1 // SPDX-License-Identifier: GPL-2.0
2
3 //! Implementation of [`Bounded`], a wrapper around integer types limiting the number of bits
4 //! usable for value representation.
5
6 use core::{
7 cmp,
8 fmt,
9 ops::{
10 self,
11 Deref, //
12 }, //,
13 };
14
15 use kernel::{
16 num::Integer,
17 prelude::*, //
18 };
19
20 /// Evaluates to `true` if `$value` can be represented using at most `$n` bits in a `$type`.
21 ///
22 /// `expr` must be of type `type`, or the result will be incorrect.
23 ///
24 /// Can be used in const context.
25 macro_rules! fits_within {
26 ($value:expr, $type:ty, $n:expr) => {{
27 let shift: u32 = <$type>::BITS - $n;
28
29 // `value` fits within `$n` bits if shifting it left by the number of unused bits, then
30 // right by the same number, doesn't change it.
31 //
32 // This method has the benefit of working for both unsigned and signed values.
33 ($value << shift) >> shift == $value
34 }};
35 }
36
37 /// Returns `true` if `value` can be represented with at most `N` bits in a `T`.
38 #[inline(always)]
fits_within<T: Integer>(value: T, num_bits: u32) -> bool39 fn fits_within<T: Integer>(value: T, num_bits: u32) -> bool {
40 fits_within!(value, T, num_bits)
41 }
42
43 /// An integer value that requires only the `N` less significant bits of the wrapped type to be
44 /// encoded.
45 ///
46 /// This limits the number of usable bits in the wrapped integer type, and thus the stored value to
47 /// a narrower range, which provides guarantees that can be useful when working with in e.g.
48 /// bitfields.
49 ///
50 /// # Invariants
51 ///
52 /// - `N` is greater than `0`.
53 /// - `N` is less than or equal to `T::BITS`.
54 /// - Stored values can be represented with at most `N` bits.
55 ///
56 /// # Examples
57 ///
58 /// The preferred way to create values is through constants and the [`Bounded::new`] family of
59 /// constructors, as they trigger a build error if the type invariants cannot be withheld.
60 ///
61 /// ```
62 /// use kernel::num::Bounded;
63 ///
64 /// // An unsigned 8-bit integer, of which only the 4 LSBs are used.
65 /// // The value `15` is statically validated to fit that constraint at build time.
66 /// let v = Bounded::<u8, 4>::new::<15>();
67 /// assert_eq!(v.get(), 15);
68 ///
69 /// // Same using signed values.
70 /// let v = Bounded::<i8, 4>::new::<-8>();
71 /// assert_eq!(v.get(), -8);
72 ///
73 /// // This doesn't build: a `u8` is smaller than the requested 9 bits.
74 /// // let _ = Bounded::<u8, 9>::new::<10>();
75 ///
76 /// // This also doesn't build: the requested value doesn't fit within 4 signed bits.
77 /// // let _ = Bounded::<i8, 4>::new::<8>();
78 /// ```
79 ///
80 /// Values can also be validated at runtime with [`Bounded::try_new`].
81 ///
82 /// ```
83 /// use kernel::num::Bounded;
84 ///
85 /// // This succeeds because `15` can be represented with 4 unsigned bits.
86 /// assert!(Bounded::<u8, 4>::try_new(15).is_some());
87 ///
88 /// // This fails because `16` cannot be represented with 4 unsigned bits.
89 /// assert!(Bounded::<u8, 4>::try_new(16).is_none());
90 /// ```
91 ///
92 /// Non-constant expressions can be validated at build-time thanks to compiler optimizations. This
93 /// should be used with caution, on simple expressions only.
94 ///
95 /// ```
96 /// use kernel::num::Bounded;
97 /// # fn some_number() -> u32 { 0xffffffff }
98 ///
99 /// // Here the compiler can infer from the mask that the type invariants are not violated, even
100 /// // though the value returned by `some_number` is not statically known.
101 /// let v = Bounded::<u32, 4>::from_expr(some_number() & 0xf);
102 /// ```
103 ///
104 /// Comparison and arithmetic operations are supported on [`Bounded`]s with a compatible backing
105 /// type, regardless of their number of valid bits.
106 ///
107 /// ```
108 /// use kernel::num::Bounded;
109 ///
110 /// let v1 = Bounded::<u32, 8>::new::<4>();
111 /// let v2 = Bounded::<u32, 4>::new::<15>();
112 ///
113 /// assert!(v1 != v2);
114 /// assert!(v1 < v2);
115 /// assert_eq!(v1 + v2, 19);
116 /// assert_eq!(v2 % v1, 3);
117 /// ```
118 ///
119 /// These operations are also supported between a [`Bounded`] and its backing type.
