zerocopy/impls.rs
1// SPDX-License-Identifier: (BSD-2-Clause OR Apache-2.0) OR MIT
2
3// Copyright 2024 The Fuchsia Authors
4//
5// Licensed under the 2-Clause BSD License <LICENSE-BSD or
6// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0
7// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
8// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
9// This file may not be copied, modified, or distributed except according to
10// those terms.
11
12use core::{
13 cell::{Cell, UnsafeCell},
14 mem::MaybeUninit as CoreMaybeUninit,
15 ptr::NonNull,
16};
17
18use super::*;
19use crate::pointer::cast::{CastSizedExact, CastUnsized};
20
21// SAFETY: Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
22// zero-sized type to have a size of 0 and an alignment of 1."
23// - `Immutable`: `()` self-evidently does not contain any `UnsafeCell`s.
24// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is only
25// one possible sequence of 0 bytes, and `()` is inhabited.
26// - `IntoBytes`: Since `()` has size 0, it contains no padding bytes.
27// - `Unaligned`: `()` has alignment 1.
28//
29// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#tuple-layout
30#[allow(clippy::multiple_unsafe_ops_per_block)]
31const _: () = unsafe {
32 unsafe_impl!((): Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
33 assert_unaligned!(());
34};
35
36// SAFETY:
37// - `Immutable`: These types self-evidently do not contain any `UnsafeCell`s.
38// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: all bit
39// patterns are valid for numeric types [1]
40// - `IntoBytes`: numeric types have no padding bytes [1]
41// - `Unaligned` (`u8` and `i8` only): The reference [2] specifies the size of
42// `u8` and `i8` as 1 byte. We also know that:
43// - Alignment is >= 1 [3]
44// - Size is an integer multiple of alignment [4]
45// - The only value >= 1 for which 1 is an integer multiple is 1 Therefore,
46// the only possible alignment for `u8` and `i8` is 1.
47//
48// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/numeric.html#bit-validity:
49//
50// For every numeric type, `T`, the bit validity of `T` is equivalent to
51// the bit validity of `[u8; size_of::<T>()]`. An uninitialized byte is
52// not a valid `u8`.
53//
54// [2] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-data-layout
55//
56// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
57//
58// Alignment is measured in bytes, and must be at least 1.
59//
60// [4] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
61//
62// The size of a value is always a multiple of its alignment.
63//
64// FIXME(#278): Once we've updated the trait docs to refer to `u8`s rather than
65// bits or bytes, update this comment, especially the reference to [1].
66#[allow(clippy::multiple_unsafe_ops_per_block)]
67const _: () = unsafe {
68 unsafe_impl!(u8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
69 unsafe_impl!(i8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
70 assert_unaligned!(u8, i8);
71 unsafe_impl!(u16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
72 unsafe_impl!(i16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
73 unsafe_impl!(u32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
74 unsafe_impl!(i32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
75 unsafe_impl!(u64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
76 unsafe_impl!(i64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
77 unsafe_impl!(u128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
78 unsafe_impl!(i128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
79 unsafe_impl!(usize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
80 unsafe_impl!(isize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
81 unsafe_impl!(f32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
82 unsafe_impl!(f64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
83 #[cfg(feature = "float-nightly")]
84 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
85 #[cfg(feature = "float-nightly")]
86 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
87};
88
89// SAFETY:
90// - `Immutable`: `bool` self-evidently does not contain any `UnsafeCell`s.
91// - `FromZeros`: Valid since "[t]he value false has the bit pattern 0x00" [1].
92// - `IntoBytes`: Since "the boolean type has a size and alignment of 1 each"
93// and "The value false has the bit pattern 0x00 and the value true has the
94// bit pattern 0x01" [1]. Thus, the only byte of the bool is always
95// initialized.
96// - `Unaligned`: Per the reference [1], "[a]n object with the boolean type has
97// a size and alignment of 1 each."
98//
99// [1] https://doc.rust-lang.org/1.81.0/reference/types/boolean.html
100#[allow(clippy::multiple_unsafe_ops_per_block)]
101const _: () = unsafe { unsafe_impl!(bool: Immutable, FromZeros, IntoBytes, Unaligned) };
102assert_unaligned!(bool);
103
104// SAFETY: The impl must only return `true` for its argument if the original
105// `Maybe<bool>` refers to a valid `bool`. We only return true if the `u8` value
106// is 0 or 1, and both of these are valid values for `bool` [1].
107//
108// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/boolean.html:
109//
110// The value false has the bit pattern 0x00 and the value true has the bit
111// pattern 0x01.
112const _: () = unsafe {
113 unsafe_impl!(=> TryFromBytes for bool; |byte| {
114 let byte = byte.transmute_with::<u8, invariant::Valid, CastSizedExact, BecauseImmutable>();
115 *byte.unaligned_as_ref() < 2
116 })
117};
118
119// SAFETY:
120// - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
121// - `FromZeros`: Per reference [1], "[a] value of type char is a Unicode scalar
122// value (i.e. a code point that is not a surrogate), represented as a 32-bit
123// unsigned word in the 0x0000 to 0xD7FF or 0xE000 to 0x10FFFF range" which
124// contains 0x0000.
125// - `IntoBytes`: `char` is per reference [1] "represented as a 32-bit unsigned
126// word" (`u32`) which is `IntoBytes`. Note that unlike `u32`, not all bit
127// patterns are valid for `char`.
128//
129// [1] https://doc.rust-lang.org/1.81.0/reference/types/textual.html
130#[allow(clippy::multiple_unsafe_ops_per_block)]
131const _: () = unsafe { unsafe_impl!(char: Immutable, FromZeros, IntoBytes) };
132
133// SAFETY: The impl must only return `true` for its argument if the original
134// `Maybe<char>` refers to a valid `char`. `char::from_u32` guarantees that it
135// returns `None` if its input is not a valid `char` [1].
136//
137// [1] Per https://doc.rust-lang.org/core/primitive.char.html#method.from_u32:
138//
139// `from_u32()` will return `None` if the input is not a valid value for a
140// `char`.
141const _: () = unsafe {
142 unsafe_impl!(=> TryFromBytes for char; |c| {
143 let c = c.transmute_with::<Unalign<u32>, invariant::Valid, CastSizedExact, BecauseImmutable>();
144 let c = c.read().into_inner();
145 char::from_u32(c).is_some()
146 });
147};
148
149// SAFETY: Per the Reference [1], `str` has the same layout as `[u8]`.
150// - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
151// - `FromZeros`, `IntoBytes`, `Unaligned`: `[u8]` is `FromZeros`, `IntoBytes`,
152// and `Unaligned`.
153//
154// Note that we don't `assert_unaligned!(str)` because `assert_unaligned!` uses
155// `align_of`, which only works for `Sized` types.
156//
157// FIXME(#429): Improve safety proof for `FromZeros` and `IntoBytes`; having the same
158// layout as `[u8]` isn't sufficient.
159//
160// [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout:
161//
162// String slices are a UTF-8 representation of characters that have the same
163// layout as slices of type `[u8]`.
164#[allow(clippy::multiple_unsafe_ops_per_block)]
165const _: () = unsafe { unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unaligned) };
166
167// SAFETY: The impl must only return `true` for its argument if the original
168// `Maybe<str>` refers to a valid `str`. `str::from_utf8` guarantees that it
169// returns `Err` if its input is not a valid `str` [1].
170//
171// [1] Per https://doc.rust-lang.org/core/str/fn.from_utf8.html#errors:
172//
173// Returns `Err` if the slice is not UTF-8.
174const _: () = unsafe {
175 unsafe_impl!(=> TryFromBytes for str; |c| {
176 let c = c.transmute_with::<[u8], invariant::Valid, CastUnsized, BecauseImmutable>();
177 let c = c.unaligned_as_ref();
178 core::str::from_utf8(c).is_ok()
179 })
180};
181
182macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
183 ($($nonzero:ident[$prim:ty]),*) => {
184 $(
185 unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
186 let n = n.transmute_with::<Unalign<$prim>, invariant::Valid, CastSizedExact, BecauseImmutable>();
187 $nonzero::new(n.read().into_inner()).is_some()
188 });
189 )*
190 }
191}
192
193// `NonZeroXxx` is `IntoBytes`, but not `FromZeros` or `FromBytes`.
194//
195// SAFETY:
196// - `IntoBytes`: `NonZeroXxx` has the same layout as its associated primitive.
197// Since it is the same size, this guarantees it has no padding - integers
198// have no padding, and there's no room for padding if it can represent all
199// of the same values except 0.
200// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that `Option<NonZeroU8>`
201// and `Option<NonZeroI8>` both have size 1. [1] [2] This is worded in a way
202// that makes it unclear whether it's meant as a guarantee, but given the
203// purpose of those types, it's virtually unthinkable that that would ever
204// change. `Option` cannot be smaller than its contained type, which implies
205// that, and `NonZeroX8` are of size 1 or 0. `NonZeroX8` can represent
206// multiple states, so they cannot be 0 bytes, which means that they must be 1
207// byte. The only valid alignment for a 1-byte type is 1.
208//
209// FIXME(#429):
210// - Add quotes from documentation.
211// - Add safety comment for `Immutable`. How can we prove that `NonZeroXxx`
212// doesn't contain any `UnsafeCell`s? It's obviously true, but it's not clear
213// how we'd prove it short of adding text to the stdlib docs that says so
214// explicitly, which likely wouldn't be accepted.
215//
216// [1] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html:
217//
218// `NonZeroU8` is guaranteed to have the same layout and bit validity as `u8` with
219// the exception that 0 is not a valid instance.
220//
221// [2] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html:
222//
223// `NonZeroI8` is guaranteed to have the same layout and bit validity as `i8` with
224// the exception that 0 is not a valid instance.
225#[allow(clippy::multiple_unsafe_ops_per_block)]
226const _: () = unsafe {
227 unsafe_impl!(NonZeroU8: Immutable, IntoBytes, Unaligned);
228 unsafe_impl!(NonZeroI8: Immutable, IntoBytes, Unaligned);
229 assert_unaligned!(NonZeroU8, NonZeroI8);
230 unsafe_impl!(NonZeroU16: Immutable, IntoBytes);
231 unsafe_impl!(NonZeroI16: Immutable, IntoBytes);
232 unsafe_impl!(NonZeroU32: Immutable, IntoBytes);
233 unsafe_impl!(NonZeroI32: Immutable, IntoBytes);
234 unsafe_impl!(NonZeroU64: Immutable, IntoBytes);
235 unsafe_impl!(NonZeroI64: Immutable, IntoBytes);
236 unsafe_impl!(NonZeroU128: Immutable, IntoBytes);
237 unsafe_impl!(NonZeroI128: Immutable, IntoBytes);
238 unsafe_impl!(NonZeroUsize: Immutable, IntoBytes);
239 unsafe_impl!(NonZeroIsize: Immutable, IntoBytes);
240 unsafe_impl_try_from_bytes_for_nonzero!(
241 NonZeroU8[u8],
242 NonZeroI8[i8],
243 NonZeroU16[u16],
244 NonZeroI16[i16],
245 NonZeroU32[u32],
246 NonZeroI32[i32],
247 NonZeroU64[u64],
248 NonZeroI64[i64],
249 NonZeroU128[u128],
250 NonZeroI128[i128],
251 NonZeroUsize[usize],
252 NonZeroIsize[isize]
253 );
254};
255
256// SAFETY:
257// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`, `IntoBytes`:
258// The Rust compiler reuses `0` value to represent `None`, so
259// `size_of::<Option<NonZeroXxx>>() == size_of::<xxx>()`; see `NonZeroXxx`
260// documentation.
261// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that `Option<NonZeroU8>`
262// and `Option<NonZeroI8>` both have size 1. [1] [2] This is worded in a way
263// that makes it unclear whether it's meant as a guarantee, but given the
264// purpose of those types, it's virtually unthinkable that that would ever
265// change. The only valid alignment for a 1-byte type is 1.
