zerocopy/impls.rs
1// Copyright 2024 The Fuchsia Authors
2//
3// Licensed under the 2-Clause BSD License <LICENSE-BSD or
4// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0
5// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
6// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
7// This file may not be copied, modified, or distributed except according to
8// those terms.
9
10use core::{
11 cell::{Cell, UnsafeCell},
12 mem::MaybeUninit as CoreMaybeUninit,
13 ptr::NonNull,
14};
15
16use super::*;
17
18safety_comment! {
19 /// SAFETY:
20 /// Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
21 /// zero-sized type to have a size of 0 and an alignment of 1."
22 /// - `Immutable`: `()` self-evidently does not contain any `UnsafeCell`s.
23 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
24 /// only one possible sequence of 0 bytes, and `()` is inhabited.
25 /// - `IntoBytes`: Since `()` has size 0, it contains no padding bytes.
26 /// - `Unaligned`: `()` has alignment 1.
27 ///
28 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#tuple-layout
29 unsafe_impl!((): Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
30 assert_unaligned!(());
31}
32
33safety_comment! {
34 /// SAFETY:
35 /// - `Immutable`: These types self-evidently do not contain any
36 /// `UnsafeCell`s.
37 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: all bit
38 /// patterns are valid for numeric types [1]
39 /// - `IntoBytes`: numeric types have no padding bytes [1]
40 /// - `Unaligned` (`u8` and `i8` only): The reference [2] specifies the size
41 /// of `u8` and `i8` as 1 byte. We also know that:
42 /// - Alignment is >= 1 [3]
43 /// - Size is an integer multiple of alignment [4]
44 /// - The only value >= 1 for which 1 is an integer multiple is 1
45 /// Therefore, the only possible alignment for `u8` and `i8` is 1.
46 ///
47 /// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/numeric.html#bit-validity:
48 ///
49 /// For every numeric type, `T`, the bit validity of `T` is equivalent to
50 /// the bit validity of `[u8; size_of::<T>()]`. An uninitialized byte is
51 /// not a valid `u8`.
52 ///
53 /// [2] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-data-layout
54 ///
55 /// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
56 ///
57 /// Alignment is measured in bytes, and must be at least 1.
58 ///
59 /// [4] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
60 ///
61 /// The size of a value is always a multiple of its alignment.
62 ///
63 /// TODO(#278): Once we've updated the trait docs to refer to `u8`s rather
64 /// than bits or bytes, update this comment, especially the reference to
65 /// [1].
66 unsafe_impl!(u8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
67 unsafe_impl!(i8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
68 assert_unaligned!(u8, i8);
69 unsafe_impl!(u16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
70 unsafe_impl!(i16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
71 unsafe_impl!(u32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
72 unsafe_impl!(i32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
73 unsafe_impl!(u64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
74 unsafe_impl!(i64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
75 unsafe_impl!(u128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
76 unsafe_impl!(i128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
77 unsafe_impl!(usize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
78 unsafe_impl!(isize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
79 unsafe_impl!(f32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
80 unsafe_impl!(f64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
81 #[cfg(feature = "float-nightly")]
82 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
83 #[cfg(feature = "float-nightly")]
84 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
85}
86
87safety_comment! {
88 /// SAFETY:
89 /// - `Immutable`: `bool` self-evidently does not contain any `UnsafeCell`s.
90 /// - `FromZeros`: Valid since "[t]he value false has the bit pattern 0x00"
91 /// [1].
92 /// - `IntoBytes`: Since "the boolean type has a size and alignment of 1
93 /// each" and "The value false has the bit pattern 0x00 and the value true
94 /// has the bit pattern 0x01" [1]. Thus, the only byte of the bool is
95 /// always initialized.
96 /// - `Unaligned`: Per the reference [1], "[a]n object with the boolean type
97 /// has a size and alignment of 1 each."
98 ///
99 /// [1] https://doc.rust-lang.org/1.81.0/reference/types/boolean.html
100 unsafe_impl!(bool: Immutable, FromZeros, IntoBytes, Unaligned);
101 assert_unaligned!(bool);
102 /// SAFETY:
103 /// The impl must only return `true` for its argument if the original
104 /// `Maybe<bool>` refers to a valid `bool`. We only return true if the `u8`
105 /// value is 0 or 1, and both of these are valid values for `bool` [1].
106 ///
107 /// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/boolean.html:
108 ///
109 /// The value false has the bit pattern 0x00 and the value true has the
110 /// bit pattern 0x01.
111 unsafe_impl!(=> TryFromBytes for bool; |byte| {
112 let byte = byte.transmute::<u8, invariant::Valid, _>();
113 *byte.unaligned_as_ref() < 2
114 });
115}
116
117impl_size_eq!(bool, u8);
118
119safety_comment! {
120 /// SAFETY:
121 /// - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
122 /// - `FromZeros`: Per reference [1], "[a] value of type char is a Unicode
123 /// scalar value (i.e. a code point that is not a surrogate), represented
124 /// as a 32-bit unsigned word in the 0x0000 to 0xD7FF or 0xE000 to
125 /// 0x10FFFF range" which contains 0x0000.
126 /// - `IntoBytes`: `char` is per reference [1] "represented as a 32-bit
127 /// unsigned word" (`u32`) which is `IntoBytes`. Note that unlike `u32`,
128 /// not all bit patterns are valid for `char`.
129 ///
130 /// [1] https://doc.rust-lang.org/1.81.0/reference/types/textual.html
131 unsafe_impl!(char: Immutable, FromZeros, IntoBytes);
132 /// SAFETY:
133 /// The impl must only return `true` for its argument if the original
134 /// `Maybe<char>` refers to a valid `char`. `char::from_u32` guarantees that
135 /// it returns `None` if its input is not a valid `char` [1].
136 ///
137 /// [1] Per https://doc.rust-lang.org/core/primitive.char.html#method.from_u32:
138 ///
139 /// `from_u32()` will return `None` if the input is not a valid value for
140 /// a `char`.
141 unsafe_impl!(=> TryFromBytes for char; |c| {
142 let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
143 let c = c.read_unaligned().into_inner();
144 char::from_u32(c).is_some()
145 });
146}
147
148impl_size_eq!(char, Unalign<u32>);
149
150safety_comment! {
151 /// SAFETY:
152 /// Per the Reference [1], `str` has the same layout as `[u8]`.
153 /// - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
154 /// - `FromZeros`, `IntoBytes`, `Unaligned`: `[u8]` is `FromZeros`,
155 /// `IntoBytes`, and `Unaligned`.
156 ///
157 /// Note that we don't `assert_unaligned!(str)` because `assert_unaligned!`
158 /// uses `align_of`, which only works for `Sized` types.
159 ///
160 /// TODO(#429):
161 /// - Add quotes from documentation.
162 /// - Improve safety proof for `FromZeros` and `IntoBytes`; having the same
163 /// layout as `[u8]` isn't sufficient.
164 ///
165 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout
166 unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unaligned);
167 /// SAFETY:
168 /// The impl must only return `true` for its argument if the original
169 /// `Maybe<str>` refers to a valid `str`. `str::from_utf8` guarantees that
170 /// it returns `Err` if its input is not a valid `str` [1].
171 ///
172 /// [2] Per https://doc.rust-lang.org/core/str/fn.from_utf8.html#errors:
173 ///
174 /// Returns `Err` if the slice is not UTF-8.
175 unsafe_impl!(=> TryFromBytes for str; |c| {
176 let c = c.transmute::<[u8], invariant::Valid, _>();
177 let c = c.unaligned_as_ref();
178 core::str::from_utf8(c).is_ok()
179 });
180}
181
182// SAFETY: `str` and `[u8]` have the same layout [1].
183//
184// [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout:
185//
186// String slices are a UTF-8 representation of characters that have the same
187// layout as slices of type `[u8]`.
188unsafe impl pointer::SizeEq<str> for [u8] {
189 fn cast_from_raw(s: NonNull<str>) -> NonNull<[u8]> {
190 cast!(s)
191 }
192}
193// SAFETY: See previous safety comment.
194unsafe impl pointer::SizeEq<[u8]> for str {
195 fn cast_from_raw(bytes: NonNull<[u8]>) -> NonNull<str> {
196 cast!(bytes)
197 }
198}
199
200macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
201 ($($nonzero:ident[$prim:ty]),*) => {
202 $(
203 unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
204 unsafe impl pointer::SizeEq<$nonzero> for Unalign<$prim> {
205 fn cast_from_raw(n: NonNull<$nonzero>) -> NonNull<Unalign<$prim>> {
206 cast!(n)
207 }
208 }
209 unsafe impl pointer::SizeEq<Unalign<$prim>> for $nonzero {
210 fn cast_from_raw(p: NonNull<Unalign<$prim>>) -> NonNull<$nonzero> {
211 cast!(p)
212 }
213 }
214
215 let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
216 $nonzero::new(n.read_unaligned().into_inner()).is_some()
217 });
218 )*
219 }
220}
221
222safety_comment! {
223 // `NonZeroXxx` is `IntoBytes`, but not `FromZeros` or `FromBytes`.
224 //
225 /// SAFETY:
226 /// - `IntoBytes`: `NonZeroXxx` has the same layout as its associated
227 /// primitive. Since it is the same size, this guarantees it has no
228 /// padding - integers have no padding, and there's no room for padding
229 /// if it can represent all of the same values except 0.
230 /// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
231 /// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
232 /// This is worded in a way that makes it unclear whether it's meant as a
233 /// guarantee, but given the purpose of those types, it's virtually
234 /// unthinkable that that would ever change. `Option` cannot be smaller
235 /// than its contained type, which implies that, and `NonZeroX8` are of
236 /// size 1 or 0. `NonZeroX8` can represent multiple states, so they cannot
237 /// be 0 bytes, which means that they must be 1 byte. The only valid
238 /// alignment for a 1-byte type is 1.
239 ///
240 /// TODO(#429):
241 /// - Add quotes from documentation.
242 /// - Add safety comment for `Immutable`. How can we prove that `NonZeroXxx`
243 /// doesn't contain any `UnsafeCell`s? It's obviously true, but it's not
244 /// clear how we'd prove it short of adding text to the stdlib docs that
245 /// says so explicitly, which likely wouldn't be accepted.
