1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Implementation of [`Bounded`], a wrapper around integer types limiting the number of bits 4 //! usable for value representation. 5 6 use core::{ 7 cmp, 8 fmt, 9 ops::{ 10 self, 11 Deref, // 12 }, //, 13 }; 14 15 use kernel::{ 16 num::Integer, 17 prelude::*, // 18 }; 19 20 /// Evaluates to `true` if `$value` can be represented using at most `$n` bits in a `$type`. 21 /// 22 /// `expr` must be of type `type`, or the result will be incorrect. 23 /// 24 /// Can be used in const context. 25 macro_rules! fits_within { 26 ($value:expr, $type:ty, $n:expr) => {{ 27 let shift: u32 = <$type>::BITS - $n; 28 29 // `value` fits within `$n` bits if shifting it left by the number of unused bits, then 30 // right by the same number, doesn't change it. 31 // 32 // This method has the benefit of working for both unsigned and signed values. 33 ($value << shift) >> shift == $value 34 }}; 35 } 36 37 /// Returns `true` if `value` can be represented with at most `N` bits in a `T`. 38 #[inline(always)] 39 fn fits_within<T: Integer>(value: T, num_bits: u32) -> bool { 40 fits_within!(value, T, num_bits) 41 } 42 43 /// An integer value that requires only the `N` least significant bits of the wrapped type to be 44 /// encoded. 45 /// 46 /// This limits the number of usable bits in the wrapped integer type, and thus the stored value to 47 /// a narrower range, which provides guarantees that can be useful when working within e.g. 48 /// bitfields. 49 /// 50 /// # Invariants 51 /// 52 /// - `N` is greater than `0`. 53 /// - `N` is less than or equal to `T::BITS`. 54 /// - Stored values can be represented with at most `N` bits. 55 /// 56 /// # Examples 57 /// 58 /// The preferred way to create values is through constants and the [`Bounded::new`] family of 59 /// constructors, as they trigger a build error if the type invariants cannot be upheld. 60 /// 61 /// ``` 62 /// use kernel::num::Bounded; 63 /// 64 /// // An unsigned 8-bit integer, of which only the 4 LSBs are used. 65 /// // The value `15` is statically validated to fit that constraint at build time. 66 /// let v = Bounded::<u8, 4>::new::<15>(); 67 /// assert_eq!(v.get(), 15); 68 /// 69 /// // Same using signed values. 70 /// let v = Bounded::<i8, 4>::new::<-8>(); 71 /// assert_eq!(v.get(), -8); 72 /// 73 /// // This doesn't build: a `u8` is smaller than the requested 9 bits. 74 /// // let _ = Bounded::<u8, 9>::new::<10>(); 75 /// 76 /// // This also doesn't build: the requested value doesn't fit within 4 signed bits. 77 /// // let _ = Bounded::<i8, 4>::new::<8>(); 78 /// ``` 79 /// 80 /// Values can also be validated at runtime with [`Bounded::try_new`]. 81 /// 82 /// ``` 83 /// use kernel::num::Bounded; 84 /// 85 /// // This succeeds because `15` can be represented with 4 unsigned bits. 86 /// assert!(Bounded::<u8, 4>::try_new(15).is_some()); 87 /// 88 /// // This fails because `16` cannot be represented with 4 unsigned bits. 89 /// assert!(Bounded::<u8, 4>::try_new(16).is_none()); 90 /// ``` 91 /// 92 /// Non-constant expressions can be validated at build-time thanks to compiler optimizations. This 93 /// should be used with caution, on simple expressions only. 94 /// 95 /// ``` 96 /// use kernel::num::Bounded; 97 /// # fn some_number() -> u32 { 0xffffffff } 98 /// 99 /// // Here the compiler can infer from the mask that the type invariants are not violated, even 100 /// // though the value returned by `some_number` is not statically known. 101 /// let v = Bounded::<u32, 4>::from_expr(some_number() & 0xf); 102 /// ``` 103 /// 104 /// Comparison and arithmetic operations are supported on [`Bounded`]s with a compatible backing 105 /// type, regardless of their number of valid bits. 106 /// 107 /// ``` 108 /// use kernel::num::Bounded; 109 /// 110 /// let v1 = Bounded::<u32, 8>::new::<4>(); 111 /// let v2 = Bounded::<u32, 4>::new::<15>(); 112 /// 113 /// assert!(v1 != v2); 114 /// assert!(v1 < v2); 115 /// assert_eq!(v1 + v2, 19); 116 /// assert_eq!(v2 % v1, 3); 117 /// ``` 118 /// 119 /// These operations are also supported between a [`Bounded`] and its backing type. 120 /// 121 /// ``` 122 /// use kernel::num::Bounded; 123 /// 124 /// let v = Bounded::<u8, 4>::new::<15>(); 125 /// 126 /// assert!