266//
267// [1] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html:
268//
269// `Option<NonZeroU8>` is guaranteed to be compatible with `u8`, including in FFI.
270//
271// Thanks to the null pointer optimization, `NonZeroU8` and `Option<NonZeroU8>`
272// are guaranteed to have the same size and alignment:
273//
274// [2] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html:
275//
276// `Option<NonZeroI8>` is guaranteed to be compatible with `i8`, including in FFI.
277//
278// Thanks to the null pointer optimization, `NonZeroI8` and `Option<NonZeroI8>`
279// are guaranteed to have the same size and alignment:
280#[allow(clippy::multiple_unsafe_ops_per_block)]
281const _: () = unsafe {
282 unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
283 unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
284 assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>);
285 unsafe_impl!(Option<NonZeroU16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
286 unsafe_impl!(Option<NonZeroI16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
287 unsafe_impl!(Option<NonZeroU32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
288 unsafe_impl!(Option<NonZeroI32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
289 unsafe_impl!(Option<NonZeroU64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
290 unsafe_impl!(Option<NonZeroI64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
291 unsafe_impl!(Option<NonZeroU128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
292 unsafe_impl!(Option<NonZeroI128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
293 unsafe_impl!(Option<NonZeroUsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
294 unsafe_impl!(Option<NonZeroIsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
295};
296
297// SAFETY: While it's not fully documented, the consensus is that `Box<T>` does
298// not contain any `UnsafeCell`s for `T: Sized` [1]. This is not a complete
299// proof, but we are accepting this as a known risk per #1358.
300//
301// [1] https://github.com/rust-lang/unsafe-code-guidelines/issues/492
302#[cfg(feature = "alloc")]
303const _: () = unsafe {
304 unsafe_impl!(
305 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
306 T: Sized => Immutable for Box<T>
307 )
308};
309
310// SAFETY: The following types can be transmuted from `[0u8; size_of::<T>()]`. [1]
311//
312// [1] Per https://doc.rust-lang.org/1.89.0/core/option/index.html#representation:
313//
314// Rust guarantees to optimize the following types `T` such that [`Option<T>`]
315// has the same size and alignment as `T`. In some of these cases, Rust
316// further guarantees that `transmute::<_, Option<T>>([0u8; size_of::<T>()])`
317// is sound and produces `Option::<T>::None`. These cases are identified by
318// the second column:
319//
320// | `T` | `transmute::<_, Option<T>>([0u8; size_of::<T>()])` sound? |
321// |-----------------------------------|-----------------------------------------------------------|
322// | [`Box<U>`] | when `U: Sized` |
323// | `&U` | when `U: Sized` |
324// | `&mut U` | when `U: Sized` |
325// | [`ptr::NonNull<U>`] | when `U: Sized` |
326// | `fn`, `extern "C" fn`[^extern_fn] | always |
327//
328// [^extern_fn]: this remains true for `unsafe` variants, any argument/return
329// types, and any other ABI: `[unsafe] extern "abi" fn` (_e.g._, `extern
330// "system" fn`)
331#[allow(clippy::multiple_unsafe_ops_per_block)]
332const _: () = unsafe {
333 #[cfg(feature = "alloc")]
334 unsafe_impl!(
335 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
336 T => TryFromBytes for Option<Box<T>>; |c| pointer::is_zeroed(c)
337 );
338 #[cfg(feature = "alloc")]
339 unsafe_impl!(
340 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
341 T => FromZeros for Option<Box<T>>
342 );
343 unsafe_impl!(
344 T => TryFromBytes for Option<&'_ T>; |c| pointer::is_zeroed(c)
345 );
346 unsafe_impl!(T => FromZeros for Option<&'_ T>);
347 unsafe_impl!(
348 T => TryFromBytes for Option<&'_ mut T>; |c| pointer::is_zeroed(c)
349 );
350 unsafe_impl!(T => FromZeros for Option<&'_ mut T>);
351 unsafe_impl!(
352 T => TryFromBytes for Option<NonNull<T>>; |c| pointer::is_zeroed(c)
353 );
354 unsafe_impl!(T => FromZeros for Option<NonNull<T>>);
355 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_fn!(...));
356 unsafe_impl_for_power_set!(
357 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_fn!(...);
358 |c| pointer::is_zeroed(c)
359 );
360 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_unsafe_fn!(...));
361 unsafe_impl_for_power_set!(
362 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_unsafe_fn!(...);
363 |c| pointer::is_zeroed(c)
364 );
365 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_extern_c_fn!(...));
366 unsafe_impl_for_power_set!(
367 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_extern_c_fn!(...);
368 |c| pointer::is_zeroed(c)
369 );
370 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_unsafe_extern_c_fn!(...));
371 unsafe_impl_for_power_set!(
372 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_unsafe_extern_c_fn!(...);
373 |c| pointer::is_zeroed(c)
374 );
375};
376
377// SAFETY: `[unsafe] [extern "C"] fn()` self-evidently do not contain
378// `UnsafeCell`s. This is not a proof, but we are accepting this as a known risk
379// per #1358.
380#[allow(clippy::multiple_unsafe_ops_per_block)]
381const _: () = unsafe {
382 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_fn!(...));
383 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_unsafe_fn!(...));
384 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_extern_c_fn!(...));
385 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_unsafe_extern_c_fn!(...));
386};
387
388#[cfg(all(
389 not(no_zerocopy_target_has_atomics_1_60_0),
390 any(
391 target_has_atomic = "8",
392 target_has_atomic = "16",
393 target_has_atomic = "32",
394 target_has_atomic = "64",
395 target_has_atomic = "ptr"
396 )
397))]
398#[cfg_attr(doc_cfg, doc(cfg(rust = "1.60.0")))]
399mod atomics {
400 use super::*;
401
402 macro_rules! impl_traits_for_atomics {
403 ($($atomics:tt [$primitives:ty]),* $(,)?) => {
404 $(
405 impl_known_layout!($atomics);
406 impl_for_transmute_from!(=> FromZeros for $atomics [$primitives]);
407 impl_for_transmute_from!(=> FromBytes for $atomics [$primitives]);
408 impl_for_transmute_from!(=> TryFromBytes for $atomics [$primitives]);
409 impl_for_transmute_from!(=> IntoBytes for $atomics [$primitives]);
410 )*
411 };
412 }
413
414 /// Implements `TransmuteFrom` for `$atomic`, `$prim`, and
415 /// `UnsafeCell<$prim>`.
416 ///
417 /// # Safety
418 ///
419 /// `$atomic` must have the same size and bit validity as `$prim`.
420 macro_rules! unsafe_impl_transmute_from_for_atomic {
421 ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {{
422 crate::util::macros::__unsafe();
423
424 use crate::pointer::{SizeEq, TransmuteFrom, invariant::Valid};
425
426 $(
427 // SAFETY: The caller promised that `$atomic` and `$prim` have
428 // the same size and bit validity.
429 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
430 // SAFETY: The caller promised that `$atomic` and `$prim` have
431 // the same size and bit validity.
432 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
433
434 impl<$($tyvar)?> SizeEq<ReadOnly<$atomic>> for ReadOnly<$prim> {
435 type CastFrom = $crate::pointer::cast::CastSizedExact;
436 }
437
438 // SAFETY: The caller promised that `$atomic` and `$prim` have
439 // the same bit validity. `UnsafeCell<T>` has the same bit
440 // validity as `T` [1].
441 //
442 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
443 //
444 // `UnsafeCell<T>` has the same in-memory representation as
445 // its inner type `T`. A consequence of this guarantee is that
446 // it is possible to convert between `T` and `UnsafeCell<T>`.
447 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for core::cell::UnsafeCell<$prim> {}
448 // SAFETY: See previous safety comment.
449 unsafe impl<$($tyvar)?> TransmuteFrom<core::cell::UnsafeCell<$prim>, Valid, Valid> for $atomic {}
450 )*
451 }};
452 }
453
454 #[cfg(target_has_atomic = "8")]
455 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "8")))]
456 mod atomic_8 {
457 use core::sync::atomic::{AtomicBool, AtomicI8, AtomicU8};
458
459 use super::*;
460
461 impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
462
463 impl_known_layout!(AtomicBool);
464 impl_for_transmute_from!(=> FromZeros for AtomicBool [bool]);
465 impl_for_transmute_from!(=> TryFromBytes for AtomicBool [bool]);
466 impl_for_transmute_from!(=> IntoBytes for AtomicBool [bool]);
467
468 // SAFETY: Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the
469 // same size as `bool`, `u8`, and `i8` respectively. Since a type's
470 // alignment cannot be smaller than 1 [2], and since its alignment
471 // cannot be greater than its size [3], the only possible value for the
472 // alignment is 1. Thus, it is sound to implement `Unaligned`.
473 //
474 // [1] Per (for example) https://doc.rust-lang.org/1.81.0/std/sync/atomic/struct.AtomicU8.html:
475 //
476 // This type has the same size, alignment, and bit validity as the
477 // underlying integer type
478 //
479 // [2] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
480 //
481 // Alignment is measured in bytes, and must be at least 1.
482 //
483 // [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
484 //
485 // The size of a value is always a multiple of its alignment.
486 #[allow(clippy::multiple_unsafe_ops_per_block)]
487 const _: () = unsafe {
488 unsafe_impl!(AtomicBool: Unaligned);
489 unsafe_impl!(AtomicU8: Unaligned);
490 unsafe_impl!(AtomicI8: Unaligned);
491 assert_unaligned!(AtomicBool, AtomicU8, AtomicI8);
492 };
493
494 // SAFETY: `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size
495 // and bit validity as `u8`, `i8`, and `bool` respectively [1][2][3].
496 //
497 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html:
498 //
499 // This type has the same size, alignment, and bit validity as the
500 // underlying integer type, `u8`.
501 //
502 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html:
503 //
504 // This type has the same size, alignment, and bit validity as the
505 // underlying integer type, `i8`.
506 //
507 // [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html:
508 //
509 // This type has the same size, alignment, and bit validity a `bool`.
510 #[allow(clippy::multiple_unsafe_ops_per_block)]
511 const _: () = unsafe {
512 unsafe_impl_transmute_from_for_atomic!(
513 => AtomicU8 [u8],
514 => AtomicI8 [i8],
515 => AtomicBool [bool]
516 )
517 };
518 }
519
520 #[cfg(target_has_atomic = "16")]
521 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "16")))]
522 mod atomic_16 {
523 use core::sync::atomic::{AtomicI16, AtomicU16};
524
525 use super::*;
526
527 impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
528
529 // SAFETY: `AtomicU16` and `AtomicI16` have the same size and bit
530 // validity as `u16` and `i16` respectively [1][2].
531 //
532 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html:
533 //
534 // This type has the same size and bit validity as the underlying
535 // integer type, `u16`.
536 //
537 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html:
538 //
539 // This type has the same size and bit validity as the underlying
540 // integer type, `i16`.
541 #[allow(clippy::multiple_unsafe_ops_per_block)]
542 const _: () = unsafe {
543 unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16])
544 };
545 }
546
547 #[cfg(target_has_atomic = "32")]
548 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "32")))]
549 mod atomic_32 {
550 use core::sync::atomic::{AtomicI32, AtomicU32};
551
552 use super::*;
553
554 impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
555
556 // SAFETY: `AtomicU32` and `AtomicI32` have the same size and bit
557 // validity as `u32` and `i32` respectively [1][2].
558 //
559 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html:
560 //
561 // This type has the same size and bit validity as the underlying
562 // integer type, `u32`.
563 //
564 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html:
565 //
566 // This type has the same size and bit validity as the underlying
567 // integer type, `i32`.
568 #[allow(clippy::multiple_unsafe_ops_per_block)]
569 const _: () = unsafe {
570 unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32])
571 };
572 }
573
574 #[cfg(target_has_atomic = "64")]
575 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "64")))]
576 mod atomic_64 {
577 use core::sync::atomic::{AtomicI64, AtomicU64};
578
579 use super::*;
580
581 impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
582
583 // SAFETY: `AtomicU64` and `AtomicI64` have the same size and bit
584 // validity as `u64` and `i64` respectively [1][2].
