zerocopy/impls.rs
1// Copyright 2024 The Fuchsia Authors
2//
3// Licensed under the 2-Clause BSD License <LICENSE-BSD or
4// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0
5// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
6// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
7// This file may not be copied, modified, or distributed except according to
8// those terms.
9
10use core::{
11 cell::{Cell, UnsafeCell},
12 mem::MaybeUninit as CoreMaybeUninit,
13 ptr::NonNull,
14};
15
16use super::*;
17
18safety_comment! {
19 /// SAFETY:
20 /// Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
21 /// zero-sized type to have a size of 0 and an alignment of 1."
22 /// - `Immutable`: `()` self-evidently does not contain any `UnsafeCell`s.
23 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
24 /// only one possible sequence of 0 bytes, and `()` is inhabited.
25 /// - `IntoBytes`: Since `()` has size 0, it contains no padding bytes.
26 /// - `Unaligned`: `()` has alignment 1.
27 ///
28 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#tuple-layout
29 unsafe_impl!((): Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
30 assert_unaligned!(());
31}
32
33safety_comment! {
34 /// SAFETY:
35 /// - `Immutable`: These types self-evidently do not contain any
36 /// `UnsafeCell`s.
37 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: all bit
38 /// patterns are valid for numeric types [1]
39 /// - `IntoBytes`: numeric types have no padding bytes [1]
40 /// - `Unaligned` (`u8` and `i8` only): The reference [2] specifies the size
41 /// of `u8` and `i8` as 1 byte. We also know that:
42 /// - Alignment is >= 1 [3]
43 /// - Size is an integer multiple of alignment [4]
44 /// - The only value >= 1 for which 1 is an integer multiple is 1
45 /// Therefore, the only possible alignment for `u8` and `i8` is 1.
46 ///
47 /// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/numeric.html#bit-validity:
48 ///
49 /// For every numeric type, `T`, the bit validity of `T` is equivalent to
50 /// the bit validity of `[u8; size_of::<T>()]`. An uninitialized byte is
51 /// not a valid `u8`.
52 ///
53 /// [2] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-data-layout
54 ///
55 /// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
56 ///
57 /// Alignment is measured in bytes, and must be at least 1.
58 ///
59 /// [4] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
60 ///
61 /// The size of a value is always a multiple of its alignment.
62 ///
63 /// TODO(#278): Once we've updated the trait docs to refer to `u8`s rather
64 /// than bits or bytes, update this comment, especially the reference to
65 /// [1].
66 unsafe_impl!(u8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
67 unsafe_impl!(i8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
68 assert_unaligned!(u8, i8);
69 unsafe_impl!(u16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
70 unsafe_impl!(i16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
71 unsafe_impl!(u32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
72 unsafe_impl!(i32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
73 unsafe_impl!(u64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
74 unsafe_impl!(i64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
75 unsafe_impl!(u128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
76 unsafe_impl!(i128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
77 unsafe_impl!(usize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
78 unsafe_impl!(isize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
79 unsafe_impl!(f32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
80 unsafe_impl!(f64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
81 #[cfg(feature = "float-nightly")]
82 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
83 #[cfg(feature = "float-nightly")]
84 unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
85}
86
87safety_comment! {
88 /// SAFETY:
89 /// - `Immutable`: `bool` self-evidently does not contain any `UnsafeCell`s.
90 /// - `FromZeros`: Valid since "[t]he value false has the bit pattern 0x00"
91 /// [1].
92 /// - `IntoBytes`: Since "the boolean type has a size and alignment of 1
93 /// each" and "The value false has the bit pattern 0x00 and the value true
94 /// has the bit pattern 0x01" [1]. Thus, the only byte of the bool is
95 /// always initialized.
96 /// - `Unaligned`: Per the reference [1], "[a]n object with the boolean type
97 /// has a size and alignment of 1 each."
98 ///
99 /// [1] https://doc.rust-lang.org/1.81.0/reference/types/boolean.html
100 unsafe_impl!(bool: Immutable, FromZeros, IntoBytes, Unaligned);
101 assert_unaligned!(bool);
102 /// SAFETY:
103 /// The impl must only return `true` for its argument if the original
104 /// `Maybe<bool>` refers to a valid `bool`. We only return true if the `u8`
105 /// value is 0 or 1, and both of these are valid values for `bool` [1].
106 ///
107 /// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/boolean.html:
108 ///
109 /// The value false has the bit pattern 0x00 and the value true has the
110 /// bit pattern 0x01.
