1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Implementation of [`Bounded`], a wrapper around integer types limiting the number of bits 4 //! usable for value representation. 5 6 use core::{ 7 cmp, 8 fmt, 9 ops::{ 10 self, 11 Deref, // 12 }, //, 13 }; 14 15 use kernel::{ 16 num::Integer, 17 prelude::*, // 18 }; 19 20 /// Evaluates to `true` if `$value` can be represented using at most `$n` bits in a `$type`. 21 /// 22 /// `expr` must be of type `type`, or the result will be incorrect. 23 /// 24 /// Can be used in const context. 25 macro_rules! fits_within { 26 ($value:expr, $type:ty, $n:expr) => {{ 27 let shift: u32 = <$type>::BITS - $n; 28 29 // `value` fits within `$n` bits if shifting it left by the number of unused bits, then 30 // right by the same number, doesn't change it. 31 // 32 // This method has the benefit of working for both unsigned and signed values. 33 ($value << shift) >> shift == $value 34 }}; 35 } 36 37 /// Returns `true` if `value` can be represented with at most `N` bits in a `T`. 38 #[inline(always)] 39 fn fits_within<T: Integer>(value: T, num_bits: u32) -> bool { 40 fits_within!(value, T, num_bits) 41 } 42 43 /// An integer value that requires only the `N` less significant bits of the wrapped type to be 44 /// encoded. 45 /// 46 /// This limits the number of usable bits in the wrapped integer type, and thus the stored value to 47 /// a narrower range, which provides guarantees that can be useful when working with in e.g. 48 /// bitfields. 49 /// 50 /// # Invariants 51 /// 52 /// - `N` is greater than `0`. 53 /// - `N` is less than or equal to `T::BITS`. 54 /// - Stored values can be represented with at most `N` bits. 55 /// 56 /// # Examples 57 /// 58 /// The preferred way to create values is through constants and the [`Bounded::new`] family of 59 /// constructors, as they trigger a build error if the type invariants cannot be withheld. 60 /// 61 /// ``` 62 /// use kernel::num::Bounded; 63 /// 64 /// // An unsigned 8-bit integer, of which only the 4 LSBs are used. 65 /// // The value `15` is statically validated to fit that constraint at build time. 66 /// let v = Bounded::<u8, 4>::new::<15>(); 67 /// assert_eq!(v.get(), 15); 68 /// 69 /// // Same using signed values. 70 /// let v = Bounded::<i8, 4>::new::<-8>(); 71 /// assert_eq!(v.get(), -8); 72 /// 73 /// // This doesn't build: a `u8` is smaller than the requested 9 bits. 74 /// // let _ = Bounded::<u8, 9>::new::<10>(); 75 /// 76 /// // This also doesn't build: the requested value doesn't fit within 4 signed bits. 77 /// // let _ = Bounded::<i8, 4>::new::<8>(); 78 /// ``` 79 /// 80 /// Values can also be validated at runtime with [`Bounded::try_new`]. 81 /// 82 /// ``` 83 /// use kernel::num::Bounded; 84 /// 85 /// // This succeeds because `15` can be represented with 4 unsigned bits. 86 /// assert!(Bounded::<u8, 4>::try_new(15).is_some()); 87 /// 88 /// // This fails because `16` cannot be represented with 4 unsigned bits. 89 /// assert!(Bounded::<u8, 4>::try_new(16).is_none()); 90 /// ``` 91 /// 92 /// Non-constant expressions can be validated at build-time thanks to compiler optimizations. This 93 /// should be used with caution, on simple expressions only. 94 /// 95 /// ``` 96 /// use kernel::num::Bounded; 97 /// # fn some_number() -> u32 { 0xffffffff } 98 /// 99 /// // Here the compiler can infer from the mask that the type invariants are not violated, even 100 /// // though the value returned by `some_number` is not statically known. 101 /// let v = Bounded::<u32, 4>::from_expr(some_number() & 0xf); 102 /// ``` 103 /// 104 /// Comparison and arithmetic operations are supported on [`Bounded`]s with a compatible backing 105 /// type, regardless of their number of valid bits. 106 /// 107 /// ``` 108 /// use kernel::num::Bounded; 109 /// 110 /// let v1 = Bounded::<u32, 8>::new::<4>(); 111 /// let v2 = Bounded::<u32, 4>::new::<15>(); 112 /// 113 /// assert!(v1 != v2); 114 /// assert!