1 // SPDX-License-Identifier: (BSD-2-Clause OR Apache-2.0) OR MIT 2 3 // Copyright 2024 The Fuchsia Authors 4 // 5 // Licensed under the 2-Clause BSD License <LICENSE-BSD or 6 // https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0 7 // <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT 8 // license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option. 9 // This file may not be copied, modified, or distributed except according to 10 // those terms. 11 12 use core::{ 13 cell::{Cell, UnsafeCell}, 14 mem::MaybeUninit as CoreMaybeUninit, 15 ptr::NonNull, 16 }; 17 18 use super::*; 19 use crate::pointer::cast::{CastSizedExact, CastUnsized}; 20 21 // SAFETY: Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a 22 // zero-sized type to have a size of 0 and an alignment of 1." 23 // - `Immutable`: `()` self-evidently does not contain any `UnsafeCell`s. 24 // - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is only 25 // one possible sequence of 0 bytes, and `()` is inhabited. 26 // - `IntoBytes`: Since `()` has size 0, it contains no padding bytes. 27 // - `Unaligned`: `()` has alignment 1. 28 // 29 // [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#tuple-layout 30 #[allow(clippy::multiple_unsafe_ops_per_block)] 31 const _: () = unsafe { 32 unsafe_impl!((): Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 33 assert_unaligned!(()); 34 }; 35 36 // SAFETY: 37 // - `Immutable`: These types self-evidently do not contain any `UnsafeCell`s. 38 // - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: all bit 39 // patterns are valid for numeric types [1] 40 // - `IntoBytes`: numeric types have no padding bytes [1] 41 // - `Unaligned` (`u8` and `i8` only): The reference [2] specifies the size of 42 // `u8` and `i8` as 1 byte. We also know that: 43 // - Alignment is >= 1 [3] 44 // - Size is an integer multiple of alignment [4] 45 // - The only value >= 1 for which 1 is an integer multiple is 1 Therefore, 46 // the only possible alignment for `u8` and `i8` is 1. 47 // 48 // [1] Per https://doc.rust-lang.org/1.81.0/reference/types/numeric.html#bit-validity: 49 // 50 // For every numeric type, `T`, the bit validity of `T` is equivalent to 51 // the bit validity of `[u8; size_of::<T>()]`. An uninitialized byte is 52 // not a valid `u8`. 53 // 54 // [2] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-data-layout 55 // 56 // [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment: 57 // 58 // Alignment is measured in bytes, and must be at least 1. 59 // 60 // [4] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment: 61 // 62 // The size of a value is always a multiple of its alignment. 63 // 64 // FIXME(#278): Once we've updated the trait docs to refer to `u8`s rather than 65 // bits or bytes, update this comment, especially the reference to [1]. 66 #[allow(clippy::multiple_unsafe_ops_per_block)] 67 const _: () = unsafe { 68 unsafe_impl!(u8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 69 unsafe_impl!(i8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 70 assert_unaligned!(u8, i8); 71 unsafe_impl!(u16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 72 unsafe_impl!(i16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 73 unsafe_impl!(u32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 74 unsafe_impl!(i32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 75 unsafe_impl!(u64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 76 unsafe_impl!(i64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 77 unsafe_impl!(u128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 78 unsafe_impl!(i128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 79 unsafe_impl!(usize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 80 unsafe_impl!(isize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 81 unsafe_impl!(f32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 82 unsafe_impl!(f64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 83 #[cfg(feature = "float-nightly")] 84 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 85 #[cfg(feature = "float-nightly")] 86 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); 87 }; 88 89 // SAFETY: 90 // - `Immutable`: `bool` self-evidently does not contain any `UnsafeCell`s. 91 // - `FromZeros`: Valid since "[t]he value false has the bit pattern 0x00" [1]. 92 // - `IntoBytes`: Since "the boolean type has a size and alignment of 1 each" 93 // and "The value false has the bit pattern 0x00 and the value true has the 94 // bit pattern 0x01" [1]. Thus, the only byte of the bool is always 95 // initialized. 96 // - `Unaligned`: Per the reference [1], "[a]n object with the boolean type has 97 // a size and alignment of 1 each." 98 // 99 // [1] https://doc.rust-lang.org/1.81.0/reference/types/boolean.html 100 #[allow(clippy::multiple_unsafe_ops_per_block)] 101 const _: () = unsafe { unsafe_impl!(bool: Immutable, FromZeros, IntoBytes, Unaligned) }; 102 assert_unaligned!(bool); 103 104 // SAFETY: The impl must only return `true` for its argument if the original 105 // `Maybe<bool>` refers to a valid `bool`. We only return true if the `u8` value 106 // is 0 or 1, and both of these are valid values for `bool` [1]. 107 // 108 // [1] Per https://doc.rust-lang.org/1.81.0/reference/types/boolean.html: 109 // 110 // The value false has the bit pattern 0x00 and the value true has the bit 111 // pattern 0x01. 112 const _: () = unsafe { 113 unsafe_impl!(=> TryFromBytes for bool; |byte| { 114 let byte = byte.transmute_with::<u8, invariant::Valid, CastSizedExact, BecauseImmutable>(); 115 *byte.unaligned_as_ref() < 2 116 }) 117 }; 118 119 // SAFETY: 120 // - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s. 121 // - `FromZeros`: Per reference [1], "[a] value of type char is a Unicode scalar 122 // value (i.e. a code point that is not a surrogate), represented as a 32-bit 123 // unsigned word in the 0x0000 to 0xD7FF or 0xE000 to 0x10FFFF range" which 124 // contains 0x0000. 125 // - `IntoBytes`: `char` is per reference [1] "represented as a 32-bit unsigned 126 // word" (`u32`) which is `IntoBytes`. Note that unlike `u32`, not all bit 127 // patterns are valid for `char`. 128 // 129 // [1] https://doc.rust-lang.org/1.81.0/reference/types/textual.html 130 #[allow(clippy::multiple_unsafe_ops_per_block)] 131 const _: () = unsafe { unsafe_impl!(char: Immutable, FromZeros, IntoBytes) }; 132 133 // SAFETY: The impl must only return `true` for its argument if the original 134 // `Maybe<char>` refers to a valid `char`. `char::from_u32` guarantees that it 135 // returns `None` if its input is not a valid `char` [1]. 136 // 137 // [1] Per https://doc.rust-lang.org/core/primitive.char.html#method.from_u32: 138 // 139 // `from_u32()` will return `None` if the input is not a valid value for a 140 // `char`. 141 const _: () = unsafe { 142 unsafe_impl!(=> TryFromBytes for char; |c| { 143 let c = c.transmute_with::<Unalign<u32>, invariant::Valid, CastSizedExact, BecauseImmutable>(); 144 let c = c.read().into_inner(); 145 char::from_u32(c).is_some() 146 }); 147 }; 148 149 // SAFETY: Per the Reference [1], `str` has the same layout as `[u8]`. 150 // - `Immutable`: `[u8]` does not contain any `UnsafeCell`s. 151 // - `FromZeros`, `IntoBytes`, `Unaligned`: `[u8]` is `FromZeros`, `IntoBytes`, 152 // and `Unaligned`. 153 // 154 // Note that we don't `assert_unaligned!(str)` because `assert_unaligned!` uses 155 // `align_of`, which only works for `Sized` types. 156 // 157 // FIXME(#429): Improve safety proof for `FromZeros` and `IntoBytes`; having the same 158 // layout as `[u8]` isn't sufficient. 159 // 160 // [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout: 161 // 162 // String slices are a UTF-8 representation of characters that have the same 163 // layout as slices of type `[u8]`. 164 #[allow(clippy::multiple_unsafe_ops_per_block)] 165 const _: () = unsafe { unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unaligned) }; 166 167 // SAFETY: The impl must only return `true` for its argument if the original 168 // `Maybe<str>` refers to a valid `str`. `str::from_utf8` guarantees that it 169 // returns `Err` if its input is not a valid `str` [1]. 170 // 171 // [1] Per https://doc.rust-lang.org/core/str/fn.from_utf8.html#errors: 172 // 173 // Returns `Err` if the slice is not UTF-8. 174 const _: () = unsafe { 175 unsafe_impl!(=> TryFromBytes for str; |c| { 176 let c = c.transmute_with::<[u8], invariant::Valid, CastUnsized, BecauseImmutable>(); 177 let c = c.unaligned_as_ref(); 178 core::str::from_utf8(c).is_ok() 179 }) 180 }; 181 182 macro_rules! unsafe_impl_try_from_bytes_for_nonzero { 183 ($($nonzero:ident[$prim:ty]),*) => { 184 $( 185 unsafe_impl!(=> TryFromBytes for $nonzero; |n| { 186 let n = n.transmute_with::<Unalign<$prim>, invariant::Valid, CastSizedExact, BecauseImmutable>(); 187 $nonzero::new(n.read().into_inner()).is_some() 188 }); 189 )* 190 } 191 } 192 193 // `NonZeroXxx` is `IntoBytes`, but not `FromZeros` or `FromBytes`. 194 // 195 // SAFETY: 196 // - `IntoBytes`: `NonZeroXxx` has the same layout as its associated primitive. 197 // Since it is the same size, this guarantees it has no padding - integers 198 // have no padding, and there's no room for padding if it can represent all 199 // of the same values except 0. 200 // - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that `Option<NonZeroU8>` 201 // and `Option<NonZeroI8>` both have size 1. [1] [2] This is worded in a way 202 // that makes it unclear whether it's meant as a guarantee, but given the 203 // purpose of those types, it's virtually unthinkable that that would ever 204 // change. `Option` cannot be smaller than its contained type, which implies 205 // that, and `NonZeroX8` are of size 1 or 0. `NonZeroX8` can represent 206 // multiple states, so they cannot be 0 bytes, which means that they must be 1 207 // byte. The only valid alignment for a 1-byte type is 1. 208 // 209 // FIXME(#429): 210 // - Add quotes from documentation. 211 // - Add safety comment for `Immutable`. How can we prove that `NonZeroXxx` 212 // doesn't contain any `UnsafeCell`s? It's obviously true, but it's not clear 213 // how we'd prove it short of adding text to the stdlib docs that says so 214 // explicitly, which likely wouldn't be accepted. 215 // 216 // [1] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html: 217 // 218 // `NonZeroU8` is guaranteed to have the same layout and bit validity as `u8` with 219 // the exception that 0 is not a valid instance. 220 // 221 // [2] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html: 222 // 223 // `NonZeroI8` is guaranteed to have the same layout and bit validity as `i8` with 224 // the exception that 0 is not a valid instance. 225 #[allow(clippy::multiple_unsafe_ops_per_block)] 226 const _: () = unsafe { 227 unsafe_impl!(NonZeroU8: Immutable, IntoBytes, Unaligned); 228 unsafe_impl!(NonZeroI8: Immutable, IntoBytes, Unaligned); 229 assert_unaligned!(NonZeroU8, NonZeroI8); 230 unsafe_impl!(NonZeroU16: Immutable, IntoBytes); 231 unsafe_impl!(NonZeroI16: Immutable, IntoBytes); 232 unsafe_impl!(NonZeroU32: Immutable, IntoBytes); 233 unsafe_impl!(NonZeroI32: Immutable, IntoBytes); 234 unsafe_impl!(NonZeroU64: Immutable, IntoBytes); 235 unsafe_impl!(NonZeroI64: Immutable, IntoBytes); 236 unsafe_impl!(NonZeroU128: Immutable, IntoBytes); 237 unsafe_impl!(NonZeroI128: Immutable, IntoBytes); 238 unsafe_impl!(NonZeroUsize: Immutable, IntoBytes); 239 unsafe_impl!