(v == 15); 127 /// assert!(v > 12); 128 /// assert_eq!(v + 5, 20); 129 /// assert_eq!(v / 3, 5); 130 /// ``` 131 /// 132 /// A change of backing types is possible using [`Bounded::cast`], and the number of valid bits can 133 /// be extended or reduced with [`Bounded::extend`] and [`Bounded::try_shrink`]. 134 /// 135 /// ``` 136 /// use kernel::num::Bounded; 137 /// 138 /// let v = Bounded::<u32, 12>::new::<127>(); 139 /// 140 /// // Changes backing type from `u32` to `u16`. 141 /// let _: Bounded<u16, 12> = v.cast(); 142 /// 143 /// // This does not build, as `u8` is smaller than 12 bits. 144 /// // let _: Bounded<u8, 12> = v.cast(); 145 /// 146 /// // We can safely extend the number of bits... 147 /// let _ = v.extend::<15>(); 148 /// 149 /// // ... to the limits of the backing type. This doesn't build as a `u32` cannot contain 33 bits. 150 /// // let _ = v.extend::<33>(); 151 /// 152 /// // Reducing the number of bits is validated at runtime. This works because `127` can be 153 /// // represented with 8 bits. 154 /// assert!(v.try_shrink::<8>().is_some()); 155 /// 156 /// // ... but not with 6, so this fails. 157 /// assert!(v.try_shrink::<6>().is_none()); 158 /// ``` 159 /// 160 /// Infallible conversions from a primitive integer to a large-enough [`Bounded`] are supported. 161 /// 162 /// ``` 163 /// use kernel::num::Bounded; 164 /// 165 /// // This unsigned `Bounded` has 8 bits, so it can represent any `u8`. 166 /// let v = Bounded::<u32, 8>::from(128u8); 167 /// assert_eq!(v.get(), 128); 168 /// 169 /// // This signed `Bounded` has 8 bits, so it can represent any `i8`. 170 /// let v = Bounded::<i32, 8>::from(-128i8); 171 /// assert_eq!(v.get(), -128); 172 /// 173 /// // This doesn't build, as this 6-bit `Bounded` does not have enough capacity to represent a 174 /// // `u8` (regardless of the passed value). 175 /// // let _ = Bounded::<u32, 6>::from(10u8); 176 /// 177 /// // Booleans can be converted into single-bit `Bounded`s. 178 /// 179 /// let v = Bounded::<u64, 1>::from(false); 180 /// assert_eq!(v.get(), 0); 181 /// 182 /// let v = Bounded::<u64, 1>::from(true); 183 /// assert_eq!(v.get(), 1); 184 /// ``` 185 /// 186 /// Infallible conversions from a [`Bounded`] to a primitive integer are also supported, and 187 /// dependent on the number of bits used for value representation, not on the backing type. 188 /// 189 /// ``` 190 /// use kernel::num::Bounded; 191 /// 192 /// // Even though its backing type is `u32`, this `Bounded` only uses 6 bits and thus can safely 193 /// // be converted to a `u8`. 194 /// let v = Bounded::<u32, 6>::new::<63>(); 195 /// assert_eq!(u8::from(v), 63); 196 /// 197 /// // Same using signed values. 198 /// let v = Bounded::<i32, 8>::new::<-128>(); 199 /// assert_eq!(i8::from(v), -128); 200 /// 201 /// // This however does not build, as 10 bits won't fit into a `u8` (regardless of the actually 202 /// // contained value). 203 /// let _v = Bounded::<u32, 10>::new::<10>(); 204 /// // assert_eq!(u8::from(_v), 10); 205 /// 206 /// // Single-bit `Bounded`s can be converted into a boolean. 207 /// let v = Bounded::<u8, 1>::new::<1>(); 208 /// assert_eq!(bool::from(v), true); 209 /// 210 /// let v = Bounded::<u8, 1>::new::<0>(); 211 /// assert_eq!(bool::from(v), false); 212 /// ``` 213 /// 214 /// Fallible conversions from any primitive integer to any [`Bounded`] are also supported using the 215 /// [`TryIntoBounded`] trait. 216 /// 217 /// ``` 218 /// use kernel::num::{Bounded, TryIntoBounded}; 219 /// 220 /// // Succeeds because `128` fits into 8 bits. 221 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded(); 222 /// assert_eq!(v.as_deref().copied(), Some(128)); 223 /// 224 /// // Fails because `128` doesn't fit into 6 bits. 225 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded(); 226 /// assert_eq!(v, None); 227 /// ``` 228 #[repr(transparent)] 229 #[derive(Clone, Copy, Debug, Default, Hash)] 230 pub struct Bounded<T: Integer, const N: u32>(T); 231 232 /// Validating the value as a const expression cannot be done as a regular method, as the 233 /// arithmetic operations we rely on to check the bounds are not const. Thus, implement 234 /// [`Bounded::new`] using a macro. 