120 ///
121 /// ```
122 /// use kernel::num::Bounded;
123 ///
124 /// let v = Bounded::<u8, 4>::new::<15>();
125 ///
126 /// assert!(v == 15);
127 /// assert!(v > 12);
128 /// assert_eq!(v + 5, 20);
129 /// assert_eq!(v / 3, 5);
130 /// ```
131 ///
132 /// A change of backing types is possible using [`Bounded::cast`], and the number of valid bits can
133 /// be extended or reduced with [`Bounded::extend`] and [`Bounded::try_shrink`].
134 ///
135 /// ```
136 /// use kernel::num::Bounded;
137 ///
138 /// let v = Bounded::<u32, 12>::new::<127>();
139 ///
140 /// // Changes backing type from `u32` to `u16`.
141 /// let _: Bounded<u16, 12> = v.cast();
142 ///
143 /// // This does not build, as `u8` is smaller than 12 bits.
144 /// // let _: Bounded<u8, 12> = v.cast();
145 ///
146 /// // We can safely extend the number of bits...
147 /// let _ = v.extend::<15>();
148 ///
149 /// // ... to the limits of the backing type. This doesn't build as a `u32` cannot contain 33 bits.
150 /// // let _ = v.extend::<33>();
151 ///
152 /// // Reducing the number of bits is validated at runtime. This works because `127` can be
153 /// // represented with 8 bits.
154 /// assert!(v.try_shrink::<8>().is_some());
155 ///
156 /// // ... but not with 6, so this fails.
157 /// assert!(v.try_shrink::<6>().is_none());
158 /// ```
159 ///
160 /// Infallible conversions from a primitive integer to a large-enough [`Bounded`] are supported.
161 ///
162 /// ```
163 /// use kernel::num::Bounded;
164 ///
165 /// // This unsigned `Bounded` has 8 bits, so it can represent any `u8`.
166 /// let v = Bounded::<u32, 8>::from(128u8);
167 /// assert_eq!(v.get(), 128);
168 ///
169 /// // This signed `Bounded` has 8 bits, so it can represent any `i8`.
170 /// let v = Bounded::<i32, 8>::from(-128i8);
171 /// assert_eq!(v.get(), -128);
172 ///
173 /// // This doesn't build, as this 6-bit `Bounded` does not have enough capacity to represent a
174 /// // `u8` (regardless of the passed value).
175 /// // let _ = Bounded::<u32, 6>::from(10u8);
176 ///
177 /// // Booleans can be converted into single-bit `Bounded`s.
178 ///
179 /// let v = Bounded::<u64, 1>::from(false);
180 /// assert_eq!(v.get(), 0);
181 ///
182 /// let v = Bounded::<u64, 1>::from(true);
183 /// assert_eq!(v.get(), 1);
184 /// ```
185 ///
186 /// Infallible conversions from a [`Bounded`] to a primitive integer are also supported, and
187 /// dependent on the number of bits used for value representation, not on the backing type.
188 ///
189 /// ```
190 /// use kernel::num::Bounded;
191 ///
192 /// // Even though its backing type is `u32`, this `Bounded` only uses 6 bits and thus can safely
193 /// // be converted to a `u8`.
194 /// let v = Bounded::<u32, 6>::new::<63>();
195 /// assert_eq!(u8::from(v), 63);
196 ///
197 /// // Same using signed values.
198 /// let v = Bounded::<i32, 8>::new::<-128>();
199 /// assert_eq!(i8::from(v), -128);
200 ///
201 /// // This however does not build, as 10 bits won't fit into a `u8` (regardless of the actually
202 /// // contained value).
203 /// let _v = Bounded::<u32, 10>::new::<10>();
204 /// // assert_eq!(u8::from(_v), 10);
205 ///
206 /// // Single-bit `Bounded`s can be converted into a boolean.
207 /// let v = Bounded::<u8, 1>::new::<1>();
208 /// assert_eq!(bool::from(v), true);
209 ///
210 /// let v = Bounded::<u8, 1>::new::<0>();
211 /// assert_eq!(bool::from(v), false);
212 /// ```
213 ///
214 /// Fallible conversions from any primitive integer to any [`Bounded`] are also supported using the
215 /// [`TryIntoBounded`] trait.
216 ///
217 /// ```
218 /// use kernel::num::{Bounded, TryIntoBounded};
219 ///
220 /// // Succeeds because `128` fits into 8 bits.
221 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded();
222 /// assert_eq!(v.as_deref().copied(), Some(128));
223 ///
224 /// // Fails because `128` doesn't fits into 6 bits.
225 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded();
226 /// assert_eq!(v, None);
227 /// ```
228 #[repr(transparent)]
229 #[derive(Clone, Copy, Debug, Default, Hash)]
230 pub struct Bounded<T: Integer, const N: u32>(T);
231
232 /// Validating the value as a const expression cannot be done as a regular method, as the
233 /// arithmetic operations we rely on to check the bounds are not const. Thus, implement
234 /// [`Bounded::new`] using a macro.
235 macro_rules! impl_const_new {
236 ($($type:ty)*) => {
237 $(
238 impl<const N: u32> Bounded<$type, N> {
239 /// Creates a [`Bounded`] for the constant `VALUE`.