111 unsafe_impl!(=> TryFromBytes for bool; |byte| {
112 let byte = byte.transmute::<u8, invariant::Valid, _>();
113 *byte.unaligned_as_ref() < 2
114 });
115}
116
117impl_size_eq!(bool, u8);
118
119safety_comment! {
120 /// SAFETY:
121 /// - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
122 /// - `FromZeros`: Per reference [1], "[a] value of type char is a Unicode
123 /// scalar value (i.e. a code point that is not a surrogate), represented
124 /// as a 32-bit unsigned word in the 0x0000 to 0xD7FF or 0xE000 to
125 /// 0x10FFFF range" which contains 0x0000.
126 /// - `IntoBytes`: `char` is per reference [1] "represented as a 32-bit
127 /// unsigned word" (`u32`) which is `IntoBytes`. Note that unlike `u32`,
128 /// not all bit patterns are valid for `char`.
129 ///
130 /// [1] https://doc.rust-lang.org/1.81.0/reference/types/textual.html
131 unsafe_impl!(char: Immutable, FromZeros, IntoBytes);
132 /// SAFETY:
133 /// The impl must only return `true` for its argument if the original
134 /// `Maybe<char>` refers to a valid `char`. `char::from_u32` guarantees that
135 /// it returns `None` if its input is not a valid `char` [1].
136 ///
137 /// [1] Per https://doc.rust-lang.org/core/primitive.char.html#method.from_u32:
138 ///
139 /// `from_u32()` will return `None` if the input is not a valid value for
140 /// a `char`.
141 unsafe_impl!(=> TryFromBytes for char; |c| {
142 let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
143 let c = c.read_unaligned().into_inner();
144 char::from_u32(c).is_some()
145 });
146}
147
148impl_size_eq!(char, Unalign<u32>);
149
150safety_comment! {
151 /// SAFETY:
152 /// Per the Reference [1], `str` has the same layout as `[u8]`.
153 /// - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
154 /// - `FromZeros`, `IntoBytes`, `Unaligned`: `[u8]` is `FromZeros`,
155 /// `IntoBytes`, and `Unaligned`.
156 ///
157 /// Note that we don't `assert_unaligned!(str)` because `assert_unaligned!`
158 /// uses `align_of`, which only works for `Sized` types.
159 ///
160 /// TODO(#429):
161 /// - Add quotes from documentation.
162 /// - Improve safety proof for `FromZeros` and `IntoBytes`; having the same
163 /// layout as `[u8]` isn't sufficient.
164 ///
165 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout
166 unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unaligned);
167 /// SAFETY:
168 /// The impl must only return `true` for its argument if the original
169 /// `Maybe<str>` refers to a valid `str`. `str::from_utf8` guarantees that
170 /// it returns `Err` if its input is not a valid `str` [1].
171 ///
172 /// [2] Per https://doc.rust-lang.org/core/str/fn.from_utf8.html#errors:
173 ///
174 /// Returns `Err` if the slice is not UTF-8.
175 unsafe_impl!(=> TryFromBytes for str; |c| {
176 let c = c.transmute::<[u8], invariant::Valid, _>();
177 let c = c.unaligned_as_ref();
178 core::str::from_utf8(c).is_ok()
179 });
180}
181
182// SAFETY: `str` and `[u8]` have the same layout [1].
183//
184// [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout:
185//
186// String slices are a UTF-8 representation of characters that have the same
187// layout as slices of type `[u8]`.
188unsafe impl pointer::SizeEq<str> for [u8] {
189 fn cast_from_raw(s: NonNull<str>) -> NonNull<[u8]> {
190 cast!(s)
191 }
192}
193// SAFETY: See previous safety comment.
194unsafe impl pointer::SizeEq<[u8]> for str {
195 fn cast_from_raw(bytes: NonNull<[u8]>) -> NonNull<str> {
196 cast!(bytes)
197 }
198}
199
200macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
201 ($($nonzero:ident[$prim:ty]),*) => {
202 $(
203 unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
204 unsafe impl pointer::SizeEq<$nonzero> for Unalign<$prim> {
205 fn cast_from_raw(n: NonNull<$nonzero>) -> NonNull<Unalign<$prim>> {
206 cast!(n)
207 }
208 }
209 unsafe impl pointer::SizeEq<Unalign<$prim>> for $nonzero {
210 fn cast_from_raw(p: NonNull<Unalign<$prim>>) -> NonNull<$nonzero> {
211 cast!(p)
212 }
213 }
214
215 let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
216 $nonzero::new(n.read_unaligned().into_inner()).is_some()
217 });
218 )*
219 }
220}
221
222safety_comment! {
223 // `NonZeroXxx` is `IntoBytes`, but not `FromZeros` or `FromBytes`.
