1 // Copyright 2023 The Fuchsia Authors 2 // 3 // Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0 4 // <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT 5 // license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option. 6 // This file may not be copied, modified, or distributed except according to 7 // those terms. 8 9 use core::{fmt, hash::Hash}; 10 11 use super::*; 12 use crate::pointer::{invariant::Valid, SizeEq, TransmuteFrom}; 13 14 /// A type with no alignment requirement. 15 /// 16 /// An `Unalign` wraps a `T`, removing any alignment requirement. `Unalign<T>` 17 /// has the same size and bit validity as `T`, but not necessarily the same 18 /// alignment [or ABI]. This is useful if a type with an alignment requirement 19 /// needs to be read from a chunk of memory which provides no alignment 20 /// guarantees. 21 /// 22 /// Since `Unalign` has no alignment requirement, the inner `T` may not be 23 /// properly aligned in memory. There are five ways to access the inner `T`: 24 /// - by value, using [`get`] or [`into_inner`] 25 /// - by reference inside of a callback, using [`update`] 26 /// - fallibly by reference, using [`try_deref`] or [`try_deref_mut`]; these can 27 /// fail if the `Unalign` does not satisfy `T`'s alignment requirement at 28 /// runtime 29 /// - unsafely by reference, using [`deref_unchecked`] or 30 /// [`deref_mut_unchecked`]; it is the caller's responsibility to ensure that 31 /// the `Unalign` satisfies `T`'s alignment requirement 32 /// - (where `T: Unaligned`) infallibly by reference, using [`Deref::deref`] or 33 /// [`DerefMut::deref_mut`] 34 /// 35 /// [or ABI]: https://github.com/google/zerocopy/issues/164 36 /// [`get`]: Unalign::get 37 /// [`into_inner`]: Unalign::into_inner 38 /// [`update`]: Unalign::update 39 /// [`try_deref`]: Unalign::try_deref 40 /// [`try_deref_mut`]: Unalign::try_deref_mut 41 /// [`deref_unchecked`]: Unalign::deref_unchecked 42 /// [`deref_mut_unchecked`]: Unalign::deref_mut_unchecked 43 /// 44 /// # Example 45 /// 46 /// In this example, we need `EthernetFrame` to have no alignment requirement - 47 /// and thus implement [`Unaligned`]. `EtherType` is `#[repr(u16)]` and so 48 /// cannot implement `Unaligned`. We use `Unalign` to relax `EtherType`'s 49 /// alignment requirement so that `EthernetFrame` has no alignment requirement 50 /// and can implement `Unaligned`. 51 /// 52 /// ```rust 53 /// use zerocopy::*; 54 /// # use zerocopy_derive::*; 55 /// # #[derive(FromBytes, KnownLayout, Immutable, Unaligned)] #[repr(C)] struct Mac([u8; 6]); 56 /// 57 /// # #[derive(PartialEq, Copy, Clone, Debug)] 58 /// #[derive(TryFromBytes, KnownLayout, Immutable)] 59 /// #[repr(u16)] 60 /// enum EtherType { 61 /// Ipv4 = 0x0800u16.to_be(), 62 /// Arp = 0x0806u16.to_be(), 63 /// Ipv6 = 0x86DDu16.to_be(), 64 /// # /* 65 /// ... 66 /// # */ 67 /// } 68 /// 69 /// #[derive(TryFromBytes, KnownLayout, Immutable, Unaligned)] 70 /// #[repr(C)] 71 /// struct EthernetFrame { 72 /// src: Mac, 73 /// dst: Mac, 74 /// ethertype: Unalign<EtherType>, 75 /// payload: [u8], 76 /// } 77 /// 78 /// let bytes = &[ 79 /// # 0, 1, 2, 3, 4, 5, 80 /// # 6, 7, 8, 9, 10, 11, 81 /// # /* 82 /// ... 83 /// # */ 84 /// 0x86, 0xDD, // EtherType 85 /// 0xDE, 0xAD, 0xBE, 0xEF // Payload 86 /// ][..]; 87 /// 88 /// // PANICS: Guaranteed not to panic because `bytes` is of the right 89 /// // length, has the right contents, and `EthernetFrame` has no 90 /// // alignment requirement. 91 /// let packet = EthernetFrame::try_ref_from_bytes(&bytes).unwrap(); 92 /// 93 /// assert_eq!(packet.ethertype.get(), EtherType::Ipv6); 94 /// assert_eq!(packet.payload, [0xDE, 0xAD, 0xBE, 0xEF]); 95 /// ``` 96 /// 97 /// # Safety 98 /// 99 /// `Unalign<T>` is guaranteed to have the same size and bit validity as `T`, 100 /// and to have [`UnsafeCell`]s covering the same byte ranges as `T`. 101 /// `Unalign<T>` is guaranteed to have alignment 1. 102 // NOTE: This type is sound to use with types that need to be dropped. The 103 // reason is that the compiler-generated drop code automatically moves all 104 // values to aligned memory slots before dropping them in-place. This is not 105 // well-documented, but it's hinted at in places like [1] and [2]. However, this 106 // also means that `T` must be `Sized`; unless something changes, we can never 107 // support unsized `T`. [3] 108 // 109 // [1] https://github.com/rust-lang/rust/issues/54148#issuecomment-420529646 110 // [2] https://github.com/google/zerocopy/pull/126#discussion_r1018512323 111 // [3] https://github.com/google/zerocopy/issues/209 112 #[allow(missing_debug_implementations)] 113 #[derive(Default, Copy)] 114 #[cfg_attr(any(feature = "derive", test), derive(Immutable, FromBytes, IntoBytes, Unaligned))] 115 #[repr(C, packed)] 116 pub struct Unalign<T>(T); 117 118 // We do not use `derive(KnownLayout)` on `Unalign`, because the derive is not 119 // smart enough to realize that `Unalign<T>` is always sized and thus emits a 120 // `KnownLayout` impl bounded on `T: KnownLayout.