240 ///
241 /// Fails at build time if `VALUE` cannot be represented with `N` bits.
242 ///
243 /// This method should be preferred to [`Self::from_expr`] whenever possible.
244 ///
245 /// # Examples
246 ///
247 /// ```
248 /// use kernel::num::Bounded;
249 ///
250 #[doc = ::core::concat!(
251 "let v = Bounded::<",
252 ::core::stringify!($type),
253 ", 4>::new::<7>();")]
254 /// assert_eq!(v.get(), 7);
255 /// ```
256 pub const fn new<const VALUE: $type>() -> Self {
257 // Statically assert that `VALUE` fits within the set number of bits.
258 const {
259 assert!(fits_within!(VALUE, $type, N));
260 }
261
262 // INVARIANT: `fits_within` confirmed that `VALUE` can be represented within
263 // `N` bits.
264 Self::__new(VALUE)
265 }
266 }
267 )*
268 };
269 }
270
271 impl_const_new!(
272 u8 u16 u32 u64 usize
273 i8 i16 i32 i64 isize
274 );
275
276 impl<T, const N: u32> Bounded<T, N>
277 where
278 T: Integer,
279 {
280 /// Private constructor enforcing the type invariants.
281 ///
282 /// All instances of [`Bounded`] must be created through this method as it enforces most of the
283 /// type invariants.
284 ///
285 /// The caller remains responsible for checking, either statically or dynamically, that `value`
286 /// can be represented as a `T` using at most `N` bits.
__new(value: T) -> Self287 const fn __new(value: T) -> Self {
288 // Enforce the type invariants.
289 const {
290 // `N` cannot be zero.
291 assert!(N != 0);
292 // The backing type is at least as large as `N` bits.
293 assert!(N <= T::BITS);
294 }
295
296 Self(value)
297 }
298
299 /// Attempts to turn `value` into a `Bounded` using `N` bits.
300 ///
301 /// Returns [`None`] if `value` doesn't fit within `N` bits.
302 ///
303 /// # Examples
304 ///
305 /// ```
306 /// use kernel::num::Bounded;
307 ///
308 /// let v = Bounded::<u8, 1>::try_new(1);
309 /// assert_eq!(v.as_deref().copied(), Some(1));
310 ///
311 /// let v = Bounded::<i8, 4>::try_new(-2);
312 /// assert_eq!(v.as_deref().copied(), Some(-2));
313 ///
314 /// // `0x1ff` doesn't fit into 8 unsigned bits.
315 /// let v = Bounded::<u32, 8>::try_new(0x1ff);
316 /// assert_eq!(v, None);
317 ///
318 /// // The range of values representable with 4 bits is `[-8..=7]`. The following tests these
319 /// // limits.
320 /// let v = Bounded::<i8, 4>::try_new(-8);
321 /// assert_eq!(v.map(Bounded::get), Some(-8));
322 /// let v = Bounded::<i8, 4>::try_new(-9);
323 /// assert_eq!(v, None);
324 /// let v = Bounded::<i8, 4>::try_new(7);
325 /// assert_eq!(v.map(Bounded::get), Some(7));
326 /// let v = Bounded::<i8, 4>::try_new(8);
327 /// assert_eq!(v, None);
328 /// ```
try_new(value: T) -> Option<Self>329 pub fn try_new(value: T) -> Option<Self> {
330 fits_within(value, N).then(|| {
331 // INVARIANT: `fits_within` confirmed that `value` can be represented within `N` bits.
332 Self::__new(value)
333 })
334 }
335
336 /// Checks that `expr` is valid for this type at compile-time and build a new value.
337 ///
338 /// This relies on [`build_assert!`] and guaranteed optimization to perform validation at
339 /// compile-time. If `expr` cannot be proved to be within the requested bounds at compile-time,
340 /// use the fallible [`Self::try_new`] instead.
341 ///
342 /// Limit this to simple, easily provable expressions, and prefer one of the [`Self::new`]
343 /// constructors whenever possible as they statically validate the value instead of relying on
344 /// compiler optimizations.
345 ///
346 /// # Examples
347 ///
348 /// ```
349 /// use kernel::num::Bounded;
350 /// # fn some_number() -> u32 { 0xffffffff }
351 ///
352 /// // Some undefined number.
353 /// let v: u32 = some_number();
354 ///
355 /// // Triggers a build error as `v` cannot be asserted to fit within 4 bits...
356 /// // let _ = Bounded::<u32, 4>::from_expr(v);
357 ///
358 /// // ... but this works as the compiler can assert the range from the mask.
359 /// let _ = Bounded::<u32, 4>::from_expr(v & 0xf);
360 ///
361 /// // These expressions are simple enough to be proven correct, but since they are static the
362 /// // `new` constructor should be preferred.