224 //
225 /// SAFETY:
226 /// - `IntoBytes`: `NonZeroXxx` has the same layout as its associated
227 /// primitive. Since it is the same size, this guarantees it has no
228 /// padding - integers have no padding, and there's no room for padding
229 /// if it can represent all of the same values except 0.
230 /// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
231 /// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
232 /// This is worded in a way that makes it unclear whether it's meant as a
233 /// guarantee, but given the purpose of those types, it's virtually
234 /// unthinkable that that would ever change. `Option` cannot be smaller
235 /// than its contained type, which implies that, and `NonZeroX8` are of
236 /// size 1 or 0. `NonZeroX8` can represent multiple states, so they cannot
237 /// be 0 bytes, which means that they must be 1 byte. The only valid
238 /// alignment for a 1-byte type is 1.
239 ///
240 /// TODO(#429):
241 /// - Add quotes from documentation.
242 /// - Add safety comment for `Immutable`. How can we prove that `NonZeroXxx`
243 /// doesn't contain any `UnsafeCell`s? It's obviously true, but it's not
244 /// clear how we'd prove it short of adding text to the stdlib docs that
245 /// says so explicitly, which likely wouldn't be accepted.
246 ///
247 /// [1] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html
248 ///
249 /// `NonZeroU8` is guaranteed to have the same layout and bit validity as `u8` with
250 /// the exception that 0 is not a valid instance
251 ///
252 /// [2] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html
253 /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
254 /// that layout is the same as primitive layout.
255 unsafe_impl!(NonZeroU8: Immutable, IntoBytes, Unaligned);
256 unsafe_impl!(NonZeroI8: Immutable, IntoBytes, Unaligned);
257 assert_unaligned!(NonZeroU8, NonZeroI8);
258 unsafe_impl!(NonZeroU16: Immutable, IntoBytes);
259 unsafe_impl!(NonZeroI16: Immutable, IntoBytes);
260 unsafe_impl!(NonZeroU32: Immutable, IntoBytes);
261 unsafe_impl!(NonZeroI32: Immutable, IntoBytes);
262 unsafe_impl!(NonZeroU64: Immutable, IntoBytes);
263 unsafe_impl!(NonZeroI64: Immutable, IntoBytes);
264 unsafe_impl!(NonZeroU128: Immutable, IntoBytes);
265 unsafe_impl!(NonZeroI128: Immutable, IntoBytes);
266 unsafe_impl!(NonZeroUsize: Immutable, IntoBytes);
267 unsafe_impl!(NonZeroIsize: Immutable, IntoBytes);
268 unsafe_impl_try_from_bytes_for_nonzero!(
269 NonZeroU8[u8],
270 NonZeroI8[i8],
271 NonZeroU16[u16],
272 NonZeroI16[i16],
273 NonZeroU32[u32],
274 NonZeroI32[i32],
275 NonZeroU64[u64],
276 NonZeroI64[i64],
277 NonZeroU128[u128],
278 NonZeroI128[i128],
279 NonZeroUsize[usize],
280 NonZeroIsize[isize]
281 );
282}
283safety_comment! {
284 /// SAFETY:
285 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`,
286 /// `IntoBytes`: The Rust compiler reuses `0` value to represent `None`,
287 /// so `size_of::<Option<NonZeroXxx>>() == size_of::<xxx>()`; see
288 /// `NonZeroXxx` documentation.
289 /// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
290 /// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
291 /// This is worded in a way that makes it unclear whether it's meant as a
292 /// guarantee, but given the purpose of those types, it's virtually
293 /// unthinkable that that would ever change. The only valid alignment for
294 /// a 1-byte type is 1.
295 ///
296 /// TODO(#429): Add quotes from documentation.
297 ///
298 /// [1] https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html
299 /// [2] https://doc.rust-lang.org/stable/std/num/struct.NonZeroI8.html
300 ///
301 /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
302 /// for layout guarantees.
303 unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
304 unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
305 assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>);
306 unsafe_impl!(Option<NonZeroU16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
307 unsafe_impl!(Option<NonZeroI16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
308 unsafe_impl!(Option<NonZeroU32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
309 unsafe_impl!(Option<NonZeroI32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
310 unsafe_impl!(Option<NonZeroU64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
311 unsafe_impl!(Option<NonZeroI64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
312 unsafe_impl!(Option<NonZeroU128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
313 unsafe_impl!(Option<NonZeroI128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
314 unsafe_impl!(Option<NonZeroUsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
315 unsafe_impl!(Option<NonZeroIsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
316}
317
318safety_comment! {
319 /// SAFETY:
320 /// While it's not fully documented, the consensus is that `Box<T>` does not
321 /// contain any `UnsafeCell`s for `T: Sized` [1]. This is not a complete
322 /// proof, but we are accepting this as a known risk per #1358.