(v1 < v2); 115 /// assert_eq!(v1 + v2, 19); 116 /// assert_eq!(v2 % v1, 3); 117 /// ``` 118 /// 119 /// These operations are also supported between a [`Bounded`] and its backing type. 120 /// 121 /// ``` 122 /// use kernel::num::Bounded; 123 /// 124 /// let v = Bounded::<u8, 4>::new::<15>(); 125 /// 126 /// assert!(v == 15); 127 /// assert!(v > 12); 128 /// assert_eq!(v + 5, 20); 129 /// assert_eq!(v / 3, 5); 130 /// ``` 131 /// 132 /// A change of backing types is possible using [`Bounded::cast`], and the number of valid bits can 133 /// be extended or reduced with [`Bounded::extend`] and [`Bounded::try_shrink`]. 134 /// 135 /// ``` 136 /// use kernel::num::Bounded; 137 /// 138 /// let v = Bounded::<u32, 12>::new::<127>(); 139 /// 140 /// // Changes backing type from `u32` to `u16`. 141 /// let _: Bounded<u16, 12> = v.cast(); 142 /// 143 /// // This does not build, as `u8` is smaller than 12 bits. 144 /// // let _: Bounded<u8, 12> = v.cast(); 145 /// 146 /// // We can safely extend the number of bits... 147 /// let _ = v.extend::<15>(); 148 /// 149 /// // ... to the limits of the backing type. This doesn't build as a `u32` cannot contain 33 bits. 150 /// // let _ = v.extend::<33>(); 151 /// 152 /// // Reducing the number of bits is validated at runtime. This works because `127` can be 153 /// // represented with 8 bits. 154 /// assert!(v.try_shrink::<8>().is_some()); 155 /// 156 /// // ... but not with 6, so this fails. 157 /// assert!(v.try_shrink::<6>().is_none()); 158 /// ``` 159 /// 160 /// Infallible conversions from a primitive integer to a large-enough [`Bounded`] are supported. 161 /// 162 /// ``` 163 /// use kernel::num::Bounded; 164 /// 165 /// // This unsigned `Bounded` has 8 bits, so it can represent any `u8`. 166 /// let v = Bounded::<u32, 8>::from(128u8); 167 /// assert_eq!(v.get(), 128); 168 /// 169 /// // This signed `Bounded` has 8 bits, so it can represent any `i8`. 170 /// let v = Bounded::<i32, 8>::from(-128i8); 171 /// assert_eq!(v.get(), -128); 172 /// 173 /// // This doesn't build, as this 6-bit `Bounded` does not have enough capacity to represent a 174 /// // `u8` (regardless of the passed value). 175 /// // let _ = Bounded::<u32, 6>::from(10u8); 176 /// 177 /// // Booleans can be converted into single-bit `Bounded`s. 178 /// 179 /// let v = Bounded::<u64, 1>::from(false); 180 /// assert_eq!(v.get(), 0); 181 /// 182 /// let v = Bounded::<u64, 1>::from(true); 183 /// assert_eq!(v.get(), 1); 184 /// ``` 185 /// 186 /// Infallible conversions from a [`Bounded`] to a primitive integer are also supported, and 187 /// dependent on the number of bits used for value representation, not on the backing type. 188 /// 189 /// ``` 190 /// use kernel::num::Bounded; 191 /// 192 /// // Even though its backing type is `u32`, this `Bounded` only uses 6 bits and thus can safely 193 /// // be converted to a `u8`. 194 /// let v = Bounded::<u32, 6>::new::<63>(); 195 /// assert_eq!(u8::from(v), 63); 196 /// 197 /// // Same using signed values. 198 /// let v = Bounded::<i32, 8>::new::<-128>(); 199 /// assert_eq!(i8::from(v), -128); 200 /// 201 /// // This however does not build, as 10 bits won't fit into a `u8` (regardless of the actually 202 /// // contained value). 203 /// let _v = Bounded::<u32, 10>::new::<10>(); 204 /// // assert_eq!(u8::from(_v), 10); 205 /// 206 /// // Single-bit `Bounded`s can be converted into a boolean. 207 /// let v = Bounded::<u8, 1>::new::<1>(); 208 /// assert_eq!(bool::from(v), true); 209 /// 210 /// let v = Bounded::<u8, 1>::new::<0>(); 211 /// assert_eq!(bool::from(v), false); 212 /// ``` 213 /// 214 /// Fallible conversions from any primitive integer to any [`Bounded`] are also supported using the 215 /// [`TryIntoBounded`] trait. 216 /// 217 /// ``` 218 /// use kernel::num::{Bounded, TryIntoBounded}; 219 /// 220 /// // Succeeds because `128` fits into 8 bits. 221 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded(); 222 /// assert_eq!