585 //
586 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html:
587 //
588 // This type has the same size and bit validity as the underlying
589 // integer type, `u64`.
590 //
591 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html:
592 //
593 // This type has the same size and bit validity as the underlying
594 // integer type, `i64`.
595 #[allow(clippy::multiple_unsafe_ops_per_block)]
596 const _: () = unsafe {
597 unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64])
598 };
599 }
600
601 #[cfg(target_has_atomic = "ptr")]
602 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "ptr")))]
603 mod atomic_ptr {
604 use core::sync::atomic::{AtomicIsize, AtomicPtr, AtomicUsize};
605
606 use super::*;
607
608 impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
609
610 // FIXME(#170): Implement `FromBytes` and `IntoBytes` once we implement
611 // those traits for `*mut T`.
612 impl_known_layout!(T => AtomicPtr<T>);
613 impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [*mut T]);
614 impl_for_transmute_from!(T => FromZeros for AtomicPtr<T> [*mut T]);
615
616 // SAFETY: `AtomicUsize` and `AtomicIsize` have the same size and bit
617 // validity as `usize` and `isize` respectively [1][2].
618 //
619 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html:
620 //
621 // This type has the same size and bit validity as the underlying
622 // integer type, `usize`.
623 //
624 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html:
625 //
626 // This type has the same size and bit validity as the underlying
627 // integer type, `isize`.
628 #[allow(clippy::multiple_unsafe_ops_per_block)]
629 const _: () = unsafe {
630 unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize])
631 };
632
633 // SAFETY: Per
634 // https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
635 //
636 // This type has the same size and bit validity as a `*mut T`.
637 #[allow(clippy::multiple_unsafe_ops_per_block)]
638 const _: () = unsafe { unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]) };
639 }
640}
641
642// SAFETY: Per reference [1]: "For all T, the following are guaranteed:
643// size_of::<PhantomData<T>>() == 0 align_of::<PhantomData<T>>() == 1". This
644// gives:
645// - `Immutable`: `PhantomData` has no fields.
646// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is only
647// one possible sequence of 0 bytes, and `PhantomData` is inhabited.
648// - `IntoBytes`: Since `PhantomData` has size 0, it contains no padding bytes.
649// - `Unaligned`: Per the preceding reference, `PhantomData` has alignment 1.
650//
651// [1] https://doc.rust-lang.org/1.81.0/std/marker/struct.PhantomData.html#layout-1
652#[allow(clippy::multiple_unsafe_ops_per_block)]
653const _: () = unsafe {
654 unsafe_impl!(T: ?Sized => Immutable for PhantomData<T>);
655 unsafe_impl!(T: ?Sized => TryFromBytes for PhantomData<T>);
656 unsafe_impl!(T: ?Sized => FromZeros for PhantomData<T>);
657 unsafe_impl!(T: ?Sized => FromBytes for PhantomData<T>);
658 unsafe_impl!(T: ?Sized => IntoBytes for PhantomData<T>);
659 unsafe_impl!(T: ?Sized => Unaligned for PhantomData<T>);
660 assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>);
661};
662
663impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[T]);
664impl_for_transmute_from!(T: FromZeros => FromZeros for Wrapping<T>[T]);
665impl_for_transmute_from!(T: FromBytes => FromBytes for Wrapping<T>[T]);
666impl_for_transmute_from!(T: IntoBytes => IntoBytes for Wrapping<T>[T]);
667assert_unaligned!(Wrapping<()>, Wrapping<u8>);
668
669// SAFETY: Per [1], `Wrapping<T>` has the same layout as `T`. Since its single
670// field (of type `T`) is public, it would be a breaking change to add or remove
671// fields. Thus, we know that `Wrapping<T>` contains a `T` (as opposed to just
672// having the same size and alignment as `T`) with no pre- or post-padding.
673// Thus, `Wrapping<T>` must have `UnsafeCell`s covering the same byte ranges as
674// `Inner = T`.
675//
676// [1] Per https://doc.rust-lang.org/1.81.0/std/num/struct.Wrapping.html#layout-1:
677//
678// `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`
679const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for Wrapping<T>) };
680
681// SAFETY: Per [1] in the preceding safety comment, `Wrapping<T>` has the same
682// alignment as `T`.
683const _: () = unsafe { unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>) };
684
685// SAFETY: `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`:
686// `MaybeUninit<T>` has no restrictions on its contents.
687#[allow(clippy::multiple_unsafe_ops_per_block)]
688const _: () = unsafe {
689 unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>);
690 unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>);
691 unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>);
692};
693
694// SAFETY: `MaybeUninit<T>` has `UnsafeCell`s covering the same byte ranges as
695// `Inner = T`. This is not explicitly documented, but it can be inferred. Per
696// [1], `MaybeUninit<T>` has the same size as `T`. Further, note the signature
697// of `MaybeUninit::assume_init_ref` [2]:
698//
699// pub unsafe fn assume_init_ref(&self) -> &T
700//
701// If the argument `&MaybeUninit<T>` and the returned `&T` had `UnsafeCell`s at
702// different offsets, this would be unsound. Its existence is proof that this is
703// not the case.
704//
705// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
706//
707// `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI as
708// `T`.
709//
710// [2] https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#method.assume_init_ref
711const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>) };
712
713// SAFETY: Per [1] in the preceding safety comment, `MaybeUninit<T>` has the
714// same alignment as `T`.
715const _: () = unsafe { unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>) };
716assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>);
717
718// SAFETY: `ManuallyDrop<T>` has the same layout as `T` [1]. This strongly
719// implies, but does not guarantee, that it contains `UnsafeCell`s covering the
720// same byte ranges as in `T`. However, it also implements `Defer<Target = T>`
721// [2], which provides the ability to convert `&ManuallyDrop<T> -> &T`. This,
722// combined with having the same size as `T`, implies that `ManuallyDrop<T>`
723// exactly contains a `T` with the same fields and `UnsafeCell`s covering the
724// same byte ranges, or else the `Deref` impl would permit safe code to obtain
725// different shared references to the same region of memory with different
726// `UnsafeCell` coverage, which would in turn permit interior mutation that
727// would violate the invariants of a shared reference.
728//
729// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
730//
731// `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as
732// `T`
733//
734// [2] https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html#impl-Deref-for-ManuallyDrop%3CT%3E
735const _: () = unsafe { unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>) };
736
737impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>[T]);
738impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[T]);
739impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[T]);
740impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[T]);
741// SAFETY: `ManuallyDrop<T>` has the same layout as `T` [1], and thus has the
742// same alignment as `T`.
743//
744// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/struct.ManuallyDrop.html:
745//
746// `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as
747// `T`
748const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>) };
749assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>);
750
751const _: () = {
752 #[allow(
753 non_camel_case_types,
754 missing_copy_implementations,
755 missing_debug_implementations,
756 missing_docs
757 )]
758 pub enum value {}
759
760 // SAFETY: See safety comment on `ProjectToTag`.
761 unsafe impl<T: ?Sized> HasTag for ManuallyDrop<T> {
762 #[inline]
763 fn only_derive_is_allowed_to_implement_this_trait()
764 where
765 Self: Sized,
766 {
767 }
768
769 type Tag = ();
770
771 // SAFETY: It is trivially sound to project any pointer to a pointer to
772 // a type of size zero and alignment 1 (which `()` is [1]). Such a
773 // pointer will trivially satisfy its aliasing and validity requirements
774 // (since it has a zero-sized referent), and its alignment requirement
775 // (since it is aligned to 1).
776 //
777 // [1] Per https://doc.rust-lang.org/1.92.0/reference/type-layout.html#r-layout.tuple.unit:
778 //
779 // [T]he unit tuple (`()`)... is guaranteed as a zero-sized type to
780 // have a size of 0 and an alignment of 1.
781 type ProjectToTag = crate::pointer::cast::CastToUnit;
782 }
783
784 // SAFETY: `ManuallyDrop<T>` has a field of type `T` at offset `0` without
785 // any safety invariants beyond those of `T`. Its existence is not
786 // explicitly documented, but it can be inferred; per [1] `ManuallyDrop<T>`
787 // has the same size and bit validity as `T`. This field is not literally
788 // public, but is effectively so; the field can be transparently:
789 //
790 // - initialized via `ManuallyDrop::new`
791 // - moved via `ManuallyDrop::into_inner`
792 // - referenced via `ManuallyDrop::deref`
793 // - exclusively referenced via `ManuallyDrop::deref_mut`
794 //
795 // We call this field `value`, both because that is both the name of this
796 // private field, and because it is the name it is referred to in the public
797 // documentation of `ManuallyDrop::new`, `ManuallyDrop::into_inner`,
798 // `ManuallyDrop::take` and `ManuallyDrop::drop`.
799 unsafe impl<T: ?Sized>
800 HasField<value, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!(value) }>
801 for ManuallyDrop<T>
802 {
803 #[inline]
804 fn only_derive_is_allowed_to_implement_this_trait()
805 where
806 Self: Sized,
807 {
808 }
809
810 type Type = T;
811
812 #[inline(always)]
813 fn project(slf: PtrInner<'_, Self>) -> *mut T {
814 // SAFETY: `ManuallyDrop<T>` has the same layout and bit validity as
815 // `T` [1].
816 //
817 // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
818 //
819 // `ManuallyDrop<T>` is guaranteed to have the same layout and bit
820 // validity as `T`
821 #[allow(clippy::as_conversions)]
822 return slf.as_ptr() as *mut T;
823 }
824 }
825};
826
827impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for Cell<T>[T]);
828impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for Cell<T>[T]);
829impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for Cell<T>[T]);
830impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for Cell<T>[T]);
831// SAFETY: `Cell<T>` has the same in-memory representation as `T` [1], and thus
832// has the same alignment as `T`.
833//
834// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.Cell.html#memory-layout:
835//
836// `Cell<T>` has the same in-memory representation as its inner type `T`.
837const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for Cell<T>) };
838
839impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[T]);
840impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[T]);
841impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[T]);
842// SAFETY: `UnsafeCell<T>` has the same in-memory representation as `T` [1], and
843// thus has the same alignment as `T`.
844//
845// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
846//
847// `UnsafeCell<T>` has the same in-memory representation as its inner type
848// `T`.
849const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>) };
850assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
851
852// SAFETY: See safety comment in `is_bit_valid` impl.
853unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
854 #[allow(clippy::missing_inline_in_public_items)]
855 fn only_derive_is_allowed_to_implement_this_trait()
856 where
857 Self: Sized,
858 {
859 }
860
861 #[inline(always)]
862 fn is_bit_valid<A>(candidate: Maybe<'_, Self, A>) -> bool
863 where
864 A: invariant::Alignment,
865 {
866 T::is_bit_valid(candidate.transmute::<_, _, BecauseImmutable>())
867 }
868}
869
870// SAFETY: Per the reference [1]:
871//
872// An array of `[T; N]` has a size of `size_of::<T>() * N` and the same
873// alignment of `T`. Arrays are laid out so that the zero-based `nth` element
874// of the array is offset from the start of the array by `n * size_of::<T>()`
875// bytes.
876//
877// ...
878//
879// Slices have the same layout as the section of the array they slice.
880//
881// In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s laid
882// out back-to-back with no bytes in between. Therefore, `[T]` or `[T; N]` are
883// `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, and `IntoBytes` if `T`
884// is (respectively). Furthermore, since an array/slice has "the same alignment
885// of `T`", `[T]` and `[T; N]` are `Unaligned` if `T` is.
886//
887// Note that we don't `assert_unaligned!` for slice types because
888// `assert_unaligned!` uses `align_of`, which only works for `Sized` types.