235 macro_rules! impl_const_new { 236 ($($type:ty)*) => { 237 $( 238 impl<const N: u32> Bounded<$type, N> { 239 /// Creates a [`Bounded`] for the constant `VALUE`. 240 /// 241 /// Fails at build time if `VALUE` cannot be represented with `N` bits. 242 /// 243 /// This method should be preferred to [`Self::from_expr`] whenever possible. 244 /// 245 /// # Examples 246 /// 247 /// ``` 248 /// use kernel::num::Bounded; 249 /// 250 #[doc = ::core::concat!( 251 "let v = Bounded::<", 252 ::core::stringify!($type), 253 ", 4>::new::<7>();")] 254 /// assert_eq!(v.get(), 7); 255 /// ``` 256 pub const fn new<const VALUE: $type>() -> Self { 257 // Statically assert that `VALUE` fits within the set number of bits. 258 const { 259 assert!(fits_within!(VALUE, $type, N)); 260 } 261 262 // SAFETY: `fits_within` confirmed that `VALUE` can be represented within 263 // `N` bits. 264 unsafe { Self::__new(VALUE) } 265 } 266 } 267 )* 268 }; 269 } 270 271 impl_const_new!( 272 u8 u16 u32 u64 usize 273 i8 i16 i32 i64 isize 274 ); 275 276 impl<T, const N: u32> Bounded<T, N> 277 where 278 T: Integer, 279 { 280 /// Private constructor enforcing the type invariants. 281 /// 282 /// All instances of [`Bounded`] must be created through this method as it enforces most of the 283 /// type invariants. 284 /// 285 /// # Safety 286 /// 287 /// The caller must ensure that `value` can be represented within `N` bits. 288 const unsafe fn __new(value: T) -> Self { 289 // Enforce the type invariants. 290 const { 291 // `N` cannot be zero. 292 assert!(N != 0); 293 // The backing type is at least as large as `N` bits. 294 assert!(N <= T::BITS); 295 } 296 297 // INVARIANT: The caller ensures `value` fits within `N` bits. 298 Self(value) 299 } 300 301 /// Attempts to turn `value` into a `Bounded` using `N` bits. 302 /// 303 /// Returns [`None`] if `value` doesn't fit within `N` bits. 304 /// 305 /// # Examples 306 /// 307 /// ``` 308 /// use kernel::num::Bounded; 309 /// 310 /// let v = Bounded::<u8, 1>::try_new(1); 311 /// assert_eq!(v.as_deref().copied(), Some(1)); 312 /// 313 /// let v = Bounded::<i8, 4>::try_new(-2); 314 /// assert_eq!(v.as_deref().copied(), Some(-2)); 315 /// 316 /// // `0x1ff` doesn't fit into 8 unsigned bits. 317 /// let v = Bounded::<u32, 8>::try_new(0x1ff); 318 /// assert_eq!(v, None); 319 /// 320 /// // The range of values representable with 4 bits is `[-8..=7]`. The following tests these 321 /// // limits. 322 /// let v = Bounded::<i8, 4>::try_new(-8); 323 /// assert_eq!(v.map(Bounded::get), Some(-8)); 324 /// let v = Bounded::<i8, 4>::try_new(-9); 325 /// assert_eq!(v, None); 326 /// let v = Bounded::<i8, 4>::try_new(7); 327 /// assert_eq!(v.map(Bounded::get), Some(7)); 328 /// let v = Bounded::<i8, 4>::try_new(8); 329 /// assert_eq!(v, None); 330 /// ``` 331 pub fn try_new(value: T) -> Option<Self> { 332 fits_within(value, N).then(|| { 333 // SAFETY: `fits_within` confirmed that `value` can be represented within `N` bits. 334 unsafe { Self::__new(value) } 335 }) 336 } 337 338 /// Checks that `expr` is valid for this type at compile-time and build a new value. 339 /// 340 /// This relies on [`build_assert!`] and guaranteed optimization to perform validation at 341 /// compile-time. If `expr` cannot be proved to be within the requested bounds at compile-time, 342 /// use the fallible [`Self::try_new`] instead. 343 /// 344 /// Limit this to simple, easily provable expressions, and prefer one of the [`Self::new`] 345 /// constructors whenever possible as they statically validate the value instead of relying on 346 /// compiler optimizations. 347 /// 348 /// # Examples 349 /// 350 /// ``` 351 /// use kernel::num::Bounded; 352 /// # fn some_number() -> u32 { 0xffffffff } 353 /// 354 /// // Some undefined number. 355 /// let v: u32 = some_number(); 356 /// 357 /// // Triggers a build error as `v` cannot be asserted to fit within 4 bits... 358 /// // let _ = Bounded::<u32, 4>::from_expr(v); 359 /// 360 /// // ... but this works as the compiler can assert the range from the mask. 361 /// let _ = Bounded::<u32, 4>::from_expr(v & 0xf); 362 /// 363 /// // These expressions are simple enough to be proven correct, but since they are static the 364 /// // `new` constructor should be preferred. 