323 ///
324 /// [1] https://github.com/rust-lang/unsafe-code-guidelines/issues/492
325 #[cfg(feature = "alloc")]
326 unsafe_impl!(
327 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
328 T: Sized => Immutable for Box<T>
329 );
330}
331
332safety_comment! {
333 /// SAFETY:
334 /// The following types can be transmuted from `[0u8; size_of::<T>()]`. [1]
335 ///
336 /// [1] Per https://doc.rust-lang.org/nightly/core/option/index.html#representation:
337 ///
338 /// Rust guarantees to optimize the following types `T` such that
339 /// [`Option<T>`] has the same size and alignment as `T`. In some of these
340 /// cases, Rust further guarantees that `transmute::<_, Option<T>>([0u8;
341 /// size_of::<T>()])` is sound and produces `Option::<T>::None`. These
342 /// cases are identified by the second column:
343 ///
344 /// | `T` | `transmute::<_, Option<T>>([0u8; size_of::<T>()])` sound? |
345 /// |-----------------------|-----------------------------------------------------------|
346 /// | [`Box<U>`] | when `U: Sized` |
347 /// | `&U` | when `U: Sized` |
348 /// | `&mut U` | when `U: Sized` |
349 /// | [`ptr::NonNull<U>`] | when `U: Sized` |
350 /// | `fn`, `extern "C" fn` | always |
351 ///
352 /// TODO(#429), TODO(https://github.com/rust-lang/rust/pull/115333): Cite
353 /// the Stable docs once they're available.
354 #[cfg(feature = "alloc")]
355 unsafe_impl!(
356 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
357 T => TryFromBytes for Option<Box<T>>; |c| pointer::is_zeroed(c)
358 );
359 #[cfg(feature = "alloc")]
360 unsafe_impl!(
361 #[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
362 T => FromZeros for Option<Box<T>>
363 );
364 unsafe_impl!(
365 T => TryFromBytes for Option<&'_ T>; |c| pointer::is_zeroed(c)
366 );
367 unsafe_impl!(T => FromZeros for Option<&'_ T>);
368 unsafe_impl!(
369 T => TryFromBytes for Option<&'_ mut T>; |c| pointer::is_zeroed(c)
370 );
371 unsafe_impl!(T => FromZeros for Option<&'_ mut T>);
372 unsafe_impl!(
373 T => TryFromBytes for Option<NonNull<T>>; |c| pointer::is_zeroed(c)
374 );
375 unsafe_impl!(T => FromZeros for Option<NonNull<T>>);
376 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_fn!(...));
377 unsafe_impl_for_power_set!(
378 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_fn!(...);
379 |c| pointer::is_zeroed(c)
380 );
381 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_extern_c_fn!(...));
382 unsafe_impl_for_power_set!(
383 A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_extern_c_fn!(...);
384 |c| pointer::is_zeroed(c)
385 );
386}
387
388safety_comment! {
389 /// SAFETY:
390 /// `fn()` and `extern "C" fn()` self-evidently do not contain
391 /// `UnsafeCell`s. This is not a proof, but we are accepting this as a known
392 /// risk per #1358.
393 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_fn!(...));
394 unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_extern_c_fn!(...));
395}
396
397#[cfg(all(
398 zerocopy_target_has_atomics_1_60_0,
399 any(
400 target_has_atomic = "8",
401 target_has_atomic = "16",
402 target_has_atomic = "32",
403 target_has_atomic = "64",
404 target_has_atomic = "ptr"
405 )
406))]
407#[cfg_attr(doc_cfg, doc(cfg(rust = "1.60.0")))]
408mod atomics {
409 use super::*;
410
411 macro_rules! impl_traits_for_atomics {
412 ($($atomics:ident [$primitives:ident]),* $(,)?) => {
413 $(
414 impl_known_layout!($atomics);
415 impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
416 impl_for_transmute_from!(=> FromZeros for $atomics [UnsafeCell<$primitives>]);
417 impl_for_transmute_from!(=> FromBytes for $atomics [UnsafeCell<$primitives>]);
418 impl_for_transmute_from!(=> IntoBytes for $atomics [UnsafeCell<$primitives>]);
419 )*
420 };
421 }
422
423 /// Implements `TransmuteFrom` for `$atomic`, `$prim`, and
424 /// `UnsafeCell<$prim>`.