` This is overly restrictive. 121 impl_known_layout!(T => Unalign<T>); 122 123 // FIXME(https://github.com/rust-lang/rust-clippy/issues/16087): Move these 124 // attributes below the comment once this Clippy bug is fixed. 125 #[cfg_attr( 126 all(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS, any(feature = "derive", test)), 127 expect(unused_unsafe) 128 )] 129 #[cfg_attr( 130 all( 131 not(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), 132 any(feature = "derive", test) 133 ), 134 allow(unused_unsafe) 135 )] 136 // SAFETY: 137 // - `Unalign<T>` promises to have alignment 1, and so we don't require that `T: 138 // Unaligned`. 139 // - `Unalign<T>` has the same bit validity as `T`, and so it is `FromZeros`, 140 // `FromBytes`, or `IntoBytes` exactly when `T` is as well. 141 // - `Immutable`: `Unalign<T>` has the same fields as `T`, so it permits 142 // interior mutation exactly when `T` does. 143 // - `TryFromBytes`: `Unalign<T>` has the same the same bit validity as `T`, so 144 // `T::is_bit_valid` is a sound implementation of `is_bit_valid`. 145 // 146 #[allow(clippy::multiple_unsafe_ops_per_block)] 147 const _: () = unsafe { 148 impl_or_verify!(T => Unaligned for Unalign<T>); 149 impl_or_verify!(T: Immutable => Immutable for Unalign<T>); 150 impl_or_verify!( 151 T: TryFromBytes => TryFromBytes for Unalign<T>; 152 |c| T::is_bit_valid(c.transmute::<_, _, BecauseImmutable>()) 153 ); 154 impl_or_verify!(T: FromZeros => FromZeros for Unalign<T>); 155 impl_or_verify!(T: FromBytes => FromBytes for Unalign<T>); 156 impl_or_verify!(T: IntoBytes => IntoBytes for Unalign<T>); 157 }; 158 159 // Note that `Unalign: Clone` only if `T: Copy`. Since the inner `T` may not be 160 // aligned, there's no way to safely call `T::clone`, and so a `T: Clone` bound 161 // is not sufficient to implement `Clone` for `Unalign`. 162 impl<T: Copy> Clone for Unalign<T> { 163 #[inline(always)] 164 fn clone(&self) -> Unalign<T> { 165 *self 166 } 167 } 168 169 impl<T> Unalign<T> { 170 /// Constructs a new `Unalign`. 171 #[inline(always)] 172 pub const fn new(val: T) -> Unalign<T> { 173 Unalign(val) 174 } 175 176 /// Consumes `self`, returning the inner `T`. 177 #[inline(always)] 178 pub const fn into_inner(self) -> T { 179 // SAFETY: Since `Unalign` is `#[repr(C, packed)]`, it has the same size 180 // and bit validity as `T`. 181 // 182 // We do this instead of just destructuring in order to prevent 183 // `Unalign`'s `Drop::drop` from being run, since dropping is not 184 // supported in `const fn`s. 185 // 186 // FIXME(https://github.com/rust-lang/rust/issues/73255): Destructure 187 // instead of using unsafe. 188 unsafe { crate::util::transmute_unchecked(self) } 189 } 190 191 /// Attempts to return a reference to the wrapped `T`, failing if `self` is 192 /// not properly aligned. 193 /// 194 /// If `self` does not satisfy `align_of::<T>()`, then `try_deref` returns 195 /// `Err`. 196 /// 197 /// If `T: Unaligned`, then `Unalign<T>` implements [`Deref`], and callers 198 /// may prefer [`Deref::deref`], which is infallible. 199 #[inline(always)] 200 pub fn try_deref(&self) -> Result<&T, AlignmentError<&Self, T>> { 201 let inner = Ptr::from_ref(self).transmute(); 202 match inner.try_into_aligned() { 203 Ok(aligned) => Ok(aligned.as_ref()), 204 Err(err) => Err(err.map_src( 205 #[inline(always)] 206 |src| src.into_unalign().as_ref(), 207 )), 208 } 209 } 210 211 /// Attempts to return a mutable reference to the wrapped `T`, failing if 212 /// `self` is not properly aligned. 213 /// 214 /// If `self` does not satisfy `align_of::<T>()`, then `try_deref` returns 215 /// `Err`. 216 /// 217 /// If `T: Unaligned`, then `Unalign<T>` implements [`DerefMut`], and 218 /// callers may prefer [`DerefMut::deref_mut`], which is infallible. 219 #[inline(always)] 220 pub fn try_deref_mut(&mut self) -> Result<&mut T, AlignmentError<&mut Self, T>> { 221 let inner = Ptr::from_mut(self).transmute::<_, _, (_, (_, _))>(); 222 match inner.try_into_aligned() { 223 Ok(aligned) => Ok(aligned.as_mut()), 224 Err(err) => Err(err.map_src(|src| src.into_unalign().as_mut())), 225 } 226 } 227 228 /// Returns a reference to the wrapped `T` without checking alignment. 229 /// 230 /// If `T: Unaligned`, then `Unalign<T>` implements[ `Deref`], and callers 231 /// may prefer [`Deref::deref`], which is safe. 232 /// 233 /// # Safety 234 /// 235 /// The caller must guarantee that `self` satisfies `align_of::<T>()`. 236 #[inline(always)] 237 pub const unsafe fn deref_unchecked(&self) -> &T { 238 // SAFETY: `Unalign<T>` is `repr(transparent)`, so there is a valid `T` 239 // at the same memory location as `self`. It has no alignment guarantee, 240 // but the caller has promised that `self` is properly aligned, so we 241 // know that it is sound to create a reference to `T` at this memory 242 // location. 