889//
890// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout
891#[allow(clippy::multiple_unsafe_ops_per_block)]
892const _: () = unsafe {
893 unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]);
894 unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; |c| {
895 let c: Ptr<'_, [ReadOnly<T>; N], _> = c.cast::<_, crate::pointer::cast::CastSized, _>();
896 let c: Ptr<'_, [ReadOnly<T>], _> = c.as_slice();
897 let c: Ptr<'_, ReadOnly<[T]>, _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>();
898
899 // Note that this call may panic, but it would still be sound even if it
900 // did. `is_bit_valid` does not promise that it will not panic (in fact,
901 // it explicitly warns that it's a possibility), and we have not
902 // violated any safety invariants that we must fix before returning.
903 <[T] as TryFromBytes>::is_bit_valid(c)
904 });
905 unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]);
906 unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
907 unsafe_impl!(const N: usize, T: IntoBytes => IntoBytes for [T; N]);
908 unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]);
909 assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]);
910 unsafe_impl!(T: Immutable => Immutable for [T]);
911 unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; |c| {
912 let c: Ptr<'_, [ReadOnly<T>], _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>();
913
914 // SAFETY: Per the reference [1]:
915 //
916 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the
917 // same alignment of `T`. Arrays are laid out so that the zero-based
918 // `nth` element of the array is offset from the start of the array by
919 // `n * size_of::<T>()` bytes.
920 //
921 // ...
922 //
923 // Slices have the same layout as the section of the array they slice.
924 //
925 // In other words, the layout of a `[T] is a sequence of `T`s laid out
926 // back-to-back with no bytes in between. If all elements in `candidate`
927 // are `is_bit_valid`, so too is `candidate`.
928 //
929 // Note that any of the below calls may panic, but it would still be
930 // sound even if it did. `is_bit_valid` does not promise that it will
931 // not panic (in fact, it explicitly warns that it's a possibility), and
932 // we have not violated any safety invariants that we must fix before
933 // returning.
934 c.iter().all(<T as TryFromBytes>::is_bit_valid)
935 });
936 unsafe_impl!(T: FromZeros => FromZeros for [T]);
937 unsafe_impl!(T: FromBytes => FromBytes for [T]);
938 unsafe_impl!(T: IntoBytes => IntoBytes for [T]);
939 unsafe_impl!(T: Unaligned => Unaligned for [T]);
940};
941
942// SAFETY:
943// - `Immutable`: Raw pointers do not contain any `UnsafeCell`s.
944// - `FromZeros`: For thin pointers (note that `T: Sized`), the zero pointer is
945// considered "null". [1] No operations which require provenance are legal on
946// null pointers, so this is not a footgun.
947// - `TryFromBytes`: By the same reasoning as for `FromZeroes`, we can implement
948// `TryFromBytes` for thin pointers provided that
949// [`TryFromByte::is_bit_valid`] only produces `true` for zeroed bytes.
950//
951// NOTE(#170): Implementing `FromBytes` and `IntoBytes` for raw pointers would
952// be sound, but carries provenance footguns. We want to support `FromBytes` and
953// `IntoBytes` for raw pointers eventually, but we are holding off until we can
954// figure out how to address those footguns.
955//
956// [1] Per https://doc.rust-lang.org/1.81.0/std/ptr/fn.null.html:
957//
958// Creates a null raw pointer.
959//
960// This function is equivalent to zero-initializing the pointer:
961// `MaybeUninit::<*const T>::zeroed().assume_init()`.
962//
963// The resulting pointer has the address 0.
964#[allow(clippy::multiple_unsafe_ops_per_block)]
965const _: () = unsafe {
966 unsafe_impl!(T: ?Sized => Immutable for *const T);
967 unsafe_impl!(T: ?Sized => Immutable for *mut T);
968 unsafe_impl!(T => TryFromBytes for *const T; |c| pointer::is_zeroed(c));
969 unsafe_impl!(T => FromZeros for *const T);
970 unsafe_impl!(T => TryFromBytes for *mut T; |c| pointer::is_zeroed(c));
971 unsafe_impl!(T => FromZeros for *mut T);
972};
973
974// SAFETY: `NonNull<T>` self-evidently does not contain `UnsafeCell`s. This is
975// not a proof, but we are accepting this as a known risk per #1358.
976const _: () = unsafe { unsafe_impl!(T: ?Sized => Immutable for NonNull<T>) };
977
978// SAFETY: Reference types do not contain any `UnsafeCell`s.
979#[allow(clippy::multiple_unsafe_ops_per_block)]
980const _: () = unsafe {
981 unsafe_impl!(T: ?Sized => Immutable for &'_ T);
982 unsafe_impl!(T: ?Sized => Immutable for &'_ mut T);
983};
984
985// SAFETY: `Option` is not `#[non_exhaustive]` [1], which means that the types
986// in its variants cannot change, and no new variants can be added. `Option<T>`
987// does not contain any `UnsafeCell`s outside of `T`. [1]
988//
989// [1] https://doc.rust-lang.org/core/option/enum.Option.html
990const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for Option<T>) };
991
992mod tuples {
993 use super::*;
994
995 /// Generates various trait implementations for tuples.
996 ///
997 /// # Safety
998 ///
999 /// `impl_tuple!` should be provided name-number pairs, where each number is
1000 /// the ordinal of the preceding type name.
1001 macro_rules! impl_tuple {
1002 // Entry point.
1003 ($($T:ident $I:tt),+ $(,)?) => {
1004 crate::util::macros::__unsafe();
1005 impl_tuple!(@all [] [$($T $I)+]);
1006 };
1007
1008 // Build up the set of tuple types (i.e., `(A,)`, `(A, B)`, `(A, B, C)`,
1009 // etc.) Trait implementations that do not depend on field index may be
1010 // added to this branch.
1011 (@all [$($head_T:ident $head_I:tt)*] [$next_T:ident $next_I:tt $($tail:tt)*]) => {
1012 // SAFETY: If all fields of the tuple `Self` are `Immutable`, so too is `Self`.
1013 unsafe_impl!($($head_T: Immutable,)* $next_T: Immutable => Immutable for ($($head_T,)* $next_T,));
1014
1015 // SAFETY: If all fields in `c` are `is_bit_valid`, so too is `c`.
1016 unsafe_impl!($($head_T: TryFromBytes,)* $next_T: TryFromBytes => TryFromBytes for ($($head_T,)* $next_T,); |c| {
1017 let mut c = c;
1018 $(TryFromBytes::is_bit_valid(into_inner!(c.reborrow().project::<_, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!($head_I) }>())) &&)*
1019 TryFromBytes::is_bit_valid(into_inner!(c.reborrow().project::<_, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!($next_I) }>()))
1020 });
1021
1022 // SAFETY: If all fields in `Self` are `FromZeros`, so too is `Self`.
1023 unsafe_impl!($($head_T: FromZeros,)* $next_T: FromZeros => FromZeros for ($($head_T,)* $next_T,));
1024
1025 // SAFETY: If all fields in `Self` are `FromBytes`, so too is `Self`.
1026 unsafe_impl!($($head_T: FromBytes,)* $next_T: FromBytes => FromBytes for ($($head_T,)* $next_T,));
1027
1028 // SAFETY: See safety comment on `ProjectToTag`.
1029 unsafe impl<$($head_T,)* $next_T> crate::HasTag for ($($head_T,)* $next_T,) {
1030 #[inline]
1031 fn only_derive_is_allowed_to_implement_this_trait()
1032 where
1033 Self: Sized
1034 {}
1035
1036 type Tag = ();
1037
1038 // SAFETY: It is trivially sound to project any pointer to a
1039 // pointer to a type of size zero and alignment 1 (which `()` is
1040 // [1]). Such a pointer will trivially satisfy its aliasing and
1041 // validity requirements (since it has a zero-sized referent),
1042 // and its alignment requirement (since it is aligned to 1).
1043 //
1044 // [1] Per https://doc.rust-lang.org/1.92.0/reference/type-layout.html#r-layout.tuple.unit:
1045 //
1046 // [T]he unit tuple (`()`)... is guaranteed as a zero-sized
1047 // type to have a size of 0 and an alignment of 1.
1048 type ProjectToTag = crate::pointer::cast::CastToUnit;
1049 }
1050
1051 // Generate impls that depend on tuple index.
1052 impl_tuple!(@variants
1053 [$($head_T $head_I)* $next_T $next_I]
1054 []
1055 [$($head_T $head_I)* $next_T $next_I]
1056 );
1057
1058 // Recurse to next tuple size
1059 impl_tuple!(@all [$($head_T $head_I)* $next_T $next_I] [$($tail)*]);
1060 };
1061 (@all [$($head_T:ident $head_I:tt)*] []) => {};
1062
1063 // Emit trait implementations that depend on field index.
1064 (@variants
1065 // The full tuple definition in type–index pairs.
1066 [$($AllT:ident $AllI:tt)+]
1067 // Types before the current index.
1068 [$($BeforeT:ident)*]
1069 // The types and indices at and after the current index.
1070 [$CurrT:ident $CurrI:tt $($AfterT:ident $AfterI:tt)*]
1071 ) => {
1072 // SAFETY:
1073 // - `Self` is a struct (albeit anonymous), so `VARIANT_ID` is
1074 // `STRUCT_VARIANT_ID`.
1075 // - `$CurrI` is the field at index `$CurrI`, so `FIELD_ID` is
1076 // `zerocopy::ident_id!($CurrI)`
1077 // - `()` has the same visibility as the `.$CurrI` field (ie, `.0`,
1078 // `.1`, etc)
1079 // - `Type` has the same type as `$CurrI`; i.e., `$CurrT`.
1080 unsafe impl<$($AllT),+> crate::HasField<
1081 (),
1082 { crate::STRUCT_VARIANT_ID },
1083 { crate::ident_id!($CurrI)}
1084 > for ($($AllT,)+) {
1085 #[inline]
1086 fn only_derive_is_allowed_to_implement_this_trait()
1087 where
1088 Self: Sized
1089 {}
1090
1091 type Type = $CurrT;
1092
1093 #[inline(always)]
1094 fn project(slf: crate::PtrInner<'_, Self>) -> *mut Self::Type {
1095 let slf = slf.as_non_null().as_ptr();
1096 // SAFETY: `PtrInner` promises it references either a zero-sized
1097 // byte range, or else will reference a byte range that is
1098 // entirely contained within an allocated object. In either
1099 // case, this guarantees that `(*slf).$CurrI` is in-bounds of
1100 // `slf`.
1101 unsafe { core::ptr::addr_of_mut!((*slf).$CurrI) }
1102 }
1103 }
1104
1105 // SAFETY: See comments on items.
1106 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField<
1107 (),
1108 (Aliasing, Alignment, crate::invariant::Uninit),
1109 { crate::STRUCT_VARIANT_ID },
1110 { crate::ident_id!($CurrI)}
1111 > for ($($AllT,)+)
1112 where
1113 Aliasing: crate::invariant::Aliasing,
1114 Alignment: crate::invariant::Alignment,
1115 {
1116 #[inline]
1117 fn only_derive_is_allowed_to_implement_this_trait()
1118 where
1119 Self: Sized
1120 {}
1121
1122 // SAFETY: Tuples are product types whose fields are
1123 // well-aligned, so projection preserves both the alignment and
1124 // validity invariants of the outer pointer.
1125 type Invariants = (Aliasing, Alignment, crate::invariant::Uninit);
1126
1127 // SAFETY: Tuples are product types and so projection is infallible;
1128 type Error = core::convert::Infallible;
1129 }
1130
1131 // SAFETY: See comments on items.