(v.as_deref().copied(), Some(128)); 223 /// 224 /// // Fails because `128` doesn't fits into 6 bits. 225 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded(); 226 /// assert_eq!(v, None); 227 /// ``` 228 #[repr(transparent)] 229 #[derive(Clone, Copy, Debug, Default, Hash)] 230 pub struct Bounded<T: Integer, const N: u32>(T); 231 232 /// Validating the value as a const expression cannot be done as a regular method, as the 233 /// arithmetic operations we rely on to check the bounds are not const. Thus, implement 234 /// [`Bounded::new`] using a macro. 235 macro_rules! impl_const_new { 236 ($($type:ty)*) => { 237 $( 238 impl<const N: u32> Bounded<$type, N> { 239 /// Creates a [`Bounded`] for the constant `VALUE`. 240 /// 241 /// Fails at build time if `VALUE` cannot be represented with `N` bits. 242 /// 243 /// This method should be preferred to [`Self::from_expr`] whenever possible. 244 /// 245 /// # Examples 246 /// 247 /// ``` 248 /// use kernel::num::Bounded; 249 /// 250 #[doc = ::core::concat!( 251 "let v = Bounded::<", 252 ::core::stringify!($type), 253 ", 4>::new::<7>();")] 254 /// assert_eq!(v.get(), 7); 255 /// ``` 256 pub const fn new<const VALUE: $type>() -> Self { 257 // Statically assert that `VALUE` fits within the set number of bits. 258 const { 259 assert!(fits_within!(VALUE, $type, N)); 260 } 261 262 // INVARIANT: `fits_within` confirmed that `VALUE` can be represented within 263 // `N` bits. 264 Self::__new(VALUE) 265 } 266 } 267 )* 268 }; 269 } 270 271 impl_const_new!( 272 u8 u16 u32 u64 usize 273 i8 i16 i32 i64 isize 274 ); 275 276 impl<T, const N: u32> Bounded<T, N> 277 where 278 T: Integer, 279 { 280 /// Private constructor enforcing the type invariants. 281 /// 282 /// All instances of [`Bounded`] must be created through this method as it enforces most of the 283 /// type invariants. 284 /// 285 /// The caller remains responsible for checking, either statically or dynamically, that `value` 286 /// can be represented as a `T` using at most `N` bits. 287 const fn __new(value: T) -> Self { 288 // Enforce the type invariants. 289 const { 290 // `N` cannot be zero. 291 assert!(N != 0); 292 // The backing type is at least as large as `N` bits. 293 assert!(N <= T::BITS); 294 } 295 296 Self(value) 297 } 298 299 /// Attempts to turn `value` into a `Bounded` using `N` bits. 300 /// 301 /// Returns [`None`] if `value` doesn't fit within `N` bits. 302 /// 303 /// # Examples 304 /// 305 /// ``` 306 /// use kernel::num::Bounded; 307 /// 308 /// let v = Bounded::<u8, 1>::try_new(1); 309 /// assert_eq!(v.as_deref().copied(), Some(1)); 310 /// 311 /// let v = Bounded::<i8, 4>::try_new(-2); 312 /// assert_eq!(v.as_deref().copied(), Some(-2)); 313 /// 314 /// // `0x1ff` doesn't fit into 8 unsigned bits. 315 /// let v = Bounded::<u32, 8>::try_new(0x1ff); 316 /// assert_eq!(v, None); 317 /// 318 /// // The range of values representable with 4 bits is `[-8..=7]`. The following tests these 319 /// // limits. 320 /// let v = Bounded::<i8, 4>::try_new(-8); 321 /// assert_eq!(v.map(Bounded::get), Some(-8)); 322 /// let v = Bounded::<i8, 4>::try_new(-9); 323 /// assert_eq!(v, None); 324 /// let v = Bounded::<i8, 4>::try_new(7); 325 /// assert_eq!(v.map(Bounded::get), Some(7)); 326 /// let v = Bounded::<i8, 4>::try_new(8); 327 /// assert_eq!(v, None); 328 /// ``` 329 pub fn try_new(value: T) -> Option<Self> { 330 fits_within(value, N).then(|| { 331 // INVARIANT: `fits_within` confirmed that `value` can be represented within `N` bits. 332 Self::__new(value) 333 }) 334 } 335 336 /// Checks that `expr` is valid for this type at compile-time and build a new value. 337 /// 338 /// This relies on [`build_assert!`] and guaranteed optimization to perform validation at 339 /// compile-time. If `expr` cannot be proved to be within the requested bounds at compile-time, 340 /// use the fallible [`Self::try_new`] instead. 