243 // 244 // We use `mem::transmute` instead of `&*self.get_ptr()` because 245 // dereferencing pointers is not stable in `const` on our current MSRV 246 // (1.56 as of this writing). 247 unsafe { mem::transmute(self) } 248 } 249 250 /// Returns a mutable reference to the wrapped `T` without checking 251 /// alignment. 252 /// 253 /// If `T: Unaligned`, then `Unalign<T>` implements[ `DerefMut`], and 254 /// callers may prefer [`DerefMut::deref_mut`], which is safe. 255 /// 256 /// # Safety 257 /// 258 /// The caller must guarantee that `self` satisfies `align_of::<T>()`. 259 #[inline(always)] 260 pub unsafe fn deref_mut_unchecked(&mut self) -> &mut T { 261 // SAFETY: `self.get_mut_ptr()` returns a raw pointer to a valid `T` at 262 // the same memory location as `self`. It has no alignment guarantee, 263 // but the caller has promised that `self` is properly aligned, so we 264 // know that the pointer itself is aligned, and thus that it is sound to 265 // create a reference to a `T` at this memory location. 266 unsafe { &mut *self.get_mut_ptr() } 267 } 268 269 /// Gets an unaligned raw pointer to the inner `T`. 270 /// 271 /// # Safety 272 /// 273 /// The returned raw pointer is not necessarily aligned to 274 /// `align_of::<T>()`. Most functions which operate on raw pointers require 275 /// those pointers to be aligned, so calling those functions with the result 276 /// of `get_ptr` will result in undefined behavior if alignment is not 277 /// guaranteed using some out-of-band mechanism. In general, the only 278 /// functions which are safe to call with this pointer are those which are 279 /// explicitly documented as being sound to use with an unaligned pointer, 280 /// such as [`read_unaligned`]. 281 /// 282 /// Even if the caller is permitted to mutate `self` (e.g. they have 283 /// ownership or a mutable borrow), it is not guaranteed to be sound to 284 /// write through the returned pointer. If writing is required, prefer 285 /// [`get_mut_ptr`] instead. 286 /// 287 /// [`read_unaligned`]: core::ptr::read_unaligned 288 /// [`get_mut_ptr`]: Unalign::get_mut_ptr 289 #[inline(always)] 290 pub const fn get_ptr(&self) -> *const T { 291 ptr::addr_of!(self.0) 292 } 293 294 /// Gets an unaligned mutable raw pointer to the inner `T`. 295 /// 296 /// # Safety 297 /// 298 /// The returned raw pointer is not necessarily aligned to 299 /// `align_of::<T>()`. Most functions which operate on raw pointers require 300 /// those pointers to be aligned, so calling those functions with the result 301 /// of `get_ptr` will result in undefined behavior if alignment is not 302 /// guaranteed using some out-of-band mechanism. In general, the only 303 /// functions which are safe to call with this pointer are those which are 304 /// explicitly documented as being sound to use with an unaligned pointer, 305 /// such as [`read_unaligned`]. 306 /// 307 /// [`read_unaligned`]: core::ptr::read_unaligned 308 // FIXME(https://github.com/rust-lang/rust/issues/57349): Make this `const`. 309 #[inline(always)] 310 pub fn get_mut_ptr(&mut self) -> *mut T { 311 ptr::addr_of_mut!(self.0) 312 } 313 314 /// Sets the inner `T`, dropping the previous value. 315 // FIXME(https://github.com/rust-lang/rust/issues/57349): Make this `const`. 316 #[inline(always)] 317 pub fn set(&mut self, t: T) { 318 *self = Unalign::new(t); 319 } 320 321 /// Updates the inner `T` by calling a function on it. 322 /// 323 /// If [`T: Unaligned`], then `Unalign<T>` implements [`DerefMut`], and that 324 /// impl should be preferred over this method when performing updates, as it 325 /// will usually be faster and more ergonomic. 326 /// 327 /// For large types, this method may be expensive, as it requires copying 328 /// `2 * size_of::<T>()` bytes. \[1\] 329 /// 330 /// \[1\] Since the inner `T` may not be aligned, it would not be sound to 331 /// invoke `f` on it directly. Instead, `update` moves it into a 332 /// properly-aligned location in the local stack frame, calls `f` on it, and 333 /// then moves it back to its original location in `self`. 334 /// 335 /// [`T: Unaligned`]: Unaligned 336 #[inline] 337 pub fn update<O, F: FnOnce(&mut T) -> O>(&mut self, f: F) -> O { 338 if mem::align_of::<T>() == 1 { 339 // While we advise callers to use `DerefMut` when `T: Unaligned`, 340 // not all callers will be able to guarantee `T: Unaligned` in all 341 // cases. In particular, callers who are themselves providing an API 342 // which is generic over `T` may sometimes be called by *their* 343 // callers with `T` such that `align_of::<T>() == 1`, but cannot 344 // guarantee this in the general case. Thus, this optimization may 345 // sometimes be helpful. 346 347 // SAFETY: Since `T`'s alignment is 1, `self` satisfies its 348 // alignment by definition. 