1 // Copyright 2023 The Fuchsia Authors 2 // 3 // Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0 4 // <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT 5 // license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option. 6 // This file may not be copied, modified, or distributed except according to 7 // those terms. 8 9 //! Abstractions over raw pointers. 10 11 #![allow(missing_docs)] 12 13 mod inner; 14 pub mod invariant; 15 mod ptr; 16 pub mod transmute; 17 18 pub use inner::PtrInner; 19 pub use invariant::{BecauseExclusive, BecauseImmutable, Read}; 20 pub use ptr::{Ptr, TryWithError}; 21 pub use transmute::*; 22 23 use crate::wrappers::ReadOnly; 24 25 /// A shorthand for a maybe-valid, maybe-aligned reference. Used as the argument 26 /// to [`TryFromBytes::is_bit_valid`]. 27 /// 28 /// [`TryFromBytes::is_bit_valid`]: crate::TryFromBytes::is_bit_valid 29 pub type Maybe<'a, T, Alignment = invariant::Unaligned> = 30 Ptr<'a, ReadOnly<T>, (invariant::Shared, Alignment, invariant::Initialized)>; 31 32 /// Checks if the referent is zeroed. 33 pub(crate) fn is_zeroed<T, I>(ptr: Ptr<'_, T, I>) -> bool 34 where 35 T: crate::Immutable + crate::KnownLayout, 36 I: invariant::Invariants<Validity = invariant::Initialized>, 37 I::Aliasing: invariant::Reference, 38 { 39 ptr.as_bytes().as_ref().iter().all( 40 #[inline(always)] 41 |&byte| byte == 0, 42 ) 43 } 44 45 pub mod cast { 46 use core::{marker::PhantomData, mem}; 47 48 use crate::{ 49 layout::{SizeInfo, TrailingSliceLayout}, 50 HasField, KnownLayout, PtrInner, 51 }; 52 53 /// A pointer cast or projection. 54 /// 55 /// # Safety 56 /// 57 /// The implementation of `project` must satisfy its safety post-condition. 58 pub unsafe trait Project<Src: ?Sized, Dst: ?Sized> { 59 /// Projects a pointer from `Src` to `Dst`. 60 /// 61 /// Users should generally not call `project` directly, and instead 62 /// should use high-level APIs like [`PtrInner::project`] or 63 /// [`Ptr::project`]. 64 /// 65 /// [`Ptr::project`]: crate::pointer::Ptr::project 66 /// 67 /// # Safety 68 /// 69 /// The returned pointer refers to a non-strict subset of the bytes of 70 /// `src`'s referent, and has the same provenance as `src`. 71 fn project(src: PtrInner<'_, Src>) -> *mut Dst; 72 } 73 74 /// A [`Project`] which preserves the address of the referent – a pointer 75 /// cast. 76 /// 77 /// # Safety 78 /// 79 /// A `Cast` projection must preserve the address of the referent. It may 80 /// shrink the set of referent bytes, and it may change the referent's type. 81 pub unsafe trait Cast<Src: ?Sized, Dst: ?Sized>: Project<Src, Dst> {} 82 83 /// A [`Cast`] which does not shrink the set of referent bytes. 84 /// 85 /// # Safety 86 /// 87 /// A `CastExact` projection must preserve the set of referent bytes. 88 pub unsafe trait CastExact<Src: ?Sized, Dst: ?Sized>: Cast<Src, Dst> {} 89 90 /// A no-op pointer cast. 91 #[derive(Default, Copy, Clone)] 92 #[allow(missing_debug_implementations)] 93 pub struct IdCast; 94 95 // SAFETY: `project` returns its argument unchanged, and so it is a 96 // provenance-preserving projection which preserves the set of referent 97 // bytes. 98 unsafe impl<T: ?Sized> Project<T, T> for IdCast { 99 #[inline(always)] 100 fn project(src: PtrInner<'_, T>) -> *mut T { 101 src.as_ptr() 102 } 103 } 104 105 // SAFETY: The `Project::project` impl preserves referent address. 106 unsafe impl<T: ?Sized> Cast<T, T> for IdCast {} 107 108 // SAFETY: The `Project::project` impl preserves referent size. 109 unsafe impl<T: ?Sized> CastExact<T, T> for IdCast {} 110 111 /// A pointer cast which preserves or shrinks the set of referent bytes of 112 /// a statically-sized referent. 113 /// 114 /// # Safety 115 /// 116 /// The implementation of [`Project`] uses a compile-time assertion to 117 /// guarantee that `Dst` is no larger than `Src`. Thus, `CastSized` has a 118 /// sound implementation of [`Project`] for all `Src` and `Dst` – the caller 119 /// may pass any `Src` and `Dst` without being responsible for soundness. 