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>);
+}
+
 safety_comment! {
     /// SAFETY:
     /// `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`:
     /// `MaybeUninit<T>` has no restrictions on its contents.
     unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>);
     unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>);
     unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>);
+    /// SAFETY: TODO
+    unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>);
+    unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>);
 }
-
-impl_for_transparent_wrapper!(T: Immutable => Immutable for CoreMaybeUninit<T>);
-impl_for_transparent_wrapper!(T: Unaligned => Unaligned for CoreMaybeUninit<T>);
 assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>);
 
-impl_for_transparent_wrapper!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>);
-impl_for_transparent_wrapper!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>);
-impl_for_transparent_wrapper!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>);
-impl_for_transparent_wrapper!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>);
-impl_for_transparent_wrapper!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>);
-impl_for_transparent_wrapper!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>);
+safety_comment! {
+    /// SAFETY: TODO
+    unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>);
+}
+
+// SAFETY: See inline safety comment justifying that the implementation of
+// `is_bit_valid`is sound.
+unsafe impl<T: ?Sized + TryFromBytes> TryFromBytes for ManuallyDrop<T> {
+    #[allow(clippy::missing_inline_in_public_items)]
+    fn only_derive_is_allowed_to_implement_this_trait() {}
+
+    #[inline(always)]
+    fn is_bit_valid<A: crate::pointer::invariant::Reference>(
+        candidate: Maybe<'_, Self, A>,
+    ) -> bool {
+        // SAFETY: `ManuallyDrop<T>` and `T` have the same size [1], so this
+        // cast preserves size. It also preserves provenance.
+        //
+        // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
+        //
+        //   `ManuallyDrop<T>` is guaranteed to have the same layout and bit
+        //   validity as `T`
+        let c: Maybe<'_, T, A> = unsafe { candidate.cast_unsized(|p| cast!(p => NonNull<_>)) };
+
+        // SAFETY: `ManuallyDrop<T>` and `T` have the same bit validity [1], so
+        // this is a sound implementation of `ManuallyDrop::is_bit_valid`.
+        //
+        // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
+        //
+        //   `ManuallyDrop<T>` is guaranteed to have the same layout and bit
+        //   validity as `T`
+        <T as TryFromBytes>::is_bit_valid(c)
+    }
+}
+
+impl_for_transparent_wrapper!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[T]);
+impl_for_transparent_wrapper!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[T]);
+impl_for_transparent_wrapper!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[T]);
+unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>);
 assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>);
 
-impl_for_transparent_wrapper!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>);
-impl_for_transparent_wrapper!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>);
-impl_for_transparent_wrapper!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>);
-impl_for_transparent_wrapper!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>);
+impl_for_transparent_wrapper!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[T]);
+impl_for_transparent_wrapper!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[T]);
+impl_for_transparent_wrapper!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[T]);
+unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>);
 assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
 
 // SAFETY: See safety comment in `is_bit_valid` impl.

src/lib.rs

@@ -805,6 +805,14 @@ pub unsafe trait KnownLayout {
         // resulting size would not fit in a `usize`.
         meta.size_for_metadata(Self::LAYOUT)
     }
+
+    fn cast_from_raw<P: KnownLayout<PointerMetadata = Self::PointerMetadata> + ?Sized>(
+        ptr: NonNull<P>,
+    ) -> NonNull<Self> {
+        let data = ptr.cast::<u8>();
+        let meta = P::pointer_to_metadata(ptr.as_ptr());
+        Self::raw_from_ptr_len(data, meta)
+    }
 }
 
 /// The metadata associated with a [`KnownLayout`] type.
@@ -2843,15 +2851,15 @@ unsafe fn try_read_from<S, T: TryFromBytes>(
     // We use `from_mut` despite not mutating via `c_ptr` so that we don't need
     // to add a `T: Immutable` bound.
     let c_ptr = Ptr::from_mut(&mut candidate);
-    let c_ptr = c_ptr.transparent_wrapper_into_inner();
     // SAFETY: `c_ptr` has no uninitialized sub-ranges because it derived from
     // `candidate`, which the caller promises is entirely initialized. Since
     // `candidate` is a `MaybeUninit`, it has no validity requirements, and so
-    // no values written to `c_ptr` can violate its validity. Since `c_ptr` has
-    // `Exclusive` aliasing, no mutations may happen except via `c_ptr` so long
-    // as it is live, so we don't need to worry about the fact that `c_ptr` may
-    // have more restricted validity than `candidate`.
+    // no values written to an `Initialized` `c_ptr` can violate its validity.
+    // Since `c_ptr` has `Exclusive` aliasing, no mutations may happen except
+    // via `c_ptr` so long as it is live, so we don't need to worry about the
+    // fact that `c_ptr` may have more restricted validity than `candidate`.
     let c_ptr = unsafe { c_ptr.assume_validity::<invariant::Initialized>() };
+    let c_ptr = c_ptr.transmute();
 
     // This call may panic. If that happens, it doesn't cause any soundness
     // issues, as we have not generated any invalid state which we need to
@@ -2861,7 +2869,7 @@ unsafe fn try_read_from<S, T: TryFromBytes>(
     // calling `try_into_valid` (and thus `is_bit_valid`) with a shared
     // pointer when `Self: !Immutable`. Since `Self: Immutable`, this panic
     // condition will not happen.
-    if !T::is_bit_valid(c_ptr.forget_aligned()) {
+    if !util::SizedKnownLayout::<T>::is_bit_valid(c_ptr.forget_aligned()) {
         return Err(ValidityError::new(source).into());
     }
 
@@ -4258,7 +4266,9 @@ pub unsafe trait FromBytes: FromZeros {
         let source = Ptr::from_mut(source);
         let maybe_slf = source.try_cast_into_no_leftover::<_, BecauseImmutable>(Some(count));
         match maybe_slf {
-            Ok(slf) => Ok(slf.bikeshed_recall_valid().as_mut()),
+            Ok(slf) => Ok(slf
+                .bikeshed_recall_valid::<(_, (_, (BecauseExclusive, BecauseExclusive)))>()
+                .as_mut()),
             Err(err) => Err(err.map_src(|s| s.as_mut())),
         }
     }
@@ -4728,7 +4738,7 @@ fn ref_from_prefix_suffix<T: FromBytes + KnownLayout + Immutable + ?Sized>(
 /// If there are insufficient bytes, or if that affix of `source` is not
 /// appropriately aligned, this returns `Err`.
 #[inline(always)]
-fn mut_from_prefix_suffix<T: FromBytes + KnownLayout + ?Sized>(
+fn mut_from_prefix_suffix<T: FromBytes + IntoBytes + KnownLayout + ?Sized>(
     source: &mut [u8],
     meta: Option<T::PointerMetadata>,
     cast_type: CastType,

src/pointer/mod.rs

@@ -12,11 +12,15 @@ mod inner;
 #[doc(hidden)]
 pub mod invariant;
 mod ptr;
+mod transmute;
 
 #[doc(hidden)]
-pub use invariant::{BecauseExclusive, BecauseImmutable, Read};
+pub(crate) use transmute::*;
 #[doc(hidden)]
-pub use ptr::Ptr;
+pub use {
+    invariant::{BecauseExclusive, BecauseImmutable, Read},
+    ptr::Ptr,
+};
 
 use crate::Unaligned;