349 let t = unsafe { self.deref_mut_unchecked() }; 350 return f(t); 351 } 352 353 // On drop, this moves `copy` out of itself and uses `ptr::write` to 354 // overwrite `slf`. 355 struct WriteBackOnDrop<T> { 356 copy: ManuallyDrop<T>, 357 slf: *mut Unalign<T>, 358 } 359 360 impl<T> Drop for WriteBackOnDrop<T> { 361 fn drop(&mut self) { 362 // SAFETY: We never use `copy` again as required by 363 // `ManuallyDrop::take`. 364 let copy = unsafe { ManuallyDrop::take(&mut self.copy) }; 365 // SAFETY: `slf` is the raw pointer value of `self`. We know it 366 // is valid for writes and properly aligned because `self` is a 367 // mutable reference, which guarantees both of these properties. 368 unsafe { ptr::write(self.slf, Unalign::new(copy)) }; 369 } 370 } 371 372 // SAFETY: We know that `self` is valid for reads, properly aligned, and 373 // points to an initialized `Unalign<T>` because it is a mutable 374 // reference, which guarantees all of these properties. 375 // 376 // Since `T: !Copy`, it would be unsound in the general case to allow 377 // both the original `Unalign<T>` and the copy to be used by safe code. 378 // We guarantee that the copy is used to overwrite the original in the 379 // `Drop::drop` impl of `WriteBackOnDrop`. So long as this `drop` is 380 // called before any other safe code executes, soundness is upheld. 381 // While this method can terminate in two ways (by returning normally or 382 // by unwinding due to a panic in `f`), in both cases, `write_back` is 383 // dropped - and its `drop` called - before any other safe code can 384 // execute. 385 let copy = unsafe { ptr::read(self) }.into_inner(); 386 let mut write_back = WriteBackOnDrop { copy: ManuallyDrop::new(copy), slf: self }; 387 388 let ret = f(&mut write_back.copy); 389 390 drop(write_back); 391 ret 392 } 393 } 394 395 impl<T: Copy> Unalign<T> { 396 /// Gets a copy of the inner `T`. 397 // FIXME(https://github.com/rust-lang/rust/issues/57349): Make this `const`. 398 #[inline(always)] 399 pub fn get(&self) -> T { 400 let Unalign(val) = *self; 401 val 402 } 403 } 404 405 impl<T: Unaligned> Deref for Unalign<T> { 406 type Target = T; 407 408 #[inline(always)] 409 fn deref(&self) -> &T { 410 Ptr::from_ref(self).transmute().bikeshed_recall_aligned().as_ref() 411 } 412 } 413 414 impl<T: Unaligned> DerefMut for Unalign<T> { 415 #[inline(always)] 416 fn deref_mut(&mut self) -> &mut T { 417 Ptr::from_mut(self).transmute::<_, _, (_, (_, _))>().bikeshed_recall_aligned().as_mut() 418 } 419 } 420 421 impl<T: Unaligned + PartialOrd> PartialOrd<Unalign<T>> for Unalign<T> { 422 #[inline(always)] 423 fn partial_cmp(&self, other: &Unalign<T>) -> Option<Ordering> { 424 PartialOrd::partial_cmp(self.deref(), other.deref()) 425 } 426 } 427 428 impl<T: Unaligned + Ord> Ord for Unalign<T> { 429 #[inline(always)] 430 fn cmp(&self, other: &Unalign<T>) -> Ordering { 431 Ord::cmp(self.deref(), other.deref()) 432 } 433 } 434 435 impl<T: Unaligned + PartialEq> PartialEq<Unalign<T>> for Unalign<T> { 436 #[inline(always)] 437 fn eq(&self, other: &Unalign<T>) -> bool { 438 PartialEq::eq(self.deref(), other.deref()) 439 } 440 } 441 442 impl<T: Unaligned + Eq> Eq for Unalign<T> {} 443 444 impl<T: Unaligned + Hash> Hash for Unalign<T> { 445 #[inline(always)] 446 fn hash<H>(&self, state: &mut H) 447 where 448 H: Hasher, 449 { 450 self.deref().hash(state); 451 } 452 } 453 454 impl<T: Unaligned + Debug> Debug for Unalign<T> { 455 #[inline(always)] 456 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 457 Debug::fmt(self.deref(), f) 458 } 459 } 460 461 impl<T: Unaligned + Display> Display for Unalign<T> { 462 #[inline(always)] 463 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 464 Display::fmt(self.deref(), f) 465 } 466 } 467 468 /// A wrapper type to construct uninitialized instances of `T`. 469 /// 470 /// `MaybeUninit` is identical to the [standard library 471 /// `MaybeUninit`][core-maybe-uninit] type except that it supports unsized 472 /// types. 473 /// 474 /// # Layout 475 /// 476 /// The same layout guarantees and caveats apply to `MaybeUninit<T>` as apply to 477 /// the [standard library `MaybeUninit`][core-maybe-uninit] with one exception: 478 /// for `T: !Sized`, there is no single value for `T`'s size. Instead, for such 479 /// types, the following are guaranteed: 480 /// - Every [valid size][valid-size] for `T` is a valid size for 481 /// `MaybeUninit<T>` and vice versa 482 /// - Given `t: *const T` and `m: *const MaybeUninit<T>` with identical fat 483 /// pointer metadata, `t` and `m` address the same number of bytes (and 484 /// likewise for `*mut`) 485 /// 486 /// [core-maybe-uninit]: core::mem::MaybeUninit 487 /// [valid-size]: crate::KnownLayout#what-is-a-valid-size 488 #[repr(transparent)] 489 #[doc(hidden)] 490 pub struct MaybeUninit<T: ?Sized + KnownLayout>( 491 // SAFETY: `MaybeUninit<T>` has the same size as `T`, because (by invariant 492 // on `T::MaybeUninit`) `T::MaybeUninit` has `T::LAYOUT` identical to `T`, 493 // and because (invariant on `T::LAYOUT`) we can trust that `LAYOUT` 494 // accurately reflects the layout of `T`. By invariant on `T::MaybeUninit`, 495 // it admits uninitialized bytes in all positions. Because `MaybeUninit` is 496 // marked `repr(transparent)`, these properties additionally hold true for 497 // `Self`. 