120 #[allow(missing_debug_implementations, missing_copy_implementations)] 121 pub enum CastSized {} 122 123 // SAFETY: By the `static_assert!`, `Dst` is no larger than `Src`, 124 // and so all casts preserve or shrink the set of referent bytes. All 125 // operations preserve provenance. 126 unsafe impl<Src, Dst> Project<Src, Dst> for CastSized { 127 #[inline(always)] 128 fn project(src: PtrInner<'_, Src>) -> *mut Dst { 129 static_assert!(Src, Dst => mem::size_of::<Src>() >= mem::size_of::<Dst>()); 130 src.as_ptr().cast::<Dst>() 131 } 132 } 133 134 // SAFETY: The `Project::project` impl preserves referent address. 135 unsafe impl<Src, Dst> Cast<Src, Dst> for CastSized {} 136 137 /// A pointer cast which preserves the set of referent bytes of a 138 /// statically-sized referent. 139 /// 140 /// # Safety 141 /// 142 /// The implementation of [`Project`] uses a compile-time assertion to 143 /// guarantee that `Dst` has the same size as `Src`. Thus, `CastSizedExact` 144 /// has a sound implementation of [`Project`] for all `Src` and `Dst` – the 145 /// caller may pass any `Src` and `Dst` without being responsible for 146 /// soundness. 147 #[allow(missing_debug_implementations, missing_copy_implementations)] 148 pub enum CastSizedExact {} 149 150 // SAFETY: By the `static_assert!`, `Dst` has the same size as `Src`, 151 // and so all casts preserve the set of referent bytes. All operations 152 // preserve provenance. 153 unsafe impl<Src, Dst> Project<Src, Dst> for CastSizedExact { 154 #[inline(always)] 155 fn project(src: PtrInner<'_, Src>) -> *mut Dst { 156 static_assert!(Src, Dst => mem::size_of::<Src>() == mem::size_of::<Dst>()); 157 src.as_ptr().cast::<Dst>() 158 } 159 } 160 161 // SAFETY: The `Project::project_raw` impl preserves referent address. 162 unsafe impl<Src, Dst> Cast<Src, Dst> for CastSizedExact {} 163 164 // SAFETY: By the `static_assert!`, `Project::project_raw` impl preserves 165 // referent size. 166 unsafe impl<Src, Dst> CastExact<Src, Dst> for CastSizedExact {} 167 168 /// A pointer cast which preserves or shrinks the set of referent bytes of 169 /// a dynamically-sized referent. 170 /// 171 /// # Safety 172 /// 173 /// The implementation of [`Project`] uses a compile-time assertion to 174 /// guarantee that the cast preserves the set of referent bytes. Thus, 175 /// `CastUnsized` has a sound implementation of [`Project`] for all `Src` 176 /// and `Dst` – the caller may pass any `Src` and `Dst` without being 177 /// responsible for soundness. 178 #[allow(missing_debug_implementations, missing_copy_implementations)] 179 pub enum CastUnsized {} 180 181 // SAFETY: By the `static_assert!`, `Src` and `Dst` are either: 182 // - Both sized and equal in size 183 // - Both slice DSTs with the same trailing slice offset and element size 184 // and with align_of::<Src>() == align_of::<Dst>(). These ensure that any 185 // given pointer metadata encodes the same size for both `Src` and `Dst` 186 // (note that the alignment is required as it affects the amount of 187 // trailing padding). Thus, `project` preserves the set of referent bytes. 188 unsafe impl<Src, Dst> Project<Src, Dst> for CastUnsized 189 where 190 Src: ?Sized + KnownLayout, 191 Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, 192 { 193 #[inline(always)] 194 fn project(src: PtrInner<'_, Src>) -> *mut Dst { 195 // FIXME: Do we want this to support shrinking casts as well? If so, 196 // we'll need to remove the `CastExact` impl. 197 static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => { 198 let src = <Src as KnownLayout>::LAYOUT; 199 let dst = <Dst as KnownLayout>::LAYOUT; 200 match (src.size_info, dst.size_info) { 201 (SizeInfo::Sized { size: src_size }, SizeInfo::Sized { size: dst_size }) => src_size == dst_size, 202 ( 203 SizeInfo::SliceDst(TrailingSliceLayout { offset: src_offset, elem_size: src_elem_size }), 204 SizeInfo::SliceDst(TrailingSliceLayout { offset: dst_offset, elem_size: dst_elem_size }) 205 ) => src.align.get() == dst.align.get() && src_offset == dst_offset && src_elem_size == dst_elem_size, 206 _ => false, 207 } 208 }); 209 210 let metadata = Src::pointer_to_metadata(src.as_ptr()); 211 Dst::raw_from_ptr_len(src.as_non_null().cast::<u8>(), metadata).as_ptr() 212 } 213 } 214 215 // SAFETY: The `Project::project` impl preserves referent address. 