246 ///
247 /// [1] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html
248 ///
249 /// `NonZeroU8` is guaranteed to have the same layout and bit validity as `u8` with
250 /// the exception that 0 is not a valid instance
251 ///
252 /// [2] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html
253 /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
254 /// that layout is the same as primitive layout.
255 unsafe_impl!(NonZeroU8: Immutable, IntoBytes, Unaligned);
256 unsafe_impl!(NonZeroI8: Immutable, IntoBytes, Unaligned);
257 assert_unaligned!(NonZeroU8, NonZeroI8);
258 unsafe_impl!(NonZeroU16: Immutable, IntoBytes);
259 unsafe_impl!(NonZeroI16: Immutable, IntoBytes);
260 unsafe_impl!(NonZeroU32: Immutable, IntoBytes);
261 unsafe_impl!(NonZeroI32: Immutable, IntoBytes);
262 unsafe_impl!(NonZeroU64: Immutable, IntoBytes);
263 unsafe_impl!(NonZeroI64: Immutable, IntoBytes);
264 unsafe_impl!(NonZeroU128: Immutable, IntoBytes);
265 unsafe_impl!(NonZeroI128: Immutable, IntoBytes);
266 unsafe_impl!(NonZeroUsize: Immutable, IntoBytes);
267 unsafe_impl!(NonZeroIsize: Immutable, IntoBytes);
268 unsafe_impl_try_from_bytes_for_nonzero!(
269 NonZeroU8[u8],
270 NonZeroI8[i8],
271 NonZeroU16[u16],
272 NonZeroI16[i16],
273 NonZeroU32[u32],
274 NonZeroI32[i32],
275 NonZeroU64[u64],
276 NonZeroI64[i64],
277 NonZeroU128[u128],
278 NonZeroI128[i128],
279 NonZeroUsize[usize],
280 NonZeroIsize[isize]
281 );
282}
283safety_comment! {
284 /// SAFETY:
285 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`,
286 /// `IntoBytes`: The Rust compiler reuses `0` value to represent `None`,
287 /// so `size_of::<Option<NonZeroXxx>>() == size_of::<xxx>()`; see
288 /// `NonZeroXxx` documentation.
289 /// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
290 /// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
291 /// This is worded in a way that makes it unclear whether it's meant as a
292 /// guarantee, but given the purpose of those types, it's virtually
293 /// unthinkable that that would ever change. The only valid alignment for
294 /// a 1-byte type is 1.
295 ///
296 /// TODO(#429): Add quotes from documentation.
297 ///
298 /// [1] https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html
299 /// [2] https://doc.rust-lang.org/stable/std/num/struct.NonZeroI8.html
300 ///
301 /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
302 /// for layout guarantees.
303 unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
304 unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
305 assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>);
306 unsafe_impl!(Option<NonZeroU16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
307 unsafe_impl!(Option<NonZeroI16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
308 unsafe_impl!(Option<NonZeroU32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
309 unsafe_impl!(Option<NonZeroI32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
310 unsafe_impl!(Option<NonZeroU64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
311 unsafe_impl!(Option<NonZeroI64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
312 unsafe_impl!(Option<NonZeroU128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
313 unsafe_impl!(Option<NonZeroI128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
314 unsafe_impl!(Option<NonZeroUsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
315 unsafe_impl!(Option<NonZeroIsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
316}
317
318safety_comment! {
319 /// SAFETY:
320 /// While it's not fully documented, the consensus is that `Box<T>` does not
321 /// contain any `UnsafeCell`s for `T: Sized` [1]. This is not a complete
322 /// proof, but we are accepting this as a known risk per #1358.
323 ///
324 /// [1] https://github.com/rust-lang/unsafe-code-guidelines/issues/492
325 #[cfg(feature = "alloc")]
326 unsafe_impl!(
327 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
328 T: Sized => Immutable for Box<T>
329 );
330}
331
332safety_comment! {
333 /// SAFETY:
334 /// The following types can be transmuted from `[0u8; size_of::<T>()]`. [1]
335 ///
336 /// [1] Per https://doc.rust-lang.org/nightly/core/option/index.html#representation:
337 ///
338 /// Rust guarantees to optimize the following types `T` such that
339 /// [`Option<T>`] has the same size and alignment as `T`. In some of these
340 /// cases, Rust further guarantees that `transmute::<_, Option<T>>([0u8;
341 /// size_of::<T>()])` is sound and produces `Option::<T>::None`. These
342 /// cases are identified by the second column:
343 ///
344 /// | `T` | `transmute::<_, Option<T>>([0u8; size_of::<T>()])` sound? |
345 /// |-----------------------|-----------------------------------------------------------|
346 /// | [`Box<U>`] | when `U: Sized` |
347 /// | `&U` | when `U: Sized` |
348 /// | `&mut U` | when `U: Sized` |
349 /// | [`ptr::NonNull<U>`] | when `U: Sized` |
350 /// | `fn`, `extern "C" fn` | always |
351 ///
352 /// TODO(#429), TODO(https://github.com/rust-lang/rust/pull/115333): Cite
353 /// the Stable docs once they're available.
354 #[cfg(feature = "alloc")]
355 unsafe_impl!(
356 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
357 T => TryFromBytes for Option<Box<T>>; |c| pointer::is_zeroed(c)
358 );
359 #[cfg(feature = "alloc")]
360 unsafe_impl!(
361 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
362 T => FromZeros for Option<Box<T>>
363 );
364 unsafe_impl!(
365 T => TryFromBytes for Option<&'_ T>; |c| pointer::is_zeroed(c)
366 );
367 unsafe_impl!(T => FromZeros for Option<&'_ T>);
368 unsafe_impl!(
369 T => TryFromBytes for Option<&'_ mut T>; |c| pointer::is_zeroed(c)
370 );
371 unsafe_impl!(T => FromZeros for Option<&'_ mut T>);
372 unsafe_impl!(
373 T => TryFromBytes for Option<NonNull<T>>; |c| pointer::is_zeroed(c)
374 );
375 unsafe_impl!(T => FromZeros for Option<NonNull<T>>);
376 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_fn!(...));
377 unsafe_impl_for_power_set!(
378 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_fn!(...);
379 |c| pointer::is_zeroed(c)
380 );
381 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_extern_c_fn!(...));
382 unsafe_impl_for_power_set!(
383 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_extern_c_fn!(...);
384 |c| pointer::is_zeroed(c)
385 );
386}
387
388safety_comment! {
389 /// SAFETY:
390 /// `fn()` and `extern "C" fn()` self-evidently do not contain
391 /// `UnsafeCell`s. This is not a proof, but we are accepting this as a known
392 /// risk per #1358.
393 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_fn!(...));
394 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_extern_c_fn!(...));
395}
396
397#[cfg(all(
398 zerocopy_target_has_atomics_1_60_0,
399 any(
400 target_has_atomic = "8",
401 target_has_atomic = "16",
402 target_has_atomic = "32",
403 target_has_atomic = "64",
404 target_has_atomic = "ptr"
405 )
406))]
407#[cfg_attr(doc_cfg, doc(cfg(rust = "1.60.0")))]
408mod atomics {
409 use super::*;
410
411 macro_rules! impl_traits_for_atomics {
412 ($($atomics:ident [$primitives:ident]),* $(,)?) => {
413 $(
414 impl_known_layout!($atomics);
415 impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
416 impl_for_transmute_from!(=> FromZeros for $atomics [UnsafeCell<$primitives>]);
417 impl_for_transmute_from!(=> FromBytes for $atomics [UnsafeCell<$primitives>]);
418 impl_for_transmute_from!(=> IntoBytes for $atomics [UnsafeCell<$primitives>]);
419 )*
420 };
421 }
422
423 /// Implements `TransmuteFrom` for `$atomic`, `$prim`, and
424 /// `UnsafeCell<$prim>`.
425 ///
426 /// # Safety
427 ///
428 /// `$atomic` must have the same size and bit validity as `$prim`.
429 macro_rules! unsafe_impl_transmute_from_for_atomic {
430 ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {
431 const _: () = {
432 use core::{cell::UnsafeCell, ptr::NonNull};
433 use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
434
435 $(
436 #[allow(unused_unsafe)] // Force the caller to call this macro inside `safety_comment!`.
437 const _: () = unsafe {};
438
439 // SAFETY: The caller promised that `$atomic` and `$prim` have
440 // the same size and bit validity.
441 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
442 // SAFETY: The caller promised that `$atomic` and `$prim` have
443 // the same size and bit validity.
444 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
445
446 // SAFETY: THe caller promised that `$atomic` and `$prim`
447 // have the same size.
448 unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
449 fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<$prim> {
450 cast!(a)
451 }
452 }
453 // SAFETY: THe caller promised that `$atomic` and `$prim`
454 // have the same size.
455 unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
456 fn cast_from_raw(p: NonNull<$prim>) -> NonNull<$atomic> {
457 cast!(p)
458 }
459 }
460 // SAFETY: The caller promised that `$atomic` and `$prim`
461 // have the same size. `UnsafeCell<T>` has the same size as
462 // `T` [1].
463 //
464 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
465 //
466 // `UnsafeCell<T>` has the same in-memory representation as
467 // its inner type `T`. A consequence of this guarantee is that
468 // it is possible to convert between `T` and `UnsafeCell<T>`.
469 unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
470 fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<UnsafeCell<$prim>> {
471 cast!(a)
472 }
473 }
474 // SAFETY: See previous safety comment.
475 unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
476 fn cast_from_raw(p: NonNull<UnsafeCell<$prim>>) -> NonNull<$atomic> {
477 cast!(p)
478 }
479 }
480
481 // SAFETY: The caller promised that `$atomic` and `$prim`
482 // have the same bit validity. `UnsafeCell<T>` has the same
483 // bit validity as `T` [1].
484 //
485 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
486 //
487 // `UnsafeCell<T>` has the same in-memory representation as
488 // its inner type `T`. A consequence of this guarantee is that
489 // it is possible to convert between `T` and `UnsafeCell<T>`.
490 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for core::cell::UnsafeCell<$prim> {}
491 // SAFETY: See previous safety comment.