365 /// assert_eq!(Bounded::<u8, 1>::from_expr(1).get(), 1); 366 /// assert_eq!(Bounded::<u16, 8>::from_expr(0xff).get(), 0xff); 367 /// ``` 368 // Always inline to optimize out error path of `build_assert`. 369 #[inline(always)] 370 pub fn from_expr(expr: T) -> Self { 371 crate::build_assert!( 372 fits_within(expr, N), 373 "Requested value larger than maximal representable value." 374 ); 375 376 // SAFETY: `fits_within` confirmed that `expr` can be represented within `N` bits. 377 unsafe { Self::__new(expr) } 378 } 379 380 /// Returns the wrapped value as the backing type. 381 /// 382 /// This is similar to the [`Deref`] implementation, but doesn't enforce the size invariant of 383 /// the [`Bounded`], which might produce slightly less optimal code. 384 /// 385 /// # Examples 386 /// 387 /// ``` 388 /// use kernel::num::Bounded; 389 /// 390 /// let v = Bounded::<u32, 4>::new::<7>(); 391 /// assert_eq!(v.get(), 7u32); 392 /// ``` 393 pub const fn get(self) -> T { 394 self.0 395 } 396 397 /// Increases the number of bits usable for `self`. 398 /// 399 /// This operation cannot fail. 400 /// 401 /// # Examples 402 /// 403 /// ``` 404 /// use kernel::num::Bounded; 405 /// 406 /// let v = Bounded::<u32, 4>::new::<7>(); 407 /// let larger_v = v.extend::<12>(); 408 /// // The contained values are equal even though `larger_v` has a bigger capacity. 409 /// assert_eq!(larger_v, v); 410 /// ``` 411 pub const fn extend<const M: u32>(self) -> Bounded<T, M> { 412 const { 413 assert!( 414 M >= N, 415 "Requested number of bits is less than the current representation." 416 ); 417 } 418 419 // SAFETY: The value did fit within `N` bits, so it will all the more fit within 420 // the larger `M` bits. 421 unsafe { Bounded::__new(self.0) } 422 } 423 424 /// Attempts to shrink the number of bits usable for `self`. 425 /// 426 /// Returns [`None`] if the value of `self` cannot be represented within `M` bits. 427 /// 428 /// # Examples 429 /// 430 /// ``` 431 /// use kernel::num::Bounded; 432 /// 433 /// let v = Bounded::<u32, 12>::new::<7>(); 434 /// 435 /// // `7` can be represented using 3 unsigned bits... 436 /// let smaller_v = v.try_shrink::<3>(); 437 /// assert_eq!(smaller_v.as_deref().copied(), Some(7)); 438 /// 439 /// // ... but doesn't fit within `2` bits. 440 /// assert_eq!(v.try_shrink::<2>(), None); 441 /// ``` 442 pub fn try_shrink<const M: u32>(self) -> Option<Bounded<T, M>> { 443 Bounded::<T, M>::try_new(self.get()) 444 } 445 446 /// Casts `self` into a [`Bounded`] backed by a different storage type, but using the same 447 /// number of valid bits. 448 /// 449 /// Both `T` and `U` must be of same signedness, and `U` must be at least as large as 450 /// `N` bits, or a build error will occur. 451 /// 452 /// # Examples 453 /// 454 /// ``` 455 /// use kernel::num::Bounded; 456 /// 457 /// let v = Bounded::<u32, 12>::new::<127>(); 458 /// 459 /// let u16_v: Bounded<u16, 12> = v.cast(); 460 /// assert_eq!(u16_v.get(), 127); 461 /// 462 /// // This won't build: a `u8` is smaller than the required 12 bits. 463 /// // let _: Bounded<u8, 12> = v.cast(); 464 /// ``` 465 pub fn cast<U>(self) -> Bounded<U, N> 466 where 467 U: TryFrom<T> + Integer, 468 T: Integer, 469 U: Integer<Signedness = T::Signedness>, 470 { 471 // SAFETY: The converted value is represented using `N` bits, `U` can contain `N` bits, and 472 // `U` and `T` have the same sign, hence this conversion cannot fail. 473 let value = unsafe { U::try_from(self.get()).unwrap_unchecked() }; 474 475 // SAFETY: Although the backing type has changed, the value is still represented within 476 // `N` bits, and with the same signedness. 477 unsafe { Bounded::__new(value) } 478 } 479 480 /// Right-shifts `self` by `SHIFT` and returns the result as a `Bounded<_, RES>`, where `RES >= 481 /// N - SHIFT`. 482 /// 483 /// # Examples 484 /// 485 /// ``` 486 /// use kernel::num::Bounded; 487 /// 488 /// let v = Bounded::<u32, 16>::new::<0xff00>(); 489 /// let v_shifted: Bounded::<u32, 8> = v.shr::<8, _>(); 490 /// 491 /// assert_eq!(v_shifted.get(), 0xff); 492 /// ``` 493 pub fn shr<const SHIFT: u32, const RES: u32>(self) -> Bounded<T, RES> { 494 const { assert!