341 /// 342 /// Limit this to simple, easily provable expressions, and prefer one of the [`Self::new`] 343 /// constructors whenever possible as they statically validate the value instead of relying on 344 /// compiler optimizations. 345 /// 346 /// # Examples 347 /// 348 /// ``` 349 /// use kernel::num::Bounded; 350 /// # fn some_number() -> u32 { 0xffffffff } 351 /// 352 /// // Some undefined number. 353 /// let v: u32 = some_number(); 354 /// 355 /// // Triggers a build error as `v` cannot be asserted to fit within 4 bits... 356 /// // let _ = Bounded::<u32, 4>::from_expr(v); 357 /// 358 /// // ... but this works as the compiler can assert the range from the mask. 359 /// let _ = Bounded::<u32, 4>::from_expr(v & 0xf); 360 /// 361 /// // These expressions are simple enough to be proven correct, but since they are static the 362 /// // `new` constructor should be preferred. 363 /// assert_eq!(Bounded::<u8, 1>::from_expr(1).get(), 1); 364 /// assert_eq!(Bounded::<u16, 8>::from_expr(0xff).get(), 0xff); 365 /// ``` 366 #[inline(always)] 367 pub fn from_expr(expr: T) -> Self { 368 crate::build_assert!( 369 fits_within(expr, N), 370 "Requested value larger than maximal representable value." 371 ); 372 373 // INVARIANT: `fits_within` confirmed that `expr` can be represented within `N` bits. 374 Self::__new(expr) 375 } 376 377 /// Returns the wrapped value as the backing type. 378 /// 379 /// # Examples 380 /// 381 /// ``` 382 /// use kernel::num::Bounded; 383 /// 384 /// let v = Bounded::<u32, 4>::new::<7>(); 385 /// assert_eq!(v.get(), 7u32); 386 /// ``` 387 pub fn get(self) -> T { 388 *self.deref() 389 } 390 391 /// Increases the number of bits usable for `self`. 392 /// 393 /// This operation cannot fail. 394 /// 395 /// # Examples 396 /// 397 /// ``` 398 /// use kernel::num::Bounded; 399 /// 400 /// let v = Bounded::<u32, 4>::new::<7>(); 401 /// let larger_v = v.extend::<12>(); 402 /// // The contained values are equal even though `larger_v` has a bigger capacity. 403 /// assert_eq!(larger_v, v); 404 /// ``` 405 pub const fn extend<const M: u32>(self) -> Bounded<T, M> { 406 const { 407 assert!( 408 M >= N, 409 "Requested number of bits is less than the current representation." 410 ); 411 } 412 413 // INVARIANT: The value did fit within `N` bits, so it will all the more fit within 414 // the larger `M` bits. 415 Bounded::__new(self.0) 416 } 417 418 /// Attempts to shrink the number of bits usable for `self`. 419 /// 420 /// Returns [`None`] if the value of `self` cannot be represented within `M` bits. 421 /// 422 /// # Examples 423 /// 424 /// ``` 425 /// use kernel::num::Bounded; 426 /// 427 /// let v = Bounded::<u32, 12>::new::<7>(); 428 /// 429 /// // `7` can be represented using 3 unsigned bits... 430 /// let smaller_v = v.try_shrink::<3>(); 431 /// assert_eq!(smaller_v.as_deref().copied(), Some(7)); 432 /// 433 /// // ... but doesn't fit within `2` bits. 434 /// assert_eq!(v.try_shrink::<2>(), None); 435 /// ``` 436 pub fn try_shrink<const M: u32>(self) -> Option<Bounded<T, M>> { 437 Bounded::<T, M>::try_new(self.get()) 438 } 439 440 /// Casts `self` into a [`Bounded`] backed by a different storage type, but using the same 441 /// number of valid bits. 442 /// 443 /// Both `T` and `U` must be of same signedness, and `U` must be at least as large as 444 /// `N` bits, or a build error will occur. 445 /// 446 /// # Examples 447 /// 448 /// ``` 449 /// use kernel::num::Bounded; 450 /// 451 /// let v = Bounded::<u32, 12>::new::<127>(); 452 /// 453 /// let u16_v: Bounded<u16, 12> = v.cast(); 454 /// assert_eq!(u16_v.get(), 127); 455 /// 456 /// // This won't build: a `u8` is smaller than the required 12 bits. 457 /// // let _: Bounded<u8, 12> = v.cast(); 458 /// ``` 459 pub fn cast<U>(self) -> Bounded<U, N> 460 where 461 U: TryFrom<T> + Integer, 462 T: Integer, 463 U: Integer<Signedness = T::Signedness>, 464 { 465 // SAFETY: The converted value is represented using `N` bits, `U` can contain `N` bits, and 466 // `U` and `T` have the same sign, hence this conversion cannot fail. 467 let value = unsafe { U::try_from(self.get()).unwrap_unchecked() }; 468 469 // INVARIANT: Although the backing type has changed, the value is still represented within 470 // `N` bits, and with the same signedness. 