492 unsafe impl<$($tyvar)?> TransmuteFrom<core::cell::UnsafeCell<$prim>, Valid, Valid> for $atomic {}
493 )*
494 };
495 };
496 }
497
498 #[cfg(target_has_atomic = "8")]
499 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "8")))]
500 mod atomic_8 {
501 use core::sync::atomic::{AtomicBool, AtomicI8, AtomicU8};
502
503 use super::*;
504
505 impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
506
507 impl_known_layout!(AtomicBool);
508
509 impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
510 impl_for_transmute_from!(=> FromZeros for AtomicBool [UnsafeCell<bool>]);
511 impl_for_transmute_from!(=> IntoBytes for AtomicBool [UnsafeCell<bool>]);
512
513 safety_comment! {
514 /// SAFETY:
515 /// Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the same
516 /// size as `bool`, `u8`, and `i8` respectively. Since a type's
517 /// alignment cannot be smaller than 1 [2], and since its alignment
518 /// cannot be greater than its size [3], the only possible value for
519 /// the alignment is 1. Thus, it is sound to implement `Unaligned`.
520 ///
521 /// [1] Per (for example) https://doc.rust-lang.org/1.81.0/std/sync/atomic/struct.AtomicU8.html:
522 ///
523 /// This type has the same size, alignment, and bit validity as
524 /// the underlying integer type
525 ///
526 /// [2] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
527 ///
528 /// Alignment is measured in bytes, and must be at least 1.
529 ///
530 /// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
531 ///
532 /// The size of a value is always a multiple of its alignment.
533 unsafe_impl!(AtomicBool: Unaligned);
534 unsafe_impl!(AtomicU8: Unaligned);
535 unsafe_impl!(AtomicI8: Unaligned);
536 assert_unaligned!(AtomicBool, AtomicU8, AtomicI8);
537
538 /// SAFETY:
539 /// `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size and
540 /// bit validity as `u8`, `i8`, and `bool` respectively [1][2][3].
541 ///
542 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html:
543 ///
544 /// This type has the same size, alignment, and bit validity as
545 /// the underlying integer type, `u8`.
546 ///
547 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html:
548 ///
549 /// This type has the same size, alignment, and bit validity as
550 /// the underlying integer type, `i8`.
551 ///
552 /// [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html:
553 ///
554 /// This type has the same size, alignment, and bit validity a
555 /// `bool`.
556 unsafe_impl_transmute_from_for_atomic!(
557 => AtomicU8 [u8],
558 => AtomicI8 [i8],
559 => AtomicBool [bool]
560 );
561 }
562 }
563
564 #[cfg(target_has_atomic = "16")]
565 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "16")))]
566 mod atomic_16 {
567 use core::sync::atomic::{AtomicI16, AtomicU16};
568
569 use super::*;
570
571 impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
572
573 safety_comment! {
574 /// SAFETY:
575 /// `AtomicU16` and `AtomicI16` have the same size and bit validity
576 /// as `u16` and `i16` respectively [1][2].
577 ///
578 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html:
579 ///
580 /// This type has the same size and bit validity as the underlying
581 /// integer type, `u16`.
582 ///
583 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html:
584 ///
585 /// This type has the same size and bit validity as the underlying
586 /// integer type, `i16`.
587 unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16]);
588 }
589 }
590
591 #[cfg(target_has_atomic = "32")]
592 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "32")))]
593 mod atomic_32 {
594 use core::sync::atomic::{AtomicI32, AtomicU32};
595
596 use super::*;
597
598 impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
599
600 safety_comment! {
601 /// SAFETY:
602 /// `AtomicU32` and `AtomicI32` have the same size and bit validity
603 /// as `u32` and `i32` respectively [1][2].
604 ///
605 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html:
606 ///
607 /// This type has the same size and bit validity as the underlying
608 /// integer type, `u32`.
609 ///
610 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html:
611 ///
612 /// This type has the same size and bit validity as the underlying
613 /// integer type, `i32`.
614 unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32]);
615 }
616 }
617
618 #[cfg(target_has_atomic = "64")]
619 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "64")))]
620 mod atomic_64 {
621 use core::sync::atomic::{AtomicI64, AtomicU64};
622
623 use super::*;
624
625 impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
626
627 safety_comment! {
628 /// SAFETY:
629 /// `AtomicU64` and `AtomicI64` have the same size and bit validity
630 /// as `u64` and `i64` respectively [1][2].
631 ///
632 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html:
633 ///
634 /// This type has the same size and bit validity as the underlying
635 /// integer type, `u64`.
636 ///
637 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html:
638 ///
639 /// This type has the same size and bit validity as the underlying
640 /// integer type, `i64`.
641 unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64]);
642 }
643 }
644
645 #[cfg(target_has_atomic = "ptr")]
646 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "ptr")))]
647 mod atomic_ptr {
648 use core::sync::atomic::{AtomicIsize, AtomicPtr, AtomicUsize};
649
650 use super::*;
651
652 impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
653
654 impl_known_layout!(T => AtomicPtr<T>);
655
656 // TODO(#170): Implement `FromBytes` and `IntoBytes` once we implement
657 // those traits for `*mut T`.
658 impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [UnsafeCell<*mut T>]);
659 impl_for_transmute_from!(T => FromZeros for AtomicPtr<T> [UnsafeCell<*mut T>]);
660
661 safety_comment! {
662 /// SAFETY:
663 /// `AtomicUsize` and `AtomicIsize` have the same size and bit
664 /// validity as `usize` and `isize` respectively [1][2].
665 ///
666 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html:
667 ///
668 /// This type has the same size and bit validity as the underlying
669 /// integer type, `usize`.
670 ///
671 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html:
672 ///
673 /// This type has the same size and bit validity as the underlying
674 /// integer type, `isize`.
675 unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize]);
676 /// SAFETY:
677 /// Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
678 ///
679 /// This type has the same size and bit validity as a `*mut T`.
680 unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]);
681 }
682 }
683}
684
685safety_comment! {
686 /// SAFETY:
687 /// Per reference [1]:
688 /// "For all T, the following are guaranteed:
689 /// size_of::<PhantomData<T>>() == 0
690 /// align_of::<PhantomData<T>>() == 1".
691 /// This gives:
692 /// - `Immutable`: `PhantomData` has no fields.
693 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
694 /// only one possible sequence of 0 bytes, and `PhantomData` is inhabited.
695 /// - `IntoBytes`: Since `PhantomData` has size 0, it contains no padding
696 /// bytes.
697 /// - `Unaligned`: Per the preceding reference, `PhantomData` has alignment
698 /// 1.
699 ///
700 /// [1] https://doc.rust-lang.org/1.81.0/std/marker/struct.PhantomData.html#layout-1
701 unsafe_impl!(T: ?Sized => Immutable for PhantomData<T>);
702 unsafe_impl!(T: ?Sized => TryFromBytes for PhantomData<T>);
703 unsafe_impl!(T: ?Sized => FromZeros for PhantomData<T>);
704 unsafe_impl!(T: ?Sized => FromBytes for PhantomData<T>);
705 unsafe_impl!(T: ?Sized => IntoBytes for PhantomData<T>);
706 unsafe_impl!(T: ?Sized => Unaligned for PhantomData<T>);
707 assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>);
708}
709
710impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[<T>]);
711impl_for_transmute_from!(T: FromZeros => FromZeros for Wrapping<T>[<T>]);
712impl_for_transmute_from!(T: FromBytes => FromBytes for Wrapping<T>[<T>]);
713impl_for_transmute_from!(T: IntoBytes => IntoBytes for Wrapping<T>[<T>]);
714assert_unaligned!(Wrapping<()>, Wrapping<u8>);
715
716safety_comment! {
717 /// SAFETY:
718 /// Per [1], `Wrapping<T>` has the same layout as `T`. Since its single
719 /// field (of type `T`) is public, it would be a breaking change to add or
720 /// remove fields. Thus, we know that `Wrapping<T>` contains a `T` (as
721 /// opposed to just having the same size and alignment as `T`) with no pre-
722 /// or post-padding. Thus, `Wrapping<T>` must have `UnsafeCell`s covering
723 /// the same byte ranges as `Inner = T`.
724 ///
725 /// [1] Per https://doc.rust-lang.org/1.81.0/std/num/struct.Wrapping.html#layout-1:
726 ///
727 /// `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`
728 unsafe_impl!(T: Immutable => Immutable for Wrapping<T>);
729 /// SAFETY:
730 /// Per [1] in the preceding safety comment, `Wrapping<T>` has the same
731 /// alignment as `T`.
732 unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>);
733}
734
735safety_comment! {
736 /// SAFETY:
737 /// `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`:
738 /// `MaybeUninit<T>` has no restrictions on its contents.
739 unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>);
740 unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>);
741 unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>);
742 /// SAFETY:
743 /// `MaybeUninit<T>` has `UnsafeCell`s covering the same byte ranges as
744 /// `Inner = T`. This is not explicitly documented, but it can be inferred.
745 /// Per [1], `MaybeUninit<T>` has the same size as `T`. Further, note the
746 /// signature of `MaybeUninit::assume_init_ref` [2]:
747 ///
748 /// pub unsafe fn assume_init_ref(&self) -> &T
749 ///
750 /// If the argument `&MaybeUninit<T>` and the returned `&T` had
751 /// `UnsafeCell`s at different offsets, this would be unsound. Its existence
752 /// is proof that this is not the case.
753 ///
754 /// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
755 ///
756 /// `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI
757 /// as `T`.
758 ///
759 /// [2] https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#method.assume_init_ref
760 unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>);
761 /// SAFETY:
762 /// Per [1] in the preceding safety comment, `MaybeUninit<T>` has the same
763 /// alignment as `T`.
764 unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>);
765}
766assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>);
767
768safety_comment! {
769 /// SAFETY:
770 /// `ManuallyDrop<T>` has the same layout as `T` [1]. This strongly implies,
771 /// but does not guarantee, that it contains `UnsafeCell`s covering the same
772 /// byte ranges as in `T`. However, it also implements `Defer<Target = T>`
773 /// [2], which provides the ability to convert `&ManuallyDrop<T> -> &T`.
774 /// This, combined with having the same size as `T`, implies that
775 /// `ManuallyDrop<T>` exactly contains a `T` with the same fields and
776 /// `UnsafeCell`s covering the same byte ranges, or else the `Deref` impl
777 /// would permit safe code to obtain different shared references to the same
778 /// region of memory with different `UnsafeCell` coverage, which would in
779 /// turn permit interior mutation that would violate the invariants of a
780 /// shared reference.