1132 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField<
1133 (),
1134 (Aliasing, Alignment, crate::invariant::Initialized),
1135 { crate::STRUCT_VARIANT_ID },
1136 { crate::ident_id!($CurrI)}
1137 > for ($($AllT,)+)
1138 where
1139 Aliasing: crate::invariant::Aliasing,
1140 Alignment: crate::invariant::Alignment,
1141 {
1142 #[inline]
1143 fn only_derive_is_allowed_to_implement_this_trait()
1144 where
1145 Self: Sized
1146 {}
1147
1148 // SAFETY: Tuples are product types whose fields are
1149 // well-aligned, so projection preserves both the alignment and
1150 // validity invariants of the outer pointer.
1151 type Invariants = (Aliasing, Alignment, crate::invariant::Initialized);
1152
1153 // SAFETY: Tuples are product types and so projection is infallible;
1154 type Error = core::convert::Infallible;
1155 }
1156
1157 // SAFETY: See comments on items.
1158 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField<
1159 (),
1160 (Aliasing, Alignment, crate::invariant::Valid),
1161 { crate::STRUCT_VARIANT_ID },
1162 { crate::ident_id!($CurrI)}
1163 > for ($($AllT,)+)
1164 where
1165 Aliasing: crate::invariant::Aliasing,
1166 Alignment: crate::invariant::Alignment,
1167 {
1168 #[inline]
1169 fn only_derive_is_allowed_to_implement_this_trait()
1170 where
1171 Self: Sized
1172 {}
1173
1174 // SAFETY: Tuples are product types whose fields are
1175 // well-aligned, so projection preserves both the alignment and
1176 // validity invariants of the outer pointer.
1177 type Invariants = (Aliasing, Alignment, crate::invariant::Valid);
1178
1179 // SAFETY: Tuples are product types and so projection is infallible;
1180 type Error = core::convert::Infallible;
1181 }
1182
1183 // Recurse to the next index.
1184 impl_tuple!(@variants [$($AllT $AllI)+] [$($BeforeT)* $CurrT] [$($AfterT $AfterI)*]);
1185 };
1186 (@variants [$($AllT:ident $AllI:tt)+] [$($BeforeT:ident)*] []) => {};
1187 }
1188
1189 // SAFETY: `impl_tuple` is provided name-number pairs, where number is the
1190 // ordinal of the name.
1191 #[allow(clippy::multiple_unsafe_ops_per_block)]
1192 const _: () = unsafe {
1193 impl_tuple! {
1194 A 0,
1195 B 1,
1196 C 2,
1197 D 3,
1198 E 4,
1199 F 5,
1200 G 6,
1201 H 7,
1202 I 8,
1203 J 9,
1204 K 10,
1205 L 11,
1206 M 12,
1207 N 13,
1208 O 14,
1209 P 15,
1210 Q 16,
1211 R 17,
1212 S 18,
1213 T 19,
1214 U 20,
1215 V 21,
1216 W 22,
1217 X 23,
1218 Y 24,
1219 Z 25,
1220 };
1221 };
1222}
1223
1224// SIMD support
1225//
1226// Per the Unsafe Code Guidelines Reference [1]:
1227//
1228// Packed SIMD vector types are `repr(simd)` homogeneous tuple-structs
1229// containing `N` elements of type `T` where `N` is a power-of-two and the
1230// size and alignment requirements of `T` are equal:
1231//
1232// ```rust
1233// #[repr(simd)]
1234// struct Vector<T, N>(T_0, ..., T_(N - 1));
1235// ```
1236//
1237// ...
1238//
1239// The size of `Vector` is `N * size_of::<T>()` and its alignment is an
1240// implementation-defined function of `T` and `N` greater than or equal to
1241// `align_of::<T>()`.
1242//
1243// ...
1244//
1245// Vector elements are laid out in source field order, enabling random access
1246// to vector elements by reinterpreting the vector as an array:
1247//
1248// ```rust
1249// union U {
1250// vec: Vector<T, N>,
1251// arr: [T; N]
1252// }
1253//
1254// assert_eq!(size_of::<Vector<T, N>>(), size_of::<[T; N]>());
1255// assert!(align_of::<Vector<T, N>>() >= align_of::<[T; N]>());
1256//
1257// unsafe {
1258// let u = U { vec: Vector<T, N>(t_0, ..., t_(N - 1)) };
1259//
1260// assert_eq!(u.vec.0, u.arr[0]);
1261// // ...
1262// assert_eq!(u.vec.(N - 1), u.arr[N - 1]);
1263// }
1264// ```
1265//
1266// Given this background, we can observe that:
1267// - The size and bit pattern requirements of a SIMD type are equivalent to the
1268// equivalent array type. Thus, for any SIMD type whose primitive `T` is
1269// `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes`, that
1270// SIMD type is also `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or
1271// `IntoBytes` respectively.
1272// - Since no upper bound is placed on the alignment, no SIMD type can be
1273// guaranteed to be `Unaligned`.
1274//
1275// Also per [1]:
1276//
1277// This chapter represents the consensus from issue #38. The statements in
1278// here are not (yet) "guaranteed" not to change until an RFC ratifies them.
1279//
1280// See issue #38 [2]. While this behavior is not technically guaranteed, the
1281// likelihood that the behavior will change such that SIMD types are no longer
1282// `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes` is next to zero, as
1283// that would defeat the entire purpose of SIMD types. Nonetheless, we put this
1284// behavior behind the `simd` Cargo feature, which requires consumers to opt
1285// into this stability hazard.
1286//
1287// [1] https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html
1288// [2] https://github.com/rust-lang/unsafe-code-guidelines/issues/38
1289#[cfg(feature = "simd")]
1290#[cfg_attr(doc_cfg, doc(cfg(feature = "simd")))]
1291mod simd {
1292 /// Defines a module which implements `TryFromBytes`, `FromZeros`,
1293 /// `FromBytes`, and `IntoBytes` for a set of types from a module in
1294 /// `core::arch`.
1295 ///
1296 /// `$arch` is both the name of the defined module and the name of the
1297 /// module in `core::arch`, and `$typ` is the list of items from that module
1298 /// to implement `FromZeros`, `FromBytes`, and `IntoBytes` for.
1299 #[allow(unused_macros)] // `allow(unused_macros)` is needed because some
1300 // target/feature combinations don't emit any impls
1301 // and thus don't use this macro.
1302 macro_rules! simd_arch_mod {
1303 ($(#[cfg $cfg:tt])* $(#[cfg_attr $cfg_attr:tt])? $arch:ident, $mod:ident, $($typ:ident),*) => {
1304 $(#[cfg $cfg])*
1305 #[cfg_attr(doc_cfg, doc(cfg $($cfg)*))]
1306 $(#[cfg_attr $cfg_attr])?
1307 mod $mod {
1308 use core::arch::$arch::{$($typ),*};
1309
1310 use crate::*;
1311 impl_known_layout!($($typ),*);
1312 // SAFETY: See comment on module definition for justification.
1313 #[allow(clippy::multiple_unsafe_ops_per_block)]
1314 const _: () = unsafe {
1315 $( unsafe_impl!($typ: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); )*
1316 };
1317 }
1318 };
1319 }
1320
1321 #[rustfmt::skip]
1322 const _: () = {
1323 simd_arch_mod!(
1324 #[cfg(target_arch = "x86")]
1325 x86, x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1326 );
1327 #[cfg(not(no_zerocopy_simd_x86_avx12_1_89_0))]
1328 simd_arch_mod!(
1329 #[cfg(target_arch = "x86")]
1330 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.89.0")))]
1331 x86, x86_nightly, __m512bh, __m512, __m512d, __m512i
1332 );
1333 simd_arch_mod!(
1334 #[cfg(target_arch = "x86_64")]
1335 x86_64, x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1336 );
1337 #[cfg(not(no_zerocopy_simd_x86_avx12_1_89_0))]
1338 simd_arch_mod!(
1339 #[cfg(target_arch = "x86_64")]
1340 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.89.0")))]
1341 x86_64, x86_64_nightly, __m512bh, __m512, __m512d, __m512i
1342 );
1343 simd_arch_mod!(
1344 #[cfg(target_arch = "wasm32")]
1345 wasm32, wasm32, v128
1346 );
1347 simd_arch_mod!(
1348 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
1349 powerpc, powerpc, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1350 );
1351 simd_arch_mod!(
1352 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
1353 powerpc64, powerpc64, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1354 );
1355 // NOTE: NEON intrinsics were broken on big-endian platforms from their stabilization up to
1356 // Rust 1.87. (Context in https://github.com/rust-lang/stdarch/issues/1484). Support is
1357 // split in two different version ranges on top of the base configuration, requiring either
1358 // little endian or the more recent version to be detected as well.
1359 #[cfg(not(no_zerocopy_aarch64_simd_1_59_0))]
1360 simd_arch_mod!(
1361 #[cfg(all(
1362 target_arch = "aarch64",
1363 any(
1364 target_endian = "little",
1365 not(no_zerocopy_aarch64_simd_be_1_87_0)
1366 )
1367 ))]
1368 #[cfg_attr(
1369 doc_cfg,
1370 doc(cfg(all(target_arch = "aarch64", any(
1371 all(rust = "1.59.0", target_endian = "little"),
1372 rust = "1.87.0",
1373 ))))
1374 )]
1375 aarch64, aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
1376 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
1377 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
1378 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
1379 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
1380 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x4x2_t, uint16x4x3_t,
1381 uint16x4x4_t, uint16x8_t, uint32x2_t, uint32x4_t, uint64x1_t, uint64x2_t
1382 );
1383 };
1384}
1385
1386#[cfg(test)]
1387mod tests {
1388 use super::*;
1389
1390 #[test]
1391 fn test_impls() {
1392 // A type that can supply test cases for testing
1393 // `TryFromBytes::is_bit_valid`. All types passed to `assert_impls!`
1394 // must implement this trait; that macro uses it to generate runtime
1395 // tests for `TryFromBytes` impls.
1396 //
1397 // All `T: FromBytes` types are provided with a blanket impl. Other
1398 // types must implement `TryFromBytesTestable` directly (ie using
1399 // `impl_try_from_bytes_testable!`).
1400 trait TryFromBytesTestable {
1401 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F);
1402 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F);
1403 }
1404
1405 impl<T: FromBytes> TryFromBytesTestable for T {
1406 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F) {
1407 // Test with a zeroed value.
1408 f(ReadOnly::<Self>::new_box_zeroed().unwrap());
1409
1410 let ffs = {
1411 let mut t = ReadOnly::new(Self::new_zeroed());
1412 let ptr: *mut T = ReadOnly::as_mut(&mut t);
1413 // SAFETY: `T: FromBytes`
1414 unsafe { ptr::write_bytes(ptr.cast::<u8>(), 0xFF, mem::size_of::<T>()) };
1415 t
1416 };
1417
1418 // Test with a value initialized with 0xFF.
1419 f(Box::new(ffs));
1420 }
1421
1422 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {}
1423 }
1424
1425 macro_rules! impl_try_from_bytes_testable_for_null_pointer_optimization {
1426 ($($tys:ty),*) => {
1427 $(
1428 impl TryFromBytesTestable for Option<$tys> {
1429 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F) {
1430 // Test with a zeroed value.
1431 f(Box::new(ReadOnly::new(None)));
1432 }
1433
1434 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F) {
1435 for pos in 0..mem::size_of::<Self>() {
1436 let mut bytes = [0u8; mem::size_of::<Self>()];
1437 bytes[pos] = 0x01;
1438 f(&mut bytes[..]);
1439 }
1440 }
1441 }
1442 )*
1443 };
1444 }
1445
1446 // Implements `TryFromBytesTestable`.
1447 macro_rules! impl_try_from_bytes_testable {
1448 // Base case for recursion (when the list of types has run out).
1449 (=> @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {};
1450 // Implements for type(s) with no type parameters.
1451 ($ty:ty $(,$tys:ty)* => @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1452 impl TryFromBytesTestable for $ty {
1453 impl_try_from_bytes_testable!(
1454 @methods @success $($success_case),*
1455 $(, @failure $($failure_case),*)?
1456 );
1457 }
1458 impl_try_from_bytes_testable!($($tys),* => @success $($success_case),* $(, @failure $($failure_case),*)?);
1459 };
1460 // Implements for multiple types with no type parameters.