471 Bounded::__new(value) 472 } 473 } 474 475 impl<T, const N: u32> Deref for Bounded<T, N> 476 where 477 T: Integer, 478 { 479 type Target = T; 480 481 fn deref(&self) -> &Self::Target { 482 // Enforce the invariant to inform the compiler of the bounds of the value. 483 if !fits_within(self.0, N) { 484 // SAFETY: Per the `Bounded` invariants, `fits_within` can never return `false` on the 485 // value of a valid instance. 486 unsafe { core::hint::unreachable_unchecked() } 487 } 488 489 &self.0 490 } 491 } 492 493 /// Trait similar to [`TryInto`] but for [`Bounded`], to avoid conflicting implementations. 494 /// 495 /// # Examples 496 /// 497 /// ``` 498 /// use kernel::num::{Bounded, TryIntoBounded}; 499 /// 500 /// // Succeeds because `128` fits into 8 bits. 501 /// let v: Option<Bounded<u16, 8>> = 128u32.try_into_bounded(); 502 /// assert_eq!(v.as_deref().copied(), Some(128)); 503 /// 504 /// // Fails because `128` doesn't fits into 6 bits. 505 /// let v: Option<Bounded<u16, 6>> = 128u32.try_into_bounded(); 506 /// assert_eq!(v, None); 507 /// ``` 508 pub trait TryIntoBounded<T: Integer, const N: u32> { 509 /// Attempts to convert `self` into a [`Bounded`] using `N` bits. 510 /// 511 /// Returns [`None`] if `self` does not fit into the target type. 512 fn try_into_bounded(self) -> Option<Bounded<T, N>>; 513 } 514 515 /// Any integer value can be attempted to be converted into a [`Bounded`] of any size. 516 impl<T, U, const N: u32> TryIntoBounded<T, N> for U 517 where 518 T: Integer, 519 U: TryInto<T>, 520 { 521 fn try_into_bounded(self) -> Option<Bounded<T, N>> { 522 self.try_into().ok().and_then(Bounded::try_new) 523 } 524 } 525 526 // Comparisons between `Bounded`s. 527 528 impl<T, U, const N: u32, const M: u32> PartialEq<Bounded<U, M>> for Bounded<T, N> 529 where 530 T: Integer, 531 U: Integer, 532 T: PartialEq<U>, 533 { 534 fn eq(&self, other: &Bounded<U, M>) -> bool { 535 self.get() == other.get() 536 } 537 } 538 539 impl<T, const N: u32> Eq for Bounded<T, N> where T: Integer {} 540 541 impl<T, U, const N: u32, const M: u32> PartialOrd<Bounded<U, M>> for Bounded<T, N> 542 where 543 T: Integer, 544 U: Integer, 545 T: PartialOrd<U>, 546 { 547 fn partial_cmp(&self, other: &Bounded<U, M>) -> Option<cmp::Ordering> { 548 self.get().partial_cmp(&other.get()) 549 } 550 } 551 552 impl<T, const N: u32> Ord for Bounded<T, N> 553 where 554 T: Integer, 555 T: Ord, 556 { 557 fn cmp(&self, other: &Self) -> cmp::Ordering { 558 self.get().cmp(&other.get()) 559 } 560 } 561 562 // Comparisons between a `Bounded` and its backing type. 563 564 impl<T, const N: u32> PartialEq<T> for Bounded<T, N> 565 where 566 T: Integer, 567 T: PartialEq, 568 { 569 fn eq(&self, other: &T) -> bool { 570 self.get() == *other 571 } 572 } 573 574 impl<T, const N: u32> PartialOrd<T> for Bounded<T, N> 575 where 576 T: Integer, 577 T: PartialOrd, 578 { 579 fn partial_cmp(&self, other: &T) -> Option<cmp::Ordering> { 580 self.get().partial_cmp(other) 581 } 582 } 583 584 // Implementations of `core::ops` for two `Bounded` with the same backing type. 585 586 impl<T, const N: u32, const M: u32> ops::Add<Bounded<T, M>> for Bounded<T, N> 587 where 588 T: Integer, 589 T: ops::Add<Output = T>, 590 { 591 type Output = T; 592 593 fn add(self, rhs: Bounded<T, M>) -> Self::Output { 594 self.get() + rhs.get() 595 } 596 } 597 598 impl<T, const N: u32, const M: u32> ops::BitAnd<Bounded<T, M>> for Bounded<T, N> 599 where 600 T: Integer, 601 T: ops::BitAnd<Output = T>, 602 { 603 type Output = T; 604 605 fn bitand(self, rhs: Bounded<T, M>) -> Self::Output { 606 self.get() & rhs.get() 607 } 608 } 609 610 impl<T, const N: u32, const M: u32> ops::BitOr<Bounded<T, M>> for Bounded<T, N> 611 where 612 T: Integer, 613 T: ops::BitOr<Output = T>, 614 { 615 type Output = T; 616 617 fn bitor(self, rhs: Bounded<T, M>) -> Self::Output { 618 self.get() | rhs.get() 619 } 620 } 621 622 impl<T, const N: u32, const M: u32> ops::BitXor<Bounded<T, M>> for Bounded<T, N> 623 where 624 T: Integer, 625 T: ops::BitXor<Output = T>, 626 { 627 type Output = T; 628 629 fn bitxor(self, rhs: Bounded<T, M>) -> Self::Output { 630 self.get() ^ rhs.get() 631 } 632 } 633 634 impl<T, const N: u32, const M: u32> ops::Div<Bounded<T, M>> for Bounded<T, N> 635 where 636 T: Integer, 637 T: ops::Div<Output = T>, 638 { 639 type Output = T; 640 641 fn div(self, rhs: Bounded<T, M>) -> Self::Output { 642 self.get() / rhs.get() 643 } 644 } 645 646 impl<T, const N: u32, const M: u32> ops::Mul<Bounded<T, M>> for Bounded<T, N> 647 where 648 T: Integer, 649 T: ops::Mul<Output = T>, 650 { 651 type Output = T; 652 653 fn mul(self, rhs: Bounded<T, M>) -> Self::Output { 654 self.get() * rhs.get() 655 } 656 } 657 658 impl<T, const N: u32, const M: u32> ops::Rem<Bounded<T, M>> for Bounded<T, N> 659 where 660 T: Integer, 661 T: ops::Rem<Output = T>, 662 { 663 type Output = T; 664 665 fn rem(self, rhs: Bounded<T, M>) -> Self::Output { 666 self.get() % rhs.get() 667 } 668 } 669 670 impl<T, const N: u32, const M: u32> ops::Sub<Bounded<T, M>> for Bounded<T, N> 671 where 672 T: Integer, 673 T: ops::Sub<Output = T>, 674 { 675 type Output = T; 676 677 fn sub(self, rhs: Bounded<T, M>) -> Self::Output { 678 self.get() - rhs.get() 679 } 680 } 681 682 // Implementations of `core::ops` between a `Bounded` and its backing type. 683 684 impl<T, const N: u32> ops::Add<T> for Bounded<T, N> 685 where 686 T: Integer, 687 T: ops::Add<Output = T>, 688 { 689 type Output = T; 690 691 fn add(self, rhs: T) -> Self::Output { 692 self.get() + rhs 693 } 694 } 695 696 impl<T, const N: u32> ops::BitAnd<T> for Bounded<T, N> 697 where 698 T: Integer, 699 T: ops::BitAnd<Output = T>, 700 { 701 type Output = T; 702 703 fn bitand(self, rhs: T) -> Self::Output { 704 self.get() & rhs 705 } 706 } 707 708 impl<T, const N: u32> ops::BitOr<T> for Bounded<T, N> 709 where 710 T: Integer, 711 T: ops::BitOr<Output = T>, 712 { 713 type Output = T; 714 715 fn bitor(self, rhs: T) -> Self::Output { 716 self.get() | rhs 717 } 718 } 719 720 impl<T, const N: u32> ops::BitXor<T> for Bounded<T, N> 721 where 722 T: Integer, 723 T: ops::BitXor<Output = T>, 724 { 725 type Output = T; 726 727 fn bitxor(self, rhs: T) -> Self::Output { 728 self.get() ^ rhs 729 } 730 } 731 732 impl<T, const N: u32> ops::Div<T> for Bounded<T, N> 733 where 734 T: Integer, 735 T: ops::Div<Output = T>, 736 { 737 type Output = T; 738 739 fn div(self, rhs: T) -> Self::Output { 740 self.get() / rhs 741 } 742 } 743 744 impl<T, const N: u32> ops::Mul<T> for Bounded<T, N> 745 where 746 T: Integer, 747 T: ops::Mul<Output = T>, 748 { 749 type Output = T; 750 751 fn mul(self, rhs: T) -> Self::Output { 752 self.get() * rhs 753 } 754 } 755 756 impl<T, const N: u32> ops::Neg for Bounded<T, N> 757 where 758 T: Integer, 759 T: ops::Neg<Output = T>, 760 { 761 type Output = T; 762 763 fn neg(self) -> Self::Output { 764 -self.get() 765 } 766 } 767 768 impl<T, const N: u32> ops::Not for Bounded<T, N> 769 where 770 T: Integer, 771 T: ops::Not<Output = T>, 772 { 773 type Output = T; 774 775 fn not(self) -> Self::Output { 776 !self.get() 777 } 778 } 779 780 impl<T, const N: u32> ops::Rem<T> for Bounded<T, N> 781 where 782 T: Integer, 783 T: ops::Rem<Output = T>, 784 { 785 type Output = T; 786 787 fn rem(self, rhs: T) -> Self::Output { 788 self.get() % rhs 789 } 790 } 791 792 impl<T, const N: u32> ops::Sub<T> for Bounded<T, N> 793 where 794 T: Integer, 795 T: ops::Sub<Output = T>, 796 { 797 type Output = T; 798 799 fn sub(self, rhs: T) -> Self::Output { 800 self.get() - rhs 801 } 802 } 803 804 // Proxy implementations of `core::fmt`. 