(NonZeroIsize: Immutable, IntoBytes); 240 unsafe_impl_try_from_bytes_for_nonzero!( 241 NonZeroU8[u8], 242 NonZeroI8[i8], 243 NonZeroU16[u16], 244 NonZeroI16[i16], 245 NonZeroU32[u32], 246 NonZeroI32[i32], 247 NonZeroU64[u64], 248 NonZeroI64[i64], 249 NonZeroU128[u128], 250 NonZeroI128[i128], 251 NonZeroUsize[usize], 252 NonZeroIsize[isize] 253 ); 254 }; 255 256 // SAFETY: 257 // - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`, `IntoBytes`: 258 // The Rust compiler reuses `0` value to represent `None`, so 259 // `size_of::<Option<NonZeroXxx>>() == size_of::<xxx>()`; see `NonZeroXxx` 260 // documentation. 261 // - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that `Option<NonZeroU8>` 262 // and `Option<NonZeroI8>` both have size 1. [1] [2] This is worded in a way 263 // that makes it unclear whether it's meant as a guarantee, but given the 264 // purpose of those types, it's virtually unthinkable that that would ever 265 // change. The only valid alignment for a 1-byte type is 1. 266 // 267 // [1] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html: 268 // 269 // `Option<NonZeroU8>` is guaranteed to be compatible with `u8`, including in FFI. 270 // 271 // Thanks to the null pointer optimization, `NonZeroU8` and `Option<NonZeroU8>` 272 // are guaranteed to have the same size and alignment: 273 // 274 // [2] Per https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html: 275 // 276 // `Option<NonZeroI8>` is guaranteed to be compatible with `i8`, including in FFI. 277 // 278 // Thanks to the null pointer optimization, `NonZeroI8` and `Option<NonZeroI8>` 279 // are guaranteed to have the same size and alignment: 280 #[allow(clippy::multiple_unsafe_ops_per_block)] 281 const _: () = unsafe { 282 unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 283 unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 284 assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>); 285 unsafe_impl!(Option<NonZeroU16>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 286 unsafe_impl!(Option<NonZeroI16>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 287 unsafe_impl!(Option<NonZeroU32>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 288 unsafe_impl!(Option<NonZeroI32>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 289 unsafe_impl!(Option<NonZeroU64>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 290 unsafe_impl!(Option<NonZeroI64>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 291 unsafe_impl!(Option<NonZeroU128>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 292 unsafe_impl!(Option<NonZeroI128>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 293 unsafe_impl!(Option<NonZeroUsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 294 unsafe_impl!(Option<NonZeroIsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes); 295 }; 296 297 // SAFETY: While it's not fully documented, the consensus is that `Box<T>` does 298 // not contain any `UnsafeCell`s for `T: Sized` [1]. This is not a complete 299 // proof, but we are accepting this as a known risk per #1358. 300 // 301 // [1] https://github.com/rust-lang/unsafe-code-guidelines/issues/492 302 #[cfg(feature = "alloc")] 303 const _: () = unsafe { 304 unsafe_impl!( 305 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))] 306 T: Sized => Immutable for Box<T> 307 ) 308 }; 309 310 // SAFETY: The following types can be transmuted from `[0u8; size_of::<T>()]`. [1] 311 // 312 // [1] Per https://doc.rust-lang.org/1.89.0/core/option/index.html#representation: 313 // 314 // Rust guarantees to optimize the following types `T` such that [`Option<T>`] 315 // has the same size and alignment as `T`. In some of these cases, Rust 316 // further guarantees that `transmute::<_, Option<T>>([0u8; size_of::<T>()])` 317 // is sound and produces `Option::<T>::None`. These cases are identified by 318 // the second column: 319 // 320 // | `T` | `transmute::<_, Option<T>>([0u8; size_of::<T>()])` sound? | 321 // |-----------------------------------|-----------------------------------------------------------| 322 // | [`Box<U>`] | when `U: Sized` | 323 // | `&U` | when `U: Sized` | 324 // | `&mut U` | when `U: Sized` | 325 // | [`ptr::NonNull<U>`] | when `U: Sized` | 326 // | `fn`, `extern "C" fn`[^extern_fn] | always | 327 // 328 // [^extern_fn]: this remains true for `unsafe` variants, any argument/return 329 // types, and any other ABI: `[unsafe] extern "abi" fn` (_e.g._, `extern 330 // "system" fn`) 331 #[allow(clippy::multiple_unsafe_ops_per_block)] 332 const _: () = unsafe { 333 #[cfg(feature = "alloc")] 334 unsafe_impl!( 335 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))] 336 T => TryFromBytes for Option<Box<T>>; |c| pointer::is_zeroed(c) 337 ); 338 #[cfg(feature = "alloc")] 339 unsafe_impl!( 340 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))] 341 T => FromZeros for Option<Box<T>> 342 ); 343 unsafe_impl!( 344 T => TryFromBytes for Option<&'_ T>; |c| pointer::is_zeroed(c) 345 ); 346 unsafe_impl!(T => FromZeros for Option<&'_ T>); 347 unsafe_impl!( 348 T => TryFromBytes for Option<&'_ mut T>; |c| pointer::is_zeroed(c) 349 ); 350 unsafe_impl!(T => FromZeros for Option<&'_ mut T>); 351 unsafe_impl!( 352 T => TryFromBytes for Option<NonNull<T>>; |c| pointer::is_zeroed(c) 353 ); 354 unsafe_impl!(T => FromZeros for Option<NonNull<T>>); 355 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_fn!(...)); 356 unsafe_impl_for_power_set!( 357 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_fn!(...); 358 |c| pointer::is_zeroed(c) 359 ); 360 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_unsafe_fn!(...)); 361 unsafe_impl_for_power_set!( 362 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_unsafe_fn!(...); 363 |c| pointer::is_zeroed(c) 364 ); 365 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_extern_c_fn!(...)); 366 unsafe_impl_for_power_set!( 367 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_extern_c_fn!(...); 368 |c| pointer::is_zeroed(c) 369 ); 370 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_unsafe_extern_c_fn!(...)); 371 unsafe_impl_for_power_set!( 372 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_unsafe_extern_c_fn!(...); 373 |c| pointer::is_zeroed(c) 374 ); 375 }; 376 377 // SAFETY: `[unsafe] [extern "C"] fn()` self-evidently do not contain 378 // `UnsafeCell`s. This is not a proof, but we are accepting this as a known risk 379 // per #1358. 380 #[allow(clippy::multiple_unsafe_ops_per_block)] 381 const _: () = unsafe { 382 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_fn!(...)); 383 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_unsafe_fn!(...)); 384 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_extern_c_fn!(...)); 385 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_unsafe_extern_c_fn!(...)); 386 }; 387 388 #[cfg(all( 389 not(no_zerocopy_target_has_atomics_1_60_0), 390 any( 391 target_has_atomic = "8", 392 target_has_atomic = "16", 393 target_has_atomic = "32", 394 target_has_atomic = "64", 395 target_has_atomic = "ptr" 396 ) 397 ))] 398 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.60.0")))] 399 mod atomics { 400 use super::*; 401 402 macro_rules! impl_traits_for_atomics { 403 ($($atomics:tt [$primitives:ty]),* $(,)?) => { 404 $( 405 impl_known_layout!($atomics); 406 impl_for_transmute_from!(=> FromZeros for $atomics [$primitives]); 407 impl_for_transmute_from!(=> FromBytes for $atomics [$primitives]); 408 impl_for_transmute_from!(=> TryFromBytes for $atomics [$primitives]); 409 impl_for_transmute_from!(=> IntoBytes for $atomics [$primitives]); 410 )* 411 }; 412 } 413 414 /// Implements `TransmuteFrom` for `$atomic`, `$prim`, and 415 /// `UnsafeCell<$prim>`. 416 /// 417 /// # Safety 418 /// 419 /// `$atomic` must have the same size and bit validity as `$prim`. 420 macro_rules! unsafe_impl_transmute_from_for_atomic { 421 ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {{ 422 crate::util::macros::__unsafe(); 423 424 use crate::pointer::{SizeEq, TransmuteFrom, invariant::Valid}; 425 426 $( 427 // SAFETY: The caller promised that `$atomic` and `$prim` have 428 // the same size and bit validity. 429 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {} 430 // SAFETY: The caller promised that `$atomic` and `$prim` have 431 // the same size and bit validity. 432 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {} 433 434 impl<$($tyvar)?> SizeEq<ReadOnly<$atomic>> for ReadOnly<$prim> { 435 type CastFrom = $crate::pointer::cast::CastSizedExact; 436 } 437 438 // SAFETY: The caller promised that `$atomic` and `$prim` have 439 // the same bit validity. `UnsafeCell<T>` has the same bit 440 // validity as `T` [1]. 441 // 442 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout: 443 // 444 // `UnsafeCell<T>` has the same in-memory representation as 445 // its inner type `T`. A consequence of this guarantee is that 446 // it is possible to convert between `T` and `UnsafeCell<T>`. 447 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for core::cell::UnsafeCell<$prim> {} 448 // SAFETY: See previous safety comment. 449 unsafe impl<$($tyvar)?> TransmuteFrom<core::cell::UnsafeCell<$prim>, Valid, Valid> for $atomic {} 450 )* 451 }}; 452 } 453 454 #[cfg(target_has_atomic = "8")] 455 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "8")))] 456 mod atomic_8 { 457 use core::sync::atomic::{AtomicBool, AtomicI8, AtomicU8}; 458 459 use super::*; 460 461 impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]); 462 463 impl_known_layout!(AtomicBool); 464 impl_for_transmute_from!(=> FromZeros for AtomicBool [bool]); 465 impl_for_transmute_from!(=> TryFromBytes for AtomicBool [bool]); 466 impl_for_transmute_from!(=> IntoBytes for AtomicBool [bool]); 467 468 // SAFETY: Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the 469 // same size as `bool`, `u8`, and `i8` respectively. Since a type's 470 // alignment cannot be smaller than 1 [2], and since its alignment 471 // cannot be greater than its size [3], the only possible value for the 472 // alignment is 1. Thus, it is sound to implement `Unaligned`. 473 // 474 // [1] Per (for example) https://doc.rust-lang.org/1.81.0/std/sync/atomic/struct.AtomicU8.html: 475 // 476 // This type has the same size, alignment, and bit validity as the 477 // underlying integer type 478 // 479 // [2] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment: 480 // 481 // Alignment is measured in bytes, and must be at least 1. 482 // 483 // [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment: 484 // 485 // The size of a value is always a multiple of its alignment. 486 #[allow(clippy::multiple_unsafe_ops_per_block)] 487 const _: () = unsafe { 488 unsafe_impl!(AtomicBool: Unaligned); 489 unsafe_impl!(AtomicU8: Unaligned); 490 unsafe_impl!(AtomicI8: Unaligned); 491 assert_unaligned!(AtomicBool, AtomicU8, AtomicI8); 492 }; 493 494 // SAFETY: `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size 495 // and bit validity as `u8`, `i8`, and `bool` respectively [1][2][3]. 496 // 497 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html: 498 // 499 // This type has the same size, alignment, and bit validity as the 500 // underlying integer type, `u8`. 501 // 502 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html: 503 // 504 // This type has the same size, alignment, and bit validity as the 505 // underlying integer type, `i8`. 