216 unsafe impl<Src, Dst> Cast<Src, Dst> for CastUnsized 217 where 218 Src: ?Sized + KnownLayout, 219 Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, 220 { 221 } 222 223 // SAFETY: By the `static_assert!` in `Project::project`, `Src` and `Dst` 224 // are either: 225 // - Both sized and equal in size 226 // - Both slice DSTs with the same alignment, trailing slice offset, and 227 // element size. These ensure that any given pointer metadata encodes the 228 // same size for both `Src` and `Dst` (note that the alignment is required 229 // as it affects the amount of trailing padding). 230 unsafe impl<Src, Dst> CastExact<Src, Dst> for CastUnsized 231 where 232 Src: ?Sized + KnownLayout, 233 Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, 234 { 235 } 236 237 /// A field projection 238 /// 239 /// A `Projection` is a [`Project`] which implements projection by 240 /// delegating to an implementation of [`HasField::project`]. 241 #[allow(missing_debug_implementations, missing_copy_implementations)] 242 pub struct Projection<F: ?Sized, const VARIANT_ID: i128, const FIELD_ID: i128> { 243 _never: core::convert::Infallible, 244 _phantom: PhantomData<F>, 245 } 246 247 // SAFETY: `HasField::project` has the same safety post-conditions as 248 // `Project::project`. 249 unsafe impl<T: ?Sized, F, const VARIANT_ID: i128, const FIELD_ID: i128> Project<T, T::Type> 250 for Projection<F, VARIANT_ID, FIELD_ID> 251 where 252 T: HasField<F, VARIANT_ID, FIELD_ID>, 253 { 254 #[inline(always)] 255 fn project(src: PtrInner<'_, T>) -> *mut T::Type { 256 T::project(src) 257 } 258 } 259 260 // SAFETY: All `repr(C)` union fields exist at offset 0 within the union [1], 261 // and so any union projection is actually a cast (ie, preserves address). 262 // 263 // [1] Per 264 // https://doc.rust-lang.org/1.92.0/reference/type-layout.html#reprc-unions, 265 // it's not *technically* guaranteed that non-maximally-sized fields 266 // are at offset 0, but it's clear that this is the intention of `repr(C)` 267 // unions. It says: 268 // 269 // > A union declared with `#[repr(C)]` will have the same size and 270 // > alignment as an equivalent C union declaration in the C language for 271 // > the target platform. 272 // 273 // Note that this only mentions size and alignment, not layout. However, 274 // C unions *do* guarantee that all fields start at offset 0. [2] 275 // 276 // This is also reinforced by 277 // https://doc.rust-lang.org/1.92.0/reference/items/unions.html#r-items.union.fields.offset: 278 // 279 // > Fields might have a non-zero offset (except when the C 280 // > representation is used); in that case the bits starting at the 281 // > offset of the fields are read 282 // 283 // [2] Per https://port70.net/~nsz/c/c11/n1570.html#6.7.2.1p16: 284 // 285 // > The size of a union is sufficient to contain the largest of its 286 // > members. The value of at most one of the members can be stored in a 287 // > union object at any time. A pointer to a union object, suitably 288 // > converted, points to each of its members (or if a member is a 289 // > bit-field, then to the unit in which it resides), and vice versa. 290 // 291 // FIXME(https://github.com/rust-lang/unsafe-code-guidelines/issues/595): 292 // Cite the documentation once it's updated. 293 unsafe impl<T: ?Sized, F, const FIELD_ID: i128> Cast<T, T::Type> 294 for Projection<F, { crate::REPR_C_UNION_VARIANT_ID }, FIELD_ID> 295 where 296 T: HasField<F, { crate::REPR_C_UNION_VARIANT_ID }, FIELD_ID>, 297 { 298 } 299 300 /// A transitive sequence of projections. 301 /// 302 /// Given `TU: Project` and `UV: Project`, `TransitiveProject<_, TU, UV>` is 303 /// a [`Project`] which projects by applying `TU` followed by `UV`. 