425 ///
426 /// # Safety
427 ///
428 /// `$atomic` must have the same size and bit validity as `$prim`.
429 macro_rules! unsafe_impl_transmute_from_for_atomic {
430 ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {
431 const _: () = {
432 use core::{cell::UnsafeCell, ptr::NonNull};
433 use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
434
435 $(
436 #[allow(unused_unsafe)] // Force the caller to call this macro inside `safety_comment!`.
437 const _: () = unsafe {};
438
439 // SAFETY: The caller promised that `$atomic` and `$prim` have
440 // the same size and bit validity.
441 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
442 // SAFETY: The caller promised that `$atomic` and `$prim` have
443 // the same size and bit validity.
444 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
445
446 // SAFETY: THe caller promised that `$atomic` and `$prim`
447 // have the same size.
448 unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
449 fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<$prim> {
450 cast!(a)
451 }
452 }
453 // SAFETY: THe caller promised that `$atomic` and `$prim`
454 // have the same size.
455 unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
456 fn cast_from_raw(p: NonNull<$prim>) -> NonNull<$atomic> {
457 cast!(p)
458 }
459 }
460 // SAFETY: The caller promised that `$atomic` and `$prim`
461 // have the same size. `UnsafeCell<T>` has the same size as
462 // `T` [1].
463 //
464 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
465 //
466 // `UnsafeCell<T>` has the same in-memory representation as
467 // its inner type `T`. A consequence of this guarantee is that
468 // it is possible to convert between `T` and `UnsafeCell<T>`.
469 unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
470 fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<UnsafeCell<$prim>> {
471 cast!(a)
472 }
473 }
474 // SAFETY: See previous safety comment.
475 unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
476 fn cast_from_raw(p: NonNull<UnsafeCell<$prim>>) -> NonNull<$atomic> {
477 cast!(p)
478 }
479 }
480
481 // SAFETY: The caller promised that `$atomic` and `$prim`
482 // have the same bit validity. `UnsafeCell<T>` has the same
483 // bit validity as `T` [1].
484 //
485 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
486 //
487 // `UnsafeCell<T>` has the same in-memory representation as
488 // its inner type `T`. A consequence of this guarantee is that
489 // it is possible to convert between `T` and `UnsafeCell<T>`.
490 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for core::cell::UnsafeCell<$prim> {}
491 // SAFETY: See previous safety comment.
492 unsafe impl<$($tyvar)?> TransmuteFrom<core::cell::UnsafeCell<$prim>, Valid, Valid> for $atomic {}
493 )*
494 };
495 };
496 }
497
498 #[cfg(target_has_atomic = "8")]
499 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "8")))]
500 mod atomic_8 {
501 use core::sync::atomic::{AtomicBool, AtomicI8, AtomicU8};
502
503 use super::*;
504
505 impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
506
507 impl_known_layout!(AtomicBool);
508
509 impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
510 impl_for_transmute_from!(=> FromZeros for AtomicBool [UnsafeCell<bool>]);
511 impl_for_transmute_from!(=> IntoBytes for AtomicBool [UnsafeCell<bool>]);
512
513 safety_comment! {
514 /// SAFETY:
515 /// Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the same
516 /// size as `bool`, `u8`, and `i8` respectively. Since a type's
517 /// alignment cannot be smaller than 1 [2], and since its alignment
518 /// cannot be greater than its size [3], the only possible value for
519 /// the alignment is 1. Thus, it is sound to implement `Unaligned`.
520 ///
521 /// [1] Per (for example) https://doc.rust-lang.org/1.81.0/std/sync/atomic/struct.AtomicU8.html:
522 ///
523 /// This type has the same size, alignment, and bit validity as
524 /// the underlying integer type
525 ///
526 /// [2] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
527 ///
528 /// Alignment is measured in bytes, and must be at least 1.
529 ///
530 /// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
531 ///
532 /// The size of a value is always a multiple of its alignment.
533 unsafe_impl!(AtomicBool: Unaligned);
534 unsafe_impl!(AtomicU8: Unaligned);
535 unsafe_impl!(AtomicI8: Unaligned);
536 assert_unaligned!(AtomicBool, AtomicU8, AtomicI8);
537
538 /// SAFETY:
539 /// `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size and
540 /// bit validity as `u8`, `i8`, and `bool` respectively [1][2][3].
541 ///
542 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html:
543 ///
544 /// This type has the same size, alignment, and bit validity as
545 /// the underlying integer type, `u8`.