1461 ($($($ty:ty),* => @success $($success_case:expr), * $(, @failure $($failure_case:expr),*)?;)*) => {
1462 $(
1463 impl_try_from_bytes_testable!($($ty),* => @success $($success_case),* $(, @failure $($failure_case),*)*);
1464 )*
1465 };
1466 // Implements only the methods; caller must invoke this from inside
1467 // an impl block.
1468 (@methods @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1469 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(_f: F) {
1470 $(
1471 let bx = Box::<Self>::from($success_case);
1472 let ro: Box<ReadOnly<_>> = {
1473 let raw = Box::into_raw(bx);
1474 // SAFETY: `ReadOnly<T>` has the same layout and bit
1475 // validity as `T`.
1476 #[allow(clippy::as_conversions)]
1477 unsafe { Box::from_raw(raw as *mut _) }
1478 };
1479 _f(ro);
1480 )*
1481 }
1482
1483 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {
1484 $($(
1485 let mut case = $failure_case;
1486 _f(case.as_mut_bytes());
1487 )*)?
1488 }
1489 };
1490 }
1491
1492 impl_try_from_bytes_testable_for_null_pointer_optimization!(
1493 Box<UnsafeCell<NotZerocopy>>,
1494 &'static UnsafeCell<NotZerocopy>,
1495 &'static mut UnsafeCell<NotZerocopy>,
1496 NonNull<UnsafeCell<NotZerocopy>>,
1497 fn(),
1498 FnManyArgs,
1499 extern "C" fn(),
1500 ECFnManyArgs
1501 );
1502
1503 macro_rules! bx {
1504 ($e:expr) => {
1505 Box::new($e)
1506 };
1507 }
1508
1509 // Note that these impls are only for types which are not `FromBytes`.
1510 // `FromBytes` types are covered by a preceding blanket impl.
1511 impl_try_from_bytes_testable!(
1512 bool => @success true, false,
1513 @failure 2u8, 3u8, 0xFFu8;
1514 char => @success '\u{0}', '\u{D7FF}', '\u{E000}', '\u{10FFFF}',
1515 @failure 0xD800u32, 0xDFFFu32, 0x110000u32;
1516 str => @success "", "hello", "❤️🧡💛💚💙💜",
1517 @failure [0, 159, 146, 150];
1518 [u8] => @success vec![].into_boxed_slice(), vec![0, 1, 2].into_boxed_slice();
1519 NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32,
1520 NonZeroI32, NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128,
1521 NonZeroUsize, NonZeroIsize
1522 => @success Self::new(1).unwrap(),
1523 // Doing this instead of `0` ensures that we always satisfy
1524 // the size and alignment requirements of `Self` (whereas `0`
1525 // may be any integer type with a different size or alignment
1526 // than some `NonZeroXxx` types).
1527 @failure Option::<Self>::None;
1528 [bool; 0] => @success [];
1529 [bool; 1]
1530 => @success [true], [false],
1531 @failure [2u8], [3u8], [0xFFu8];
1532 [bool]
1533 => @success vec![true, false].into_boxed_slice(), vec![false, true].into_boxed_slice(),
1534 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1535 Unalign<bool>
1536 => @success Unalign::new(false), Unalign::new(true),
1537 @failure 2u8, 0xFFu8;
1538 ManuallyDrop<bool>
1539 => @success ManuallyDrop::new(false), ManuallyDrop::new(true),
1540 @failure 2u8, 0xFFu8;
1541 ManuallyDrop<[u8]>
1542 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([0u8])), bx!(ManuallyDrop::new([0u8, 1u8]));
1543 ManuallyDrop<[bool]>
1544 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([false])), bx!(ManuallyDrop::new([false, true])),
1545 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1546 ManuallyDrop<[UnsafeCell<u8>]>
1547 => @success bx!(ManuallyDrop::new([UnsafeCell::new(0)])), bx!(ManuallyDrop::new([UnsafeCell::new(0), UnsafeCell::new(1)]));
1548 ManuallyDrop<[UnsafeCell<bool>]>
1549 => @success bx!(ManuallyDrop::new([UnsafeCell::new(false)])), bx!(ManuallyDrop::new([UnsafeCell::new(false), UnsafeCell::new(true)])),
1550 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1551 Wrapping<bool>
1552 => @success Wrapping(false), Wrapping(true),
1553 @failure 2u8, 0xFFu8;
1554 *const NotZerocopy
1555 => @success ptr::null::<NotZerocopy>(),
1556 @failure [0x01; mem::size_of::<*const NotZerocopy>()];
1557 *mut NotZerocopy
1558 => @success ptr::null_mut::<NotZerocopy>(),
1559 @failure [0x01; mem::size_of::<*mut NotZerocopy>()];
1560 );
1561
1562 // Use the trick described in [1] to allow us to call methods
1563 // conditional on certain trait bounds.
1564 //
1565 // In all of these cases, methods return `Option<R>`, where `R` is the
1566 // return type of the method we're conditionally calling. The "real"
1567 // implementations (the ones defined in traits using `&self`) return
1568 // `Some`, and the default implementations (the ones defined as inherent
1569 // methods using `&mut self`) return `None`.
1570 //
1571 // [1] https://github.com/dtolnay/case-studies/blob/master/autoref-specialization/README.md
1572 mod autoref_trick {
1573 use super::*;
1574
1575 pub(super) struct AutorefWrapper<T: ?Sized>(pub(super) PhantomData<T>);
1576
1577 pub(super) trait TestIsBitValidShared<T: ?Sized> {
1578 #[allow(clippy::needless_lifetimes)]
1579 fn test_is_bit_valid_shared<'ptr>(&self, candidate: Maybe<'ptr, T>)
1580 -> Option<bool>;
1581 }
1582
1583 impl<T: TryFromBytes + Immutable + ?Sized> TestIsBitValidShared<T> for AutorefWrapper<T> {
1584 #[allow(clippy::needless_lifetimes)]
1585 fn test_is_bit_valid_shared<'ptr>(
1586 &self,
1587 candidate: Maybe<'ptr, T>,
1588 ) -> Option<bool> {
1589 Some(T::is_bit_valid(candidate))
1590 }
1591 }
1592
1593 pub(super) trait TestTryFromRef<T: ?Sized> {
1594 #[allow(clippy::needless_lifetimes)]
1595 fn test_try_from_ref<'bytes>(
1596 &self,
1597 bytes: &'bytes [u8],
1598 ) -> Option<Option<&'bytes T>>;
1599 }
1600
1601 impl<T: TryFromBytes + Immutable + KnownLayout + ?Sized> TestTryFromRef<T> for AutorefWrapper<T> {
1602 #[allow(clippy::needless_lifetimes)]
1603 fn test_try_from_ref<'bytes>(
1604 &self,
1605 bytes: &'bytes [u8],
1606 ) -> Option<Option<&'bytes T>> {
1607 Some(T::try_ref_from_bytes(bytes).ok())
1608 }
1609 }
1610
1611 pub(super) trait TestTryFromMut<T: ?Sized> {
1612 #[allow(clippy::needless_lifetimes)]
1613 fn test_try_from_mut<'bytes>(
1614 &self,
1615 bytes: &'bytes mut [u8],
1616 ) -> Option<Option<&'bytes mut T>>;
1617 }
1618
1619 impl<T: TryFromBytes + IntoBytes + KnownLayout + ?Sized> TestTryFromMut<T> for AutorefWrapper<T> {
1620 #[allow(clippy::needless_lifetimes)]
1621 fn test_try_from_mut<'bytes>(
1622 &self,
1623 bytes: &'bytes mut [u8],
1624 ) -> Option<Option<&'bytes mut T>> {
1625 Some(T::try_mut_from_bytes(bytes).ok())
1626 }
1627 }
1628
1629 pub(super) trait TestTryReadFrom<T> {
1630 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>>;
1631 }
1632
1633 impl<T: TryFromBytes> TestTryReadFrom<T> for AutorefWrapper<T> {
1634 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>> {
1635 Some(T::try_read_from_bytes(bytes).ok())
1636 }
1637 }
1638
1639 pub(super) trait TestAsBytes<T: ?Sized> {
1640 #[allow(clippy::needless_lifetimes)]
1641 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t ReadOnly<T>) -> Option<&'t [u8]>;
1642 }
1643
1644 impl<T: IntoBytes + Immutable + ?Sized> TestAsBytes<T> for AutorefWrapper<T> {
1645 #[allow(clippy::needless_lifetimes)]
1646 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t ReadOnly<T>) -> Option<&'t [u8]> {
1647 Some(t.as_bytes())
1648 }
1649 }
1650 }
1651
1652 use autoref_trick::*;
1653
1654 // Asserts that `$ty` is one of a list of types which are allowed to not
1655 // provide a "real" implementation for `$fn_name`. Since the
1656 // `autoref_trick` machinery fails silently, this allows us to ensure
1657 // that the "default" impls are only being used for types which we
1658 // expect.
1659 //
1660 // Note that, since this is a runtime test, it is possible to have an
1661 // allowlist which is too restrictive if the function in question is
1662 // never called for a particular type. For example, if `as_bytes` is not
1663 // supported for a particular type, and so `test_as_bytes` returns
1664 // `None`, methods such as `test_try_from_ref` may never be called for
1665 // that type. As a result, it's possible that, for example, adding
1666 // `as_bytes` support for a type would cause other allowlist assertions
1667 // to fail. This means that allowlist assertion failures should not
1668 // automatically be taken as a sign of a bug.
1669 macro_rules! assert_on_allowlist {
1670 ($fn_name:ident($ty:ty) $(: $($tys:ty),*)?) => {{
1671 use core::any::TypeId;
1672
1673 let allowlist: &[TypeId] = &[ $($(TypeId::of::<$tys>()),*)? ];
1674 let allowlist_names: &[&str] = &[ $($(stringify!($tys)),*)? ];
1675
1676 let id = TypeId::of::<$ty>();
1677 assert!(allowlist.contains(&id), "{} is not on allowlist for {}: {:?}", stringify!($ty), stringify!($fn_name), allowlist_names);
1678 }};
1679 }
1680
1681 // Asserts that `$ty` implements any `$trait` and doesn't implement any
1682 // `!$trait`. Note that all `$trait`s must come before any `!$trait`s.
1683 //
1684 // For `T: TryFromBytes`, uses `TryFromBytesTestable` to test success
1685 // and failure cases.
1686 macro_rules! assert_impls {
1687 ($ty:ty: TryFromBytes) => {
1688 // "Default" implementations that match the "real"
1689 // implementations defined in the `autoref_trick` module above.