805 806 impl<T, const N: u32> fmt::Display for Bounded<T, N> 807 where 808 T: Integer, 809 T: fmt::Display, 810 { 811 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 812 self.get().fmt(f) 813 } 814 } 815 816 impl<T, const N: u32> fmt::Binary for Bounded<T, N> 817 where 818 T: Integer, 819 T: fmt::Binary, 820 { 821 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 822 self.get().fmt(f) 823 } 824 } 825 826 impl<T, const N: u32> fmt::LowerExp for Bounded<T, N> 827 where 828 T: Integer, 829 T: fmt::LowerExp, 830 { 831 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 832 self.get().fmt(f) 833 } 834 } 835 836 impl<T, const N: u32> fmt::LowerHex for Bounded<T, N> 837 where 838 T: Integer, 839 T: fmt::LowerHex, 840 { 841 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 842 self.get().fmt(f) 843 } 844 } 845 846 impl<T, const N: u32> fmt::Octal for Bounded<T, N> 847 where 848 T: Integer, 849 T: fmt::Octal, 850 { 851 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 852 self.get().fmt(f) 853 } 854 } 855 856 impl<T, const N: u32> fmt::UpperExp for Bounded<T, N> 857 where 858 T: Integer, 859 T: fmt::UpperExp, 860 { 861 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 862 self.get().fmt(f) 863 } 864 } 865 866 impl<T, const N: u32> fmt::UpperHex for Bounded<T, N> 867 where 868 T: Integer, 869 T: fmt::UpperHex, 870 { 871 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 872 self.get().fmt(f) 873 } 874 } 875 876 /// Implements `$trait` for all [`Bounded`] types represented using `$num_bits`. 877 /// 878 /// This is used to declare size properties as traits that we can constrain against in impl blocks. 879 macro_rules! impl_size_rule { 880 ($trait:ty, $($num_bits:literal)*) => { 881 $( 882 impl<T> $trait for Bounded<T, $num_bits> where T: Integer {} 883 )* 884 }; 885 } 886 887 /// Local trait expressing the fact that a given [`Bounded`] has at least `N` bits used for value 888 /// representation. 889 trait AtLeastXBits<const N: usize> {} 890 891 /// Implementations for infallibly converting a primitive type into a [`Bounded`] that can contain 892 /// it. 893 /// 894 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent 895 /// module. 896 mod atleast_impls { 897 use super::*; 898 899 // Number of bits at least as large as 64. 900 impl_size_rule!(AtLeastXBits<64>, 64); 901 902 // Anything 64 bits or more is also larger than 32. 903 impl<T> AtLeastXBits<32> for T where T: AtLeastXBits<64> {} 904 // Other numbers of bits at least as large as 32. 905 impl_size_rule!(AtLeastXBits<32>, 906 32 33 34 35 36 37 38 39 907 40 41 42 43 44 45 46 47 908 48 49 50 51 52 53 54 55 909 56 57 58 59 60 61 62 63 910 ); 911 912 // Anything 32 bits or more is also larger than 16. 913 impl<T> AtLeastXBits<16> for T where T: AtLeastXBits<32> {} 914 // Other numbers of bits at least as large as 16. 915 impl_size_rule!(AtLeastXBits<16>, 916 16 17 18 19 20 21 22 23 917 24 25 26 27 28 29 30 31 918 ); 919 920 // Anything 16 bits or more is also larger than 8. 921 impl<T> AtLeastXBits<8> for T where T: AtLeastXBits<16> {} 922 // Other numbers of bits at least as large as 8. 923 impl_size_rule!(AtLeastXBits<8>, 8 9 10 11 12 13 14 15); 924 } 925 926 /// Generates `From` implementations from a primitive type into a [`Bounded`] with 927 /// enough bits to store any value of that type. 928 /// 929 /// Note: The only reason for having this macro is that if we pass `$type` as a generic 930 /// parameter, we cannot use it in the const context of [`AtLeastXBits`]'s generic parameter. This 931 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a 932 /// regular `impl` block. 933 macro_rules! impl_from_primitive { 934 ($($type:ty)*) => { 935 $( 936 #[doc = ::core::concat!( 937 "Conversion from a [`", 938 ::core::stringify!