781 ///
782 /// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
783 ///
784 /// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
785 /// validity as `T`
786 ///
787 /// [2] https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html#impl-Deref-for-ManuallyDrop%3CT%3E
788 unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>);
789}
790
791impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>[<T>]);
792impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[<T>]);
793impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[<T>]);
794impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[<T>]);
795safety_comment! {
796 /// SAFETY:
797 /// `ManuallyDrop<T>` has the same layout as `T` [1], and thus has the same
798 /// alignment as `T`.
799 ///
800 /// [1] Per https://doc.rust-lang.org/nightly/core/mem/struct.ManuallyDrop.html:
801 ///
802 /// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
803 /// validity as `T`
804 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>);
805}
806assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>);
807
808impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for Cell<T>[UnsafeCell<T>]);
809impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for Cell<T>[UnsafeCell<T>]);
810impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for Cell<T>[UnsafeCell<T>]);
811impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for Cell<T>[UnsafeCell<T>]);
812safety_comment! {
813 /// SAFETY:
814 /// `Cell<T>` has the same in-memory representation as `T` [1], and thus has
815 /// the same alignment as `T`.
816 ///
817 /// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.Cell.html#memory-layout:
818 ///
819 /// `Cell<T>` has the same in-memory representation as its inner type `T`.
820 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for Cell<T>);
821}
822
823impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[<T>]);
824impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[<T>]);
825impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[<T>]);
826safety_comment! {
827 /// SAFETY:
828 /// `UnsafeCell<T>` has the same in-memory representation as `T` [1], and
829 /// thus has the same alignment as `T`.
830 ///
831 /// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
832 ///
833 /// `UnsafeCell<T>` has the same in-memory representation as its inner
834 /// type `T`.
835 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>);
836}
837assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
838
839// SAFETY: See safety comment in `is_bit_valid` impl.
840unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
841 #[allow(clippy::missing_inline_in_public_items)]
842 fn only_derive_is_allowed_to_implement_this_trait()
843 where
844 Self: Sized,
845 {
846 }
847
848 #[inline]
849 fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
850 // The only way to implement this function is using an exclusive-aliased
851 // pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
852 // (other than by using `unsafe` code, which we can't use since we can't
853 // guarantee how our users are accessing or modifying the `UnsafeCell`).
854 //
855 // `is_bit_valid` is documented as panicking or failing to monomorphize
856 // if called with a shared-aliased pointer on a type containing an
857 // `UnsafeCell`. In practice, it will always be a monorphization error.
858 // Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
859 // from this crate, we only need to worry about our own code incorrectly
860 // calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
861 // makes it easier to test that this is truly the case, and also means
862 // that if we make a mistake, it will cause downstream code to fail to
863 // compile, which will immediately surface the mistake and give us a
864 // chance to fix it quickly.
865 let c = candidate.into_exclusive_or_pme();
866
867 // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
868 // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
869 // is. Thus, this is a sound implementation of
870 // `UnsafeCell::is_bit_valid`.
871 T::is_bit_valid(c.get_mut())
872 }
873}
874
875safety_comment! {
876 /// SAFETY:
877 /// Per the reference [1]:
878 ///
879 /// An array of `[T; N]` has a size of `size_of::<T>() * N` and the same
880 /// alignment of `T`. Arrays are laid out so that the zero-based `nth`
881 /// element of the array is offset from the start of the array by `n *
882 /// size_of::<T>()` bytes.
883 ///
884 /// ...
885 ///
886 /// Slices have the same layout as the section of the array they slice.
887 ///
888 /// In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s
889 /// laid out back-to-back with no bytes in between. Therefore, `[T]` or `[T;
890 /// N]` are `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, and
891 /// `IntoBytes` if `T` is (respectively). Furthermore, since an array/slice
892 /// has "the same alignment of `T`", `[T]` and `[T; N]` are `Unaligned` if
893 /// `T` is.
894 ///
895 /// Note that we don't `assert_unaligned!` for slice types because
896 /// `assert_unaligned!` uses `align_of`, which only works for `Sized` types.
897 ///
898 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout
899 unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]);
900 unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; |c| {
901 // Note that this call may panic, but it would still be sound even if it
902 // did. `is_bit_valid` does not promise that it will not panic (in fact,
903 // it explicitly warns that it's a possibility), and we have not
904 // violated any safety invariants that we must fix before returning.
905 <[T] as TryFromBytes>::is_bit_valid(c.as_slice())
906 });
907 unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]);
908 unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
909 unsafe_impl!(const N: usize, T: IntoBytes => IntoBytes for [T; N]);
910 unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]);
911 assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]);
912 unsafe_impl!(T: Immutable => Immutable for [T]);
913 unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; |c| {
914 // SAFETY: Per the reference [1]:
915 //
916 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the
917 // same alignment of `T`. Arrays are laid out so that the zero-based
918 // `nth` element of the array is offset from the start of the array by
919 // `n * size_of::<T>()` bytes.
920 //
921 // ...
922 //
923 // Slices have the same layout as the section of the array they slice.
924 //
925 // In other words, the layout of a `[T] is a sequence of `T`s laid out
926 // back-to-back with no bytes in between. If all elements in `candidate`
927 // are `is_bit_valid`, so too is `candidate`.
928 //
929 // Note that any of the below calls may panic, but it would still be
930 // sound even if it did. `is_bit_valid` does not promise that it will
931 // not panic (in fact, it explicitly warns that it's a possibility), and
932 // we have not violated any safety invariants that we must fix before
933 // returning.
934 c.iter().all(<T as TryFromBytes>::is_bit_valid)
935 });
936 unsafe_impl!(T: FromZeros => FromZeros for [T]);
937 unsafe_impl!(T: FromBytes => FromBytes for [T]);
938 unsafe_impl!(T: IntoBytes => IntoBytes for [T]);
939 unsafe_impl!(T: Unaligned => Unaligned for [T]);
940}
941safety_comment! {
942 /// SAFETY:
943 /// - `Immutable`: Raw pointers do not contain any `UnsafeCell`s.
944 /// - `FromZeros`: For thin pointers (note that `T: Sized`), the zero
945 /// pointer is considered "null". [1] No operations which require
946 /// provenance are legal on null pointers, so this is not a footgun.
947 /// - `TryFromBytes`: By the same reasoning as for `FromZeroes`, we can
948 /// implement `TryFromBytes` for thin pointers provided that
949 /// [`TryFromByte::is_bit_valid`] only produces `true` for zeroed bytes.
950 ///
951 /// NOTE(#170): Implementing `FromBytes` and `IntoBytes` for raw pointers
952 /// would be sound, but carries provenance footguns. We want to support
953 /// `FromBytes` and `IntoBytes` for raw pointers eventually, but we are
954 /// holding off until we can figure out how to address those footguns.
955 ///
956 /// [1] TODO(https://github.com/rust-lang/rust/pull/116988): Cite the
957 /// documentation once this PR lands.
958 unsafe_impl!(T: ?Sized => Immutable for *const T);
959 unsafe_impl!(T: ?Sized => Immutable for *mut T);
960 unsafe_impl!(T => TryFromBytes for *const T; |c| pointer::is_zeroed(c));
961 unsafe_impl!(T => FromZeros for *const T);
962 unsafe_impl!(T => TryFromBytes for *mut T; |c| pointer::is_zeroed(c));
963 unsafe_impl!(T => FromZeros for *mut T);
964}
965
966safety_comment! {
967 /// SAFETY:
968 /// `NonNull<T>` self-evidently does not contain `UnsafeCell`s. This is not
969 /// a proof, but we are accepting this as a known risk per #1358.
970 unsafe_impl!(T: ?Sized => Immutable for NonNull<T>);
971}
972
973safety_comment! {
974 /// SAFETY:
975 /// Reference types do not contain any `UnsafeCell`s.
976 unsafe_impl!(T: ?Sized => Immutable for &'_ T);
977 unsafe_impl!(T: ?Sized => Immutable for &'_ mut T);
978}
979
980safety_comment! {
981 /// SAFETY:
982 /// `Option` is not `#[non_exhaustive]` [1], which means that the types in
983 /// its variants cannot change, and no new variants can be added.
984 /// `Option<T>` does not contain any `UnsafeCell`s outside of `T`. [1]
985 ///
986 /// [1] https://doc.rust-lang.org/core/option/enum.Option.html
987 unsafe_impl!(T: Immutable => Immutable for Option<T>);
988}
989
990// SIMD support
991//
992// Per the Unsafe Code Guidelines Reference [1]:
993//
994// Packed SIMD vector types are `repr(simd)` homogeneous tuple-structs
995// containing `N` elements of type `T` where `N` is a power-of-two and the
996// size and alignment requirements of `T` are equal:
997//
998// ```rust
999// #[repr(simd)]
1000// struct Vector<T, N>(T_0, ..., T_(N - 1));
1001// ```
1002//
1003// ...
1004//
1005// The size of `Vector` is `N * size_of::<T>()` and its alignment is an
1006// implementation-defined function of `T` and `N` greater than or equal to
1007// `align_of::<T>()`.
1008//
1009// ...
1010//
1011// Vector elements are laid out in source field order, enabling random access
1012// to vector elements by reinterpreting the vector as an array:
1013//
1014// ```rust
1015// union U {
1016// vec: Vector<T, N>,
1017// arr: [T; N]
1018// }
1019//
1020// assert_eq!(size_of::<Vector<T, N>>(), size_of::<[T; N]>());
1021// assert!(align_of::<Vector<T, N>>() >= align_of::<[T; N]>());
1022//
1023// unsafe {
1024// let u = U { vec: Vector<T, N>(t_0, ..., t_(N - 1)) };
1025//
1026// assert_eq!(u.vec.0, u.arr[0]);
1027// // ...
1028// assert_eq!(u.vec.(N - 1), u.arr[N - 1]);
1029// }
1030// ```
1031//
1032// Given this background, we can observe that:
1033// - The size and bit pattern requirements of a SIMD type are equivalent to the
1034// equivalent array type. Thus, for any SIMD type whose primitive `T` is
1035// `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes`, that
1036// SIMD type is also `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or
1037// `IntoBytes` respectively.