(RES + SHIFT >= N) } 495 496 // SAFETY: We shift the value right by `SHIFT`, reducing the number of bits needed to 497 // represent the shifted value by as much, and just asserted that `RES >= N - SHIFT`. 498 unsafe { Bounded::__new(self.0 >> SHIFT) } 499 } 500 501 /// Left-shifts `self` by `SHIFT` and returns the result as a `Bounded<_, RES>`, where `RES >= 502 /// N + SHIFT`. 503 /// 504 /// # Examples 505 /// 506 /// ``` 507 /// use kernel::num::Bounded; 508 /// 509 /// let v = Bounded::<u32, 8>::new::<0xff>(); 510 /// let v_shifted: Bounded::<u32, 16> = v.shl::<8, _>(); 511 /// 512 /// assert_eq!(v_shifted.get(), 0xff00); 513 /// ``` 514 pub fn shl<const SHIFT: u32, const RES: u32>(self) -> Bounded<T, RES> { 515 const { assert!(RES >= N + SHIFT) } 516 517 // SAFETY: We shift the value left by `SHIFT`, augmenting the number of bits needed to 518 // represent the shifted value by as much, and just asserted that `RES >= N + SHIFT`. 519 unsafe { Bounded::__new(self.0 << SHIFT) } 520 } 521 } 522 523 impl<T, const N: u32> Deref for Bounded<T, N> 524 where 525 T: Integer, 526 { 527 type Target = T; 528 529 fn deref(&self) -> &Self::Target { 530 // Enforce the invariant to inform the compiler of the bounds of the value. 531 if !fits_within(self.0, N) { 532 // SAFETY: Per the `Bounded` invariants, `fits_within` can never return `false` on the 533 // value of a valid instance. 534 unsafe { core::hint::unreachable_unchecked() } 535 } 536 537 &self.0 538 } 539 } 540 541 /// Trait similar to [`TryInto`] but for [`Bounded`], to avoid conflicting implementations. 542 /// 543 /// # Examples 544 /// 545 /// ``` 546 /// use kernel::num::{Bounded, TryIntoBounded}; 547 /// 548 /// // Succeeds because `128` fits into 8 bits. 549 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded(); 550 /// assert_eq!(v.as_deref().copied(), Some(128)); 551 /// 552 /// // Fails because `128` doesn't fit into 6 bits. 553 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded(); 554 /// assert_eq!(v, None); 555 /// ``` 556 pub trait TryIntoBounded<T: Integer, const N: u32> { 557 /// Attempts to convert `self` into a [`Bounded`] using `N` bits. 558 /// 559 /// Returns [`None`] if `self` does not fit into the target type. 560 fn try_into_bounded(self) -> Option<Bounded<T, N>>; 561 } 562 563 /// Any integer value can be attempted to be converted into a [`Bounded`] of any size. 564 impl<T, U, const N: u32> TryIntoBounded<T, N> for U 565 where 566 T: Integer, 567 U: TryInto<T>, 568 { 569 fn try_into_bounded(self) -> Option<Bounded<T, N>> { 570 self.try_into().ok().and_then(Bounded::try_new) 571 } 572 } 573 574 // Comparisons between `Bounded`s. 575 576 impl<T, U, const N: u32, const M: u32> PartialEq<Bounded<U, M>> for Bounded<T, N> 577 where 578 T: Integer, 579 U: Integer, 580 T: PartialEq<U>, 581 { 582 fn eq(&self, other: &Bounded<U, M>) -> bool { 583 self.get() == other.get() 584 } 585 } 586 587 impl<T, const N: u32> Eq for Bounded<T, N> where T: Integer {} 588 589 impl<T, U, const N: u32, const M: u32> PartialOrd<Bounded<U, M>> for Bounded<T, N> 590 where 591 T: Integer, 592 U: Integer, 593 T: PartialOrd<U>, 594 { 595 fn partial_cmp(&self, other: &Bounded<U, M>) -> Option<cmp::Ordering> { 596 self.get().partial_cmp(&other.get()) 597 } 598 } 599 600 impl<T, const N: u32> Ord for Bounded<T, N> 601 where 602 T: Integer, 603 T: Ord, 604 { 605 fn cmp(&self, other: &Self) -> cmp::Ordering { 606 self.get().cmp(&other.get()) 607 } 608 } 609 610 // Comparisons between a `Bounded` and its backing type. 611 612 impl<T, const N: u32> PartialEq<T> for Bounded<T, N> 613 where 614 T: Integer, 615 T: PartialEq, 616 { 617 fn eq(&self, other: &T) -> bool { 618 self.get() == *other 619 } 620 } 621 622 impl<T, const N: u32> PartialOrd<T> for Bounded<T, N> 623 where 624 T: Integer, 625 T: PartialOrd, 626 { 627 fn partial_cmp(&self, other: &T) -> Option<cmp::Ordering> { 628 self.get().partial_cmp(other) 629 } 630 } 631 632 // Implementations of `core::ops` for two `Bounded` with the same backing type. 633 634 impl<T, const N: u32, const M: u32> ops::Add<Bounded<T, M>> for Bounded<T, N> 635 where 636 T: Integer, 637 T: ops::Add<Output = T>, 638 { 639 type Output = T; 640 641 fn add(self, rhs: Bounded<T, M>) -> Self::Output { 642 