506 // 507 // [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html: 508 // 509 // This type has the same size, alignment, and bit validity a `bool`. 510 #[allow(clippy::multiple_unsafe_ops_per_block)] 511 const _: () = unsafe { 512 unsafe_impl_transmute_from_for_atomic!( 513 => AtomicU8 [u8], 514 => AtomicI8 [i8], 515 => AtomicBool [bool] 516 ) 517 }; 518 } 519 520 #[cfg(target_has_atomic = "16")] 521 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "16")))] 522 mod atomic_16 { 523 use core::sync::atomic::{AtomicI16, AtomicU16}; 524 525 use super::*; 526 527 impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]); 528 529 // SAFETY: `AtomicU16` and `AtomicI16` have the same size and bit 530 // validity as `u16` and `i16` respectively [1][2]. 531 // 532 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html: 533 // 534 // This type has the same size and bit validity as the underlying 535 // integer type, `u16`. 536 // 537 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html: 538 // 539 // This type has the same size and bit validity as the underlying 540 // integer type, `i16`. 541 #[allow(clippy::multiple_unsafe_ops_per_block)] 542 const _: () = unsafe { 543 unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16]) 544 }; 545 } 546 547 #[cfg(target_has_atomic = "32")] 548 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "32")))] 549 mod atomic_32 { 550 use core::sync::atomic::{AtomicI32, AtomicU32}; 551 552 use super::*; 553 554 impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]); 555 556 // SAFETY: `AtomicU32` and `AtomicI32` have the same size and bit 557 // validity as `u32` and `i32` respectively [1][2]. 558 // 559 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html: 560 // 561 // This type has the same size and bit validity as the underlying 562 // integer type, `u32`. 563 // 564 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html: 565 // 566 // This type has the same size and bit validity as the underlying 567 // integer type, `i32`. 568 #[allow(clippy::multiple_unsafe_ops_per_block)] 569 const _: () = unsafe { 570 unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32]) 571 }; 572 } 573 574 #[cfg(target_has_atomic = "64")] 575 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "64")))] 576 mod atomic_64 { 577 use core::sync::atomic::{AtomicI64, AtomicU64}; 578 579 use super::*; 580 581 impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]); 582 583 // SAFETY: `AtomicU64` and `AtomicI64` have the same size and bit 584 // validity as `u64` and `i64` respectively [1][2]. 585 // 586 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html: 587 // 588 // This type has the same size and bit validity as the underlying 589 // integer type, `u64`. 590 // 591 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html: 592 // 593 // This type has the same size and bit validity as the underlying 594 // integer type, `i64`. 595 #[allow(clippy::multiple_unsafe_ops_per_block)] 596 const _: () = unsafe { 597 unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64]) 598 }; 599 } 600 601 #[cfg(target_has_atomic = "ptr")] 602 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "ptr")))] 603 mod atomic_ptr { 604 use core::sync::atomic::{AtomicIsize, AtomicPtr, AtomicUsize}; 605 606 use super::*; 607 608 impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]); 609 610 // FIXME(#170): Implement `FromBytes` and `IntoBytes` once we implement 611 // those traits for `*mut T`. 612 impl_known_layout!(T => AtomicPtr<T>); 613 impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [*mut T]); 614 impl_for_transmute_from!(T => FromZeros for AtomicPtr<T> [*mut T]); 615 616 // SAFETY: `AtomicUsize` and `AtomicIsize` have the same size and bit 617 // validity as `usize` and `isize` respectively [1][2]. 618 // 619 // [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html: 620 // 621 // This type has the same size and bit validity as the underlying 622 // integer type, `usize`. 623 // 624 // [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html: 625 // 626 // This type has the same size and bit validity as the underlying 627 // integer type, `isize`. 628 #[allow(clippy::multiple_unsafe_ops_per_block)] 629 const _: () = unsafe { 630 unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize]) 631 }; 632 633 // SAFETY: Per 634 // https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html: 635 // 636 // This type has the same size and bit validity as a `*mut T`. 637 #[allow(clippy::multiple_unsafe_ops_per_block)] 638 const _: () = unsafe { unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]) }; 639 } 640 } 641 642 // SAFETY: Per reference [1]: "For all T, the following are guaranteed: 643 // size_of::<PhantomData<T>>() == 0 align_of::<PhantomData<T>>() == 1". This 644 // gives: 645 // - `Immutable`: `PhantomData` has no fields. 646 // - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is only 647 // one possible sequence of 0 bytes, and `PhantomData` is inhabited. 648 // - `IntoBytes`: Since `PhantomData` has size 0, it contains no padding bytes. 649 // - `Unaligned`: Per the preceding reference, `PhantomData` has alignment 1. 650 // 651 // [1] https://doc.rust-lang.org/1.81.0/std/marker/struct.PhantomData.html#layout-1 652 #[allow(clippy::multiple_unsafe_ops_per_block)] 653 const _: () = unsafe { 654 unsafe_impl!(T: ?Sized => Immutable for PhantomData<T>); 655 unsafe_impl!(T: ?Sized => TryFromBytes for PhantomData<T>); 656 unsafe_impl!(T: ?Sized => FromZeros for PhantomData<T>); 657 unsafe_impl!(T: ?Sized => FromBytes for PhantomData<T>); 658 unsafe_impl!(T: ?Sized => IntoBytes for PhantomData<T>); 659 unsafe_impl!(T: ?Sized => Unaligned for PhantomData<T>); 660 assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>); 661 }; 662 663 impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[T]); 664 impl_for_transmute_from!(T: FromZeros => FromZeros for Wrapping<T>[T]); 665 impl_for_transmute_from!(T: FromBytes => FromBytes for Wrapping<T>[T]); 666 impl_for_transmute_from!(T: IntoBytes => IntoBytes for Wrapping<T>[T]); 667 assert_unaligned!(Wrapping<()>, Wrapping<u8>); 668 669 // SAFETY: Per [1], `Wrapping<T>` has the same layout as `T`. Since its single 670 // field (of type `T`) is public, it would be a breaking change to add or remove 671 // fields. Thus, we know that `Wrapping<T>` contains a `T` (as opposed to just 672 // having the same size and alignment as `T`) with no pre- or post-padding. 673 // Thus, `Wrapping<T>` must have `UnsafeCell`s covering the same byte ranges as 674 // `Inner = T`. 675 // 676 // [1] Per https://doc.rust-lang.org/1.81.0/std/num/struct.Wrapping.html#layout-1: 677 // 678 // `Wrapping<T>` is guaranteed to have the same layout and ABI as `T` 679 const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for Wrapping<T>) }; 680 681 // SAFETY: Per [1] in the preceding safety comment, `Wrapping<T>` has the same 682 // alignment as `T`. 683 const _: () = unsafe { unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>) }; 684 685 // SAFETY: `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: 686 // `MaybeUninit<T>` has no restrictions on its contents. 687 #[allow(clippy::multiple_unsafe_ops_per_block)] 688 const _: () = unsafe { 689 unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>); 690 unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>); 691 unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>); 692 }; 693 694 // SAFETY: `MaybeUninit<T>` has `UnsafeCell`s covering the same byte ranges as 695 // `Inner = T`. This is not explicitly documented, but it can be inferred. Per 696 // [1], `MaybeUninit<T>` has the same size as `T`. Further, note the signature 697 // of `MaybeUninit::assume_init_ref` [2]: 698 // 699 // pub unsafe fn assume_init_ref(&self) -> &T 700 // 701 // If the argument `&MaybeUninit<T>` and the returned `&T` had `UnsafeCell`s at 702 // different offsets, this would be unsound. Its existence is proof that this is 703 // not the case. 704 // 705 // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1: 706 // 707 // `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI as 708 // `T`. 709 // 710 // [2] https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#method.assume_init_ref 711 const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>) }; 712 713 // SAFETY: Per [1] in the preceding safety comment, `MaybeUninit<T>` has the 714 // same alignment as `T`. 715 const _: () = unsafe { unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>) }; 716 assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>); 717 718 // SAFETY: `ManuallyDrop<T>` has the same layout as `T` [1]. This strongly 719 // implies, but does not guarantee, that it contains `UnsafeCell`s covering the 720 // same byte ranges as in `T`. However, it also implements `Defer<Target = T>` 721 // [2], which provides the ability to convert `&ManuallyDrop<T> -> &T`. This, 722 // combined with having the same size as `T`, implies that `ManuallyDrop<T>` 723 // exactly contains a `T` with the same fields and `UnsafeCell`s covering the 724 // same byte ranges, or else the `Deref` impl would permit safe code to obtain 725 // different shared references to the same region of memory with different 726 // `UnsafeCell` coverage, which would in turn permit interior mutation that 727 // would violate the invariants of a shared reference. 728 // 729 // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html: 730 // 731 // `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as 732 // `T` 733 // 734 // [2] https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html#impl-Deref-for-ManuallyDrop%3CT%3E 735 const _: () = unsafe { unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>) }; 736 737 impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>[T]); 738 impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[T]); 739 impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[T]); 740 impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[T]); 741 // SAFETY: `ManuallyDrop<T>` has the same layout as `T` [1], and thus has the 742 // same alignment as `T`. 743 // 744 // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/struct.ManuallyDrop.html: 745 // 746 // `ManuallyDrop<T>` is guaranteed to have the same layout and bit validity as 747 // `T` 748 const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>) }; 749 assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>); 750 751 const _: () = { 752 #[allow( 753 non_camel_case_types, 754 missing_copy_implementations, 755 missing_debug_implementations, 756 missing_docs 757 )] 758 pub enum value {} 759 760 // SAFETY: See safety comment on `ProjectToTag`. 761 unsafe impl<T: ?Sized> HasTag for ManuallyDrop<T> { 762 #[inline] 763 fn only_derive_is_allowed_to_implement_this_trait() 764 where 765 Self: Sized, 766 { 767 } 768 769 type Tag = (); 770 771 // SAFETY: It is trivially sound to project any pointer to a pointer to 772 // a type of size zero and alignment 1 (which `()` is [1]). Such a 773 // pointer will trivially satisfy its aliasing and validity requirements 774 // (since it has a zero-sized referent), and its alignment requirement 775 // (since it is aligned to 1). 776 // 777 // [1] Per https://doc.rust-lang.org/1.92.0/reference/type-layout.html#r-layout.tuple.unit: 778 // 779 // [T]he unit tuple (`()`)... is guaranteed as a zero-sized type to 780 // have a size of 0 and an alignment of 1. 