1038// - Since no upper bound is placed on the alignment, no SIMD type can be
1039// guaranteed to be `Unaligned`.
1040//
1041// Also per [1]:
1042//
1043// This chapter represents the consensus from issue #38. The statements in
1044// here are not (yet) "guaranteed" not to change until an RFC ratifies them.
1045//
1046// See issue #38 [2]. While this behavior is not technically guaranteed, the
1047// likelihood that the behavior will change such that SIMD types are no longer
1048// `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes` is next to zero, as
1049// that would defeat the entire purpose of SIMD types. Nonetheless, we put this
1050// behavior behind the `simd` Cargo feature, which requires consumers to opt
1051// into this stability hazard.
1052//
1053// [1] https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html
1054// [2] https://github.com/rust-lang/unsafe-code-guidelines/issues/38
1055#[cfg(feature = "simd")]
1056#[cfg_attr(doc_cfg, doc(cfg(feature = "simd")))]
1057mod simd {
1058 /// Defines a module which implements `TryFromBytes`, `FromZeros`,
1059 /// `FromBytes`, and `IntoBytes` for a set of types from a module in
1060 /// `core::arch`.
1061 ///
1062 /// `$arch` is both the name of the defined module and the name of the
1063 /// module in `core::arch`, and `$typ` is the list of items from that module
1064 /// to implement `FromZeros`, `FromBytes`, and `IntoBytes` for.
1065 #[allow(unused_macros)] // `allow(unused_macros)` is needed because some
1066 // target/feature combinations don't emit any impls
1067 // and thus don't use this macro.
1068 macro_rules! simd_arch_mod {
1069 (#[cfg $cfg:tt] $arch:ident, $mod:ident, $($typ:ident),*) => {
1070 #[cfg $cfg]
1071 #[cfg_attr(doc_cfg, doc(cfg $cfg))]
1072 mod $mod {
1073 use core::arch::$arch::{$($typ),*};
1074
1075 use crate::*;
1076 impl_known_layout!($($typ),*);
1077 safety_comment! {
1078 /// SAFETY:
1079 /// See comment on module definition for justification.
1080 $( unsafe_impl!($typ: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); )*
1081 }
1082 }
1083 };
1084 }
1085
1086 #[rustfmt::skip]
1087 const _: () = {
1088 simd_arch_mod!(
1089 #[cfg(target_arch = "x86")]
1090 x86, x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1091 );
1092 simd_arch_mod!(
1093 #[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
1094 x86, x86_nightly, __m512bh, __m512, __m512d, __m512i
1095 );
1096 simd_arch_mod!(
1097 #[cfg(target_arch = "x86_64")]
1098 x86_64, x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1099 );
1100 simd_arch_mod!(
1101 #[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
1102 x86_64, x86_64_nightly, __m512bh, __m512, __m512d, __m512i
1103 );
1104 simd_arch_mod!(
1105 #[cfg(target_arch = "wasm32")]
1106 wasm32, wasm32, v128
1107 );
1108 simd_arch_mod!(
1109 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
1110 powerpc, powerpc, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1111 );
1112 simd_arch_mod!(
1113 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
1114 powerpc64, powerpc64, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1115 );
1116 #[cfg(zerocopy_aarch64_simd_1_59_0)]
1117 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.59.0")))]
1118 simd_arch_mod!(
1119 // NOTE(https://github.com/rust-lang/stdarch/issues/1484): NEON intrinsics are currently
1120 // broken on big-endian platforms.
1121 #[cfg(all(target_arch = "aarch64", target_endian = "little"))]
1122 aarch64, aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
1123 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
1124 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
1125 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
1126 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
1127 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
1128 uint64x1_t, uint64x2_t
1129 );
1130 };
1131}
1132
1133#[cfg(test)]
1134mod tests {
1135 use super::*;
1136 use crate::pointer::invariant;
1137
1138 #[test]
1139 fn test_impls() {
1140 // A type that can supply test cases for testing
1141 // `TryFromBytes::is_bit_valid`. All types passed to `assert_impls!`
1142 // must implement this trait; that macro uses it to generate runtime
1143 // tests for `TryFromBytes` impls.
1144 //
1145 // All `T: FromBytes` types are provided with a blanket impl. Other
1146 // types must implement `TryFromBytesTestable` directly (ie using
1147 // `impl_try_from_bytes_testable!`).
1148 trait TryFromBytesTestable {
1149 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F);
1150 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F);
1151 }
1152
1153 impl<T: FromBytes> TryFromBytesTestable for T {
1154 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1155 // Test with a zeroed value.
1156 f(Self::new_box_zeroed().unwrap());
1157
1158 let ffs = {
1159 let mut t = Self::new_zeroed();
1160 let ptr: *mut T = &mut t;
1161 // SAFETY: `T: FromBytes`
1162 unsafe { ptr::write_bytes(ptr.cast::<u8>(), 0xFF, mem::size_of::<T>()) };
1163 t
1164 };
1165
1166 // Test with a value initialized with 0xFF.
1167 f(Box::new(ffs));
1168 }
1169
1170 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {}
1171 }
1172
1173 macro_rules! impl_try_from_bytes_testable_for_null_pointer_optimization {
1174 ($($tys:ty),*) => {
1175 $(
1176 impl TryFromBytesTestable for Option<$tys> {
1177 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1178 // Test with a zeroed value.
1179 f(Box::new(None));
1180 }
1181
1182 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F) {
1183 for pos in 0..mem::size_of::<Self>() {
1184 let mut bytes = [0u8; mem::size_of::<Self>()];
1185 bytes[pos] = 0x01;
1186 f(&mut bytes[..]);
1187 }
1188 }
1189 }
1190 )*
1191 };
1192 }
1193
1194 // Implements `TryFromBytesTestable`.
1195 macro_rules! impl_try_from_bytes_testable {
1196 // Base case for recursion (when the list of types has run out).
1197 (=> @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {};
1198 // Implements for type(s) with no type parameters.
1199 ($ty:ty $(,$tys:ty)* => @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1200 impl TryFromBytesTestable for $ty {
1201 impl_try_from_bytes_testable!(
1202 @methods @success $($success_case),*
1203 $(, @failure $($failure_case),*)?
1204 );
1205 }
1206 impl_try_from_bytes_testable!($($tys),* => @success $($success_case),* $(, @failure $($failure_case),*)?);
1207 };
1208 // Implements for multiple types with no type parameters.
1209 ($($($ty:ty),* => @success $($success_case:expr), * $(, @failure $($failure_case:expr),*)?;)*) => {
1210 $(
1211 impl_try_from_bytes_testable!($($ty),* => @success $($success_case),* $(, @failure $($failure_case),*)*);
1212 )*
1213 };
1214 // Implements only the methods; caller must invoke this from inside
1215 // an impl block.
1216 (@methods @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1217 fn with_passing_test_cases<F: Fn(Box<Self>)>(_f: F) {
1218 $(
1219 _f(Box::<Self>::from($success_case));
1220 )*
1221 }
1222
1223 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {
1224 $($(
1225 let mut case = $failure_case;
1226 _f(case.as_mut_bytes());
1227 )*)?
1228 }
1229 };
1230 }
1231
1232 impl_try_from_bytes_testable_for_null_pointer_optimization!(
1233 Box<UnsafeCell<NotZerocopy>>,
1234 &'static UnsafeCell<NotZerocopy>,
1235 &'static mut UnsafeCell<NotZerocopy>,
1236 NonNull<UnsafeCell<NotZerocopy>>,
1237 fn(),
1238 FnManyArgs,
1239 extern "C" fn(),
1240 ECFnManyArgs
1241 );
1242
1243 macro_rules! bx {
1244 ($e:expr) => {
1245 Box::new($e)
1246 };
1247 }
1248
1249 // Note that these impls are only for types which are not `FromBytes`.
1250 // `FromBytes` types are covered by a preceding blanket impl.
1251 impl_try_from_bytes_testable!(
1252 bool => @success true, false,
1253 @failure 2u8, 3u8, 0xFFu8;
1254 char => @success '\u{0}', '\u{D7FF}', '\u{E000}', '\u{10FFFF}',
1255 @failure 0xD800u32, 0xDFFFu32, 0x110000u32;
1256 str => @success "", "hello", "❤️🧡💛💚💙💜",
1257 @failure [0, 159, 146, 150];
1258 [u8] => @success vec![].into_boxed_slice(), vec![0, 1, 2].into_boxed_slice();
1259 NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32,
1260 NonZeroI32, NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128,
1261 NonZeroUsize, NonZeroIsize
1262 => @success Self::new(1).unwrap(),
1263 // Doing this instead of `0` ensures that we always satisfy
1264 // the size and alignment requirements of `Self` (whereas `0`
1265 // may be any integer type with a different size or alignment
1266 // than some `NonZeroXxx` types).
1267 @failure Option::<Self>::None;
1268 [bool; 0] => @success [];
1269 [bool; 1]
1270 => @success [true], [false],
1271 @failure [2u8], [3u8], [0xFFu8];
1272 [bool]
1273 => @success vec![true, false].into_boxed_slice(), vec![false, true].into_boxed_slice(),
1274 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1275 Unalign<bool>
1276 => @success Unalign::new(false), Unalign::new(true),
1277 @failure 2u8, 0xFFu8;
1278 ManuallyDrop<bool>
1279 => @success ManuallyDrop::new(false), ManuallyDrop::new(true),
1280 @failure 2u8, 0xFFu8;
1281 ManuallyDrop<[u8]>
1282 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([0u8])), bx!(ManuallyDrop::new([0u8, 1u8]));
1283 ManuallyDrop<[bool]>
1284 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([false])), bx!(ManuallyDrop::new([false, true])),
1285 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1286 ManuallyDrop<[UnsafeCell<u8>]>
1287 => @success bx!(ManuallyDrop::new([UnsafeCell::new(0)])), bx!(ManuallyDrop::new([UnsafeCell::new(0), UnsafeCell::new(1)]));
1288 ManuallyDrop<[UnsafeCell<bool>]>
1289 => @success bx!(ManuallyDrop::new([UnsafeCell::new(false)])), bx!(ManuallyDrop::new([UnsafeCell::new(false), UnsafeCell::new(true)])),
1290 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1291 Wrapping<bool>
1292 => @success Wrapping(false), Wrapping(true),
1293 @failure 2u8, 0xFFu8;
1294 *const NotZerocopy
1295 => @success ptr::null::<NotZerocopy>(),
1296 @failure [0x01; mem::size_of::<*const NotZerocopy>()];
1297 *mut NotZerocopy
1298 => @success ptr::null_mut::<NotZerocopy>(),
1299 @failure [0x01; mem::size_of::<*mut NotZerocopy>()];
1300 );
1301
1302 // Use the trick described in [1] to allow us to call methods
1303 // conditional on certain trait bounds.
