[WIP] Generalize SizeEq to SizeCompat

Co-authored-by: Jack Wrenn <[email protected]>
gherrit-pr-id: I6c793a9620ad75bdc0d26ab7c7cd1a0c7bef1b8b

Author: joshlf

src/impls.rs

@@ -14,7 +14,6 @@ use core::{
 };
 
 use super::*;
-use crate::pointer::PtrInner;
 
 safety_comment! {
     /// SAFETY:
@@ -115,7 +114,7 @@ safety_comment! {
     });
 }
 
-impl_size_eq!(bool, u8);
+impl_size_compat!(bool, u8);
 
 safety_comment! {
     /// SAFETY:
@@ -146,7 +145,7 @@ safety_comment! {
     });
 }
 
-impl_size_eq!(char, Unalign<u32>);
+impl_size_compat!(char, Unalign<u32>);
 
 safety_comment! {
     /// SAFETY:
@@ -180,14 +179,13 @@ safety_comment! {
     });
 }
 
-impl_size_eq!(str, [u8]);
+impl_size_compat!(str, [u8]);
 
 macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
     ($($nonzero:ident[$prim:ty]),*) => {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
-                impl_size_eq!($nonzero, Unalign<$prim>);
-
+                impl_size_compat!($nonzero, Unalign<$prim>);
                 let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
             });
@@ -405,23 +403,27 @@ mod atomics {
     macro_rules! unsafe_impl_transmute_from_for_atomic {
         ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {
             const _: () = {
-                use core::cell::UnsafeCell;
-                use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
+                use core::{cell::UnsafeCell};
+                use crate::pointer::{TransmuteFrom, PtrInner, SizeCompat, invariant::Valid};
 
                 $(
                     #[allow(unused_unsafe)] // Force the caller to call this macro inside `safety_comment!`.
                     const _: () = unsafe {};
 
-                    // SAFETY: The caller promised that `$atomic` and `$prim` have
-                    // the same size and bit validity.
+                    // SAFETY: The caller promised that `$atomic` and `$prim`
+                    // have the same size and bit validity. As a result of size
+                    // equality, both impls of `SizeCompat::cast_from_raw`
+                    // preserve referent size exactly.
                     unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
-                    // SAFETY: The caller promised that `$atomic` and `$prim` have
-                    // the same size and bit validity.
+                    // SAFETY: The caller promised that `$atomic` and `$prim`
+                    // have the same size and bit validity. As a result of size
+                    // equality, both impls of `SizeCompat::cast_from_raw`
+                    // preserve referent size exactly.
                     unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
 
-                    // SAFETY: The caller promised that `$atomic` and `$prim`
-                    // have the same size.
-                    unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
+                    // SAFETY: See inline safety comment.
+                    unsafe impl<$($tyvar)?> SizeCompat<$atomic> for $prim {
+                        #[inline(always)]
                         fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, $prim> {
                             // SAFETY: The caller promised that `$atomic` and `$prim`
                             // have the same size. Thus, this cast preserves
@@ -430,29 +432,34 @@ mod atomics {
                         }
                     }
                     // SAFETY: See previous safety comment.
-                    unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
+                    unsafe impl<$($tyvar)?> SizeCompat<$prim> for $atomic {
+                        #[inline(always)]
                         fn cast_from_raw(p: PtrInner<'_, $prim>) -> PtrInner<'_, $atomic> {
                             // SAFETY: See previous safety comment.
                             unsafe { cast!(p) }
                         }
                     }
+
                     // SAFETY: The caller promised that `$atomic` and `$prim`
                     // have the same size. `UnsafeCell<T>` has the same size as
-                    // `T` [1].
+                    // `T` [1]. Thus, this cast preserves address, referent
+                    // size, and provenance.
                     //
                     // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
                     //
                     //   `UnsafeCell<T>` has the same in-memory representation as
                     //   its inner type `T`. A consequence of this guarantee is that
                     //   it is possible to convert between `T` and `UnsafeCell<T>`.
-                    unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
+                    unsafe impl<$($tyvar)?> SizeCompat<$atomic> for UnsafeCell<$prim> {
+                        #[inline(always)]
                         fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, UnsafeCell<$prim>> {
                             // SAFETY: See previous safety comment.
                             unsafe { cast!(a) }
                         }
                     }
                     // SAFETY: See previous safety comment.
-                    unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
+                    unsafe impl<$($tyvar)?> SizeCompat<UnsafeCell<$prim>> for $atomic {
+                        #[inline(always)]
                         fn cast_from_raw(p: PtrInner<'_, UnsafeCell<$prim>>) -> PtrInner<'_, $atomic> {
                             // SAFETY: See previous safety comment.
                             unsafe { cast!(p) }
@@ -461,7 +468,10 @@ mod atomics {
 
                     // SAFETY: The caller promised that `$atomic` and `$prim`
                     // have the same bit validity. `UnsafeCell<T>` has the same
-                    // bit validity as `T` [1].
+                    // bit validity as `T` [1]. `UnsafeCell<T>` also has the
+                    // same size as `T` [1], and so both impls of
+                    // `SizeCompat::cast_from_raw` preserve referent size
+                    // exactly.
                     //
                     // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
                     //

src/pointer/ptr.rs

@@ -16,7 +16,7 @@ use crate::{
     pointer::{
         inner::PtrInner,
         invariant::*,
-        transmute::{MutationCompatible, SizeEq, TransmuteFromPtr},
+        transmute::{MutationCompatible, SizeCompat, TransmuteFromPtr},
     },
     AlignmentError, CastError, CastType, KnownLayout, SizeError, TryFromBytes, ValidityError,
 };
@@ -388,10 +388,10 @@ mod _conversions {
         pub(crate) fn transmute<U, V, R>(self) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
         where
             V: Validity,
-            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R> + SizeEq<T> + ?Sized,
+            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R> + SizeCompat<T> + ?Sized,
         {
             // SAFETY:
-            // - `SizeEq::cast_from_raw` promises to preserve address,
+            // - `SizeCompat::cast_from_raw` promises to preserve address,
             //   provenance, and the number of bytes in the referent
             // - If aliasing is `Shared`, then by `U: TransmuteFromPtr<T>`, at
             //   least one of the following holds:
@@ -402,7 +402,7 @@ mod _conversions {
             //     operate on these references simultaneously
             // - By `U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V>`, it is
             //   sound to perform this transmute.
-            unsafe { self.transmute_unchecked(|ptr| SizeEq::cast_from_raw(ptr).as_non_null()) }
+            unsafe { self.transmute_unchecked(|ptr| SizeCompat::cast_from_raw(ptr).as_non_null()) }
         }
 
         #[doc(hidden)]