self.get() + rhs.get() 643 } 644 } 645 646 impl<T, const N: u32, const M: u32> ops::BitAnd<Bounded<T, M>> for Bounded<T, N> 647 where 648 T: Integer, 649 T: ops::BitAnd<Output = T>, 650 { 651 type Output = T; 652 653 fn bitand(self, rhs: Bounded<T, M>) -> Self::Output { 654 self.get() & rhs.get() 655 } 656 } 657 658 impl<T, const N: u32, const M: u32> ops::BitOr<Bounded<T, M>> for Bounded<T, N> 659 where 660 T: Integer, 661 T: ops::BitOr<Output = T>, 662 { 663 type Output = T; 664 665 fn bitor(self, rhs: Bounded<T, M>) -> Self::Output { 666 self.get() | rhs.get() 667 } 668 } 669 670 impl<T, const N: u32, const M: u32> ops::BitXor<Bounded<T, M>> for Bounded<T, N> 671 where 672 T: Integer, 673 T: ops::BitXor<Output = T>, 674 { 675 type Output = T; 676 677 fn bitxor(self, rhs: Bounded<T, M>) -> Self::Output { 678 self.get() ^ rhs.get() 679 } 680 } 681 682 impl<T, const N: u32, const M: u32> ops::Div<Bounded<T, M>> for Bounded<T, N> 683 where 684 T: Integer, 685 T: ops::Div<Output = T>, 686 { 687 type Output = T; 688 689 fn div(self, rhs: Bounded<T, M>) -> Self::Output { 690 self.get() / rhs.get() 691 } 692 } 693 694 impl<T, const N: u32, const M: u32> ops::Mul<Bounded<T, M>> for Bounded<T, N> 695 where 696 T: Integer, 697 T: ops::Mul<Output = T>, 698 { 699 type Output = T; 700 701 fn mul(self, rhs: Bounded<T, M>) -> Self::Output { 702 self.get() * rhs.get() 703 } 704 } 705 706 impl<T, const N: u32, const M: u32> ops::Rem<Bounded<T, M>> for Bounded<T, N> 707 where 708 T: Integer, 709 T: ops::Rem<Output = T>, 710 { 711 type Output = T; 712 713 fn rem(self, rhs: Bounded<T, M>) -> Self::Output { 714 self.get() % rhs.get() 715 } 716 } 717 718 impl<T, const N: u32, const M: u32> ops::Sub<Bounded<T, M>> for Bounded<T, N> 719 where 720 T: Integer, 721 T: ops::Sub<Output = T>, 722 { 723 type Output = T; 724 725 fn sub(self, rhs: Bounded<T, M>) -> Self::Output { 726 self.get() - rhs.get() 727 } 728 } 729 730 // Implementations of `core::ops` between a `Bounded` and its backing type. 731 732 impl<T, const N: u32> ops::Add<T> for Bounded<T, N> 733 where 734 T: Integer, 735 T: ops::Add<Output = T>, 736 { 737 type Output = T; 738 739 fn add(self, rhs: T) -> Self::Output { 740 self.get() + rhs 741 } 742 } 743 744 impl<T, const N: u32> ops::BitAnd<T> for Bounded<T, N> 745 where 746 T: Integer, 747 T: ops::BitAnd<Output = T>, 748 { 749 type Output = T; 750 751 fn bitand(self, rhs: T) -> Self::Output { 752 self.get() & rhs 753 } 754 } 755 756 impl<T, const N: u32> ops::BitOr<T> for Bounded<T, N> 757 where 758 T: Integer, 759 T: ops::BitOr<Output = T>, 760 { 761 type Output = T; 762 763 fn bitor(self, rhs: T) -> Self::Output { 764 self.get() | rhs 765 } 766 } 767 768 impl<T, const N: u32> ops::BitXor<T> for Bounded<T, N> 769 where 770 T: Integer, 771 T: ops::BitXor<Output = T>, 772 { 773 type Output = T; 774 775 fn bitxor(self, rhs: T) -> Self::Output { 776 self.get() ^ rhs 777 } 778 } 779 780 impl<T, const N: u32> ops::Div<T> for Bounded<T, N> 781 where 782 T: Integer, 783 T: ops::Div<Output = T>, 784 { 785 type Output = T; 786 787 fn div(self, rhs: T) -> Self::Output { 788 self.get() / rhs 789 } 790 } 791 792 impl<T, const N: u32> ops::Mul<T> for Bounded<T, N> 793 where 794 T: Integer, 795 T: ops::Mul<Output = T>, 796 { 797 type Output = T; 798 799 fn mul(self, rhs: T) -> Self::Output { 800 self.get() * rhs 801 } 802 } 803 804 impl<T, const N: u32> ops::Neg for Bounded<T, N> 805 where 806 T: Integer, 807 T: ops::Neg<Output = T>, 808 { 809 type Output = T; 810 811 fn neg(self) -> Self::Output { 812 -self.get() 813 } 814 } 815 816 impl<T, const N: u32> ops::Not for Bounded<T, N> 817 where 818 T: Integer, 819 T: ops::Not<Output = T>, 820 { 821 type Output = T; 822 823 fn not(self) -> Self::Output { 824 !self.get() 825 } 826 } 827 828 impl<T, const N: u32> ops::Rem<T> for Bounded<T, N> 829 where 830 T: Integer, 831 T: ops::Rem<Output = T>, 832 { 833 type Output = T; 834 835 fn rem(self, rhs: T) -> Self::Output { 836 self.get() % rhs 837 } 838 } 839 840 impl<T, const N: u32> ops::Sub<T> for Bounded<T, N> 841 where 842 T: Integer, 843 T: ops::Sub<Output = T>, 844 { 845 type Output = T; 846 847 fn sub(self, rhs: T) -> Self::Output { 848 self.get() - rhs 849 } 850 } 851 852 // Proxy implementations of `core::fmt`. 