498 T::MaybeUninit, 499 ); 500 501 #[doc(hidden)] 502 impl<T: ?Sized + KnownLayout> MaybeUninit<T> { 503 /// Constructs a `MaybeUninit<T>` initialized with the given value. 504 #[inline(always)] 505 pub fn new(val: T) -> Self 506 where 507 T: Sized, 508 Self: Sized, 509 { 510 // SAFETY: It is valid to transmute `val` to `MaybeUninit<T>` because it 511 // is both valid to transmute `val` to `T::MaybeUninit`, and it is valid 512 // to transmute from `T::MaybeUninit` to `MaybeUninit<T>`. 513 // 514 // First, it is valid to transmute `val` to `T::MaybeUninit` because, by 515 // invariant on `T::MaybeUninit`: 516 // - For `T: Sized`, `T` and `T::MaybeUninit` have the same size. 517 // - All byte sequences of the correct size are valid values of 518 // `T::MaybeUninit`. 519 // 520 // Second, it is additionally valid to transmute from `T::MaybeUninit` 521 // to `MaybeUninit<T>`, because `MaybeUninit<T>` is a 522 // `repr(transparent)` wrapper around `T::MaybeUninit`. 523 // 524 // These two transmutes are collapsed into one so we don't need to add a 525 // `T::MaybeUninit: Sized` bound to this function's `where` clause. 526 unsafe { crate::util::transmute_unchecked(val) } 527 } 528 529 /// Constructs an uninitialized `MaybeUninit<T>`. 530 #[must_use] 531 #[inline(always)] 532 pub fn uninit() -> Self 533 where 534 T: Sized, 535 Self: Sized, 536 { 537 let uninit = CoreMaybeUninit::<T>::uninit(); 538 // SAFETY: It is valid to transmute from `CoreMaybeUninit<T>` to 539 // `MaybeUninit<T>` since they both admit uninitialized bytes in all 540 // positions, and they have the same size (i.e., that of `T`). 541 // 542 // `MaybeUninit<T>` has the same size as `T`, because (by invariant on 543 // `T::MaybeUninit`) `T::MaybeUninit` has `T::LAYOUT` identical to `T`, 544 // and because (invariant on `T::LAYOUT`) we can trust that `LAYOUT` 545 // accurately reflects the layout of `T`. 546 // 547 // `CoreMaybeUninit<T>` has the same size as `T` [1] and admits 548 // uninitialized bytes in all positions. 549 // 550 // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1: 551 // 552 // `MaybeUninit<T>` is guaranteed to have the same size, alignment, 553 // and ABI as `T` 554 unsafe { crate::util::transmute_unchecked(uninit) } 555 } 556 557 /// Creates a `Box<MaybeUninit<T>>`. 558 /// 559 /// This function is useful for allocating large, uninit values on the heap 560 /// without ever creating a temporary instance of `Self` on the stack. 561 /// 562 /// # Errors 563 /// 564 /// Returns an error on allocation failure. Allocation failure is guaranteed 565 /// never to cause a panic or an abort. 566 #[cfg(feature = "alloc")] 567 #[inline] 568 pub fn new_boxed_uninit(meta: T::PointerMetadata) -> Result<Box<Self>, AllocError> { 569 // SAFETY: `alloc::alloc::alloc_zeroed` is a valid argument of 570 // `new_box`. The referent of the pointer returned by `alloc` (and, 571 // consequently, the `Box` derived from it) is a valid instance of 572 // `Self`, because `Self` is `MaybeUninit` and thus admits arbitrary 573 // (un)initialized bytes. 574 unsafe { crate::util::new_box(meta, alloc::alloc::alloc) } 575 } 576 577 /// Extracts the value from the `MaybeUninit<T>` container. 578 /// 579 /// # Safety 580 /// 581 /// The caller must ensure that `self` is in an bit-valid state. Depending 582 /// on subsequent use, it may also need to be in a library-valid state. 583 #[inline(always)] 584 pub unsafe fn assume_init(self) -> T 585 where 586 T: Sized, 587 Self: Sized, 588 { 589 // SAFETY: The caller guarantees that `self` is in an bit-valid state. 590 unsafe { crate::util::transmute_unchecked(self) } 591 } 592 } 593 594 impl<T: ?Sized + KnownLayout> fmt::Debug for MaybeUninit<T> { 595 #[inline] 596 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 597 f.pad(core::any::type_name::<Self>()) 598 } 599 } 600 601 #[allow(unreachable_pub)] // False positive on MSRV 602 #[doc(hidden)] 603 pub use read_only_def::*; 604 mod read_only_def { 605 /// A read-only wrapper. 606 /// 607 /// A `ReadOnly<T>` disables any interior mutability in `T`, ensuring that 608 /// a `&ReadOnly<T>` is genuinely read-only. Thus, `ReadOnly<T>` is 609 /// [`Immutable`] regardless of whether `T` is. 610 /// 611 /// Note that `&mut ReadOnly<T>` still permits mutation – the read-only 612 /// property only applies to shared references. 613 /// 614 /// [`Immutable`]: crate::Immutable 615 #[repr(transparent)] 616 pub struct ReadOnly<T: ?Sized> { 617 // INVARIANT: `inner` is never mutated through a `&ReadOnly<T>` 618 // reference. 