546 ///
547 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html:
548 ///
549 /// This type has the same size, alignment, and bit validity as
550 /// the underlying integer type, `i8`.
551 ///
552 /// [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html:
553 ///
554 /// This type has the same size, alignment, and bit validity a
555 /// `bool`.
556 unsafe_impl_transmute_from_for_atomic!(
557 => AtomicU8 [u8],
558 => AtomicI8 [i8],
559 => AtomicBool [bool]
560 );
561 }
562 }
563
564 #[cfg(target_has_atomic = "16")]
565 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "16")))]
566 mod atomic_16 {
567 use core::sync::atomic::{AtomicI16, AtomicU16};
568
569 use super::*;
570
571 impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
572
573 safety_comment! {
574 /// SAFETY:
575 /// `AtomicU16` and `AtomicI16` have the same size and bit validity
576 /// as `u16` and `i16` respectively [1][2].
577 ///
578 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html:
579 ///
580 /// This type has the same size and bit validity as the underlying
581 /// integer type, `u16`.
582 ///
583 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html:
584 ///
585 /// This type has the same size and bit validity as the underlying
586 /// integer type, `i16`.
587 unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16]);
588 }
589 }
590
591 #[cfg(target_has_atomic = "32")]
592 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "32")))]
593 mod atomic_32 {
594 use core::sync::atomic::{AtomicI32, AtomicU32};
595
596 use super::*;
597
598 impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
599
600 safety_comment! {
601 /// SAFETY:
602 /// `AtomicU32` and `AtomicI32` have the same size and bit validity
603 /// as `u32` and `i32` respectively [1][2].
604 ///
605 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html:
606 ///
607 /// This type has the same size and bit validity as the underlying
608 /// integer type, `u32`.
609 ///
610 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html:
611 ///
612 /// This type has the same size and bit validity as the underlying
613 /// integer type, `i32`.
614 unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32]);
615 }
616 }
617
618 #[cfg(target_has_atomic = "64")]
619 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "64")))]
620 mod atomic_64 {
621 use core::sync::atomic::{AtomicI64, AtomicU64};
622
623 use super::*;
624
625 impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
626
627 safety_comment! {
628 /// SAFETY:
629 /// `AtomicU64` and `AtomicI64` have the same size and bit validity
630 /// as `u64` and `i64` respectively [1][2].
631 ///
632 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html:
633 ///
634 /// This type has the same size and bit validity as the underlying
635 /// integer type, `u64`.
636 ///
637 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html:
638 ///
639 /// This type has the same size and bit validity as the underlying
640 /// integer type, `i64`.
641 unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64]);
642 }
643 }
644
645 #[cfg(target_has_atomic = "ptr")]
646 #[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "ptr")))]
647 mod atomic_ptr {
648 use core::sync::atomic::{AtomicIsize, AtomicPtr, AtomicUsize};
649
650 use super::*;
651
652 impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
653
654 impl_known_layout!(T => AtomicPtr<T>);
655
656 // TODO(#170): Implement `FromBytes` and `IntoBytes` once we implement
657 // those traits for `*mut T`.
658 impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [UnsafeCell<*mut T>]);
659 impl_for_transmute_from!(T => FromZeros for AtomicPtr<T> [UnsafeCell<*mut T>]);
660
661 safety_comment! {
662 /// SAFETY:
663 /// `AtomicUsize` and `AtomicIsize` have the same size and bit
664 /// validity as `usize` and `isize` respectively [1][2].
665 ///
666 /// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html:
667 ///
668 /// This type has the same size and bit validity as the underlying
669 /// integer type, `usize`.
670 ///
671 /// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html:
672 ///
673 /// This type has the same size and bit validity as the underlying
674 /// integer type, `isize`.
675 unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize]);
676 /// SAFETY:
677 /// Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
678 ///
679 /// This type has the same size and bit validity as a `*mut T`.
680 unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]);
681 }
682 }
683}
684
685safety_comment! {
686 /// SAFETY:
687 /// Per reference [1]:
688 /// "For all T, the following are guaranteed:
689 /// size_of::<PhantomData<T>>() == 0
690 /// align_of::<PhantomData<T>>() == 1".
691 /// This gives:
692 /// - `Immutable`: `PhantomData` has no fields.
693 /// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
694 /// only one possible sequence of 0 bytes, and `PhantomData` is inhabited.
695 /// - `IntoBytes`: Since `PhantomData` has size 0, it contains no padding
696 /// bytes.