363 /// assert_eq!(Bounded::<u8, 1>::from_expr(1).get(), 1);
364 /// assert_eq!(Bounded::<u16, 8>::from_expr(0xff).get(), 0xff);
365 /// ```
366 #[inline(always)]
from_expr(expr: T) -> Self367 pub fn from_expr(expr: T) -> Self {
368 crate::build_assert!(
369 fits_within(expr, N),
370 "Requested value larger than maximal representable value."
371 );
372
373 // INVARIANT: `fits_within` confirmed that `expr` can be represented within `N` bits.
374 Self::__new(expr)
375 }
376
377 /// Returns the wrapped value as the backing type.
378 ///
379 /// # Examples
380 ///
381 /// ```
382 /// use kernel::num::Bounded;
383 ///
384 /// let v = Bounded::<u32, 4>::new::<7>();
385 /// assert_eq!(v.get(), 7u32);
386 /// ```
get(self) -> T387 pub fn get(self) -> T {
388 *self.deref()
389 }
390
391 /// Increases the number of bits usable for `self`.
392 ///
393 /// This operation cannot fail.
394 ///
395 /// # Examples
396 ///
397 /// ```
398 /// use kernel::num::Bounded;
399 ///
400 /// let v = Bounded::<u32, 4>::new::<7>();
401 /// let larger_v = v.extend::<12>();
402 /// // The contained values are equal even though `larger_v` has a bigger capacity.
403 /// assert_eq!(larger_v, v);
404 /// ```
extend<const M: u32>(self) -> Bounded<T, M>405 pub const fn extend<const M: u32>(self) -> Bounded<T, M> {
406 const {
407 assert!(
408 M >= N,
409 "Requested number of bits is less than the current representation."
410 );
411 }
412
413 // INVARIANT: The value did fit within `N` bits, so it will all the more fit within
414 // the larger `M` bits.
415 Bounded::__new(self.0)
416 }
417
418 /// Attempts to shrink the number of bits usable for `self`.
419 ///
420 /// Returns [`None`] if the value of `self` cannot be represented within `M` bits.
421 ///
422 /// # Examples
423 ///
424 /// ```
425 /// use kernel::num::Bounded;
426 ///
427 /// let v = Bounded::<u32, 12>::new::<7>();
428 ///
429 /// // `7` can be represented using 3 unsigned bits...
430 /// let smaller_v = v.try_shrink::<3>();
431 /// assert_eq!(smaller_v.as_deref().copied(), Some(7));
432 ///
433 /// // ... but doesn't fit within `2` bits.
434 /// assert_eq!(v.try_shrink::<2>(), None);
435 /// ```
try_shrink<const M: u32>(self) -> Option<Bounded<T, M>>436 pub fn try_shrink<const M: u32>(self) -> Option<Bounded<T, M>> {
437 Bounded::<T, M>::try_new(self.get())
438 }
439
440 /// Casts `self` into a [`Bounded`] backed by a different storage type, but using the same
441 /// number of valid bits.
442 ///
443 /// Both `T` and `U` must be of same signedness, and `U` must be at least as large as
444 /// `N` bits, or a build error will occur.
445 ///
446 /// # Examples
447 ///
448 /// ```
449 /// use kernel::num::Bounded;
450 ///
451 /// let v = Bounded::<u32, 12>::new::<127>();
452 ///
453 /// let u16_v: Bounded<u16, 12> = v.cast();
454 /// assert_eq!(u16_v.get(), 127);
455 ///
456 /// // This won't build: a `u8` is smaller than the required 12 bits.
457 /// // let _: Bounded<u8, 12> = v.cast();
458 /// ```
cast<U>(self) -> Bounded<U, N> where U: TryFrom<T> + Integer, T: Integer, U: Integer<Signedness = T::Signedness>,459 pub fn cast<U>(self) -> Bounded<U, N>
460 where
461 U: TryFrom<T> + Integer,
462 T: Integer,
463 U: Integer<Signedness = T::Signedness>,
464 {
465 // SAFETY: The converted value is represented using `N` bits, `U` can contain `N` bits, and
466 // `U` and `T` have the same sign, hence this conversion cannot fail.
467 let value = unsafe { U::try_from(self.get()).unwrap_unchecked() };
468
469 // INVARIANT: Although the backing type has changed, the value is still represented within
470 // `N` bits, and with the same signedness.
471 Bounded::__new(value)
472 }
473 }
474
475 impl<T, const N: u32> Deref for Bounded<T, N>
476 where
477 T: Integer,
478 {
479 type Target = T;
480
deref(&self) -> &Self::Target481 fn deref(&self) -> &Self::Target {
482 // Enforce the invariant to inform the compiler of the bounds of the value.
483 if !fits_within(self.0, N) {
484 // SAFETY: Per the `Bounded` invariants, `fits_within` can never return `false` on the
485 // value of a valid instance.
486 unsafe { core::hint::unreachable_unchecked() }
487 }
488
489 &self.0
490 }
491 }
492
493 /// Trait similar to [`TryInto`] but for [`Bounded`], to avoid conflicting implementations.