781 type ProjectToTag = crate::pointer::cast::CastToUnit; 782 } 783 784 // SAFETY: `ManuallyDrop<T>` has a field of type `T` at offset `0` without 785 // any safety invariants beyond those of `T`. Its existence is not 786 // explicitly documented, but it can be inferred; per [1] `ManuallyDrop<T>` 787 // has the same size and bit validity as `T`. This field is not literally 788 // public, but is effectively so; the field can be transparently: 789 // 790 // - initialized via `ManuallyDrop::new` 791 // - moved via `ManuallyDrop::into_inner` 792 // - referenced via `ManuallyDrop::deref` 793 // - exclusively referenced via `ManuallyDrop::deref_mut` 794 // 795 // We call this field `value`, both because that is both the name of this 796 // private field, and because it is the name it is referred to in the public 797 // documentation of `ManuallyDrop::new`, `ManuallyDrop::into_inner`, 798 // `ManuallyDrop::take` and `ManuallyDrop::drop`. 799 unsafe impl<T: ?Sized> 800 HasField<value, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!(value) }> 801 for ManuallyDrop<T> 802 { 803 #[inline] 804 fn only_derive_is_allowed_to_implement_this_trait() 805 where 806 Self: Sized, 807 { 808 } 809 810 type Type = T; 811 812 #[inline(always)] 813 fn project(slf: PtrInner<'_, Self>) -> *mut T { 814 // SAFETY: `ManuallyDrop<T>` has the same layout and bit validity as 815 // `T` [1]. 816 // 817 // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html: 818 // 819 // `ManuallyDrop<T>` is guaranteed to have the same layout and bit 820 // validity as `T` 821 #[allow(clippy::as_conversions)] 822 return slf.as_ptr() as *mut T; 823 } 824 } 825 }; 826 827 impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for Cell<T>[T]); 828 impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for Cell<T>[T]); 829 impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for Cell<T>[T]); 830 impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for Cell<T>[T]); 831 // SAFETY: `Cell<T>` has the same in-memory representation as `T` [1], and thus 832 // has the same alignment as `T`. 833 // 834 // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.Cell.html#memory-layout: 835 // 836 // `Cell<T>` has the same in-memory representation as its inner type `T`. 837 const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for Cell<T>) }; 838 839 impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[T]); 840 impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[T]); 841 impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[T]); 842 // SAFETY: `UnsafeCell<T>` has the same in-memory representation as `T` [1], and 843 // thus has the same alignment as `T`. 844 // 845 // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout: 846 // 847 // `UnsafeCell<T>` has the same in-memory representation as its inner type 848 // `T`. 849 const _: () = unsafe { unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>) }; 850 assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>); 851 852 // SAFETY: See safety comment in `is_bit_valid` impl. 853 unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> { 854 #[allow(clippy::missing_inline_in_public_items)] 855 fn only_derive_is_allowed_to_implement_this_trait() 856 where 857 Self: Sized, 858 { 859 } 860 861 #[inline(always)] 862 fn is_bit_valid<A>(candidate: Maybe<'_, Self, A>) -> bool 863 where 864 A: invariant::Alignment, 865 { 866 T::is_bit_valid(candidate.transmute::<_, _, BecauseImmutable>()) 867 } 868 } 869 870 // SAFETY: Per the reference [1]: 871 // 872 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the same 873 // alignment of `T`. Arrays are laid out so that the zero-based `nth` element 874 // of the array is offset from the start of the array by `n * size_of::<T>()` 875 // bytes. 876 // 877 // ... 878 // 879 // Slices have the same layout as the section of the array they slice. 880 // 881 // In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s laid 882 // out back-to-back with no bytes in between. Therefore, `[T]` or `[T; N]` are 883 // `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, and `IntoBytes` if `T` 884 // is (respectively). Furthermore, since an array/slice has "the same alignment 885 // of `T`", `[T]` and `[T; N]` are `Unaligned` if `T` is. 886 // 887 // Note that we don't `assert_unaligned!` for slice types because 888 // `assert_unaligned!` uses `align_of`, which only works for `Sized` types. 889 // 890 // [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout 891 #[allow(clippy::multiple_unsafe_ops_per_block)] 892 const _: () = unsafe { 893 unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]); 894 unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; |c| { 895 let c: Ptr<'_, [ReadOnly<T>; N], _> = c.cast::<_, crate::pointer::cast::CastSized, _>(); 896 let c: Ptr<'_, [ReadOnly<T>], _> = c.as_slice(); 897 let c: Ptr<'_, ReadOnly<[T]>, _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>(); 898 899 // Note that this call may panic, but it would still be sound even if it 900 // did. `is_bit_valid` does not promise that it will not panic (in fact, 901 // it explicitly warns that it's a possibility), and we have not 902 // violated any safety invariants that we must fix before returning. 903 <[T] as TryFromBytes>::is_bit_valid(c) 904 }); 905 unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]); 906 unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]); 907 unsafe_impl!(const N: usize, T: IntoBytes => IntoBytes for [T; N]); 908 unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]); 909 assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]); 910 unsafe_impl!(T: Immutable => Immutable for [T]); 911 unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; |c| { 912 let c: Ptr<'_, [ReadOnly<T>], _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>(); 913 914 // SAFETY: Per the reference [1]: 915 // 916 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the 917 // same alignment of `T`. Arrays are laid out so that the zero-based 918 // `nth` element of the array is offset from the start of the array by 919 // `n * size_of::<T>()` bytes. 920 // 921 // ... 922 // 923 // Slices have the same layout as the section of the array they slice. 924 // 925 // In other words, the layout of a `[T] is a sequence of `T`s laid out 926 // back-to-back with no bytes in between. If all elements in `candidate` 927 // are `is_bit_valid`, so too is `candidate`. 928 // 929 // Note that any of the below calls may panic, but it would still be 930 // sound even if it did. `is_bit_valid` does not promise that it will 931 // not panic (in fact, it explicitly warns that it's a possibility), and 932 // we have not violated any safety invariants that we must fix before 933 // returning. 934 c.iter().all(<T as TryFromBytes>::is_bit_valid) 935 }); 936 unsafe_impl!(T: FromZeros => FromZeros for [T]); 937 unsafe_impl!(T: FromBytes => FromBytes for [T]); 938 unsafe_impl!(T: IntoBytes => IntoBytes for [T]); 939 unsafe_impl!(T: Unaligned => Unaligned for [T]); 940 }; 941 942 // SAFETY: 943 // - `Immutable`: Raw pointers do not contain any `UnsafeCell`s. 944 // - `FromZeros`: For thin pointers (note that `T: Sized`), the zero pointer is 945 // considered "null". [1] No operations which require provenance are legal on 946 // null pointers, so this is not a footgun. 947 // - `TryFromBytes`: By the same reasoning as for `FromZeroes`, we can implement 948 // `TryFromBytes` for thin pointers provided that 949 // [`TryFromByte::is_bit_valid`] only produces `true` for zeroed bytes. 950 // 951 // NOTE(#170): Implementing `FromBytes` and `IntoBytes` for raw pointers would 952 // be sound, but carries provenance footguns. We want to support `FromBytes` and 953 // `IntoBytes` for raw pointers eventually, but we are holding off until we can 954 // figure out how to address those footguns. 955 // 956 // [1] Per https://doc.rust-lang.org/1.81.0/std/ptr/fn.null.html: 957 // 958 // Creates a null raw pointer. 959 // 960 // This function is equivalent to zero-initializing the pointer: 961 // `MaybeUninit::<*const T>::zeroed().assume_init()`. 962 // 963 // The resulting pointer has the address 0. 964 #[allow(clippy::multiple_unsafe_ops_per_block)] 965 const _: () = unsafe { 966 unsafe_impl!(T: ?Sized => Immutable for *const T); 967 unsafe_impl!(T: ?Sized => Immutable for *mut T); 968 unsafe_impl!(T => TryFromBytes for *const T; |c| pointer::is_zeroed(c)); 969 unsafe_impl!(T => FromZeros for *const T); 970 unsafe_impl!(T => TryFromBytes for *mut T; |c| pointer::is_zeroed(c)); 971 unsafe_impl!(T => FromZeros for *mut T); 972 }; 973 974 // SAFETY: `NonNull<T>` self-evidently does not contain `UnsafeCell`s. This is 975 // not a proof, but we are accepting this as a known risk per #1358. 976 const _: () = unsafe { unsafe_impl!(T: ?Sized => Immutable for NonNull<T>) }; 977 978 // SAFETY: Reference types do not contain any `UnsafeCell`s. 979 #[allow(clippy::multiple_unsafe_ops_per_block)] 980 const _: () = unsafe { 981 unsafe_impl!(T: ?Sized => Immutable for &'_ T); 982 unsafe_impl!(T: ?Sized => Immutable for &'_ mut T); 983 }; 984 985 // SAFETY: `Option` is not `#[non_exhaustive]` [1], which means that the types 986 // in its variants cannot change, and no new variants can be added. `Option<T>` 987 // does not contain any `UnsafeCell`s outside of `T`. [1] 988 // 989 // [1] https://doc.rust-lang.org/core/option/enum.Option.html 990 const _: () = unsafe { unsafe_impl!(T: Immutable => Immutable for Option<T>) }; 991 992 mod tuples { 993 use super::*; 994 995 /// Generates various trait implementations for tuples. 996 /// 997 /// # Safety 998 /// 999 /// `impl_tuple!` should be provided name-number pairs, where each number is 1000 /// the ordinal of the preceding type name. 1001 macro_rules! impl_tuple { 1002 // Entry point. 1003 ($($T:ident $I:tt),+ $(,)?) => { 1004 crate::util::macros::__unsafe(); 1005 impl_tuple!(@all [] [$($T $I)+]); 1006 }; 1007 1008 // Build up the set of tuple types (i.e., `(A,)`, `(A, B)`, `(A, B, C)`, 1009 // etc.) Trait implementations that do not depend on field index may be 1010 // added to this branch. 1011 (@all [$($head_T:ident $head_I:tt)*] [$next_T:ident $next_I:tt $($tail:tt)*]) => { 1012 // SAFETY: If all fields of the tuple `Self` are `Immutable`, so too is `Self`. 1013 unsafe_impl!($($head_T: Immutable,)* $next_T: Immutable => Immutable for ($($head_T,)* $next_T,)); 1014 1015 // SAFETY: If all fields in `c` are `is_bit_valid`, so too is `c`. 1016 unsafe_impl!($($head_T: TryFromBytes,)* $next_T: TryFromBytes => TryFromBytes for ($($head_T,)* $next_T,); |c| { 1017 let mut c = c; 1018 $(TryFromBytes::is_bit_valid(into_inner!(c.reborrow().project::<_, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!($head_I) }>())) &&)* 1019 TryFromBytes::is_bit_valid(into_inner!(c.reborrow().project::<_, { crate::STRUCT_VARIANT_ID }, { crate::ident_id!($next_I) }>())) 1020 }); 1021 1022 // SAFETY: If all fields in `Self` are `FromZeros`, so too is `Self`. 1023 unsafe_impl!($($head_T: FromZeros,)* $next_T: FromZeros => FromZeros for ($($head_T,)* $next_T,)); 1024 1025 // SAFETY: If all fields in `Self` are `FromBytes`, so too is `Self`. 1026 unsafe_impl!($($head_T: FromBytes,)* $next_T: FromBytes => FromBytes for ($($head_T,)* $next_T,)); 1027 1028 // SAFETY: See safety comment on `ProjectToTag`. 