853 854 impl<T, const N: u32> fmt::Display for Bounded<T, N> 855 where 856 T: Integer, 857 T: fmt::Display, 858 { 859 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 860 self.get().fmt(f) 861 } 862 } 863 864 impl<T, const N: u32> fmt::Binary for Bounded<T, N> 865 where 866 T: Integer, 867 T: fmt::Binary, 868 { 869 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 870 self.get().fmt(f) 871 } 872 } 873 874 impl<T, const N: u32> fmt::LowerExp for Bounded<T, N> 875 where 876 T: Integer, 877 T: fmt::LowerExp, 878 { 879 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 880 self.get().fmt(f) 881 } 882 } 883 884 impl<T, const N: u32> fmt::LowerHex for Bounded<T, N> 885 where 886 T: Integer, 887 T: fmt::LowerHex, 888 { 889 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 890 self.get().fmt(f) 891 } 892 } 893 894 impl<T, const N: u32> fmt::Octal for Bounded<T, N> 895 where 896 T: Integer, 897 T: fmt::Octal, 898 { 899 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 900 self.get().fmt(f) 901 } 902 } 903 904 impl<T, const N: u32> fmt::UpperExp for Bounded<T, N> 905 where 906 T: Integer, 907 T: fmt::UpperExp, 908 { 909 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 910 self.get().fmt(f) 911 } 912 } 913 914 impl<T, const N: u32> fmt::UpperHex for Bounded<T, N> 915 where 916 T: Integer, 917 T: fmt::UpperHex, 918 { 919 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 920 self.get().fmt(f) 921 } 922 } 923 924 /// Implements `$trait` for all [`Bounded`] types represented using `$num_bits`. 925 /// 926 /// This is used to declare size properties as traits that we can constrain against in impl blocks. 927 macro_rules! impl_size_rule { 928 ($trait:ty, $($num_bits:literal)*) => { 929 $( 930 impl<T> $trait for Bounded<T, $num_bits> where T: Integer {} 931 )* 932 }; 933 } 934 935 /// Local trait expressing the fact that a given [`Bounded`] has at least `N` bits used for value 936 /// representation. 937 trait AtLeastXBits<const N: usize> {} 938 939 /// Implementations for infallibly converting a primitive type into a [`Bounded`] that can contain 940 /// it. 941 /// 942 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent 943 /// module. 944 mod atleast_impls { 945 use super::*; 946 947 // Number of bits at least as large as 64. 948 impl_size_rule!(AtLeastXBits<64>, 64); 949 950 // Anything 64 bits or more is also larger than 32. 951 impl<T> AtLeastXBits<32> for T where T: AtLeastXBits<64> {} 952 // Other numbers of bits at least as large as 32. 953 impl_size_rule!(AtLeastXBits<32>, 954 32 33 34 35 36 37 38 39 955 40 41 42 43 44 45 46 47 956 48 49 50 51 52 53 54 55 957 56 57 58 59 60 61 62 63 958 ); 959 960 // Anything 32 bits or more is also larger than 16. 961 impl<T> AtLeastXBits<16> for T where T: AtLeastXBits<32> {} 962 // Other numbers of bits at least as large as 16. 963 impl_size_rule!(AtLeastXBits<16>, 964 16 17 18 19 20 21 22 23 965 24 25 26 27 28 29 30 31 966 ); 967 968 // Anything 16 bits or more is also larger than 8. 969 impl<T> AtLeastXBits<8> for T where T: AtLeastXBits<16> {} 970 // Other numbers of bits at least as large as 8. 971 impl_size_rule!(AtLeastXBits<8>, 8 9 10 11 12 13 14 15); 972 } 973 974 /// Generates `From` implementations from a primitive type into a [`Bounded`] with 975 /// enough bits to store any value of that type. 976 /// 977 /// Note: The only reason for having this macro is that if we pass `$type` as a generic 978 /// parameter, we cannot use it in the const context of [`AtLeastXBits`]'s generic parameter. This 979 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a 980 /// regular `impl` block. 981 macro_rules! impl_from_primitive { 982 ($($type:ty)*) => { 983 $( 984 #[doc = ::core::concat!( 985 "Conversion from a [`", 986 ::core::stringify!($type), 987 "`] into a [`Bounded`] of same signedness with enough bits to store it.")] 988 impl<T, const N: u32> From<$type> for Bounded<T, N> 989 where 990 $type: Integer, 991 T: Integer<Signedness = <$type as Integer>::Signedness> + From<$type>, 992 Self: AtLeastXBits<{ <$type as Integer>::BITS as usize }>, 993 { 994 fn from(value: $type) -> Self { 995 // SAFETY: The trait bound on `Self` guarantees that `N` bits is 996 // enough to hold any value of the source type. 997 unsafe { Self::__new(T::from(value)) } 998 } 999 } 1000 )* 1001 } 1002 } 1003 1004 impl_from_primitive!