697 /// - `Unaligned`: Per the preceding reference, `PhantomData` has alignment
698 /// 1.
699 ///
700 /// [1] https://doc.rust-lang.org/1.81.0/std/marker/struct.PhantomData.html#layout-1
701 unsafe_impl!(T: ?Sized => Immutable for PhantomData<T>);
702 unsafe_impl!(T: ?Sized => TryFromBytes for PhantomData<T>);
703 unsafe_impl!(T: ?Sized => FromZeros for PhantomData<T>);
704 unsafe_impl!(T: ?Sized => FromBytes for PhantomData<T>);
705 unsafe_impl!(T: ?Sized => IntoBytes for PhantomData<T>);
706 unsafe_impl!(T: ?Sized => Unaligned for PhantomData<T>);
707 assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>);
708}
709
710impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[<T>]);
711impl_for_transmute_from!(T: FromZeros => FromZeros for Wrapping<T>[<T>]);
712impl_for_transmute_from!(T: FromBytes => FromBytes for Wrapping<T>[<T>]);
713impl_for_transmute_from!(T: IntoBytes => IntoBytes for Wrapping<T>[<T>]);
714assert_unaligned!(Wrapping<()>, Wrapping<u8>);
715
716safety_comment! {
717 /// SAFETY:
718 /// Per [1], `Wrapping<T>` has the same layout as `T`. Since its single
719 /// field (of type `T`) is public, it would be a breaking change to add or
720 /// remove fields. Thus, we know that `Wrapping<T>` contains a `T` (as
721 /// opposed to just having the same size and alignment as `T`) with no pre-
722 /// or post-padding. Thus, `Wrapping<T>` must have `UnsafeCell`s covering
723 /// the same byte ranges as `Inner = T`.
724 ///
725 /// [1] Per https://doc.rust-lang.org/1.81.0/std/num/struct.Wrapping.html#layout-1:
726 ///
727 /// `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`
728 unsafe_impl!(T: Immutable => Immutable for Wrapping<T>);
729 /// SAFETY:
730 /// Per [1] in the preceding safety comment, `Wrapping<T>` has the same
731 /// alignment as `T`.
732 unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>);
733}
734
735safety_comment! {
736 /// SAFETY:
737 /// `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`:
738 /// `MaybeUninit<T>` has no restrictions on its contents.
739 unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>);
740 unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>);
741 unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>);
742 /// SAFETY:
743 /// `MaybeUninit<T>` has `UnsafeCell`s covering the same byte ranges as
744 /// `Inner = T`. This is not explicitly documented, but it can be inferred.
745 /// Per [1], `MaybeUninit<T>` has the same size as `T`. Further, note the
746 /// signature of `MaybeUninit::assume_init_ref` [2]:
747 ///
748 /// pub unsafe fn assume_init_ref(&self) -> &T
749 ///
750 /// If the argument `&MaybeUninit<T>` and the returned `&T` had
751 /// `UnsafeCell`s at different offsets, this would be unsound. Its existence
752 /// is proof that this is not the case.
753 ///
754 /// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
755 ///
756 /// `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI
757 /// as `T`.
758 ///
759 /// [2] https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#method.assume_init_ref
760 unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>);
761 /// SAFETY:
762 /// Per [1] in the preceding safety comment, `MaybeUninit<T>` has the same
763 /// alignment as `T`.
764 unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>);
765}
766assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>);
767
768safety_comment! {
769 /// SAFETY:
770 /// `ManuallyDrop<T>` has the same layout as `T` [1]. This strongly implies,
771 /// but does not guarantee, that it contains `UnsafeCell`s covering the same
772 /// byte ranges as in `T`. However, it also implements `Defer<Target = T>`
773 /// [2], which provides the ability to convert `&ManuallyDrop<T> -> &T`.
774 /// This, combined with having the same size as `T`, implies that
775 /// `ManuallyDrop<T>` exactly contains a `T` with the same fields and
776 /// `UnsafeCell`s covering the same byte ranges, or else the `Deref` impl
777 /// would permit safe code to obtain different shared references to the same
778 /// region of memory with different `UnsafeCell` coverage, which would in
779 /// turn permit interior mutation that would violate the invariants of a
780 /// shared reference.
781 ///
782 /// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
783 ///
784 /// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
785 /// validity as `T`
786 ///
787 /// [2] https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html#impl-Deref-for-ManuallyDrop%3CT%3E
788 unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>);
789}
790
791impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>[<T>]);
792impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[<T>]);
793impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[<T>]);
794impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[<T>]);
795safety_comment! {
796 /// SAFETY:
797 /// `ManuallyDrop<T>` has the same layout as `T` [1], and thus has the same
798 /// alignment as `T`.