1029 unsafe impl<$($head_T,)* $next_T> crate::HasTag for ($($head_T,)* $next_T,) { 1030 #[inline] 1031 fn only_derive_is_allowed_to_implement_this_trait() 1032 where 1033 Self: Sized 1034 {} 1035 1036 type Tag = (); 1037 1038 // SAFETY: It is trivially sound to project any pointer to a 1039 // pointer to a type of size zero and alignment 1 (which `()` is 1040 // [1]). Such a pointer will trivially satisfy its aliasing and 1041 // validity requirements (since it has a zero-sized referent), 1042 // and its alignment requirement (since it is aligned to 1). 1043 // 1044 // [1] Per https://doc.rust-lang.org/1.92.0/reference/type-layout.html#r-layout.tuple.unit: 1045 // 1046 // [T]he unit tuple (`()`)... is guaranteed as a zero-sized 1047 // type to have a size of 0 and an alignment of 1. 1048 type ProjectToTag = crate::pointer::cast::CastToUnit; 1049 } 1050 1051 // Generate impls that depend on tuple index. 1052 impl_tuple!(@variants 1053 [$($head_T $head_I)* $next_T $next_I] 1054 [] 1055 [$($head_T $head_I)* $next_T $next_I] 1056 ); 1057 1058 // Recurse to next tuple size 1059 impl_tuple!(@all [$($head_T $head_I)* $next_T $next_I] [$($tail)*]); 1060 }; 1061 (@all [$($head_T:ident $head_I:tt)*] []) => {}; 1062 1063 // Emit trait implementations that depend on field index. 1064 (@variants 1065 // The full tuple definition in type–index pairs. 1066 [$($AllT:ident $AllI:tt)+] 1067 // Types before the current index. 1068 [$($BeforeT:ident)*] 1069 // The types and indices at and after the current index. 1070 [$CurrT:ident $CurrI:tt $($AfterT:ident $AfterI:tt)*] 1071 ) => { 1072 // SAFETY: 1073 // - `Self` is a struct (albeit anonymous), so `VARIANT_ID` is 1074 // `STRUCT_VARIANT_ID`. 1075 // - `$CurrI` is the field at index `$CurrI`, so `FIELD_ID` is 1076 // `zerocopy::ident_id!($CurrI)` 1077 // - `()` has the same visibility as the `.$CurrI` field (ie, `.0`, 1078 // `.1`, etc) 1079 // - `Type` has the same type as `$CurrI`; i.e., `$CurrT`. 1080 unsafe impl<$($AllT),+> crate::HasField< 1081 (), 1082 { crate::STRUCT_VARIANT_ID }, 1083 { crate::ident_id!($CurrI)} 1084 > for ($($AllT,)+) { 1085 #[inline] 1086 fn only_derive_is_allowed_to_implement_this_trait() 1087 where 1088 Self: Sized 1089 {} 1090 1091 type Type = $CurrT; 1092 1093 #[inline(always)] 1094 fn project(slf: crate::PtrInner<'_, Self>) -> *mut Self::Type { 1095 let slf = slf.as_non_null().as_ptr(); 1096 // SAFETY: `PtrInner` promises it references either a zero-sized 1097 // byte range, or else will reference a byte range that is 1098 // entirely contained within an allocated object. In either 1099 // case, this guarantees that `(*slf).$CurrI` is in-bounds of 1100 // `slf`. 1101 unsafe { core::ptr::addr_of_mut!((*slf).$CurrI) } 1102 } 1103 } 1104 1105 // SAFETY: See comments on items. 1106 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField< 1107 (), 1108 (Aliasing, Alignment, crate::invariant::Uninit), 1109 { crate::STRUCT_VARIANT_ID }, 1110 { crate::ident_id!($CurrI)} 1111 > for ($($AllT,)+) 1112 where 1113 Aliasing: crate::invariant::Aliasing, 1114 Alignment: crate::invariant::Alignment, 1115 { 1116 #[inline] 1117 fn only_derive_is_allowed_to_implement_this_trait() 1118 where 1119 Self: Sized 1120 {} 1121 1122 // SAFETY: Tuples are product types whose fields are 1123 // well-aligned, so projection preserves both the alignment and 1124 // validity invariants of the outer pointer. 1125 type Invariants = (Aliasing, Alignment, crate::invariant::Uninit); 1126 1127 // SAFETY: Tuples are product types and so projection is infallible; 1128 type Error = core::convert::Infallible; 1129 } 1130 1131 // SAFETY: See comments on items. 1132 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField< 1133 (), 1134 (Aliasing, Alignment, crate::invariant::Initialized), 1135 { crate::STRUCT_VARIANT_ID }, 1136 { crate::ident_id!($CurrI)} 1137 > for ($($AllT,)+) 1138 where 1139 Aliasing: crate::invariant::Aliasing, 1140 Alignment: crate::invariant::Alignment, 1141 { 1142 #[inline] 1143 fn only_derive_is_allowed_to_implement_this_trait() 1144 where 1145 Self: Sized 1146 {} 1147 1148 // SAFETY: Tuples are product types whose fields are 1149 // well-aligned, so projection preserves both the alignment and 1150 // validity invariants of the outer pointer. 1151 type Invariants = (Aliasing, Alignment, crate::invariant::Initialized); 1152 1153 // SAFETY: Tuples are product types and so projection is infallible; 1154 type Error = core::convert::Infallible; 1155 } 1156 1157 // SAFETY: See comments on items. 1158 unsafe impl<Aliasing, Alignment, $($AllT),+> crate::ProjectField< 1159 (), 1160 (Aliasing, Alignment, crate::invariant::Valid), 1161 { crate::STRUCT_VARIANT_ID }, 1162 { crate::ident_id!($CurrI)} 1163 > for ($($AllT,)+) 1164 where 1165 Aliasing: crate::invariant::Aliasing, 1166 Alignment: crate::invariant::Alignment, 1167 { 1168 #[inline] 1169 fn only_derive_is_allowed_to_implement_this_trait() 1170 where 1171 Self: Sized 1172 {} 1173 1174 // SAFETY: Tuples are product types whose fields are 1175 // well-aligned, so projection preserves both the alignment and 1176 // validity invariants of the outer pointer. 1177 type Invariants = (Aliasing, Alignment, crate::invariant::Valid); 1178 1179 // SAFETY: Tuples are product types and so projection is infallible; 1180 type Error = core::convert::Infallible; 1181 } 1182 1183 // Recurse to the next index. 1184 impl_tuple!(@variants [$($AllT $AllI)+] [$($BeforeT)* $CurrT] [$($AfterT $AfterI)*]); 1185 }; 1186 (@variants [$($AllT:ident $AllI:tt)+] [$($BeforeT:ident)*] []) => {}; 1187 } 1188 1189 // SAFETY: `impl_tuple` is provided name-number pairs, where number is the 1190 // ordinal of the name. 1191 #[allow(clippy::multiple_unsafe_ops_per_block)] 1192 const _: () = unsafe { 1193 impl_tuple! { 1194 A 0, 1195 B 1, 1196 C 2, 1197 D 3, 1198 E 4, 1199 F 5, 1200 G 6, 1201 H 7, 1202 I 8, 1203 J 9, 1204 K 10, 1205 L 11, 1206 M 12, 1207 N 13, 1208 O 14, 1209 P 15, 1210 Q 16, 1211 R 17, 1212 S 18, 1213 T 19, 1214 U 20, 1215 V 21, 1216 W 22, 1217 X 23, 1218 Y 24, 1219 Z 25, 1220 }; 1221 }; 1222 } 1223 1224 // SIMD support 1225 // 1226 // Per the Unsafe Code Guidelines Reference [1]: 1227 // 1228 // Packed SIMD vector types are `repr(simd)` homogeneous tuple-structs 1229 // containing `N` elements of type `T` where `N` is a power-of-two and the 1230 // size and alignment requirements of `T` are equal: 1231 // 1232 // ```rust 1233 // #[repr(simd)] 1234 // struct Vector<T, N>(T_0, ..., T_(N - 1)); 1235 // ``` 1236 // 1237 // ... 1238 // 1239 // The size of `Vector` is `N * size_of::<T>()` and its alignment is an 1240 // implementation-defined function of `T` and `N` greater than or equal to 1241 // `align_of::<T>()`. 1242 // 1243 // ... 1244 // 1245 // Vector elements are laid out in source field order, enabling random access 1246 // to vector elements by reinterpreting the vector as an array: 1247 // 1248 // ```rust 1249 // union U { 1250 // vec: Vector<T, N>, 1251 // arr: [T; N] 1252 // } 1253 // 1254 // assert_eq!(size_of::<Vector<T, N>>(), size_of::<[T; N]>()); 1255 // assert!(align_of::<Vector<T, N>>() >= align_of::<[T; N]>()); 1256 // 1257 // unsafe { 1258 // let u = U { vec: Vector<T, N>(t_0, ..., t_(N - 1)) }; 1259 // 1260 // assert_eq!(u.vec.0, u.arr[0]); 1261 // // ... 1262 // assert_eq!(u.vec.(N - 1), u.arr[N - 1]); 1263 // } 1264 // ``` 1265 // 1266 // Given this background, we can observe that: 1267 // - The size and bit pattern requirements of a SIMD type are equivalent to the 1268 // equivalent array type. Thus, for any SIMD type whose primitive `T` is 1269 // `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes`, that 1270 // SIMD type is also `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or 1271 // `IntoBytes` respectively. 1272 // - Since no upper bound is placed on the alignment, no SIMD type can be 1273 // guaranteed to be `Unaligned`. 1274 // 1275 // Also per [1]: 1276 // 1277 // This chapter represents the consensus from issue #38. The statements in 1278 // here are not (yet) "guaranteed" not to change until an RFC ratifies them. 1279 // 1280 // See issue #38 [2]. While this behavior is not technically guaranteed, the 1281 // likelihood that the behavior will change such that SIMD types are no longer 1282 // `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes` is next to zero, as 1283 // that would defeat the entire purpose of SIMD types. Nonetheless, we put this 1284 // behavior behind the `simd` Cargo feature, which requires consumers to opt 1285 // into this stability hazard. 1286 // 1287 // [1] https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html 1288 // [2] https://github.com/rust-lang/unsafe-code-guidelines/issues/38 1289 #[cfg(feature = "simd")] 1290 #[cfg_attr(doc_cfg, doc(cfg(feature = "simd")))] 1291 mod simd { 1292 /// Defines a module which implements `TryFromBytes`, `FromZeros`, 1293 /// `FromBytes`, and `IntoBytes` for a set of types from a module in 1294 /// `core::arch`. 1295 /// 1296 /// `$arch` is both the name of the defined module and the name of the 1297 /// module in `core::arch`, and `$typ` is the list of items from that module 1298 /// to implement `FromZeros`, `FromBytes`, and `IntoBytes` for. 1299 #[allow(unused_macros)] // `allow(unused_macros)` is needed because some 1300 // target/feature combinations don't emit any impls 1301 // and thus don't use this macro. 1302 macro_rules! simd_arch_mod { 1303 ($(#[cfg $cfg:tt])* $(#[cfg_attr $cfg_attr:tt])? $arch:ident, $mod:ident, $($typ:ident),*) => { 1304 $(#[cfg $cfg])* 1305 #[cfg_attr(doc_cfg, doc(cfg $($cfg)*))] 1306 $(#[cfg_attr $cfg_attr])? 1307 mod $mod { 1308 use core::arch::$arch::{$($typ),*}; 1309 1310 use crate::*; 1311 impl_known_layout!($($typ),*); 1312 // SAFETY: See comment on module definition for justification. 1313 #[allow(clippy::multiple_unsafe_ops_per_block)] 1314 const _: () = unsafe { 1315 $( unsafe_impl!($typ: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); )* 1316 }; 1317 } 1318 }; 1319 } 1320 1321 #[rustfmt::skip] 1322 const _: () = { 1323 simd_arch_mod!( 1324 #[cfg(target_arch = "x86")] 1325 x86, x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i 1326 ); 1327 #[cfg(not(no_zerocopy_simd_x86_avx12_1_89_0))] 1328 simd_arch_mod!( 1329 #[cfg(target_arch = "x86")] 1330 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.89.0")))] 1331 x86, x86_nightly, __m512bh, __m512, __m512d, __m512i 1332 ); 1333 simd_arch_mod!( 1334 #[cfg(target_arch = "x86_64")] 1335 x86_64, x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i 1336 ); 1337 #[cfg(not(no_zerocopy_simd_x86_avx12_1_89_0))] 1338 simd_arch_mod!( 1339 #[cfg(target_arch = "x86_64")] 1340 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.89.0")))] 1341 x86_64, x86_64_nightly, __m512bh, __m512, __m512d, __m512i 1342 ); 1343 simd_arch_mod!( 1344 #[cfg(target_arch = "wasm32")] 1345 wasm32, wasm32, v128 1346 ); 1347 simd_arch_mod!( 1348 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))] 1349 powerpc, powerpc, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long 1350 ); 1351 simd_arch_mod!( 1352 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))] 1353 powerpc64, powerpc64, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long 1354 ); 1355 // NOTE: NEON intrinsics were broken on big-endian platforms from their stabilization up to 1356 // Rust 1.87. (Context in https://github.com/rust-lang/stdarch/issues/1484). Support is 1357 // split in two different version ranges on top of the base configuration, requiring either 1358 // little endian or the more recent version to be detected as well. 1359 #[cfg(not(no_zerocopy_aarch64_simd_1_59_0))] 1360 simd_arch_mod!