1690 #[allow(unused, non_local_definitions)]
1691 impl AutorefWrapper<$ty> {
1692 #[allow(clippy::needless_lifetimes)]
1693 fn test_is_bit_valid_shared<'ptr>(
1694 &mut self,
1695 candidate: Maybe<'ptr, $ty>,
1696 ) -> Option<bool> {
1697 assert_on_allowlist!(
1698 test_is_bit_valid_shared($ty):
1699 ManuallyDrop<UnsafeCell<()>>,
1700 ManuallyDrop<[UnsafeCell<u8>]>,
1701 ManuallyDrop<[UnsafeCell<bool>]>,
1702 CoreMaybeUninit<NotZerocopy>,
1703 CoreMaybeUninit<UnsafeCell<()>>,
1704 Wrapping<UnsafeCell<()>>
1705 );
1706
1707 None
1708 }
1709
1710 #[allow(clippy::needless_lifetimes)]
1711 fn test_try_from_ref<'bytes>(&mut self, _bytes: &'bytes [u8]) -> Option<Option<&'bytes $ty>> {
1712 assert_on_allowlist!(
1713 test_try_from_ref($ty):
1714 ManuallyDrop<[UnsafeCell<bool>]>
1715 );
1716
1717 None
1718 }
1719
1720 #[allow(clippy::needless_lifetimes)]
1721 fn test_try_from_mut<'bytes>(&mut self, _bytes: &'bytes mut [u8]) -> Option<Option<&'bytes mut $ty>> {
1722 assert_on_allowlist!(
1723 test_try_from_mut($ty):
1724 Option<Box<UnsafeCell<NotZerocopy>>>,
1725 Option<&'static UnsafeCell<NotZerocopy>>,
1726 Option<&'static mut UnsafeCell<NotZerocopy>>,
1727 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1728 Option<fn()>,
1729 Option<FnManyArgs>,
1730 Option<extern "C" fn()>,
1731 Option<ECFnManyArgs>,
1732 *const NotZerocopy,
1733 *mut NotZerocopy
1734 );
1735
1736 None
1737 }
1738
1739 fn test_try_read_from(&mut self, _bytes: &[u8]) -> Option<Option<&$ty>> {
1740 assert_on_allowlist!(
1741 test_try_read_from($ty):
1742 str,
1743 ManuallyDrop<[u8]>,
1744 ManuallyDrop<[bool]>,
1745 ManuallyDrop<[UnsafeCell<bool>]>,
1746 [u8],
1747 [bool]
1748 );
1749
1750 None
1751 }
1752
1753 fn test_as_bytes(&mut self, _t: &ReadOnly<$ty>) -> Option<&[u8]> {
1754 assert_on_allowlist!(
1755 test_as_bytes($ty):
1756 Option<&'static UnsafeCell<NotZerocopy>>,
1757 Option<&'static mut UnsafeCell<NotZerocopy>>,
1758 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1759 Option<Box<UnsafeCell<NotZerocopy>>>,
1760 Option<fn()>,
1761 Option<FnManyArgs>,
1762 Option<extern "C" fn()>,
1763 Option<ECFnManyArgs>,
1764 CoreMaybeUninit<u8>,
1765 CoreMaybeUninit<NotZerocopy>,
1766 CoreMaybeUninit<UnsafeCell<()>>,
1767 ManuallyDrop<UnsafeCell<()>>,
1768 ManuallyDrop<[UnsafeCell<u8>]>,
1769 ManuallyDrop<[UnsafeCell<bool>]>,
1770 Wrapping<UnsafeCell<()>>,
1771 *const NotZerocopy,
1772 *mut NotZerocopy
1773 );
1774
1775 None
1776 }
1777 }
1778
1779 <$ty as TryFromBytesTestable>::with_passing_test_cases(|mut val| {
1780 // FIXME(#494): These tests only get exercised for types
1781 // which are `IntoBytes`. Once we implement #494, we should
1782 // be able to support non-`IntoBytes` types by zeroing
1783 // padding.
1784
1785 // We define `w` and `ww` since, in the case of the inherent
1786 // methods, Rust thinks they're both borrowed mutably at the
1787 // same time (given how we use them below). If we just
1788 // defined a single `w` and used it for multiple operations,
1789 // this would conflict.
1790 //
1791 // We `#[allow(unused_mut]` for the cases where the "real"
1792 // impls are used, which take `&self`.
1793 #[allow(unused_mut)]
1794 let (mut w, mut ww) = (AutorefWrapper::<$ty>(PhantomData), AutorefWrapper::<$ty>(PhantomData));
1795
1796 let c = Ptr::from_ref(&*val);
1797 let c = c.forget_aligned();
1798 // SAFETY: FIXME(#899): This is unsound. `$ty` is not
1799 // necessarily `IntoBytes`, but that's the corner we've
1800 // backed ourselves into by using `Ptr::from_ref`.
1801 let c = unsafe { c.assume_initialized() };
1802 let res = w.test_is_bit_valid_shared(c);
1803 if let Some(res) = res {
1804 assert!(res, "{}::is_bit_valid (shared `Ptr`): got false, expected true", stringify!($ty));
1805 }
1806
1807 let c = Ptr::from_mut(&mut *val);
1808 let c = c.forget_aligned();
1809 // SAFETY: FIXME(#899): This is unsound. `$ty` is not
1810 // necessarily `IntoBytes`, but that's the corner we've
1811 // backed ourselves into by using `Ptr::from_ref`.
1812 let mut c = unsafe { c.assume_initialized() };
1813 let res = <$ty as TryFromBytes>::is_bit_valid(c.reborrow_shared());
1814 assert!(res, "{}::is_bit_valid (exclusive `Ptr`): got false, expected true", stringify!($ty));
1815
1816 // `bytes` is `Some(val.as_bytes())` if `$ty: IntoBytes +
1817 // Immutable` and `None` otherwise.
1818 let bytes = w.test_as_bytes(&*val);
1819
1820 // The inner closure returns
1821 // `Some($ty::try_ref_from_bytes(bytes))` if `$ty:
1822 // Immutable` and `None` otherwise.
1823 let res = bytes.and_then(|bytes| ww.test_try_from_ref(bytes));
1824 if let Some(res) = res {
1825 assert!(res.is_some(), "{}::try_ref_from_bytes: got `None`, expected `Some`", stringify!($ty));
1826 }
1827
1828 if let Some(bytes) = bytes {
1829 // We need to get a mutable byte slice, and so we clone
1830 // into a `Vec`. However, we also need these bytes to
1831 // satisfy `$ty`'s alignment requirement, which isn't
1832 // guaranteed for `Vec<u8>`. In order to get around
1833 // this, we create a `Vec` which is twice as long as we
1834 // need. There is guaranteed to be an aligned byte range
1835 // of size `size_of_val(val)` within that range.
1836 let val = &*val;
1837 let size = mem::size_of_val(val);
1838 let align = mem::align_of_val(val);
1839
1840 let mut vec = bytes.to_vec();
1841 vec.extend(bytes);
1842 let slc = vec.as_slice();
1843 let offset = slc.as_ptr().align_offset(align);
1844 let bytes_mut = &mut vec.as_mut_slice()[offset..offset+size];
1845 bytes_mut.copy_from_slice(bytes);
1846
1847 let res = ww.test_try_from_mut(bytes_mut);
1848 if let Some(res) = res {
1849 assert!(res.is_some(), "{}::try_mut_from_bytes: got `None`, expected `Some`", stringify!($ty));
1850 }
1851 }
1852
1853 let res = bytes.and_then(|bytes| ww.test_try_read_from(bytes));
1854 if let Some(res) = res {
1855 assert!(res.is_some(), "{}::try_read_from_bytes: got `None`, expected `Some`", stringify!($ty));
1856 }
1857 });
1858 #[allow(clippy::as_conversions)]
1859 <$ty as TryFromBytesTestable>::with_failing_test_cases(|c| {
1860 #[allow(unused_mut)] // For cases where the "real" impls are used, which take `&self`.
1861 let mut w = AutorefWrapper::<$ty>(PhantomData);
1862
1863 // This is `Some($ty::try_ref_from_bytes(c))` if `$ty:
1864 // Immutable` and `None` otherwise.
1865 let res = w.test_try_from_ref(c);
1866 if let Some(res) = res {
1867 assert!(res.is_none(), "{}::try_ref_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1868 }
1869
1870 let res = w.test_try_from_mut(c);
1871 if let Some(res) = res {
1872 assert!(res.is_none(), "{}::try_mut_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1873 }
1874
1875
1876 let res = w.test_try_read_from(c);
1877 if let Some(res) = res {
1878 assert!(res.is_none(), "{}::try_read_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1879 }
1880 });
1881
1882 #[allow(dead_code)]
1883 const _: () = { static_assertions::assert_impl_all!($ty: TryFromBytes); };
1884 };
1885 ($ty:ty: $trait:ident) => {
1886 #[allow(dead_code)]
1887 const _: () = { static_assertions::assert_impl_all!($ty: $trait); };
1888 };
1889 ($ty:ty: !$trait:ident) => {
1890 #[allow(dead_code)]
1891 const _: () = { static_assertions::assert_not_impl_any!($ty: $trait); };
1892 };
1893 ($ty:ty: $($trait:ident),* $(,)? $(!$negative_trait:ident),*) => {
1894 $(
1895 assert_impls!($ty: $trait);
1896 )*
1897
1898 $(
1899 assert_impls!($ty: !$negative_trait);
1900 )*
1901 };
1902 }
1903
1904 // NOTE: The negative impl assertions here are not necessarily
1905 // prescriptive. They merely serve as change detectors to make sure
1906 // we're aware of what trait impls are getting added with a given
1907 // change. Of course, some impls would be invalid (e.g., `bool:
1908 // FromBytes`), and so this change detection is very important.