1304 //
1305 // In all of these cases, methods return `Option<R>`, where `R` is the
1306 // return type of the method we're conditionally calling. The "real"
1307 // implementations (the ones defined in traits using `&self`) return
1308 // `Some`, and the default implementations (the ones defined as inherent
1309 // methods using `&mut self`) return `None`.
1310 //
1311 // [1] https://github.com/dtolnay/case-studies/blob/master/autoref-specialization/README.md
1312 mod autoref_trick {
1313 use super::*;
1314
1315 pub(super) struct AutorefWrapper<T: ?Sized>(pub(super) PhantomData<T>);
1316
1317 pub(super) trait TestIsBitValidShared<T: ?Sized> {
1318 #[allow(clippy::needless_lifetimes)]
1319 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1320 &self,
1321 candidate: Maybe<'ptr, T, A>,
1322 ) -> Option<bool>;
1323 }
1324
1325 impl<T: TryFromBytes + Immutable + ?Sized> TestIsBitValidShared<T> for AutorefWrapper<T> {
1326 #[allow(clippy::needless_lifetimes)]
1327 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1328 &self,
1329 candidate: Maybe<'ptr, T, A>,
1330 ) -> Option<bool> {
1331 Some(T::is_bit_valid(candidate))
1332 }
1333 }
1334
1335 pub(super) trait TestTryFromRef<T: ?Sized> {
1336 #[allow(clippy::needless_lifetimes)]
1337 fn test_try_from_ref<'bytes>(
1338 &self,
1339 bytes: &'bytes [u8],
1340 ) -> Option<Option<&'bytes T>>;
1341 }
1342
1343 impl<T: TryFromBytes + Immutable + KnownLayout + ?Sized> TestTryFromRef<T> for AutorefWrapper<T> {
1344 #[allow(clippy::needless_lifetimes)]
1345 fn test_try_from_ref<'bytes>(
1346 &self,
1347 bytes: &'bytes [u8],
1348 ) -> Option<Option<&'bytes T>> {
1349 Some(T::try_ref_from_bytes(bytes).ok())
1350 }
1351 }
1352
1353 pub(super) trait TestTryFromMut<T: ?Sized> {
1354 #[allow(clippy::needless_lifetimes)]
1355 fn test_try_from_mut<'bytes>(
1356 &self,
1357 bytes: &'bytes mut [u8],
1358 ) -> Option<Option<&'bytes mut T>>;
1359 }
1360
1361 impl<T: TryFromBytes + IntoBytes + KnownLayout + ?Sized> TestTryFromMut<T> for AutorefWrapper<T> {
1362 #[allow(clippy::needless_lifetimes)]
1363 fn test_try_from_mut<'bytes>(
1364 &self,
1365 bytes: &'bytes mut [u8],
1366 ) -> Option<Option<&'bytes mut T>> {
1367 Some(T::try_mut_from_bytes(bytes).ok())
1368 }
1369 }
1370
1371 pub(super) trait TestTryReadFrom<T> {
1372 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>>;
1373 }
1374
1375 impl<T: TryFromBytes> TestTryReadFrom<T> for AutorefWrapper<T> {
1376 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>> {
1377 Some(T::try_read_from_bytes(bytes).ok())
1378 }
1379 }
1380
1381 pub(super) trait TestAsBytes<T: ?Sized> {
1382 #[allow(clippy::needless_lifetimes)]
1383 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]>;
1384 }
1385
1386 impl<T: IntoBytes + Immutable + ?Sized> TestAsBytes<T> for AutorefWrapper<T> {
1387 #[allow(clippy::needless_lifetimes)]
1388 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]> {
1389 Some(t.as_bytes())
1390 }
1391 }
1392 }
1393
1394 use autoref_trick::*;
1395
1396 // Asserts that `$ty` is one of a list of types which are allowed to not
1397 // provide a "real" implementation for `$fn_name`. Since the
1398 // `autoref_trick` machinery fails silently, this allows us to ensure
1399 // that the "default" impls are only being used for types which we
1400 // expect.
1401 //
1402 // Note that, since this is a runtime test, it is possible to have an
1403 // allowlist which is too restrictive if the function in question is
1404 // never called for a particular type. For example, if `as_bytes` is not
1405 // supported for a particular type, and so `test_as_bytes` returns
1406 // `None`, methods such as `test_try_from_ref` may never be called for
1407 // that type. As a result, it's possible that, for example, adding
1408 // `as_bytes` support for a type would cause other allowlist assertions
1409 // to fail. This means that allowlist assertion failures should not
1410 // automatically be taken as a sign of a bug.
1411 macro_rules! assert_on_allowlist {
1412 ($fn_name:ident($ty:ty) $(: $($tys:ty),*)?) => {{
1413 use core::any::TypeId;
1414
1415 let allowlist: &[TypeId] = &[ $($(TypeId::of::<$tys>()),*)? ];
1416 let allowlist_names: &[&str] = &[ $($(stringify!($tys)),*)? ];
1417
1418 let id = TypeId::of::<$ty>();
1419 assert!(allowlist.contains(&id), "{} is not on allowlist for {}: {:?}", stringify!($ty), stringify!($fn_name), allowlist_names);
1420 }};
1421 }
1422
1423 // Asserts that `$ty` implements any `$trait` and doesn't implement any
1424 // `!$trait`. Note that all `$trait`s must come before any `!$trait`s.
1425 //
1426 // For `T: TryFromBytes`, uses `TryFromBytesTestable` to test success
1427 // and failure cases.
1428 macro_rules! assert_impls {
1429 ($ty:ty: TryFromBytes) => {
1430 // "Default" implementations that match the "real"
1431 // implementations defined in the `autoref_trick` module above.
1432 #[allow(unused, non_local_definitions)]
1433 impl AutorefWrapper<$ty> {
1434 #[allow(clippy::needless_lifetimes)]
1435 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1436 &mut self,
1437 candidate: Maybe<'ptr, $ty, A>,
1438 ) -> Option<bool> {
1439 assert_on_allowlist!(
1440 test_is_bit_valid_shared($ty):
1441 ManuallyDrop<UnsafeCell<()>>,
1442 ManuallyDrop<[UnsafeCell<u8>]>,
1443 ManuallyDrop<[UnsafeCell<bool>]>,
1444 CoreMaybeUninit<NotZerocopy>,
1445 CoreMaybeUninit<UnsafeCell<()>>,
1446 Wrapping<UnsafeCell<()>>
1447 );
1448
1449 None
1450 }
1451
1452 #[allow(clippy::needless_lifetimes)]
1453 fn test_try_from_ref<'bytes>(&mut self, _bytes: &'bytes [u8]) -> Option<Option<&'bytes $ty>> {
1454 assert_on_allowlist!(
1455 test_try_from_ref($ty):
1456 ManuallyDrop<[UnsafeCell<bool>]>
1457 );
1458
1459 None
1460 }
1461
1462 #[allow(clippy::needless_lifetimes)]
1463 fn test_try_from_mut<'bytes>(&mut self, _bytes: &'bytes mut [u8]) -> Option<Option<&'bytes mut $ty>> {
1464 assert_on_allowlist!(
1465 test_try_from_mut($ty):
1466 Option<Box<UnsafeCell<NotZerocopy>>>,
1467 Option<&'static UnsafeCell<NotZerocopy>>,
1468 Option<&'static mut UnsafeCell<NotZerocopy>>,
1469 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1470 Option<fn()>,
1471 Option<FnManyArgs>,
1472 Option<extern "C" fn()>,
1473 Option<ECFnManyArgs>,
1474 *const NotZerocopy,
1475 *mut NotZerocopy
1476 );
1477
1478 None
1479 }
1480
1481 fn test_try_read_from(&mut self, _bytes: &[u8]) -> Option<Option<&$ty>> {
1482 assert_on_allowlist!(
1483 test_try_read_from($ty):
1484 str,
1485 ManuallyDrop<[u8]>,
1486 ManuallyDrop<[bool]>,
1487 ManuallyDrop<[UnsafeCell<bool>]>,
1488 [u8],
1489 [bool]
1490 );
1491
1492 None
1493 }
1494
1495 fn test_as_bytes(&mut self, _t: &$ty) -> Option<&[u8]> {
1496 assert_on_allowlist!(
1497 test_as_bytes($ty):
1498 Option<&'static UnsafeCell<NotZerocopy>>,
1499 Option<&'static mut UnsafeCell<NotZerocopy>>,
1500 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1501 Option<Box<UnsafeCell<NotZerocopy>>>,
1502 Option<fn()>,
1503 Option<FnManyArgs>,
1504 Option<extern "C" fn()>,
1505 Option<ECFnManyArgs>,
1506 CoreMaybeUninit<u8>,
1507 CoreMaybeUninit<NotZerocopy>,
1508 CoreMaybeUninit<UnsafeCell<()>>,
1509 ManuallyDrop<UnsafeCell<()>>,
1510 ManuallyDrop<[UnsafeCell<u8>]>,
1511 ManuallyDrop<[UnsafeCell<bool>]>,
1512 Wrapping<UnsafeCell<()>>,
1513 *const NotZerocopy,
1514 *mut NotZerocopy
1515 );
1516
1517 None
1518 }
1519 }
1520
1521 <$ty as TryFromBytesTestable>::with_passing_test_cases(|mut val| {
1522 // TODO(#494): These tests only get exercised for types
1523 // which are `IntoBytes`. Once we implement #494, we should
1524 // be able to support non-`IntoBytes` types by zeroing
1525 // padding.
1526
1527 // We define `w` and `ww` since, in the case of the inherent
1528 // methods, Rust thinks they're both borrowed mutably at the
1529 // same time (given how we use them below). If we just
1530 // defined a single `w` and used it for multiple operations,
1531 // this would conflict.