304 /// 305 /// If `TU: Cast` and `UV: Cast`, then `TransitiveProject<_, TU, UV>: Cast`. 306 #[allow(missing_debug_implementations)] 307 pub struct TransitiveProject<U: ?Sized, TU, UV> { 308 _never: core::convert::Infallible, 309 _projections: PhantomData<(TU, UV)>, 310 // On our MSRV (1.56), the debuginfo for a tuple containing both an 311 // uninhabited type and a DST causes an ICE. We split `U` from `TU` and 312 // `UV` to avoid this situation. 313 _u: PhantomData<U>, 314 } 315 316 // SAFETY: Since `TU::project` and `UV::project` are each 317 // provenance-preserving operations which preserve or shrink the set of 318 // referent bytes, so is their composition. 319 unsafe impl<T, U, V, TU, UV> Project<T, V> for TransitiveProject<U, TU, UV> 320 where 321 T: ?Sized, 322 U: ?Sized, 323 V: ?Sized, 324 TU: Project<T, U>, 325 UV: Project<U, V>, 326 { 327 #[inline(always)] 328 fn project(t: PtrInner<'_, T>) -> *mut V { 329 t.project::<_, TU>().project::<_, UV>().as_ptr() 330 } 331 } 332 333 // SAFETY: Since the `Project::project` impl delegates to `TU::project` and 334 // `UV::project`, and since `TU` and `UV` are `Cast`, the `Project::project` 335 // impl preserves the address of the referent. 336 unsafe impl<T, U, V, TU, UV> Cast<T, V> for TransitiveProject<U, TU, UV> 337 where 338 T: ?Sized, 339 U: ?Sized, 340 V: ?Sized, 341 TU: Cast<T, U>, 342 UV: Cast<U, V>, 343 { 344 } 345 346 // SAFETY: Since the `Project::project` impl delegates to `TU::project` and 347 // `UV::project`, and since `TU` and `UV` are `CastExact`, the `Project::project` 348 // impl preserves the set of referent bytes. 349 unsafe impl<T, U, V, TU, UV> CastExact<T, V> for TransitiveProject<U, TU, UV> 350 where 351 T: ?Sized, 352 U: ?Sized, 353 V: ?Sized, 354 TU: CastExact<T, U>, 355 UV: CastExact<U, V>, 356 { 357 } 358 359 /// A cast from `T` to `[u8]`. 360 #[allow(missing_copy_implementations, missing_debug_implementations)] 361 pub struct AsBytesCast; 362 363 // SAFETY: `project` constructs a pointer with the same address as `src` 364 // and with a referent of the same size as `*src`. It does this using 365 // provenance-preserving operations. 366 // 367 // FIXME(https://github.com/rust-lang/unsafe-code-guidelines/issues/594): 368 // Technically, this proof assumes that `*src` is contiguous (the same is 369 // true of other proofs in this codebase). Is this guaranteed anywhere? 370 unsafe impl<T: ?Sized + KnownLayout> Project<T, [u8]> for AsBytesCast { 371 #[inline(always)] 372 fn project(src: PtrInner<'_, T>) -> *mut [u8] { 373 let bytes = match T::size_of_val_raw(src.as_non_null()) { 374 Some(bytes) => bytes, 375 // SAFETY: `KnownLayout::size_of_val_raw` promises to always 376 // return `Some` so long as the resulting size fits in a 377 // `usize`. By invariant on `PtrInner`, `src` refers to a range 378 // of bytes whose size fits in an `isize`, which implies that it 379 // also fits in a `usize`. 380 None => unsafe { core::hint::unreachable_unchecked() }, 381 }; 382 383 core::ptr::slice_from_raw_parts_mut(src.as_ptr().cast::<u8>(), bytes) 384 } 385 } 386 387 // SAFETY: The `Project::project` impl preserves referent address. 388 unsafe impl<T: ?Sized + KnownLayout> Cast<T, [u8]> for AsBytesCast {} 389 390 // SAFETY: The `Project::project` impl preserves the set of referent bytes. 391 unsafe impl<T: ?Sized + KnownLayout> CastExact<T, [u8]> for AsBytesCast {} 392 393 /// A cast from any type to `()`. 394 #[allow(missing_copy_implementations, missing_debug_implementations)] 395 pub struct CastToUnit; 396 397 // SAFETY: The `project` implementation projects to a subset of its 398 // argument's referent using provenance-preserving operations. 399 unsafe impl<T: ?Sized> Project<T, ()> for CastToUnit { 400 #[inline(always)] 401 fn project(src: PtrInner<'_, T>) -> *mut () { 402 src.as_ptr().cast::<()>() 403 } 404 } 405 406 // SAFETY: The `project` implementation preserves referent address. 407 unsafe impl<T: ?Sized> Cast<T, ()> for CastToUnit {} 408 } 409