494 ///
495 /// # Examples
496 ///
497 /// ```
498 /// use kernel::num::{Bounded, TryIntoBounded};
499 ///
500 /// // Succeeds because `128` fits into 8 bits.
501 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded();
502 /// assert_eq!(v.as_deref().copied(), Some(128));
503 ///
504 /// // Fails because `128` doesn't fits into 6 bits.
505 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded();
506 /// assert_eq!(v, None);
507 /// ```
508 pub trait TryIntoBounded<T: Integer, const N: u32> {
509 /// Attempts to convert `self` into a [`Bounded`] using `N` bits.
510 ///
511 /// Returns [`None`] if `self` does not fit into the target type.
try_into_bounded(self) -> Option<Bounded<T, N>>512 fn try_into_bounded(self) -> Option<Bounded<T, N>>;
513 }
514
515 /// Any integer value can be attempted to be converted into a [`Bounded`] of any size.
516 impl<T, U, const N: u32> TryIntoBounded<T, N> for U
517 where
518 T: Integer,
519 U: TryInto<T>,
520 {
try_into_bounded(self) -> Option<Bounded<T, N>>521 fn try_into_bounded(self) -> Option<Bounded<T, N>> {
522 self.try_into().ok().and_then(Bounded::try_new)
523 }
524 }
525
526 // Comparisons between `Bounded`s.
527
528 impl<T, U, const N: u32, const M: u32> PartialEq<Bounded<U, M>> for Bounded<T, N>
529 where
530 T: Integer,
531 U: Integer,
532 T: PartialEq<U>,
533 {
eq(&self, other: &Bounded<U, M>) -> bool534 fn eq(&self, other: &Bounded<U, M>) -> bool {
535 self.get() == other.get()
536 }
537 }
538
539 impl<T, const N: u32> Eq for Bounded<T, N> where T: Integer {}
540
541 impl<T, U, const N: u32, const M: u32> PartialOrd<Bounded<U, M>> for Bounded<T, N>
542 where
543 T: Integer,
544 U: Integer,
545 T: PartialOrd<U>,
546 {
partial_cmp(&self, other: &Bounded<U, M>) -> Option<cmp::Ordering>547 fn partial_cmp(&self, other: &Bounded<U, M>) -> Option<cmp::Ordering> {
548 self.get().partial_cmp(&other.get())
549 }
550 }
551
552 impl<T, const N: u32> Ord for Bounded<T, N>
553 where
554 T: Integer,
555 T: Ord,
556 {
cmp(&self, other: &Self) -> cmp::Ordering557 fn cmp(&self, other: &Self) -> cmp::Ordering {
558 self.get().cmp(&other.get())
559 }
560 }
561
562 // Comparisons between a `Bounded` and its backing type.
563
564 impl<T, const N: u32> PartialEq<T> for Bounded<T, N>
565 where
566 T: Integer,
567 T: PartialEq,
568 {
eq(&self, other: &T) -> bool569 fn eq(&self, other: &T) -> bool {
570 self.get() == *other
571 }
572 }
573
574 impl<T, const N: u32> PartialOrd<T> for Bounded<T, N>
575 where
576 T: Integer,
577 T: PartialOrd,
578 {
partial_cmp(&self, other: &T) -> Option<cmp::Ordering>579 fn partial_cmp(&self, other: &T) -> Option<cmp::Ordering> {
580 self.get().partial_cmp(other)
581 }
582 }
583
584 // Implementations of `core::ops` for two `Bounded` with the same backing type.