1532 //
1533 // We `#[allow(unused_mut]` for the cases where the "real"
1534 // impls are used, which take `&self`.
1535 #[allow(unused_mut)]
1536 let (mut w, mut ww) = (AutorefWrapper::<$ty>(PhantomData), AutorefWrapper::<$ty>(PhantomData));
1537
1538 let c = Ptr::from_ref(&*val);
1539 let c = c.forget_aligned();
1540 // SAFETY: TODO(#899): This is unsound. `$ty` is not
1541 // necessarily `IntoBytes`, but that's the corner we've
1542 // backed ourselves into by using `Ptr::from_ref`.
1543 let c = unsafe { c.assume_initialized() };
1544 let res = w.test_is_bit_valid_shared(c);
1545 if let Some(res) = res {
1546 assert!(res, "{}::is_bit_valid({:?}) (shared `Ptr`): got false, expected true", stringify!($ty), val);
1547 }
1548
1549 let c = Ptr::from_mut(&mut *val);
1550 let c = c.forget_aligned();
1551 // SAFETY: TODO(#899): This is unsound. `$ty` is not
1552 // necessarily `IntoBytes`, but that's the corner we've
1553 // backed ourselves into by using `Ptr::from_ref`.
1554 let c = unsafe { c.assume_initialized() };
1555 let res = <$ty as TryFromBytes>::is_bit_valid(c);
1556 assert!(res, "{}::is_bit_valid({:?}) (exclusive `Ptr`): got false, expected true", stringify!($ty), val);
1557
1558 // `bytes` is `Some(val.as_bytes())` if `$ty: IntoBytes +
1559 // Immutable` and `None` otherwise.
1560 let bytes = w.test_as_bytes(&*val);
1561
1562 // The inner closure returns
1563 // `Some($ty::try_ref_from_bytes(bytes))` if `$ty:
1564 // Immutable` and `None` otherwise.
1565 let res = bytes.and_then(|bytes| ww.test_try_from_ref(bytes));
1566 if let Some(res) = res {
1567 assert!(res.is_some(), "{}::try_ref_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1568 }
1569
1570 if let Some(bytes) = bytes {
1571 // We need to get a mutable byte slice, and so we clone
1572 // into a `Vec`. However, we also need these bytes to
1573 // satisfy `$ty`'s alignment requirement, which isn't
1574 // guaranteed for `Vec<u8>`. In order to get around
1575 // this, we create a `Vec` which is twice as long as we
1576 // need. There is guaranteed to be an aligned byte range
1577 // of size `size_of_val(val)` within that range.
1578 let val = &*val;
1579 let size = mem::size_of_val(val);
1580 let align = mem::align_of_val(val);
1581
1582 let mut vec = bytes.to_vec();
1583 vec.extend(bytes);
1584 let slc = vec.as_slice();
1585 let offset = slc.as_ptr().align_offset(align);
1586 let bytes_mut = &mut vec.as_mut_slice()[offset..offset+size];
1587 bytes_mut.copy_from_slice(bytes);
1588
1589 let res = ww.test_try_from_mut(bytes_mut);
1590 if let Some(res) = res {
1591 assert!(res.is_some(), "{}::try_mut_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1592 }
1593 }
1594
1595 let res = bytes.and_then(|bytes| ww.test_try_read_from(bytes));
1596 if let Some(res) = res {
1597 assert!(res.is_some(), "{}::try_read_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1598 }
1599 });
1600 #[allow(clippy::as_conversions)]
1601 <$ty as TryFromBytesTestable>::with_failing_test_cases(|c| {
1602 #[allow(unused_mut)] // For cases where the "real" impls are used, which take `&self`.
1603 let mut w = AutorefWrapper::<$ty>(PhantomData);
1604
1605 // This is `Some($ty::try_ref_from_bytes(c))` if `$ty:
1606 // Immutable` and `None` otherwise.
1607 let res = w.test_try_from_ref(c);
1608 if let Some(res) = res {
1609 assert!(res.is_none(), "{}::try_ref_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1610 }
1611
1612 let res = w.test_try_from_mut(c);
1613 if let Some(res) = res {
1614 assert!(res.is_none(), "{}::try_mut_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1615 }
1616
1617
1618 let res = w.test_try_read_from(c);
1619 if let Some(res) = res {
1620 assert!(res.is_none(), "{}::try_read_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1621 }
1622 });
1623
1624 #[allow(dead_code)]
1625 const _: () = { static_assertions::assert_impl_all!($ty: TryFromBytes); };
1626 };
1627 ($ty:ty: $trait:ident) => {
1628 #[allow(dead_code)]
1629 const _: () = { static_assertions::assert_impl_all!($ty: $trait); };
1630 };
1631 ($ty:ty: !$trait:ident) => {
1632 #[allow(dead_code)]
1633 const _: () = { static_assertions::assert_not_impl_any!($ty: $trait); };
1634 };
1635 ($ty:ty: $($trait:ident),* $(,)? $(!$negative_trait:ident),*) => {
1636 $(
1637 assert_impls!($ty: $trait);
1638 )*
1639
1640 $(
1641 assert_impls!($ty: !$negative_trait);
1642 )*
1643 };
1644 }
1645
1646 // NOTE: The negative impl assertions here are not necessarily
1647 // prescriptive. They merely serve as change detectors to make sure
1648 // we're aware of what trait impls are getting added with a given
1649 // change. Of course, some impls would be invalid (e.g., `bool:
1650 // FromBytes`), and so this change detection is very important.
1651
1652 assert_impls!(
1653 (): KnownLayout,
1654 Immutable,
1655 TryFromBytes,
1656 FromZeros,
1657 FromBytes,
1658 IntoBytes,
1659 Unaligned
1660 );
1661 assert_impls!(
1662 u8: KnownLayout,
1663 Immutable,
1664 TryFromBytes,
1665 FromZeros,
1666 FromBytes,
1667 IntoBytes,
1668 Unaligned
1669 );
1670 assert_impls!(
1671 i8: KnownLayout,
1672 Immutable,
1673 TryFromBytes,
1674 FromZeros,
1675 FromBytes,
1676 IntoBytes,
1677 Unaligned
1678 );
1679 assert_impls!(
1680 u16: KnownLayout,
1681 Immutable,
1682 TryFromBytes,
1683 FromZeros,
1684 FromBytes,
1685 IntoBytes,
1686 !Unaligned
1687 );
1688 assert_impls!(
1689 i16: KnownLayout,
1690 Immutable,
1691 TryFromBytes,
1692 FromZeros,
1693 FromBytes,
1694 IntoBytes,
1695 !Unaligned
1696 );
1697 assert_impls!(
1698 u32: KnownLayout,
1699 Immutable,
1700 TryFromBytes,
1701 FromZeros,
1702 FromBytes,
1703 IntoBytes,
1704 !Unaligned
1705 );
1706 assert_impls!(
1707 i32: KnownLayout,
1708 Immutable,
1709 TryFromBytes,
1710 FromZeros,
1711 FromBytes,
1712 IntoBytes,
1713 !Unaligned
1714 );
1715 assert_impls!(
1716 u64: KnownLayout,
1717 Immutable,
1718 TryFromBytes,
1719 FromZeros,
1720 FromBytes,
1721 IntoBytes,
1722 !Unaligned
1723 );
1724 assert_impls!(
1725 i64: KnownLayout,
1726 Immutable,
1727 TryFromBytes,
1728 FromZeros,
1729 FromBytes,
1730 IntoBytes,
1731 !Unaligned
1732 );
1733 assert_impls!(
1734 u128: KnownLayout,
1735 Immutable,
1736 TryFromBytes,
1737 FromZeros,
1738 FromBytes,
1739 IntoBytes,
1740 !Unaligned
1741 );
1742 assert_impls!(
1743 i128: KnownLayout,
1744 Immutable,
1745 TryFromBytes,
1746 FromZeros,
1747 FromBytes,
1748 IntoBytes,
1749 !Unaligned
1750 );
1751 assert_impls!(
1752 usize: KnownLayout,
1753 Immutable,
1754 TryFromBytes,
1755 FromZeros,
1756 FromBytes,
1757 IntoBytes,
1758 !Unaligned
1759 );
1760 assert_impls!(
1761 isize: KnownLayout,
1762 Immutable,
1763 TryFromBytes,
1764 FromZeros,
1765 FromBytes,
1766 IntoBytes,
1767 !Unaligned
1768 );
1769 #[cfg(feature = "float-nightly")]
1770 assert_impls!(
1771 f16: KnownLayout,
1772 Immutable,
1773 TryFromBytes,
1774 FromZeros,
1775 FromBytes,
1776 IntoBytes,
1777 !Unaligned
1778 );
1779 assert_impls!(
1780 f32: KnownLayout,
1781 Immutable,
1782 TryFromBytes,
1783 FromZeros,
1784 FromBytes,
1785 IntoBytes,
1786 !Unaligned
1787 );
1788 assert_impls!(
1789 f64: KnownLayout,
1790 Immutable,
1791 TryFromBytes,
1792 FromZeros,
1793 FromBytes,
1794 IntoBytes,
1795 !Unaligned
1796 );
1797 #[cfg(feature = "float-nightly")]
1798 assert_impls!(
1799 f128: KnownLayout,
1800 Immutable,
1801 TryFromBytes,
1802 FromZeros,
1803 FromBytes,
1804 IntoBytes,
1805 !Unaligned
1806 );
1807 assert_impls!(
1808 bool: KnownLayout,
1809 Immutable,
1810 TryFromBytes,
1811 FromZeros,
1812 IntoBytes,
1813 Unaligned,
1814 !FromBytes
1815 );
1816 assert_impls!(
1817 char: KnownLayout,
1818 Immutable,
1819 TryFromBytes,
1820 FromZeros,
1821 IntoBytes,
1822 !FromBytes,
1823 !Unaligned
1824 );
1825 assert_impls!(
1826 str: KnownLayout,
1827 Immutable,
1828 TryFromBytes,
1829 FromZeros,
1830 IntoBytes,
1831 Unaligned,
1832 !FromBytes
1833 );
1834
1835 assert_impls!(
1836 NonZeroU8: KnownLayout,
1837 Immutable,
1838 TryFromBytes,
1839 IntoBytes,
1840 Unaligned,
1841 !FromZeros,
1842 !FromBytes
1843 );
1844 assert_impls!(
1845 NonZeroI8: KnownLayout,
1846 Immutable,
1847 TryFromBytes,
1848 IntoBytes,
1849 Unaligned,
1850 !FromZeros,
1851 !FromBytes
1852 );
1853 assert_impls!(
1854 NonZeroU16: KnownLayout,
1855 Immutable,
1856 TryFromBytes,
1857 IntoBytes,
1858 !FromBytes,
1859 !Unaligned
1860 );
1861 assert_impls!(
1862 NonZeroI16: KnownLayout,
1863 Immutable,
1864 TryFromBytes,
1865 IntoBytes,
1866 !FromBytes,
1867 !Unaligned
1868 );
1869 assert_impls!(
1870 NonZeroU32: KnownLayout,
1871 Immutable,
1872 TryFromBytes,
1873 IntoBytes,
1874 !FromBytes,
1875 !Unaligned
1876 );
1877 assert_impls!(
1878 NonZeroI32: KnownLayout,
1879 Immutable,
1880 TryFromBytes,
1881 IntoBytes,
1882 !FromBytes,
1883 !Unaligned
1884 );
1885 assert_impls!(
1886 NonZeroU64: KnownLayout,
1887 Immutable,
1888 TryFromBytes,
1889 IntoBytes,
1890 !FromBytes,
1891 !Unaligned
1892 );
1893 assert_impls!(
1894 NonZeroI64: KnownLayout,
1895 Immutable,
1896 TryFromBytes,
1897 IntoBytes,
1898 !FromBytes,
1899 !Unaligned
1900 );
1901 assert_impls!(
1902 NonZeroU128: KnownLayout,
1903 Immutable,
1904 TryFromBytes,
1905 IntoBytes,
1906 !FromBytes,
1907 !Unaligned
1908 );
1909 assert_impls!(
1910 NonZeroI128: KnownLayout,
1911 Immutable,
1912 TryFromBytes,
1913 IntoBytes,