( 1361 #[cfg(all( 1362 target_arch = "aarch64", 1363 any( 1364 target_endian = "little", 1365 not(no_zerocopy_aarch64_simd_be_1_87_0) 1366 ) 1367 ))] 1368 #[cfg_attr( 1369 doc_cfg, 1370 doc(cfg(all(target_arch = "aarch64", any( 1371 all(rust = "1.59.0", target_endian = "little"), 1372 rust = "1.87.0", 1373 )))) 1374 )] 1375 aarch64, aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t, 1376 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t, 1377 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t, 1378 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t, 1379 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t, 1380 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x4x2_t, uint16x4x3_t, 1381 uint16x4x4_t, uint16x8_t, uint32x2_t, uint32x4_t, uint64x1_t, uint64x2_t 1382 ); 1383 }; 1384 } 1385 1386 #[cfg(test)] 1387 mod tests { 1388 use super::*; 1389 1390 #[test] 1391 fn test_impls() { 1392 // A type that can supply test cases for testing 1393 // `TryFromBytes::is_bit_valid`. All types passed to `assert_impls!` 1394 // must implement this trait; that macro uses it to generate runtime 1395 // tests for `TryFromBytes` impls. 1396 // 1397 // All `T: FromBytes` types are provided with a blanket impl. Other 1398 // types must implement `TryFromBytesTestable` directly (ie using 1399 // `impl_try_from_bytes_testable!`). 1400 trait TryFromBytesTestable { 1401 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F); 1402 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F); 1403 } 1404 1405 impl<T: FromBytes> TryFromBytesTestable for T { 1406 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F) { 1407 // Test with a zeroed value. 1408 f(ReadOnly::<Self>::new_box_zeroed().unwrap()); 1409 1410 let ffs = { 1411 let mut t = ReadOnly::new(Self::new_zeroed()); 1412 let ptr: *mut T = ReadOnly::as_mut(&mut t); 1413 // SAFETY: `T: FromBytes` 1414 unsafe { ptr::write_bytes(ptr.cast::<u8>(), 0xFF, mem::size_of::<T>()) }; 1415 t 1416 }; 1417 1418 // Test with a value initialized with 0xFF. 1419 f(Box::new(ffs)); 1420 } 1421 1422 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {} 1423 } 1424 1425 macro_rules! impl_try_from_bytes_testable_for_null_pointer_optimization { 1426 ($($tys:ty),*) => { 1427 $( 1428 impl TryFromBytesTestable for Option<$tys> { 1429 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(f: F) { 1430 // Test with a zeroed value. 1431 f(Box::new(ReadOnly::new(None))); 1432 } 1433 1434 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F) { 1435 for pos in 0..mem::size_of::<Self>() { 1436 let mut bytes = [0u8; mem::size_of::<Self>()]; 1437 bytes[pos] = 0x01; 1438 f(&mut bytes[..]); 1439 } 1440 } 1441 } 1442 )* 1443 }; 1444 } 1445 1446 // Implements `TryFromBytesTestable`. 1447 macro_rules! impl_try_from_bytes_testable { 1448 // Base case for recursion (when the list of types has run out). 1449 (=> @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {}; 1450 // Implements for type(s) with no type parameters. 1451 ($ty:ty $(,$tys:ty)* => @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => { 1452 impl TryFromBytesTestable for $ty { 1453 impl_try_from_bytes_testable!( 1454 @methods @success $($success_case),* 1455 $(, @failure $($failure_case),*)? 1456 ); 1457 } 1458 impl_try_from_bytes_testable!($($tys),* => @success $($success_case),* $(, @failure $($failure_case),*)?); 1459 }; 1460 // Implements for multiple types with no type parameters. 1461 ($($($ty:ty),* => @success $($success_case:expr), * $(, @failure $($failure_case:expr),*)?;)*) => { 1462 $( 1463 impl_try_from_bytes_testable!($($ty),* => @success $($success_case),* $(, @failure $($failure_case),*)*); 1464 )* 1465 }; 1466 // Implements only the methods; caller must invoke this from inside 1467 // an impl block. 1468 (@methods @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => { 1469 fn with_passing_test_cases<F: Fn(Box<ReadOnly<Self>>)>(_f: F) { 1470 $( 1471 let bx = Box::<Self>::from($success_case); 1472 let ro: Box<ReadOnly<_>> = { 1473 let raw = Box::into_raw(bx); 1474 // SAFETY: `ReadOnly<T>` has the same layout and bit 1475 // validity as `T`. 1476 #[allow(clippy::as_conversions)] 1477 unsafe { Box::from_raw(raw as *mut _) } 1478 }; 1479 _f(ro); 1480 )* 1481 } 1482 1483 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) { 1484 $($( 1485 let mut case = $failure_case; 1486 _f(case.as_mut_bytes()); 1487 )*)? 1488 } 1489 }; 1490 } 1491 1492 impl_try_from_bytes_testable_for_null_pointer_optimization!( 1493 Box<UnsafeCell<NotZerocopy>>, 1494 &'static UnsafeCell<NotZerocopy>, 1495 &'static mut UnsafeCell<NotZerocopy>, 1496 NonNull<UnsafeCell<NotZerocopy>>, 1497 fn(), 1498 FnManyArgs, 1499 extern "C" fn(), 1500 ECFnManyArgs 1501 ); 1502 1503 macro_rules! bx { 1504 ($e:expr) => { 1505 Box::new($e) 1506 }; 1507 } 1508 1509 // Note that these impls are only for types which are not `FromBytes`. 1510 // `FromBytes` types are covered by a preceding blanket impl. 1511 impl_try_from_bytes_testable!( 1512 bool => @success true, false, 1513 @failure 2u8, 3u8, 0xFFu8; 1514 char => @success '\u{0}', '\u{D7FF}', '\u{E000}', '\u{10FFFF}', 1515 @failure 0xD800u32, 0xDFFFu32, 0x110000u32; 1516 str => @success "", "hello", "❤️����������", 1517 @failure [0, 159, 146, 150]; 1518 [u8] => @success vec![].into_boxed_slice(), vec![0, 1, 2].into_boxed_slice(); 1519 NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32, 1520 NonZeroI32, NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128, 1521 NonZeroUsize, NonZeroIsize 1522 => @success Self::new(1).unwrap(), 1523 // Doing this instead of `0` ensures that we always satisfy 1524 // the size and alignment requirements of `Self` (whereas `0` 1525 // may be any integer type with a different size or alignment 1526 // than some `NonZeroXxx` types). 1527 @failure Option::<Self>::None; 1528 [bool; 0] => @success []; 1529 [bool; 1] 1530 => @success [true], [false], 1531 @failure [2u8], [3u8], [0xFFu8]; 1532 [bool] 1533 => @success vec![true, false].into_boxed_slice(), vec![false, true].into_boxed_slice(), 1534 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8]; 1535 Unalign<bool> 1536 => @success Unalign::new(false), Unalign::new(true), 1537 @failure 2u8, 0xFFu8; 1538 ManuallyDrop<bool> 1539 => @success ManuallyDrop::new(false), ManuallyDrop::new(true), 1540 @failure 2u8, 0xFFu8; 1541 ManuallyDrop<[u8]> 1542 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([0u8])), bx!(ManuallyDrop::new([0u8, 1u8])); 1543 ManuallyDrop<[bool]> 1544 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([false])), bx!(ManuallyDrop::new([false, true])), 1545 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8]; 1546 ManuallyDrop<[UnsafeCell<u8>]> 1547 => @success bx!(ManuallyDrop::new([UnsafeCell::new(0)])), bx!(ManuallyDrop::new([UnsafeCell::new(0), UnsafeCell::new(1)])); 1548 ManuallyDrop<[UnsafeCell<bool>]> 1549 => @success bx!(ManuallyDrop::new([UnsafeCell::new(false)])), bx!(ManuallyDrop::new([UnsafeCell::new(false), UnsafeCell::new(true)])), 1550 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8]; 1551 Wrapping<bool> 1552 => @success Wrapping(false), Wrapping(true), 1553 @failure 2u8, 0xFFu8; 1554 *const NotZerocopy 1555 => @success ptr::null::<NotZerocopy>(), 1556 @failure [0x01; mem::size_of::<*const NotZerocopy>()]; 1557 *mut NotZerocopy 1558 => @success ptr::null_mut::<NotZerocopy>(), 1559 @failure [0x01; mem::size_of::<*mut NotZerocopy>()]; 1560 ); 1561 1562 // Use the trick described in [1] to allow us to call methods 1563 // conditional on certain trait bounds. 1564 // 1565 // In all of these cases, methods return `Option<R>`, where `R` is the 1566 // return type of the method we're conditionally calling. The "real" 1567 // implementations (the ones defined in traits using `&self`) return 1568 // `Some`, and the default implementations (the ones defined as inherent 1569 // methods using `&mut self`) return `None`. 1570 // 1571 // [1] https://github.com/dtolnay/case-studies/blob/master/autoref-specialization/README.md 1572 mod autoref_trick { 1573 use super::*; 1574 1575 pub(super) struct AutorefWrapper<T: ?Sized>(pub(super) PhantomData<T>); 1576 1577 pub(super) trait TestIsBitValidShared<T: ?Sized> { 1578 #[allow(clippy::needless_lifetimes)] 1579 fn test_is_bit_valid_shared<'ptr>(&self, candidate: Maybe<'ptr, T>) 1580 -> Option<bool>; 1581 } 1582 1583 impl<T: TryFromBytes + Immutable + ?Sized> TestIsBitValidShared<T> for AutorefWrapper<T> { 1584 #[allow(clippy::needless_lifetimes)] 1585 fn test_is_bit_valid_shared<'ptr>( 1586 &self, 1587 candidate: Maybe<'ptr, T>, 1588 ) -> Option<bool> { 1589 Some(T::is_bit_valid(candidate)) 1590 } 1591 } 1592 1593 pub(super) trait TestTryFromRef<T: ?Sized> { 1594 #[allow(clippy::needless_lifetimes)] 1595 fn test_try_from_ref<'bytes>( 1596 &self, 1597 bytes: &'bytes [u8], 1598 ) -> Option<Option<&'bytes T>>; 1599 } 1600 1601 impl<T: TryFromBytes + Immutable + KnownLayout + ?Sized> TestTryFromRef<T> for AutorefWrapper<T> { 1602 #[allow(clippy::needless_lifetimes)] 1603 fn test_try_from_ref<'bytes>( 1604 &self, 1605 bytes: &'bytes [u8], 1606 ) -> Option<Option<&'bytes T>> { 1607 Some(T::try_ref_from_bytes(bytes).ok()) 1608 } 1609 } 1610 1611 pub(super) trait TestTryFromMut<T: ?Sized> { 1612 #[allow(clippy::needless_lifetimes)] 1613 fn test_try_from_mut<'bytes>( 1614 &self, 1615 bytes: &'bytes mut [u8], 1616 ) -> Option<Option<&'bytes mut T>>; 1617 } 1618 1619 impl<T: TryFromBytes + IntoBytes + KnownLayout + ?Sized> TestTryFromMut<T> for AutorefWrapper<T> { 1620 #[allow(clippy::needless_lifetimes)] 1621 fn test_try_from_mut<'bytes>( 1622 &self, 1623 bytes: &'bytes mut [u8], 1624 ) -> Option<Option<&'bytes mut T>> { 1625 Some(T::try_mut_from_bytes(bytes).ok()) 1626 } 1627 } 1628 1629 pub(super) trait TestTryReadFrom<T> { 1630 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>>; 1631 } 1632 1633 impl<T: TryFromBytes> TestTryReadFrom<T> for AutorefWrapper<T> { 1634 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>> { 1635 Some(T::try_read_from_bytes(bytes).ok()) 1636 } 1637 } 1638 1639 pub(super) trait TestAsBytes<T: ?Sized> { 1640 #[allow(clippy::needless_lifetimes)] 1641 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t ReadOnly<T>) -> Option<&'t [u8]>; 1642 } 1643 1644 impl<T: IntoBytes + Immutable + ?Sized> TestAsBytes<T> for AutorefWrapper<T> { 1645 #[allow(clippy::needless_lifetimes)] 1646 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t ReadOnly<T>) -> Option<&'t [u8]> { 1647 Some(t.as_bytes()) 1648 } 1649 } 1650 } 1651 1652 use autoref_trick::*; 1653 1654 // Asserts that `$ty` is one of a list of types which are allowed to not 1655 // provide a "real" implementation for `$fn_name`. Since the 1656 // `autoref_trick` machinery fails silently, this allows us to ensure 1657 // that the "default" impls are only being used for types which we 1658 // expect. 1659 // 1660 // Note that, since this is a runtime test, it is possible to have an 1661 // allowlist which is too restrictive if the function in question is 1662 // never called for a particular type. For example, if `as_bytes` is not 1663 // supported for a particular type, and so `test_as_bytes` returns 1664 // `None`, methods such as `test_try_from_ref` may never be called for 1665 // that type. As a result, it's possible that, for example, adding 1666 // `as_bytes` support for a type would cause other allowlist assertions 1667 // to fail. This means that allowlist assertion failures should not 1668 // automatically be taken as a sign of a bug. 1669 macro_rules! assert_on_allowlist { 1670 ($fn_name:ident($ty:ty) $(: $($tys:ty),*)?) => {{ 1671 use core::any::TypeId; 1672 1673 let allowlist: &[TypeId] = &[ $($(TypeId::of::<$tys>()),*)? ]; 1674 let allowlist_names: &[&str] = &[ $($(stringify!