585
586 impl<T, const N: u32, const M: u32> ops::Add<Bounded<T, M>> for Bounded<T, N>
587 where
588 T: Integer,
589 T: ops::Add<Output = T>,
590 {
591 type Output = T;
592
add(self, rhs: Bounded<T, M>) -> Self::Output593 fn add(self, rhs: Bounded<T, M>) -> Self::Output {
594 self.get() + rhs.get()
595 }
596 }
597
598 impl<T, const N: u32, const M: u32> ops::BitAnd<Bounded<T, M>> for Bounded<T, N>
599 where
600 T: Integer,
601 T: ops::BitAnd<Output = T>,
602 {
603 type Output = T;
604
bitand(self, rhs: Bounded<T, M>) -> Self::Output605 fn bitand(self, rhs: Bounded<T, M>) -> Self::Output {
606 self.get() & rhs.get()
607 }
608 }
609
610 impl<T, const N: u32, const M: u32> ops::BitOr<Bounded<T, M>> for Bounded<T, N>
611 where
612 T: Integer,
613 T: ops::BitOr<Output = T>,
614 {
615 type Output = T;
616
bitor(self, rhs: Bounded<T, M>) -> Self::Output617 fn bitor(self, rhs: Bounded<T, M>) -> Self::Output {
618 self.get() | rhs.get()
619 }
620 }
621
622 impl<T, const N: u32, const M: u32> ops::BitXor<Bounded<T, M>> for Bounded<T, N>
623 where
624 T: Integer,
625 T: ops::BitXor<Output = T>,
626 {
627 type Output = T;
628
bitxor(self, rhs: Bounded<T, M>) -> Self::Output629 fn bitxor(self, rhs: Bounded<T, M>) -> Self::Output {
630 self.get() ^ rhs.get()
631 }
632 }
633
634 impl<T, const N: u32, const M: u32> ops::Div<Bounded<T, M>> for Bounded<T, N>
635 where
636 T: Integer,
637 T: ops::Div<Output = T>,
638 {
639 type Output = T;
640
div(self, rhs: Bounded<T, M>) -> Self::Output641 fn div(self, rhs: Bounded<T, M>) -> Self::Output {
642 self.get() / rhs.get()
643 }
644 }
645
646 impl<T, const N: u32, const M: u32> ops::Mul<Bounded<T, M>> for Bounded<T, N>
647 where
648 T: Integer,
649 T: ops::Mul<Output = T>,
650 {
651 type Output = T;
652
mul(self, rhs: Bounded<T, M>) -> Self::Output653 fn mul(self, rhs: Bounded<T, M>) -> Self::Output {
654 self.get() * rhs.get()
655 }
656 }
657
658 impl<T, const N: u32, const M: u32> ops::Rem<Bounded<T, M>> for Bounded<T, N>
659 where
660 T: Integer,
661 T: ops::Rem<Output = T>,
662 {
663 type Output = T;
664
rem(self, rhs: Bounded<T, M>) -> Self::Output665 fn rem(self, rhs: Bounded<T, M>) -> Self::Output {
666 self.get() % rhs.get()
667 }
668 }
669
670 impl<T, const N: u32, const M: u32> ops::Sub<Bounded<T, M>> for Bounded<T, N>
671 where
672 T: Integer,
673 T: ops::Sub<Output = T>,
674 {
675 type Output = T;
676
sub(self, rhs: Bounded<T, M>) -> Self::Output677 fn sub(self, rhs: Bounded<T, M>) -> Self::Output {
678 self.get() - rhs.get()
679 }
680 }
681
682 // Implementations of `core::ops` between a `Bounded` and its backing type.
683
684 impl<T, const N: u32> ops::Add<T> for Bounded<T, N>
685 where
686 T: Integer,
687 T: ops::Add<Output = T>,
688 {
689 type Output = T;
690
add(self, rhs: T) -> Self::Output691 fn add(self, rhs: T) -> Self::Output {
692 self.get() + rhs
693 }
694 }
695
696 impl<T, const N: u32> ops::BitAnd<T> for Bounded<T, N>
697 where
698 T: Integer,
699 T: ops::BitAnd<Output = T>,
700 {
701 type Output = T;
702
bitand(self, rhs: T) -> Self::Output703 fn bitand(self, rhs: T) -> Self::Output {
704 self.get() & rhs
705 }
706 }
707
708 impl<T, const N: u32> ops::BitOr<T> for Bounded<T, N>
709 where
710 T: Integer,
711 T: ops::BitOr<Output = T>,
712 {
713 type Output = T;
714
bitor(self, rhs: T) -> Self::Output715 fn bitor(self, rhs: T) -> Self::Output {
716 self.get() | rhs
717 }
718 }
719
720 impl<T, const N: u32> ops::BitXor<T> for Bounded<T, N>
721 where
722 T: Integer,
723 T: ops::BitXor<Output = T>,
724 {
725 type Output = T;
726
bitxor(self, rhs: T) -> Self::Output727 fn bitxor(self, rhs: T) -> Self::Output {
728 self.get() ^ rhs
729 }
730 }
731
732 impl<T, const N: u32> ops::Div<T> for Bounded<T, N>
733 where
734 T: Integer,
735 T: ops::Div<Output = T>,
736 {
737 type Output = T;
738
div(self, rhs: T) -> Self::Output739 fn div(self, rhs: T) -> Self::Output {
740 self.get() / rhs
741 }
742 }
743
744 impl<T, const N: u32> ops::Mul<T> for Bounded<T, N>
745 where
746 T: Integer,
747 T: ops::Mul<Output = T>,
748 {
749 type Output = T;
750
mul(self, rhs: T) -> Self::Output751 fn mul(self, rhs: T) -> Self::Output {
752 self.get() * rhs
753 }
754 }
755
756 impl<T, const N: u32> ops::Neg for Bounded<T, N>
757 where
758 T: Integer,
759 T: ops::Neg<Output = T>,
760 {
761 type Output = T;
762
neg(self) -> Self::Output763 fn neg(self) -> Self::Output {
764 -self.get()
765 }
766 }
767
768 impl<T, const N: u32> ops::Not for Bounded<T, N>
769 where
770 T: Integer,
771 T: ops::Not<Output = T>,
772 {
773 type Output = T;
774
not(self) -> Self::Output775 fn not(self) -> Self::Output {
776 !self.get()
777 }
778 }
779
780 impl<T, const N: u32> ops::Rem<T> for Bounded<T, N>
781 where
782 T: Integer,
783 T: ops::Rem<Output = T>,
784 {
785 type Output = T;
786
rem(self, rhs: T) -> Self::Output787 fn rem(self, rhs: T) -> Self::Output {
788 self.get() % rhs
789 }
790 }
791
792 impl<T, const N: u32> ops::Sub<T> for Bounded<T, N>
793 where
794 T: Integer,
795 T: ops::Sub<Output = T>,
796 {
797 type Output = T;
798
sub(self, rhs: T) -> Self::Output799 fn sub(self, rhs: T) -> Self::Output {
800 self.get() - rhs
801 }
802 }
803
804 // Proxy implementations of `core::fmt`.