1914 !FromBytes,
1915 !Unaligned
1916 );
1917 assert_impls!(
1918 NonZeroUsize: KnownLayout,
1919 Immutable,
1920 TryFromBytes,
1921 IntoBytes,
1922 !FromBytes,
1923 !Unaligned
1924 );
1925 assert_impls!(
1926 NonZeroIsize: KnownLayout,
1927 Immutable,
1928 TryFromBytes,
1929 IntoBytes,
1930 !FromBytes,
1931 !Unaligned
1932 );
1933
1934 assert_impls!(Option<NonZeroU8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1935 assert_impls!(Option<NonZeroI8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1936 assert_impls!(Option<NonZeroU16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1937 assert_impls!(Option<NonZeroI16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1938 assert_impls!(Option<NonZeroU32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1939 assert_impls!(Option<NonZeroI32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1940 assert_impls!(Option<NonZeroU64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1941 assert_impls!(Option<NonZeroI64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1942 assert_impls!(Option<NonZeroU128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1943 assert_impls!(Option<NonZeroI128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1944 assert_impls!(Option<NonZeroUsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1945 assert_impls!(Option<NonZeroIsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1946
1947 // Implements none of the ZC traits.
1948 struct NotZerocopy;
1949
1950 #[rustfmt::skip]
1951 type FnManyArgs = fn(
1952 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1953 ) -> (NotZerocopy, NotZerocopy);
1954
1955 // Allowed, because we're not actually using this type for FFI.
1956 #[allow(improper_ctypes_definitions)]
1957 #[rustfmt::skip]
1958 type ECFnManyArgs = extern "C" fn(
1959 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1960 ) -> (NotZerocopy, NotZerocopy);
1961
1962 #[cfg(feature = "alloc")]
1963 assert_impls!(Option<Box<UnsafeCell<NotZerocopy>>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1964 assert_impls!(Option<Box<[UnsafeCell<NotZerocopy>]>>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1965 assert_impls!(Option<&'static UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1966 assert_impls!(Option<&'static [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1967 assert_impls!(Option<&'static mut UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1968 assert_impls!(Option<&'static mut [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1969 assert_impls!(Option<NonNull<UnsafeCell<NotZerocopy>>>: KnownLayout, TryFromBytes, FromZeros, Immutable, !FromBytes, !IntoBytes, !Unaligned);
1970 assert_impls!(Option<NonNull<[UnsafeCell<NotZerocopy>]>>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1971 assert_impls!(Option<fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1972 assert_impls!(Option<FnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1973 assert_impls!(Option<extern "C" fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1974 assert_impls!(Option<ECFnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1975
1976 assert_impls!(PhantomData<NotZerocopy>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1977 assert_impls!(PhantomData<UnsafeCell<()>>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1978 assert_impls!(PhantomData<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1979
1980 assert_impls!(ManuallyDrop<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1981 // This test is important because it allows us to test our hand-rolled
1982 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1983 assert_impls!(ManuallyDrop<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1984 assert_impls!(ManuallyDrop<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1985 // This test is important because it allows us to test our hand-rolled
1986 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1987 assert_impls!(ManuallyDrop<[bool]>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1988 assert_impls!(ManuallyDrop<NotZerocopy>: !Immutable, !TryFromBytes, !KnownLayout, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1989 assert_impls!(ManuallyDrop<[NotZerocopy]>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1990 assert_impls!(ManuallyDrop<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1991 assert_impls!(ManuallyDrop<[UnsafeCell<u8>]>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1992 assert_impls!(ManuallyDrop<[UnsafeCell<bool>]>: KnownLayout, TryFromBytes, FromZeros, IntoBytes, Unaligned, !Immutable, !FromBytes);
1993
1994 assert_impls!(CoreMaybeUninit<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, Unaligned, !IntoBytes);
1995 assert_impls!(CoreMaybeUninit<NotZerocopy>: KnownLayout, TryFromBytes, FromZeros, FromBytes, !Immutable, !IntoBytes, !Unaligned);
1996 assert_impls!(CoreMaybeUninit<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, Unaligned, !Immutable, !IntoBytes);
1997
1998 assert_impls!(Wrapping<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1999 // This test is important because it allows us to test our hand-rolled
2000 // implementation of `<Wrapping<T> as TryFromBytes>::is_bit_valid`.
2001 assert_impls!(Wrapping<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2002 assert_impls!(Wrapping<NotZerocopy>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2003 assert_impls!(Wrapping<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2004
2005 assert_impls!(Unalign<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2006 // This test is important because it allows us to test our hand-rolled
2007 // implementation of `<Unalign<T> as TryFromBytes>::is_bit_valid`.
2008 assert_impls!(Unalign<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2009 assert_impls!(Unalign<NotZerocopy>: KnownLayout, Unaligned, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes);
2010
2011 assert_impls!(
2012 [u8]: KnownLayout,
2013 Immutable,
2014 TryFromBytes,
2015 FromZeros,
2016 FromBytes,
2017 IntoBytes,
2018 Unaligned
2019 );
2020 assert_impls!(
2021 [bool]: KnownLayout,
2022 Immutable,
2023 TryFromBytes,
2024 FromZeros,
2025 IntoBytes,
2026 Unaligned,
2027 !FromBytes
2028 );
2029 assert_impls!([NotZerocopy]: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2030 assert_impls!(
2031 [u8; 0]: KnownLayout,
2032 Immutable,
2033 TryFromBytes,
2034 FromZeros,
2035 FromBytes,
2036 IntoBytes,
2037 Unaligned,
2038 );
2039 assert_impls!(
2040 [NotZerocopy; 0]: KnownLayout,
2041 !Immutable,
2042 !TryFromBytes,
2043 !FromZeros,
2044 !FromBytes,
2045 !IntoBytes,
2046 !Unaligned
2047 );
2048 assert_impls!(
2049 [u8; 1]: KnownLayout,
2050 Immutable,
2051 TryFromBytes,
2052 FromZeros,
2053 FromBytes,
2054 IntoBytes,
2055 Unaligned,
2056 );
2057 assert_impls!(
2058 [NotZerocopy; 1]: KnownLayout,
2059 !Immutable,
2060 !TryFromBytes,
2061 !FromZeros,
2062 !FromBytes,
2063 !IntoBytes,
2064 !Unaligned
2065 );
2066
2067 assert_impls!(*const NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2068 assert_impls!(*mut NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2069 assert_impls!(*const [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2070 assert_impls!(*mut [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2071 assert_impls!(*const dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2072 assert_impls!(*mut dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2073
2074 #[cfg(feature = "simd")]
2075 {
2076 #[allow(unused_macros)]
2077 macro_rules! test_simd_arch_mod {
2078 ($arch:ident, $($typ:ident),*) => {
2079 {
2080 use core::arch::$arch::{$($typ),*};
2081 use crate::*;
2082 $( assert_impls!($typ: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); )*
2083 }
2084 };
2085 }
2086 #[cfg(target_arch = "x86")]
2087 test_simd_arch_mod!(x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2088
2089 #[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
2090 test_simd_arch_mod!(x86, __m512bh, __m512, __m512d, __m512i);
2091
2092 #[cfg(target_arch = "x86_64")]
2093 test_simd_arch_mod!(x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2094
2095 #[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
2096 test_simd_arch_mod!(x86_64, __m512bh, __m512, __m512d, __m512i);
2097
2098 #[cfg(target_arch = "wasm32")]
2099 test_simd_arch_mod!(wasm32, v128);
2100
2101 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
2102 test_simd_arch_mod!(
2103 powerpc,
2104 vector_bool_long,
2105 vector_double,
2106 vector_signed_long,
2107 vector_unsigned_long
2108 );
2109
2110 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
2111 test_simd_arch_mod!(
2112 powerpc64,
2113 vector_bool_long,
2114 vector_double,
2115 vector_signed_long,
2116 vector_unsigned_long
2117 );
2118 #[cfg(all(target_arch = "aarch64", zerocopy_aarch64_simd_1_59_0))]
2119 #[rustfmt::skip]
2120 test_simd_arch_mod!(
2121 aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
2122 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
2123 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
2124 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
2125 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
2126 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
2127 uint64x1_t, uint64x2_t
2128 );
2129 }
2130 }
2131}