619 inner: T, 620 } 621 622 impl<T> ReadOnly<T> { 623 /// Creates a new `ReadOnly`. 624 #[must_use] 625 #[inline(always)] 626 pub const fn new(t: T) -> ReadOnly<T> { 627 ReadOnly { inner: t } 628 } 629 630 /// Returns the inner value. 631 #[must_use] 632 #[inline(always)] 633 pub fn into_inner(r: ReadOnly<T>) -> T { 634 r.inner 635 } 636 } 637 638 impl<T: ?Sized> ReadOnly<T> { 639 #[inline(always)] 640 pub(crate) fn as_mut(r: &mut ReadOnly<T>) -> &mut T { 641 // SAFETY: `r: &mut ReadOnly`, so this doesn't violate the invariant 642 // that `inner` is never mutated through a `&ReadOnly<T>` reference. 643 &mut r.inner 644 } 645 646 /// # Safety 647 /// 648 /// The caller promises not to mutate the referent (i.e., via interior 649 /// mutation). 650 pub(crate) const unsafe fn as_ref_unchecked(r: &ReadOnly<T>) -> &T { 651 // SAFETY: The caller promises not to mutate the referent. 652 &r.inner 653 } 654 } 655 } 656 657 // SAFETY: `ReadOnly<T>` is a `#[repr(transparent)` wrapper around `T`. 658 const _: () = unsafe { 659 unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] ReadOnly<T>); 660 }; 661 662 #[allow(clippy::multiple_unsafe_ops_per_block)] 663 // SAFETY: 664 // - `ReadOnly<T>` has the same alignment as `T`, and so it is `Unaligned` 665 // exactly when `T` is as well. 666 // - `ReadOnly<T>` has the same bit validity as `T`, and so this `is_bit_valid` 667 // implementation is correct, and thus the `TryFromBytes` impl is sound. 668 // - `ReadOnly<T>` has the same bit validity as `T`, and so it is `FromZeros`, 669 // `FromBytes`, and `IntoBytes` exactly when `T` is as well. 670 const _: () = unsafe { 671 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ReadOnly<T>); 672 unsafe_impl!( 673 T: ?Sized + TryFromBytes => TryFromBytes for ReadOnly<T>; 674 |c| T::is_bit_valid(c.cast::<_, <ReadOnly<T> as SizeEq<ReadOnly<ReadOnly<T>>>>::CastFrom, _>()) 675 ); 676 unsafe_impl!(T: ?Sized + FromZeros => FromZeros for ReadOnly<T>); 677 unsafe_impl!(T: ?Sized + FromBytes => FromBytes for ReadOnly<T>); 678 unsafe_impl!(T: ?Sized + IntoBytes => IntoBytes for ReadOnly<T>); 679 }; 680 681 // SAFETY: By invariant, `inner` is never mutated through a `&ReadOnly<T>` 682 // reference. 683 const _: () = unsafe { 684 unsafe_impl!(T: ?Sized => Immutable for ReadOnly<T>); 685 }; 686 687 const _: () = { 688 use crate::pointer::cast::CastExact; 689 690 // SAFETY: `ReadOnly<T>` has the same layout as `T`. 691 define_cast!(unsafe { pub CastFromReadOnly<T: ?Sized> = ReadOnly<T> => T}); 692 // SAFETY: `ReadOnly<T>` has the same layout as `T`. 693 unsafe impl<T: ?Sized> CastExact<ReadOnly<T>, T> for CastFromReadOnly {} 694 // SAFETY: `ReadOnly<T>` has the same layout as `T`. 695 define_cast!(unsafe { pub CastToReadOnly<T: ?Sized> = T => ReadOnly<T>}); 696 // SAFETY: `ReadOnly<T>` has the same layout as `T`. 697 unsafe impl<T: ?Sized> CastExact<T, ReadOnly<T>> for CastToReadOnly {} 698 699 impl<T: ?Sized> SizeEq<ReadOnly<T>> for T { 700 type CastFrom = CastFromReadOnly; 701 } 702 703 impl<T: ?Sized> SizeEq<T> for ReadOnly<T> { 704 type CastFrom = CastToReadOnly; 705 } 706 }; 707 708 // SAFETY: `ReadOnly<T>` is a `#[repr(transparent)]` wrapper around `T`, and so 709 // it has the same bit validity as `T`. 710 unsafe impl<T: ?Sized> TransmuteFrom<T, Valid, Valid> for ReadOnly<T> {} 711 712 // SAFETY: `ReadOnly<T>` is a `#[repr(transparent)]` wrapper around `T`, and so 713 // it has the same bit validity as `T`. 714 unsafe impl<T: ?Sized> TransmuteFrom<ReadOnly<T>, Valid, Valid> for T {} 715 716 impl<'a, T: ?Sized + Immutable> From<&'a T> for &'a ReadOnly<T> { 717 #[inline(always)] 718 fn from(t: &'a T) -> &'a ReadOnly<T> { 719 let ro = Ptr::from_ref(t).transmute::<_, _, (_, _)>(); 720 // SAFETY: `ReadOnly<T>` has the same alignment as `T`, and 721 // `Ptr::from_ref` produces an aligned `Ptr`. 722 let ro = unsafe { ro.assume_alignment() }; 723 ro.as_ref() 724 } 725 } 726 727 impl<T: ?Sized + Immutable> Deref for ReadOnly<T> { 728 type Target = T; 729 730 #[inline(always)] 731 fn deref(&self) -> &Self::Target { 732 // SAFETY: By `T: Immutable`, `&T` doesn't permit interior mutation. 733 unsafe { ReadOnly::as_ref_unchecked(self) } 734 } 735 } 736 737 impl<T: ?Sized + Immutable> DerefMut for ReadOnly<T> { 738 #[inline(always)] 739 fn deref_mut(&mut self) -> &mut Self::Target { 740 ReadOnly::as_mut(self) 741 } 742 } 743 744 impl<T: ?Sized + Immutable + Debug> Debug for ReadOnly<T> { 745 #[inline(always)] 746 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 747 self.deref().fmt(f) 748 } 749 } 750 751 // SAFETY: See safety comment on `ProjectToTag`. 