805
806 impl<T, const N: u32> fmt::Display for Bounded<T, N>
807 where
808 T: Integer,
809 T: fmt::Display,
810 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result811 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
812 self.get().fmt(f)
813 }
814 }
815
816 impl<T, const N: u32> fmt::Binary for Bounded<T, N>
817 where
818 T: Integer,
819 T: fmt::Binary,
820 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result821 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
822 self.get().fmt(f)
823 }
824 }
825
826 impl<T, const N: u32> fmt::LowerExp for Bounded<T, N>
827 where
828 T: Integer,
829 T: fmt::LowerExp,
830 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result831 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
832 self.get().fmt(f)
833 }
834 }
835
836 impl<T, const N: u32> fmt::LowerHex for Bounded<T, N>
837 where
838 T: Integer,
839 T: fmt::LowerHex,
840 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result841 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
842 self.get().fmt(f)
843 }
844 }
845
846 impl<T, const N: u32> fmt::Octal for Bounded<T, N>
847 where
848 T: Integer,
849 T: fmt::Octal,
850 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result851 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
852 self.get().fmt(f)
853 }
854 }
855
856 impl<T, const N: u32> fmt::UpperExp for Bounded<T, N>
857 where
858 T: Integer,
859 T: fmt::UpperExp,
860 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result861 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
862 self.get().fmt(f)
863 }
864 }
865
866 impl<T, const N: u32> fmt::UpperHex for Bounded<T, N>
867 where
868 T: Integer,
869 T: fmt::UpperHex,
870 {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result871 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
872 self.get().fmt(f)
873 }
874 }
875
876 /// Implements `$trait` for all [`Bounded`] types represented using `$num_bits`.
877 ///
878 /// This is used to declare size properties as traits that we can constrain against in impl blocks.
879 macro_rules! impl_size_rule {
880 ($trait:ty, $($num_bits:literal)*) => {
881 $(
882 impl<T> $trait for Bounded<T, $num_bits> where T: Integer {}
883 )*
884 };
885 }
886
887 /// Local trait expressing the fact that a given [`Bounded`] has at least `N` bits used for value
888 /// representation.
889 trait AtLeastXBits<const N: usize> {}
890
891 /// Implementations for infallibly converting a primitive type into a [`Bounded`] that can contain
892 /// it.
893 ///
894 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent
895 /// module.
896 mod atleast_impls {
897 use super::*;
898
899 // Number of bits at least as large as 64.
900 impl_size_rule!(AtLeastXBits<64>, 64);
901
902 // Anything 64 bits or more is also larger than 32.
903 impl<T> AtLeastXBits<32> for T where T: AtLeastXBits<64> {}
904 // Other numbers of bits at least as large as 32.
905 impl_size_rule!(AtLeastXBits<32>,
906 32 33 34 35 36 37 38 39
907 40 41 42 43 44 45 46 47
908 48 49 50 51 52 53 54 55
909 56 57 58 59 60 61 62 63
910 );
911
912 // Anything 32 bits or more is also larger than 16.
913 impl<T> AtLeastXBits<16> for T where T: AtLeastXBits<32> {}
914 // Other numbers of bits at least as large as 16.
915 impl_size_rule!(AtLeastXBits<16>,
916 16 17 18 19 20 21 22 23
917 24 25 26 27 28 29 30 31
918 );
919
920 // Anything 16 bits or more is also larger than 8.
921 impl<T> AtLeastXBits<8> for T where T: AtLeastXBits<16> {}
922 // Other numbers of bits at least as large as 8.
923 impl_size_rule!(AtLeastXBits<8>, 8 9 10 11 12 13 14 15);
924 }
925
926 /// Generates `From` implementations from a primitive type into a [`Bounded`] with
927 /// enough bits to store any value of that type.
928 ///
929 /// Note: The only reason for having this macro is that if we pass `$type` as a generic
930 /// parameter, we cannot use it in the const context of [`AtLeastXBits`]'s generic parameter. This
931 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a
932 /// regular `impl` block.
933 macro_rules! impl_from_primitive {
934 ($($type:ty)*) => {
935 $(
936 #[doc = ::core::concat!(
937 "Conversion from a [`",
938 ::core::stringify!($type),
939 "`] into a [`Bounded`] of same signedness with enough bits to store it.")]