1909
1910 assert_impls!(
1911 (): KnownLayout,
1912 Immutable,
1913 TryFromBytes,
1914 FromZeros,
1915 FromBytes,
1916 IntoBytes,
1917 Unaligned
1918 );
1919 assert_impls!(
1920 u8: KnownLayout,
1921 Immutable,
1922 TryFromBytes,
1923 FromZeros,
1924 FromBytes,
1925 IntoBytes,
1926 Unaligned
1927 );
1928 assert_impls!(
1929 i8: KnownLayout,
1930 Immutable,
1931 TryFromBytes,
1932 FromZeros,
1933 FromBytes,
1934 IntoBytes,
1935 Unaligned
1936 );
1937 assert_impls!(
1938 u16: KnownLayout,
1939 Immutable,
1940 TryFromBytes,
1941 FromZeros,
1942 FromBytes,
1943 IntoBytes,
1944 !Unaligned
1945 );
1946 assert_impls!(
1947 i16: KnownLayout,
1948 Immutable,
1949 TryFromBytes,
1950 FromZeros,
1951 FromBytes,
1952 IntoBytes,
1953 !Unaligned
1954 );
1955 assert_impls!(
1956 u32: KnownLayout,
1957 Immutable,
1958 TryFromBytes,
1959 FromZeros,
1960 FromBytes,
1961 IntoBytes,
1962 !Unaligned
1963 );
1964 assert_impls!(
1965 i32: KnownLayout,
1966 Immutable,
1967 TryFromBytes,
1968 FromZeros,
1969 FromBytes,
1970 IntoBytes,
1971 !Unaligned
1972 );
1973 assert_impls!(
1974 u64: KnownLayout,
1975 Immutable,
1976 TryFromBytes,
1977 FromZeros,
1978 FromBytes,
1979 IntoBytes,
1980 !Unaligned
1981 );
1982 assert_impls!(
1983 i64: KnownLayout,
1984 Immutable,
1985 TryFromBytes,
1986 FromZeros,
1987 FromBytes,
1988 IntoBytes,
1989 !Unaligned
1990 );
1991 assert_impls!(
1992 u128: KnownLayout,
1993 Immutable,
1994 TryFromBytes,
1995 FromZeros,
1996 FromBytes,
1997 IntoBytes,
1998 !Unaligned
1999 );
2000 assert_impls!(
2001 i128: KnownLayout,
2002 Immutable,
2003 TryFromBytes,
2004 FromZeros,
2005 FromBytes,
2006 IntoBytes,
2007 !Unaligned
2008 );
2009 assert_impls!(
2010 usize: KnownLayout,
2011 Immutable,
2012 TryFromBytes,
2013 FromZeros,
2014 FromBytes,
2015 IntoBytes,
2016 !Unaligned
2017 );
2018 assert_impls!(
2019 isize: KnownLayout,
2020 Immutable,
2021 TryFromBytes,
2022 FromZeros,
2023 FromBytes,
2024 IntoBytes,
2025 !Unaligned
2026 );
2027 #[cfg(feature = "float-nightly")]
2028 assert_impls!(
2029 f16: KnownLayout,
2030 Immutable,
2031 TryFromBytes,
2032 FromZeros,
2033 FromBytes,
2034 IntoBytes,
2035 !Unaligned
2036 );
2037 assert_impls!(
2038 f32: KnownLayout,
2039 Immutable,
2040 TryFromBytes,
2041 FromZeros,
2042 FromBytes,
2043 IntoBytes,
2044 !Unaligned
2045 );
2046 assert_impls!(
2047 f64: KnownLayout,
2048 Immutable,
2049 TryFromBytes,
2050 FromZeros,
2051 FromBytes,
2052 IntoBytes,
2053 !Unaligned
2054 );
2055 #[cfg(feature = "float-nightly")]
2056 assert_impls!(
2057 f128: KnownLayout,
2058 Immutable,
2059 TryFromBytes,
2060 FromZeros,
2061 FromBytes,
2062 IntoBytes,
2063 !Unaligned
2064 );
2065 assert_impls!(
2066 bool: KnownLayout,
2067 Immutable,
2068 TryFromBytes,
2069 FromZeros,
2070 IntoBytes,
2071 Unaligned,
2072 !FromBytes
2073 );
2074 assert_impls!(
2075 char: KnownLayout,
2076 Immutable,
2077 TryFromBytes,
2078 FromZeros,
2079 IntoBytes,
2080 !FromBytes,
2081 !Unaligned
2082 );
2083 assert_impls!(
2084 str: KnownLayout,
2085 Immutable,
2086 TryFromBytes,
2087 FromZeros,
2088 IntoBytes,
2089 Unaligned,
2090 !FromBytes
2091 );
2092
2093 assert_impls!(
2094 NonZeroU8: KnownLayout,
2095 Immutable,
2096 TryFromBytes,
2097 IntoBytes,
2098 Unaligned,
2099 !FromZeros,
2100 !FromBytes
2101 );
2102 assert_impls!(
2103 NonZeroI8: KnownLayout,
2104 Immutable,
2105 TryFromBytes,
2106 IntoBytes,
2107 Unaligned,
2108 !FromZeros,
2109 !FromBytes
2110 );
2111 assert_impls!(
2112 NonZeroU16: KnownLayout,
2113 Immutable,
2114 TryFromBytes,
2115 IntoBytes,
2116 !FromBytes,
2117 !Unaligned
2118 );
2119 assert_impls!(
2120 NonZeroI16: KnownLayout,
2121 Immutable,
2122 TryFromBytes,
2123 IntoBytes,
2124 !FromBytes,
2125 !Unaligned
2126 );
2127 assert_impls!(
2128 NonZeroU32: KnownLayout,
2129 Immutable,
2130 TryFromBytes,
2131 IntoBytes,
2132 !FromBytes,
2133 !Unaligned
2134 );
2135 assert_impls!(
2136 NonZeroI32: KnownLayout,
2137 Immutable,
2138 TryFromBytes,
2139 IntoBytes,
2140 !FromBytes,
2141 !Unaligned
2142 );
2143 assert_impls!(
2144 NonZeroU64: KnownLayout,
2145 Immutable,
2146 TryFromBytes,
2147 IntoBytes,
2148 !FromBytes,
2149 !Unaligned
2150 );
2151 assert_impls!(
2152 NonZeroI64: KnownLayout,
2153 Immutable,
2154 TryFromBytes,
2155 IntoBytes,
2156 !FromBytes,
2157 !Unaligned
2158 );
2159 assert_impls!(
2160 NonZeroU128: KnownLayout,
2161 Immutable,
2162 TryFromBytes,
2163 IntoBytes,
2164 !FromBytes,
2165 !Unaligned
2166 );
2167 assert_impls!(
2168 NonZeroI128: KnownLayout,
2169 Immutable,
2170 TryFromBytes,
2171 IntoBytes,
2172 !FromBytes,
2173 !Unaligned
2174 );
2175 assert_impls!(
2176 NonZeroUsize: KnownLayout,
2177 Immutable,
2178 TryFromBytes,
2179 IntoBytes,
2180 !FromBytes,
2181 !Unaligned
2182 );
2183 assert_impls!(
2184 NonZeroIsize: KnownLayout,
2185 Immutable,
2186 TryFromBytes,
2187 IntoBytes,
2188 !FromBytes,
2189 !Unaligned
2190 );
2191
2192 assert_impls!(Option<NonZeroU8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2193 assert_impls!(Option<NonZeroI8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2194 assert_impls!(Option<NonZeroU16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2195 assert_impls!(Option<NonZeroI16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2196 assert_impls!(Option<NonZeroU32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2197 assert_impls!(Option<NonZeroI32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2198 assert_impls!(Option<NonZeroU64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2199 assert_impls!(Option<NonZeroI64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2200 assert_impls!(Option<NonZeroU128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2201 assert_impls!(Option<NonZeroI128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2202 assert_impls!(Option<NonZeroUsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2203 assert_impls!(Option<NonZeroIsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
2204
2205 // Implements none of the ZC traits.
2206 struct NotZerocopy;
2207
2208 #[rustfmt::skip]
2209 type FnManyArgs = fn(
2210 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
2211 ) -> (NotZerocopy, NotZerocopy);
2212
2213 // Allowed, because we're not actually using this type for FFI.
2214 #[allow(improper_ctypes_definitions)]
2215 #[rustfmt::skip]
2216 type ECFnManyArgs = extern "C" fn(
2217 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
2218 ) -> (NotZerocopy, NotZerocopy);
2219
2220 #[cfg(feature = "alloc")]
2221 assert_impls!(Option<Box<UnsafeCell<NotZerocopy>>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2222 assert_impls!(Option<Box<[UnsafeCell<NotZerocopy>]>>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2223 assert_impls!(Option<&'static UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2224 assert_impls!(Option<&'static [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2225 assert_impls!(Option<&'static mut UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2226 assert_impls!(Option<&'static mut [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2227 assert_impls!(Option<NonNull<UnsafeCell<NotZerocopy>>>: KnownLayout, TryFromBytes, FromZeros, Immutable, !FromBytes, !IntoBytes, !Unaligned);
2228 assert_impls!(Option<NonNull<[UnsafeCell<NotZerocopy>]>>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2229 assert_impls!(Option<fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2230 assert_impls!(Option<FnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2231 assert_impls!(Option<extern "C" fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2232 assert_impls!(Option<ECFnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2233
2234 assert_impls!(PhantomData<NotZerocopy>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2235 assert_impls!(PhantomData<UnsafeCell<()>>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2236 assert_impls!(PhantomData<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2237
2238 assert_impls!(ManuallyDrop<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2239 // This test is important because it allows us to test our hand-rolled
2240 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
2241 assert_impls!(ManuallyDrop<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2242 assert_impls!(ManuallyDrop<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2243 // This test is important because it allows us to test our hand-rolled
2244 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
2245 assert_impls!(ManuallyDrop<[bool]>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2246 assert_impls!(ManuallyDrop<NotZerocopy>: !Immutable, !TryFromBytes, !KnownLayout, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2247 assert_impls!(ManuallyDrop<[NotZerocopy]>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2248 assert_impls!(ManuallyDrop<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2249 assert_impls!(ManuallyDrop<[UnsafeCell<u8>]>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2250 assert_impls!(ManuallyDrop<[UnsafeCell<bool>]>: KnownLayout, TryFromBytes, FromZeros, IntoBytes, Unaligned, !Immutable, !FromBytes);
2251
2252 assert_impls!(CoreMaybeUninit<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, Unaligned, !IntoBytes);
2253 assert_impls!(CoreMaybeUninit<NotZerocopy>: KnownLayout, TryFromBytes, FromZeros, FromBytes, !Immutable, !IntoBytes, !Unaligned);
2254 assert_impls!(CoreMaybeUninit<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, Unaligned, !Immutable, !IntoBytes);
2255
2256 assert_impls!(Wrapping<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2257 // This test is important because it allows us to test our hand-rolled
2258 // implementation of `<Wrapping<T> as TryFromBytes>::is_bit_valid`.
2259 assert_impls!(Wrapping<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2260 assert_impls!(Wrapping<NotZerocopy>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2261 assert_impls!(Wrapping<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2262
2263 assert_impls!(Unalign<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2264 // This test is important because it allows us to test our hand-rolled
2265 // implementation of `<Unalign<T> as TryFromBytes>::is_bit_valid`.
2266 assert_impls!(Unalign<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2267 assert_impls!(Unalign<NotZerocopy>: KnownLayout, Unaligned, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes);
2268
2269 assert_impls!(
2270 [u8]: KnownLayout,
2271 Immutable,
2272 TryFromBytes,
2273 FromZeros,
2274 FromBytes,
2275 IntoBytes,
2276 Unaligned
2277 );
2278 assert_impls!(
2279 [bool]: KnownLayout,
2280 Immutable,
2281 TryFromBytes,
2282 FromZeros,
2283 IntoBytes,
2284 Unaligned,
2285 !FromBytes
2286 );
2287 assert_impls!([NotZerocopy]: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2288 assert_impls!(
2289 [u8; 0]: KnownLayout,
2290 Immutable,
2291 TryFromBytes,
2292 FromZeros,
2293 FromBytes,
2294 IntoBytes,
2295 Unaligned,
2296 );
2297 assert_impls!(
2298 [NotZerocopy; 0]: KnownLayout,
2299 !Immutable,
2300 !TryFromBytes,
2301 !FromZeros,
2302 !FromBytes,
2303 !IntoBytes,
2304 !Unaligned
2305 );
2306 assert_impls!(
2307 [u8; 1]: KnownLayout,
2308 Immutable,
2309 TryFromBytes,
2310 FromZeros,
2311 FromBytes,
2312 IntoBytes,
2313 Unaligned,
2314 );
2315 assert_impls!(
2316 [NotZerocopy; 1]: KnownLayout,
2317 !Immutable,
2318 !TryFromBytes,
2319 !FromZeros,
2320 !FromBytes,
2321 !IntoBytes,
2322 !Unaligned
2323 );
2324
2325 assert_impls!(*const NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2326 assert_impls!(*mut NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2327 assert_impls!(*const [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2328 assert_impls!(*mut [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2329 assert_impls!(*const dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2330 assert_impls!(*mut dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2331
2332 #[cfg(feature = "simd")]
2333 {
2334 #[allow(unused_macros)]
2335 macro_rules! test_simd_arch_mod {
2336 ($arch:ident, $($typ:ident),*) => {
2337 {
2338 use core::arch::$arch::{$($typ),*};
2339 use crate::*;
2340 $( assert_impls!($typ: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); )*
2341 }
2342 };
2343 }
2344 #[cfg(target_arch = "x86")]
2345 test_simd_arch_mod!(x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2346
2347 #[cfg(all(not(no_zerocopy_simd_x86_avx12_1_89_0), target_arch = "x86"))]
2348 test_simd_arch_mod!(x86, __m512bh, __m512, __m512d, __m512i);
2349
2350 #[cfg(target_arch = "x86_64")]
2351 test_simd_arch_mod!(x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2352
2353 #[cfg(all(not(no_zerocopy_simd_x86_avx12_1_89_0), target_arch = "x86_64"))]
2354 test_simd_arch_mod!(x86_64, __m512bh, __m512, __m512d, __m512i);
2355
2356 #[cfg(target_arch = "wasm32")]
2357 test_simd_arch_mod!(wasm32, v128);
2358
2359 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
2360 test_simd_arch_mod!(
2361 powerpc,
2362 vector_bool_long,
2363 vector_double,
2364 vector_signed_long,
2365 vector_unsigned_long
2366 );
2367
2368 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
2369 test_simd_arch_mod!(
2370 powerpc64,
2371 vector_bool_long,
2372 vector_double,
2373 vector_signed_long,
2374 vector_unsigned_long
2375 );
2376 #[cfg(all(target_arch = "aarch64", not(no_zerocopy_aarch64_simd_1_59_0)))]
2377 #[rustfmt::skip]
2378 test_simd_arch_mod!(
2379 aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
2380 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
2381 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
2382 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
2383 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
2384 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x4x2_t, uint16x4x3_t,
2385 uint16x4x4_t, uint16x8_t, uint32x2_t, uint32x4_t, uint64x1_t, uint64x2_t
2386 );
2387 }
2388 }
2389}