752 unsafe impl<T: HasTag + ?Sized> HasTag for ReadOnly<T> { 753 #[allow(clippy::missing_inline_in_public_items)] 754 fn only_derive_is_allowed_to_implement_this_trait() 755 where 756 Self: Sized, 757 { 758 } 759 760 type Tag = T::Tag; 761 762 // SAFETY: `<T as SizeEq<ReadOnly<T>>>::CastFrom` is a no-op projection that 763 // produces a pointer with the same referent. By invariant, for any `Ptr<'_, 764 // T, I>` it is sound to use `T::ProjectToTag` to project to a `Ptr<'_, 765 // T::Tag, I>`. Since `ReadOnly<T>` has the same layout and validity as `T`, 766 // the same is true of projecting from a `Ptr<'_, ReadOnly<T>, I>`. 767 type ProjectToTag = crate::pointer::cast::TransitiveProject< 768 T, 769 <T as SizeEq<ReadOnly<T>>>::CastFrom, 770 T::ProjectToTag, 771 >; 772 } 773 774 // SAFETY: `ReadOnly<T>` is a `#[repr(transparent)]` wrapper around `T`, and so 775 // has the same fields at the same offsets. Thus, it satisfies the safety 776 // invariants of `HasField<Field, VARIANT_ID, FIELD_ID>` for field `f` exactly 777 // when `T` does, as guaranteed by the `T: HasField` bound: 778 // - If `VARIANT_ID` is `STRUCT_VARIANT_ID` or `UNION_VARIANT_ID`, then `T` has 779 // the layout of a struct or union type. Since `ReadOnly<T>` is a transparent 780 // wrapper around `T`, it does too. Otherwise, if `VARIANT_ID` is an enum 781 // variant index, then `T` has the layout of an enum type, and `ReadOnly<T>` 782 // does too. 783 // - By `T: HasField<_, _, FIELD_ID>`: 784 // - `T` has a field `f` with name `n` such that 785 // `FIELD_ID = zerocopy::ident_id!(n)` or at index `i` such that 786 // `FIELD_ID = zerocopy::ident_id!(i)`. 787 // - `Field` has the same visibility as `f`. 788 // - `T::Type` has the same type as `f`. Thus, `ReadOnly<T::Type>` has the 789 // same type as `f`, wrapped in `ReadOnly`. 790 // 791 // `project` satisfies its post-condition – namely, that the returned pointer 792 // refers to a non-strict subset of the bytes of `slf`'s referent, and has the 793 // same provenance as `slf` – because all intermediate operations satisfy those 794 // same conditions. 795 unsafe impl<T, Field, const VARIANT_ID: i128, const FIELD_ID: i128> 796 HasField<Field, VARIANT_ID, FIELD_ID> for ReadOnly<T> 797 where 798 T: HasField<Field, VARIANT_ID, FIELD_ID> + ?Sized, 799 { 800 #[allow(clippy::missing_inline_in_public_items)] 801 fn only_derive_is_allowed_to_implement_this_trait() 802 where 803 Self: Sized, 804 { 805 } 806 807 type Type = ReadOnly<T::Type>; 808 809 #[inline(always)] 810 fn project(slf: PtrInner<'_, Self>) -> *mut ReadOnly<T::Type> { 811 slf.project::<_, <T as SizeEq<ReadOnly<T>>>::CastFrom>() 812 .project::<_, crate::pointer::cast::Projection<Field, VARIANT_ID, FIELD_ID>>() 813 .project::<_, <ReadOnly<T::Type> as SizeEq<T::Type>>::CastFrom>() 814 .as_non_null() 815 .as_ptr() 816 } 817 } 818 819 // SAFETY: `ReadOnly<T>` is a `#[repr(transparent)]` wrapper around `T`, and so 820 // has the same fields at the same offsets. `is_projectable` simply delegates to 821 // `T::is_projectable`, which is sound because a `Ptr<'_, ReadOnly<T>, I>` will 822 // be projectable exactly when a `Ptr<'_, T, I>` referent is. 823 unsafe impl<T, Field, I, const VARIANT_ID: i128, const FIELD_ID: i128> 824 ProjectField<Field, I, VARIANT_ID, FIELD_ID> for ReadOnly<T> 825 where 826 T: ProjectField<Field, I, VARIANT_ID, FIELD_ID> + ?Sized, 827 I: invariant::Invariants, 828 { 829 #[allow(clippy::missing_inline_in_public_items)] 830 fn only_derive_is_allowed_to_implement_this_trait() 831 where 832 Self: Sized, 833 { 834 } 835 836 type Invariants = T::Invariants; 837 838 type Error = T::Error; 839 840 #[inline(always)] 841 fn is_projectable<'a>(ptr: Ptr<'a, Self::Tag, I>) -> Result<(), Self::Error> { 842 T::is_projectable(ptr) 843 } 844 } 845 846 #[cfg(test)] 847 mod tests { 848 use core::panic::AssertUnwindSafe; 849 850 use super::*; 851 use crate::util::testutil::*; 852 853 #[test] 854 fn test_unalign() { 855 // Test methods that don't depend on alignment. 856 let mut u = Unalign::new(AU64(123)); 857 assert_eq!(u.get(), AU64(123)); 858 assert_eq!(u.into_inner(), AU64(123)); 859 assert_eq!(u.get_ptr(), <*const _>::cast::<AU64>(&u)); 860 assert_eq!(u.get_mut_ptr(), <*mut _>::cast::<AU64>(&mut u)); 861 u.set(AU64(321)); 862 assert_eq!(u.get(), AU64(321)); 863 864 // Test methods that depend on alignment (when alignment is satisfied). 865 let mut u: Align<_, AU64> = Align::new(Unalign::new(AU64(123))); 866 assert_eq!(u.t.try_deref().unwrap(), &AU64(123)); 867 assert_eq!(u.t.try_deref_mut().unwrap(), &mut AU64(123)); 868 // SAFETY: The `Align<_, AU64>` guarantees proper alignment. 869 assert_eq!(unsafe { u.t.deref_unchecked() }, &AU64(123)); 870 // SAFETY: The `Align<_, AU64>` guarantees proper alignment. 871 assert_eq!(unsafe { u.t.deref_mut_unchecked() }, &mut AU64(123)); 872 *u.t.try_deref_mut().unwrap() = AU64(321); 873 assert_eq!(u.t.get(), AU64(321)); 874 875 // Test methods that depend on alignment (when alignment is not 876 // satisfied). 877 let mut u: ForceUnalign<_, AU64> = ForceUnalign::new(Unalign::new(AU64(123))); 878 assert!(matches!