($type), 939 "`] into a [`Bounded`] of same signedness with enough bits to store it.")] 940 impl<T, const N: u32> From<$type> for Bounded<T, N> 941 where 942 $type: Integer, 943 T: Integer<Signedness = <$type as Integer>::Signedness> + From<$type>, 944 Self: AtLeastXBits<{ <$type as Integer>::BITS as usize }>, 945 { 946 fn from(value: $type) -> Self { 947 // INVARIANT: The trait bound on `Self` guarantees that `N` bits is 948 // enough to hold any value of the source type. 949 Self::__new(T::from(value)) 950 } 951 } 952 )* 953 } 954 } 955 956 impl_from_primitive!( 957 u8 u16 u32 u64 usize 958 i8 i16 i32 i64 isize 959 ); 960 961 /// Local trait expressing the fact that a given [`Bounded`] fits into a primitive type of `N` bits, 962 /// provided they have the same signedness. 963 trait FitsInXBits<const N: usize> {} 964 965 /// Implementations for infallibly converting a [`Bounded`] into a primitive type that can contain 966 /// it. 967 /// 968 /// Put into their own module for readability, and to avoid cluttering the rustdoc of the parent 969 /// module. 970 mod fits_impls { 971 use super::*; 972 973 // Number of bits that fit into a 8-bits primitive. 974 impl_size_rule!(FitsInXBits<8>, 1 2 3 4 5 6 7 8); 975 976 // Anything that fits into 8 bits also fits into 16. 977 impl<T> FitsInXBits<16> for T where T: FitsInXBits<8> {} 978 // Other number of bits that fit into a 16-bits primitive. 979 impl_size_rule!(FitsInXBits<16>, 9 10 11 12 13 14 15 16); 980 981 // Anything that fits into 16 bits also fits into 32. 982 impl<T> FitsInXBits<32> for T where T: FitsInXBits<16> {} 983 // Other number of bits that fit into a 32-bits primitive. 984 impl_size_rule!(FitsInXBits<32>, 985 17 18 19 20 21 22 23 24 986 25 26 27 28 29 30 31 32 987 ); 988 989 // Anything that fits into 32 bits also fits into 64. 990 impl<T> FitsInXBits<64> for T where T: FitsInXBits<32> {} 991 // Other number of bits that fit into a 64-bits primitive. 992 impl_size_rule!(FitsInXBits<64>, 993 33 34 35 36 37 38 39 40 994 41 42 43 44 45 46 47 48 995 49 50 51 52 53 54 55 56 996 57 58 59 60 61 62 63 64 997 ); 998 } 999 1000 /// Generates [`From`] implementations from a [`Bounded`] into a primitive type that is 1001 /// guaranteed to contain it. 1002 /// 1003 /// Note: The only reason for having this macro is that if we pass `$type` as a generic 1004 /// parameter, we cannot use it in the const context of `AtLeastXBits`'s generic parameter. This 1005 /// can be fixed once the `generic_const_exprs` feature is usable, and this macro replaced by a 1006 /// regular `impl` block. 1007 macro_rules! impl_into_primitive { 1008 ($($type:ty)*) => { 1009 $( 1010 #[doc = ::core::concat!( 1011 "Conversion from a [`Bounded`] with no more bits than a [`", 1012 ::core::stringify!($type), 1013 "`] and of same signedness into [`", 1014 ::core::stringify!($type), 1015 "`]")] 1016 impl<T, const N: u32> From<Bounded<T, N>> for $type 1017 where 1018 $type: Integer + TryFrom<T>, 1019 T: Integer<Signedness = <$type as Integer>::Signedness>, 1020 Bounded<T, N>: FitsInXBits<{ <$type as Integer>::BITS as usize }>, 1021 { 1022 fn from(value: Bounded<T, N>) -> $type { 1023 // SAFETY: The trait bound on `Bounded` ensures that any value it holds (which 1024 // is constrained to `N` bits) can fit into the destination type, so this 1025 // conversion cannot fail. 1026 unsafe { <$type>::try_from(value.get()).unwrap_unchecked() } 1027 } 1028 } 1029 )* 1030 } 1031 } 1032 1033 impl_into_primitive!( 1034 u8 u16 u32 u64 usize 1035 i8 i16 i32 i64 isize 1036 ); 1037 1038 // Single-bit `Bounded`s can be converted from/to a boolean. 1039 1040 impl<T> From<Bounded<T, 1>> for bool 1041 where 1042 T: Integer + Zeroable, 1043 { 1044 fn from(value: Bounded<T, 1>) -> Self { 1045 value.get() != Zeroable::zeroed() 1046 } 1047 } 1048 1049 impl<T, const N: u32> From<bool> for Bounded<T, N> 1050 where 1051 T: Integer + From<bool>, 1052 { 1053 fn from(value: bool) -> Self { 1054 // INVARIANT: A boolean can be represented using a single bit, and thus fits within any 1055 // integer type for any `N` > 0. 1056 Self::__new(T::from(value)) 1057 } 1058 } 1059