($tys)),*)? ]; 1675 1676 let id = TypeId::of::<$ty>(); 1677 assert!(allowlist.contains(&id), "{} is not on allowlist for {}: {:?}", stringify!($ty), stringify!($fn_name), allowlist_names); 1678 }}; 1679 } 1680 1681 // Asserts that `$ty` implements any `$trait` and doesn't implement any 1682 // `!$trait`. Note that all `$trait`s must come before any `!$trait`s. 1683 // 1684 // For `T: TryFromBytes`, uses `TryFromBytesTestable` to test success 1685 // and failure cases. 1686 macro_rules! assert_impls { 1687 ($ty:ty: TryFromBytes) => { 1688 // "Default" implementations that match the "real" 1689 // implementations defined in the `autoref_trick` module above. 1690 #[allow(unused, non_local_definitions)] 1691 impl AutorefWrapper<$ty> { 1692 #[allow(clippy::needless_lifetimes)] 1693 fn test_is_bit_valid_shared<'ptr>( 1694 &mut self, 1695 candidate: Maybe<'ptr, $ty>, 1696 ) -> Option<bool> { 1697 assert_on_allowlist!( 1698 test_is_bit_valid_shared($ty): 1699 ManuallyDrop<UnsafeCell<()>>, 1700 ManuallyDrop<[UnsafeCell<u8>]>, 1701 ManuallyDrop<[UnsafeCell<bool>]>, 1702 CoreMaybeUninit<NotZerocopy>, 1703 CoreMaybeUninit<UnsafeCell<()>>, 1704 Wrapping<UnsafeCell<()>> 1705 ); 1706 1707 None 1708 } 1709 1710 #[allow(clippy::needless_lifetimes)] 1711 fn test_try_from_ref<'bytes>(&mut self, _bytes: &'bytes [u8]) -> Option<Option<&'bytes $ty>> { 1712 assert_on_allowlist!( 1713 test_try_from_ref($ty): 1714 ManuallyDrop<[UnsafeCell<bool>]> 1715 ); 1716 1717 None 1718 } 1719 1720 #[allow(clippy::needless_lifetimes)] 1721 fn test_try_from_mut<'bytes>(&mut self, _bytes: &'bytes mut [u8]) -> Option<Option<&'bytes mut $ty>> { 1722 assert_on_allowlist!( 1723 test_try_from_mut($ty): 1724 Option<Box<UnsafeCell<NotZerocopy>>>, 1725 Option<&'static UnsafeCell<NotZerocopy>>, 1726 Option<&'static mut UnsafeCell<NotZerocopy>>, 1727 Option<NonNull<UnsafeCell<NotZerocopy>>>, 1728 Option<fn()>, 1729 Option<FnManyArgs>, 1730 Option<extern "C" fn()>, 1731 Option<ECFnManyArgs>, 1732 *const NotZerocopy, 1733 *mut NotZerocopy 1734 ); 1735 1736 None 1737 } 1738 1739 fn test_try_read_from(&mut self, _bytes: &[u8]) -> Option<Option<&$ty>> { 1740 assert_on_allowlist!( 1741 test_try_read_from($ty): 1742 str, 1743 ManuallyDrop<[u8]>, 1744 ManuallyDrop<[bool]>, 1745 ManuallyDrop<[UnsafeCell<bool>]>, 1746 [u8], 1747 [bool] 1748 ); 1749 1750 None 1751 } 1752 1753 fn test_as_bytes(&mut self, _t: &ReadOnly<$ty>) -> Option<&[u8]> { 1754 assert_on_allowlist!( 1755 test_as_bytes($ty): 1756 Option<&'static UnsafeCell<NotZerocopy>>, 1757 Option<&'static mut UnsafeCell<NotZerocopy>>, 1758 Option<NonNull<UnsafeCell<NotZerocopy>>>, 1759 Option<Box<UnsafeCell<NotZerocopy>>>, 1760 Option<fn()>, 1761 Option<FnManyArgs>, 1762 Option<extern "C" fn()>, 1763 Option<ECFnManyArgs>, 1764 CoreMaybeUninit<u8>, 1765 CoreMaybeUninit<NotZerocopy>, 1766 CoreMaybeUninit<UnsafeCell<()>>, 1767 ManuallyDrop<UnsafeCell<()>>, 1768 ManuallyDrop<[UnsafeCell<u8>]>, 1769 ManuallyDrop<[UnsafeCell<bool>]>, 1770 Wrapping<UnsafeCell<()>>, 1771 *const NotZerocopy, 1772 *mut NotZerocopy 1773 ); 1774 1775 None 1776 } 1777 } 1778 1779 <$ty as TryFromBytesTestable>::with_passing_test_cases(|mut val| { 1780 // FIXME(#494): These tests only get exercised for types 1781 // which are `IntoBytes`. Once we implement #494, we should 1782 // be able to support non-`IntoBytes` types by zeroing 1783 // padding. 1784 1785 // We define `w` and `ww` since, in the case of the inherent 1786 // methods, Rust thinks they're both borrowed mutably at the 1787 // same time (given how we use them below). If we just 1788 // defined a single `w` and used it for multiple operations, 1789 // this would conflict. 1790 // 1791 // We `#[allow(unused_mut]` for the cases where the "real" 1792 // impls are used, which take `&self`. 1793 #[allow(unused_mut)] 1794 let (mut w, mut ww) = (AutorefWrapper::<$ty>(PhantomData), AutorefWrapper::<$ty>(PhantomData)); 1795 1796 let c = Ptr::from_ref(&*val); 1797 let c = c.forget_aligned(); 1798 // SAFETY: FIXME(#899): This is unsound. `$ty` is not 1799 // necessarily `IntoBytes`, but that's the corner we've 1800 // backed ourselves into by using `Ptr::from_ref`. 1801 let c = unsafe { c.assume_initialized() }; 1802 let res = w.test_is_bit_valid_shared(c); 1803 if let Some(res) = res { 1804 assert!(res, "{}::is_bit_valid (shared `Ptr`): got false, expected true", stringify!($ty)); 1805 } 1806 1807 let c = Ptr::from_mut(&mut *val); 1808 let c = c.forget_aligned(); 1809 // SAFETY: FIXME(#899): This is unsound. `$ty` is not 1810 // necessarily `IntoBytes`, but that's the corner we've 1811 // backed ourselves into by using `Ptr::from_ref`. 1812 let mut c = unsafe { c.assume_initialized() }; 1813 let res = <$ty as TryFromBytes>::is_bit_valid(c.reborrow_shared()); 1814 assert!(res, "{}::is_bit_valid (exclusive `Ptr`): got false, expected true", stringify!($ty)); 1815 1816 // `bytes` is `Some(val.as_bytes())` if `$ty: IntoBytes + 1817 // Immutable` and `None` otherwise. 1818 let bytes = w.test_as_bytes(&*val); 1819 1820 // The inner closure returns 1821 // `Some($ty::try_ref_from_bytes(bytes))` if `$ty: 1822 // Immutable` and `None` otherwise. 1823 let res = bytes.and_then(|bytes| ww.test_try_from_ref(bytes)); 1824 if let Some(res) = res { 1825 assert!(res.is_some(), "{}::try_ref_from_bytes: got `None`, expected `Some`", stringify!($ty)); 1826 } 1827 1828 if let Some(bytes) = bytes { 1829 // We need to get a mutable byte slice, and so we clone 1830 // into a `Vec`. However, we also need these bytes to 1831 // satisfy `$ty`'s alignment requirement, which isn't 1832 // guaranteed for `Vec<u8>`. In order to get around 1833 // this, we create a `Vec` which is twice as long as we 1834 // need. There is guaranteed to be an aligned byte range 1835 // of size `size_of_val(val)` within that range. 1836 let val = &*val; 1837 let size = mem::size_of_val(val); 1838 let align = mem::align_of_val(val); 1839 1840 let mut vec = bytes.to_vec(); 1841 vec.extend(bytes); 1842 let slc = vec.as_slice(); 1843 let offset = slc.as_ptr().align_offset(align); 1844 let bytes_mut = &mut vec.as_mut_slice()[offset..offset+size]; 1845 bytes_mut.copy_from_slice(bytes); 1846 1847 let res = ww.test_try_from_mut(bytes_mut); 1848 if let Some(res) = res { 1849 assert!(res.is_some(), "{}::try_mut_from_bytes: got `None`, expected `Some`", stringify!($ty)); 1850 } 1851 } 1852 1853 let res = bytes.and_then(|bytes| ww.test_try_read_from(bytes)); 1854 if let Some(res) = res { 1855 assert!(res.is_some(), "{}::try_read_from_bytes: got `None`, expected `Some`", stringify!($ty)); 1856 } 1857 }); 1858 #[allow(clippy::as_conversions)] 1859 <$ty as TryFromBytesTestable>::with_failing_test_cases(|c| { 1860 #[allow(unused_mut)] // For cases where the "real" impls are used, which take `&self`. 1861 let mut w = AutorefWrapper::<$ty>(PhantomData); 1862 1863 // This is `Some($ty::try_ref_from_bytes(c))` if `$ty: 1864 // Immutable` and `None` otherwise. 1865 let res = w.test_try_from_ref(c); 1866 if let Some(res) = res { 1867 assert!(res.is_none(), "{}::try_ref_from_bytes({:?}): got Some, expected None", stringify!($ty), c); 1868 } 1869 1870 let res = w.test_try_from_mut(c); 1871 if let Some(res) = res { 1872 assert!(res.is_none(), "{}::try_mut_from_bytes({:?}): got Some, expected None", stringify!($ty), c); 1873 } 1874 1875 1876 let res = w.test_try_read_from(c); 1877 if let Some(res) = res { 1878 assert!(res.is_none(), "{}::try_read_from_bytes({:?}): got Some, expected None", stringify!($ty), c); 1879 } 1880 }); 1881 1882 #[allow(dead_code)] 1883 const _: () = { static_assertions::assert_impl_all!($ty: TryFromBytes); }; 1884 }; 1885 ($ty:ty: $trait:ident) => { 1886 #[allow(dead_code)] 1887 const _: () = { static_assertions::assert_impl_all!($ty: $trait); }; 1888 }; 1889 ($ty:ty: !$trait:ident) => { 1890 #[allow(dead_code)] 1891 const _: () = { static_assertions::assert_not_impl_any!($ty: $trait); }; 1892 }; 1893 ($ty:ty: $($trait:ident),* $(,)? $(!$negative_trait:ident),*) => { 1894 $( 1895 assert_impls!($ty: $trait); 1896 )* 1897 1898 $( 1899 assert_impls!($ty: !$negative_trait); 1900 )* 1901 }; 1902 } 1903 1904 // NOTE: The negative impl assertions here are not necessarily 1905 // prescriptive. They merely serve as change detectors to make sure 1906 // we're aware of what trait impls are getting added with a given 1907 // change. Of course, some impls would be invalid (e.g., `bool: 1908 // FromBytes`), and so this change detection is very important. 1909 1910 assert_impls!( 1911 (): KnownLayout, 1912 Immutable, 1913 TryFromBytes, 1914 FromZeros, 1915 FromBytes, 1916 IntoBytes, 1917 Unaligned 1918 ); 1919 assert_impls!( 1920 u8: KnownLayout, 1921 Immutable, 1922 TryFromBytes, 1923 FromZeros, 1924 FromBytes, 1925 IntoBytes, 1926 Unaligned 1927 ); 1928 assert_impls!( 1929 i8: KnownLayout, 1930 Immutable, 1931 TryFromBytes, 1932 FromZeros, 1933 FromBytes, 1934 IntoBytes, 1935 Unaligned 1936 ); 1937 assert_impls!( 1938 u16: KnownLayout, 1939 Immutable, 1940 TryFromBytes, 1941 FromZeros, 1942 FromBytes, 1943 IntoBytes, 1944 !Unaligned 1945 ); 1946 assert_impls!( 1947 i16: KnownLayout, 1948 Immutable, 1949 TryFromBytes, 1950 FromZeros, 1951 FromBytes, 1952 IntoBytes, 1953 !Unaligned 1954 ); 1955 assert_impls!( 1956 u32: KnownLayout, 1957 Immutable, 1958 TryFromBytes, 1959 FromZeros, 1960 FromBytes, 1961 IntoBytes, 1962 !Unaligned 1963 ); 1964 assert_impls!( 1965 i32: KnownLayout, 1966 Immutable, 1967 TryFromBytes, 1968 FromZeros, 1969 FromBytes, 1970 IntoBytes, 1971 !Unaligned 1972 ); 1973 assert_impls!( 1974 u64: KnownLayout, 1975 Immutable, 1976 TryFromBytes, 1977 FromZeros, 1978 FromBytes, 1979 IntoBytes, 1980 !Unaligned 1981 ); 1982 assert_impls!( 1983 i64: KnownLayout, 1984 Immutable, 1985 TryFromBytes, 1986 FromZeros, 1987 FromBytes, 1988 IntoBytes, 1989 !Unaligned 1990 ); 1991 assert_impls!( 1992 u128: KnownLayout, 1993 Immutable, 1994 TryFromBytes, 1995 FromZeros, 1996 FromBytes, 1997 IntoBytes, 1998 !Unaligned 1999 ); 2000 assert_impls!( 2001 i128: KnownLayout, 2002 Immutable, 2003 TryFromBytes, 2004 FromZeros, 2005 FromBytes, 2006 IntoBytes, 2007 !Unaligned 2008 ); 2009 assert_impls!( 2010 usize: KnownLayout, 2011 Immutable, 2012 TryFromBytes, 2013 FromZeros, 2014 FromBytes, 2015 IntoBytes, 2016 !Unaligned 2017 ); 2018 assert_impls!( 2019 isize: KnownLayout, 2020 Immutable, 2021 TryFromBytes, 2022 FromZeros, 2023 FromBytes, 2024 IntoBytes, 2025 !Unaligned 2026 ); 2027 #[cfg(feature = "float-nightly")] 2028 assert_impls!( 2029 f16: KnownLayout, 2030 Immutable, 2031 TryFromBytes, 2032 FromZeros, 2033 FromBytes, 2034 IntoBytes, 2035 !Unaligned 2036 ); 2037 assert_impls!( 2038 f32: KnownLayout, 2039 Immutable, 2040 TryFromBytes, 2041 FromZeros, 2042 FromBytes, 2043 IntoBytes, 2044 !Unaligned 2045 ); 2046 assert_impls!( 2047 f64: KnownLayout, 2048 Immutable, 2049 TryFromBytes, 2050 FromZeros, 2051 FromBytes, 2052 IntoBytes, 2053 !Unaligned 2054 ); 2055 #[cfg(feature = "float-nightly")] 2056 assert_impls!