940 impl<T, const N: u32> From<$type> for Bounded<T, N>
941 where
942 $type: Integer,
943 T: Integer<Signedness = <$type as Integer>::Signedness> + From<$type>,
944 Self: AtLeastXBits<{ <$type as Integer>::BITS as usize }>,
945 {
946 fn from(value: $type) -> Self {
947 // INVARIANT: The trait bound on `Self` guarantees that `N` bits is
948 // enough to hold any value of the source type.
949 Self::__new(T::from(value))
950 }
951 }
952 )*
953 }
954 }
955
956 impl_from_primitive!(
957 u8 u16 u32 u64 usize
958 i8 i16 i32 i64 isize
959 );
960
961 /// Local trait expressing the fact that a given [`Bounded`] fits into a primitive type of `N` bits,
962 /// provided they have the same signedness.
963 trait FitsInXBits<const N: usize> {}
964
965 /// Implementations for infallibly converting a [`Bounded`] into a primitive type that can contain
966 /// it.
967 ///
968 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent
969 /// module.
970 mod fits_impls {
971 use super::*;
972
973 // Number of bits that fit into a 8-bits primitive.
974 impl_size_rule!(FitsInXBits<8>, 1 2 3 4 5 6 7 8);
975
976 // Anything that fits into 8 bits also fits into 16.
977 impl<T> FitsInXBits<16> for T where T: FitsInXBits<8> {}
978 // Other number of bits that fit into a 16-bits primitive.
979 impl_size_rule!(FitsInXBits<16>, 9 10 11 12 13 14 15 16);
980
981 // Anything that fits into 16 bits also fits into 32.
982 impl<T> FitsInXBits<32> for T where T: FitsInXBits<16> {}
983 // Other number of bits that fit into a 32-bits primitive.
984 impl_size_rule!(FitsInXBits<32>,
985 17 18 19 20 21 22 23 24
986 25 26 27 28 29 30 31 32
987 );
988
989 // Anything that fits into 32 bits also fits into 64.
990 impl<T> FitsInXBits<64> for T where T: FitsInXBits<32> {}
991 // Other number of bits that fit into a 64-bits primitive.
992 impl_size_rule!(FitsInXBits<64>,
993 33 34 35 36 37 38 39 40
994 41 42 43 44 45 46 47 48
995 49 50 51 52 53 54 55 56
996 57 58 59 60 61 62 63 64
997 );
998 }
999
1000 /// Generates [`From`] implementations from a [`Bounded`] into a primitive type that is
1001 /// guaranteed to contain it.
1002 ///
1003 /// Note: The only reason for having this macro is that if we pass `$type` as a generic
1004 /// parameter, we cannot use it in the const context of `AtLeastXBits`'s generic parameter. This
1005 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a
1006 /// regular `impl` block.
1007 macro_rules! impl_into_primitive {
1008 ($($type:ty)*) => {
1009 $(
1010 #[doc = ::core::concat!(
1011 "Conversion from a [`Bounded`] with no more bits than a [`",
1012 ::core::stringify!($type),
1013 "`] and of same signedness into [`",
1014 ::core::stringify!($type),
1015 "`]")]
1016 impl<T, const N: u32> From<Bounded<T, N>> for $type
1017 where
1018 $type: Integer + TryFrom<T>,
1019 T: Integer<Signedness = <$type as Integer>::Signedness>,
1020 Bounded<T, N>: FitsInXBits<{ <$type as Integer>::BITS as usize }>,
1021 {
1022 fn from(value: Bounded<T, N>) -> $type {
1023 // SAFETY: The trait bound on `Bounded` ensures that any value it holds (which
1024 // is constrained to `N` bits) can fit into the destination type, so this
1025 // conversion cannot fail.
1026 unsafe { <$type>::try_from(value.get()).unwrap_unchecked() }
1027 }
1028 }
1029 )*
1030 }
1031 }
1032
1033 impl_into_primitive!(
1034 u8 u16 u32 u64 usize
1035 i8 i16 i32 i64 isize
1036 );
1037
1038 // Single-bit `Bounded`s can be converted from/to a boolean.
1039
1040 impl<T> From<Bounded<T, 1>> for bool
1041 where
1042 T: Integer + Zeroable,
1043 {
from(value: Bounded<T, 1>) -> Self1044 fn from(value: Bounded<T, 1>) -> Self {
1045 value.get() != Zeroable::zeroed()
1046 }
1047 }
1048
1049 impl<T, const N: u32> From<bool> for Bounded<T, N>
1050 where
1051 T: Integer + From<bool>,
1052 {
from(value: bool) -> Self1053 fn from(value: bool) -> Self {
1054 // INVARIANT: A boolean can be represented using a single bit, and thus fits within any
1055 // integer type for any `N` > 0.
1056 Self::__new(T::from(value))
1057 }
1058 }
1059