( 1005 u8 u16 u32 u64 usize 1006 i8 i16 i32 i64 isize 1007 ); 1008 1009 /// Local trait expressing the fact that a given [`Bounded`] fits into a primitive type of `N` bits, 1010 /// provided they have the same signedness. 1011 trait FitsInXBits<const N: usize> {} 1012 1013 /// Implementations for infallibly converting a [`Bounded`] into a primitive type that can contain 1014 /// it. 1015 /// 1016 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent 1017 /// module. 1018 mod fits_impls { 1019 use super::*; 1020 1021 // Number of bits that fit into a 8-bits primitive. 1022 impl_size_rule!(FitsInXBits<8>, 1 2 3 4 5 6 7 8); 1023 1024 // Anything that fits into 8 bits also fits into 16. 1025 impl<T> FitsInXBits<16> for T where T: FitsInXBits<8> {} 1026 // Other number of bits that fit into a 16-bits primitive. 1027 impl_size_rule!(FitsInXBits<16>, 9 10 11 12 13 14 15 16); 1028 1029 // Anything that fits into 16 bits also fits into 32. 1030 impl<T> FitsInXBits<32> for T where T: FitsInXBits<16> {} 1031 // Other number of bits that fit into a 32-bits primitive. 1032 impl_size_rule!(FitsInXBits<32>, 1033 17 18 19 20 21 22 23 24 1034 25 26 27 28 29 30 31 32 1035 ); 1036 1037 // Anything that fits into 32 bits also fits into 64. 1038 impl<T> FitsInXBits<64> for T where T: FitsInXBits<32> {} 1039 // Other number of bits that fit into a 64-bits primitive. 1040 impl_size_rule!(FitsInXBits<64>, 1041 33 34 35 36 37 38 39 40 1042 41 42 43 44 45 46 47 48 1043 49 50 51 52 53 54 55 56 1044 57 58 59 60 61 62 63 64 1045 ); 1046 } 1047 1048 /// Generates [`From`] implementations from a [`Bounded`] into a primitive type that is 1049 /// guaranteed to contain it. 1050 /// 1051 /// Note: The only reason for having this macro is that if we pass `$type` as a generic 1052 /// parameter, we cannot use it in the const context of `AtLeastXBits`'s generic parameter. This 1053 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a 1054 /// regular `impl` block. 1055 macro_rules! impl_into_primitive { 1056 ($($type:ty)*) => { 1057 $( 1058 #[doc = ::core::concat!( 1059 "Conversion from a [`Bounded`] with no more bits than a [`", 1060 ::core::stringify!($type), 1061 "`] and of same signedness into [`", 1062 ::core::stringify!($type), 1063 "`]")] 1064 impl<T, const N: u32> From<Bounded<T, N>> for $type 1065 where 1066 $type: Integer + TryFrom<T>, 1067 T: Integer<Signedness = <$type as Integer>::Signedness>, 1068 Bounded<T, N>: FitsInXBits<{ <$type as Integer>::BITS as usize }>, 1069 { 1070 fn from(value: Bounded<T, N>) -> $type { 1071 // SAFETY: The trait bound on `Bounded` ensures that any value it holds (which 1072 // is constrained to `N` bits) can fit into the destination type, so this 1073 // conversion cannot fail. 1074 unsafe { <$type>::try_from(value.get()).unwrap_unchecked() } 1075 } 1076 } 1077 )* 1078 } 1079 } 1080 1081 impl_into_primitive!( 1082 u8 u16 u32 u64 usize 1083 i8 i16 i32 i64 isize 1084 ); 1085 1086 // Single-bit `Bounded`s can be converted from/to a boolean. 1087 1088 impl<T> From<Bounded<T, 1>> for bool 1089 where 1090 T: Integer + Zeroable, 1091 { 1092 fn from(value: Bounded<T, 1>) -> Self { 1093 value.get() != Zeroable::zeroed() 1094 } 1095 } 1096 1097 impl<T, const N: u32> From<bool> for Bounded<T, N> 1098 where 1099 T: Integer + From<bool>, 1100 { 1101 fn from(value: bool) -> Self { 1102 // SAFETY: A boolean can be represented using a single bit, and thus fits within any 1103 // integer type for any `N` > 0. 1104 unsafe { Self::__new(T::from(value)) } 1105 } 1106 } 1107 1108 impl<T> Bounded<T, 1> 1109 where 1110 T: Integer + Zeroable, 1111 { 1112 /// Converts this [`Bounded`] into a [`bool`]. 1113 /// 1114 /// This is a shorter way of writing `bool::from(self)`. 1115 /// 1116 /// # Examples 1117 /// 1118 /// ``` 1119 /// use kernel::num::Bounded; 1120 /// 1121 /// assert_eq!(Bounded::<u8, 1>::new::<0>().into_bool(), false); 1122 /// assert_eq!(Bounded::<u8, 1>::new::<1>().into_bool(), true); 1123 /// ``` 1124 pub fn into_bool(self) -> bool { 1125 self.into() 1126 } 1127 } 1128