( 2057 f128: KnownLayout, 2058 Immutable, 2059 TryFromBytes, 2060 FromZeros, 2061 FromBytes, 2062 IntoBytes, 2063 !Unaligned 2064 ); 2065 assert_impls!( 2066 bool: KnownLayout, 2067 Immutable, 2068 TryFromBytes, 2069 FromZeros, 2070 IntoBytes, 2071 Unaligned, 2072 !FromBytes 2073 ); 2074 assert_impls!( 2075 char: KnownLayout, 2076 Immutable, 2077 TryFromBytes, 2078 FromZeros, 2079 IntoBytes, 2080 !FromBytes, 2081 !Unaligned 2082 ); 2083 assert_impls!( 2084 str: KnownLayout, 2085 Immutable, 2086 TryFromBytes, 2087 FromZeros, 2088 IntoBytes, 2089 Unaligned, 2090 !FromBytes 2091 ); 2092 2093 assert_impls!( 2094 NonZeroU8: KnownLayout, 2095 Immutable, 2096 TryFromBytes, 2097 IntoBytes, 2098 Unaligned, 2099 !FromZeros, 2100 !FromBytes 2101 ); 2102 assert_impls!( 2103 NonZeroI8: KnownLayout, 2104 Immutable, 2105 TryFromBytes, 2106 IntoBytes, 2107 Unaligned, 2108 !FromZeros, 2109 !FromBytes 2110 ); 2111 assert_impls!( 2112 NonZeroU16: KnownLayout, 2113 Immutable, 2114 TryFromBytes, 2115 IntoBytes, 2116 !FromBytes, 2117 !Unaligned 2118 ); 2119 assert_impls!( 2120 NonZeroI16: KnownLayout, 2121 Immutable, 2122 TryFromBytes, 2123 IntoBytes, 2124 !FromBytes, 2125 !Unaligned 2126 ); 2127 assert_impls!( 2128 NonZeroU32: KnownLayout, 2129 Immutable, 2130 TryFromBytes, 2131 IntoBytes, 2132 !FromBytes, 2133 !Unaligned 2134 ); 2135 assert_impls!( 2136 NonZeroI32: KnownLayout, 2137 Immutable, 2138 TryFromBytes, 2139 IntoBytes, 2140 !FromBytes, 2141 !Unaligned 2142 ); 2143 assert_impls!( 2144 NonZeroU64: KnownLayout, 2145 Immutable, 2146 TryFromBytes, 2147 IntoBytes, 2148 !FromBytes, 2149 !Unaligned 2150 ); 2151 assert_impls!( 2152 NonZeroI64: KnownLayout, 2153 Immutable, 2154 TryFromBytes, 2155 IntoBytes, 2156 !FromBytes, 2157 !Unaligned 2158 ); 2159 assert_impls!( 2160 NonZeroU128: KnownLayout, 2161 Immutable, 2162 TryFromBytes, 2163 IntoBytes, 2164 !FromBytes, 2165 !Unaligned 2166 ); 2167 assert_impls!( 2168 NonZeroI128: KnownLayout, 2169 Immutable, 2170 TryFromBytes, 2171 IntoBytes, 2172 !FromBytes, 2173 !Unaligned 2174 ); 2175 assert_impls!( 2176 NonZeroUsize: KnownLayout, 2177 Immutable, 2178 TryFromBytes, 2179 IntoBytes, 2180 !FromBytes, 2181 !Unaligned 2182 ); 2183 assert_impls!( 2184 NonZeroIsize: KnownLayout, 2185 Immutable, 2186 TryFromBytes, 2187 IntoBytes, 2188 !FromBytes, 2189 !Unaligned 2190 ); 2191 2192 assert_impls!(Option<NonZeroU8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2193 assert_impls!(Option<NonZeroI8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2194 assert_impls!(Option<NonZeroU16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2195 assert_impls!(Option<NonZeroI16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2196 assert_impls!(Option<NonZeroU32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2197 assert_impls!(Option<NonZeroI32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2198 assert_impls!(Option<NonZeroU64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2199 assert_impls!(Option<NonZeroI64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2200 assert_impls!(Option<NonZeroU128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2201 assert_impls!(Option<NonZeroI128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2202 assert_impls!(Option<NonZeroUsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2203 assert_impls!(Option<NonZeroIsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); 2204 2205 // Implements none of the ZC traits. 2206 struct NotZerocopy; 2207 2208 #[rustfmt::skip] 2209 type FnManyArgs = fn( 2210 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, 2211 ) -> (NotZerocopy, NotZerocopy); 2212 2213 // Allowed, because we're not actually using this type for FFI. 2214 #[allow(improper_ctypes_definitions)] 2215 #[rustfmt::skip] 2216 type ECFnManyArgs = extern "C" fn( 2217 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, 2218 ) -> (NotZerocopy, NotZerocopy); 2219 2220 #[cfg(feature = "alloc")] 2221 assert_impls!(Option<Box<UnsafeCell<NotZerocopy>>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2222 assert_impls!(Option<Box<[UnsafeCell<NotZerocopy>]>>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2223 assert_impls!(Option<&'static UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2224 assert_impls!(Option<&'static [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2225 assert_impls!(Option<&'static mut UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2226 assert_impls!(Option<&'static mut [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2227 assert_impls!(Option<NonNull<UnsafeCell<NotZerocopy>>>: KnownLayout, TryFromBytes, FromZeros, Immutable, !FromBytes, !IntoBytes, !Unaligned); 2228 assert_impls!(Option<NonNull<[UnsafeCell<NotZerocopy>]>>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2229 assert_impls!(Option<fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2230 assert_impls!(Option<FnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2231 assert_impls!(Option<extern "C" fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2232 assert_impls!(Option<ECFnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2233 2234 assert_impls!(PhantomData<NotZerocopy>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2235 assert_impls!(PhantomData<UnsafeCell<()>>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2236 assert_impls!(PhantomData<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2237 2238 assert_impls!(ManuallyDrop<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2239 // This test is important because it allows us to test our hand-rolled 2240 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`. 2241 assert_impls!(ManuallyDrop<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes); 2242 assert_impls!(ManuallyDrop<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2243 // This test is important because it allows us to test our hand-rolled 2244 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`. 2245 assert_impls!(ManuallyDrop<[bool]>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes); 2246 assert_impls!(ManuallyDrop<NotZerocopy>: !Immutable, !TryFromBytes, !KnownLayout, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2247 assert_impls!(ManuallyDrop<[NotZerocopy]>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2248 assert_impls!(ManuallyDrop<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable); 2249 assert_impls!(ManuallyDrop<[UnsafeCell<u8>]>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable); 2250 assert_impls!(ManuallyDrop<[UnsafeCell<bool>]>: KnownLayout, TryFromBytes, FromZeros, IntoBytes, Unaligned, !Immutable, !FromBytes); 2251 2252 assert_impls!(CoreMaybeUninit<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, Unaligned, !IntoBytes); 2253 assert_impls!(CoreMaybeUninit<NotZerocopy>: KnownLayout, TryFromBytes, FromZeros, FromBytes, !Immutable, !IntoBytes, !Unaligned); 2254 assert_impls!(CoreMaybeUninit<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, Unaligned, !Immutable, !IntoBytes); 2255 2256 assert_impls!(Wrapping<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2257 // This test is important because it allows us to test our hand-rolled 2258 // implementation of `<Wrapping<T> as TryFromBytes>::is_bit_valid`. 2259 assert_impls!(Wrapping<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes); 2260 assert_impls!(Wrapping<NotZerocopy>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2261 assert_impls!(Wrapping<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable); 2262 2263 assert_impls!(Unalign<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned); 2264 // This test is important because it allows us to test our hand-rolled 2265 // implementation of `<Unalign<T> as TryFromBytes>::is_bit_valid`. 2266 assert_impls!(Unalign<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes); 2267 assert_impls!(Unalign<NotZerocopy>: KnownLayout, Unaligned, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes); 2268 2269 assert_impls!( 2270 [u8]: KnownLayout, 2271 Immutable, 2272 TryFromBytes, 2273 FromZeros, 2274 FromBytes, 2275 IntoBytes, 2276 Unaligned 2277 ); 2278 assert_impls!( 2279 [bool]: KnownLayout, 2280 Immutable, 2281 TryFromBytes, 2282 FromZeros, 2283 IntoBytes, 2284 Unaligned, 2285 !FromBytes 2286 ); 2287 assert_impls!([NotZerocopy]: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2288 assert_impls!( 2289 [u8; 0]: KnownLayout, 2290 Immutable, 2291 TryFromBytes, 2292 FromZeros, 2293 FromBytes, 2294 IntoBytes, 2295 Unaligned, 2296 ); 2297 assert_impls!( 2298 [NotZerocopy; 0]: KnownLayout, 2299 !Immutable, 2300 !TryFromBytes, 2301 !FromZeros, 2302 !FromBytes, 2303 !IntoBytes, 2304 !Unaligned 2305 ); 2306 assert_impls!( 2307 [u8; 1]: KnownLayout, 2308 Immutable, 2309 TryFromBytes, 2310 FromZeros, 2311 FromBytes, 2312 IntoBytes, 2313 Unaligned, 2314 ); 2315 assert_impls!( 2316 [NotZerocopy; 1]: KnownLayout, 2317 !Immutable, 2318 !TryFromBytes, 2319 !FromZeros, 2320 !FromBytes, 2321 !IntoBytes, 2322 !Unaligned 2323 ); 2324 2325 assert_impls!(*const NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2326 assert_impls!(*mut NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2327 assert_impls!(*const [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2328 assert_impls!(*mut [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2329 assert_impls!(*const dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2330 assert_impls!(*mut dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned); 2331 2332 #[cfg(feature = "simd")] 2333 { 2334 #[allow(unused_macros)] 2335 macro_rules! test_simd_arch_mod { 2336 ($arch:ident, $($typ:ident),*) => { 2337 { 2338 use core::arch::$arch::{$($typ),*}; 2339 use crate::*; 2340 $( assert_impls!($typ: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); )* 2341 } 2342 }; 2343 } 2344 #[cfg(target_arch = "x86")] 2345 test_simd_arch_mod!(x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i); 2346 2347 #[cfg(all(not(no_zerocopy_simd_x86_avx12_1_89_0), target_arch = "x86"))] 2348 test_simd_arch_mod!(x86, __m512bh, __m512, __m512d, __m512i); 2349 2350 #[cfg(target_arch = "x86_64")] 2351 test_simd_arch_mod!(x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i); 2352 2353 #[cfg(all(not(no_zerocopy_simd_x86_avx12_1_89_0), target_arch = "x86_64"))] 2354 test_simd_arch_mod!(x86_64, __m512bh, __m512, __m512d, __m512i); 2355 2356 #[cfg(target_arch = "wasm32")] 2357 test_simd_arch_mod!(wasm32, v128); 2358 2359 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))] 2360 test_simd_arch_mod!( 2361 powerpc, 2362 vector_bool_long, 2363 vector_double, 2364 vector_signed_long, 2365 vector_unsigned_long 2366 ); 2367 2368 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))] 2369 test_simd_arch_mod!( 2370 powerpc64, 2371 vector_bool_long, 2372 vector_double, 2373 vector_signed_long, 2374 vector_unsigned_long 2375 ); 2376 #[cfg(all(target_arch = "aarch64", not(no_zerocopy_aarch64_simd_1_59_0)))] 2377 #[rustfmt::skip] 2378 test_simd_arch_mod!( 2379 aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t, 2380 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t, 2381 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t, 2382 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t, 2383 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t, 2384 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x4x2_t, uint16x4x3_t, 2385 uint16x4x4_t, uint16x8_t, uint32x2_t, uint32x4_t, uint64x1_t, uint64x2_t 2386 ); 2387 } 2388 } 2389 } 2390