(u.t.try_deref(), Err(AlignmentError { .. }))); 879 assert!(matches!(u.t.try_deref_mut(), Err(AlignmentError { .. }))); 880 881 // Test methods that depend on `T: Unaligned`. 882 let mut u = Unalign::new(123u8); 883 assert_eq!(u.try_deref(), Ok(&123)); 884 assert_eq!(u.try_deref_mut(), Ok(&mut 123)); 885 assert_eq!(u.deref(), &123); 886 assert_eq!(u.deref_mut(), &mut 123); 887 *u = 21; 888 assert_eq!(u.get(), 21); 889 890 // Test that some `Unalign` functions and methods are `const`. 891 const _UNALIGN: Unalign<u64> = Unalign::new(0); 892 const _UNALIGN_PTR: *const u64 = _UNALIGN.get_ptr(); 893 const _U64: u64 = _UNALIGN.into_inner(); 894 // Make sure all code is considered "used". 895 // 896 // FIXME(https://github.com/rust-lang/rust/issues/104084): Remove this 897 // attribute. 898 #[allow(dead_code)] 899 const _: () = { 900 let x: Align<_, AU64> = Align::new(Unalign::new(AU64(123))); 901 // Make sure that `deref_unchecked` is `const`. 902 // 903 // SAFETY: The `Align<_, AU64>` guarantees proper alignment. 904 let au64 = unsafe { x.t.deref_unchecked() }; 905 match au64 { 906 AU64(123) => {} 907 _ => const_unreachable!(), 908 } 909 }; 910 } 911 912 #[test] 913 fn test_unalign_update() { 914 let mut u = Unalign::new(AU64(123)); 915 u.update(|a| a.0 += 1); 916 assert_eq!(u.get(), AU64(124)); 917 918 // Test that, even if the callback panics, the original is still 919 // correctly overwritten. Use a `Box` so that Miri is more likely to 920 // catch any unsoundness (which would likely result in two `Box`es for 921 // the same heap object, which is the sort of thing that Miri would 922 // probably catch). 923 let mut u = Unalign::new(Box::new(AU64(123))); 924 let res = std::panic::catch_unwind(AssertUnwindSafe(|| { 925 u.update(|a| { 926 a.0 += 1; 927 panic!(); 928 }) 929 })); 930 assert!(res.is_err()); 931 assert_eq!(u.into_inner(), Box::new(AU64(124))); 932 933 // Test the align_of::<T>() == 1 optimization. 934 let mut u = Unalign::new([0u8, 1]); 935 u.update(|a| a[0] += 1); 936 assert_eq!(u.get(), [1u8, 1]); 937 } 938 939 #[test] 940 fn test_unalign_copy_clone() { 941 // Test that `Copy` and `Clone` do not cause soundness issues. This test 942 // is mainly meant to exercise UB that would be caught by Miri. 943 944 // `u.t` is definitely not validly-aligned for `AU64`'s alignment of 8. 945 let u = ForceUnalign::<_, AU64>::new(Unalign::new(AU64(123))); 946 #[allow(clippy::clone_on_copy)] 947 let v = u.t.clone(); 948 let w = u.t; 949 assert_eq!(u.t.get(), v.get()); 950 assert_eq!(u.t.get(), w.get()); 951 assert_eq!(v.get(), w.get()); 952 } 953 954 #[test] 955 fn test_unalign_trait_impls() { 956 let zero = Unalign::new(0u8); 957 let one = Unalign::new(1u8); 958 959 assert!(zero < one); 960 assert_eq!(PartialOrd::partial_cmp(&zero, &one), Some(Ordering::Less)); 961 assert_eq!(Ord::cmp(&zero, &one), Ordering::Less); 962 963 assert_ne!(zero, one); 964 assert_eq!(zero, zero); 965 assert!(!PartialEq::eq(&zero, &one)); 966 assert!(PartialEq::eq(&zero, &zero)); 967 968 fn hash<T: Hash>(t: &T) -> u64 { 969 let mut h = std::collections::hash_map::DefaultHasher::new(); 970 t.hash(&mut h); 971 h.finish() 972 } 973 974 assert_eq!(hash(&zero), hash(&0u8)); 975 assert_eq!(hash(&one), hash(&1u8)); 976 977 assert_eq!(format!("{:?}", zero), format!("{:?}", 0u8)); 978 assert_eq!(format!("{:?}", one), format!("{:?}", 1u8)); 979 assert_eq!(format!("{}", zero), format!("{}", 0u8)); 980 assert_eq!(format!("{}", one), format!("{}", 1u8)); 981 } 982 983 #[test] 984 #[allow(clippy::as_conversions)] 985 fn test_maybe_uninit() { 986 // int 987 { 988 let input = 42; 989 let uninit = MaybeUninit::new(input); 990 // SAFETY: `uninit` is in an initialized state 991 let output = unsafe { uninit.assume_init() }; 992 assert_eq!(input, output); 993 } 994 995 // thin ref 996 { 997 let input = 42; 998 let uninit = MaybeUninit::new(&input); 999 // SAFETY: `uninit` is in an initialized state 1000 let output = unsafe { uninit.assume_init() }; 1001 assert_eq!(&input as *const _, output as *const _); 1002 assert_eq!(input, *output); 1003 } 1004 1005 // wide ref 1006 { 1007 let input = [1, 2, 3, 4]; 1008 let uninit = MaybeUninit::new(&input[..]); 1009 // SAFETY: `uninit` is in an initialized state 1010 let output = unsafe { uninit.assume_init() }; 1011 assert_eq!(&input[..] as *const _, output as *const _); 1012 assert_eq!(input, *output); 1013 } 1014 } 1015 #[test] 1016 fn test_maybe_uninit_uninit() { 1017 let _uninit = MaybeUninit::<u8>::uninit(); 1018 // Cannot check value, but can check it compiles and runs 1019 } 1020 1021 #[test] 1022 #[cfg(feature = "alloc")] 1023 fn test_maybe_uninit_new_boxed_uninit() { 1024 let _boxed = MaybeUninit::<u8>::new_boxed_uninit(()).unwrap(); 1025 } 1026 1027 #[test] 1028 fn test_maybe_uninit_debug() { 1029 let uninit = MaybeUninit::<u8>::uninit(); 1030 assert!(format!("{:?}", uninit).contains("MaybeUninit")); 1031 } 1032 } 1033