799 ///
800 /// [1] Per https://doc.rust-lang.org/nightly/core/mem/struct.ManuallyDrop.html:
801 ///
802 /// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
803 /// validity as `T`
804 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>);
805}
806assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>);
807
808impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for Cell<T>[UnsafeCell<T>]);
809impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for Cell<T>[UnsafeCell<T>]);
810impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for Cell<T>[UnsafeCell<T>]);
811impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for Cell<T>[UnsafeCell<T>]);
812safety_comment! {
813 /// SAFETY:
814 /// `Cell<T>` has the same in-memory representation as `T` [1], and thus has
815 /// the same alignment as `T`.
816 ///
817 /// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.Cell.html#memory-layout:
818 ///
819 /// `Cell<T>` has the same in-memory representation as its inner type `T`.
820 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for Cell<T>);
821}
822
823impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[<T>]);
824impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[<T>]);
825impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[<T>]);
826safety_comment! {
827 /// SAFETY:
828 /// `UnsafeCell<T>` has the same in-memory representation as `T` [1], and
829 /// thus has the same alignment as `T`.
830 ///
831 /// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
832 ///
833 /// `UnsafeCell<T>` has the same in-memory representation as its inner
834 /// type `T`.
835 unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>);
836}
837assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
838
839// SAFETY: See safety comment in `is_bit_valid` impl.
840unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
841 #[allow(clippy::missing_inline_in_public_items)]
842 fn only_derive_is_allowed_to_implement_this_trait()
843 where
844 Self: Sized,
845 {
846 }
847
848 #[inline]
849 fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
850 // The only way to implement this function is using an exclusive-aliased
851 // pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
852 // (other than by using `unsafe` code, which we can't use since we can't
853 // guarantee how our users are accessing or modifying the `UnsafeCell`).
854 //
855 // `is_bit_valid` is documented as panicking or failing to monomorphize
856 // if called with a shared-aliased pointer on a type containing an
857 // `UnsafeCell`. In practice, it will always be a monorphization error.
858 // Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
859 // from this crate, we only need to worry about our own code incorrectly
860 // calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
861 // makes it easier to test that this is truly the case, and also means
862 // that if we make a mistake, it will cause downstream code to fail to
863 // compile, which will immediately surface the mistake and give us a
864 // chance to fix it quickly.
865 let c = candidate.into_exclusive_or_pme();
866
867 // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
868 // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
869 // is. Thus, this is a sound implementation of
870 // `UnsafeCell::is_bit_valid`.
871 T::is_bit_valid(c.get_mut())
872 }
873}
874
875safety_comment! {
876 /// SAFETY:
877 /// Per the reference [1]:
878 ///
879 /// An array of `[T; N]` has a size of `size_of::<T>() * N` and the same
880 /// alignment of `T`. Arrays are laid out so that the zero-based `nth`
881 /// element of the array is offset from the start of the array by `n *
882 /// size_of::<T>()` bytes.
883 ///
884 /// ...
885 ///
886 /// Slices have the same layout as the section of the array they slice.
887 ///
888 /// In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s
889 /// laid out back-to-back with no bytes in between. Therefore, `[T]` or `[T;
890 /// N]` are `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, and
891 /// `IntoBytes` if `T` is (respectively). Furthermore, since an array/slice
892 /// has "the same alignment of `T`", `[T]` and `[T; N]` are `Unaligned` if
893 /// `T` is.
894 ///
895 /// Note that we don't `assert_unaligned!` for slice types because
896 /// `assert_unaligned!` uses `align_of`, which only works for `Sized` types.
897 ///
898 /// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout
899 unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]);
900 unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; |c| {
901 // Note that this call may panic, but it would still be sound even if it
902 // did. `is_bit_valid` does not promise that it will not panic (in fact,
903 // it explicitly warns that it's a possibility), and we have not
904 // violated any safety invariants that we must fix before returning.
905 <[T] as TryFromBytes>::is_bit_valid(c.as_slice())
906 });
907 unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]);
908 unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
909 unsafe_impl!(const N: usize, T: IntoBytes => IntoBytes for [T; N]);
910 unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]);
911 assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]);
912 unsafe_impl!(T: Immutable => Immutable for [T]);
913 unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; |c| {
914 // SAFETY: Per the reference [1]:
915 //
916 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the
917 // same alignment of `T`. Arrays are laid out so that the zero-based
918 // `nth` element of the array is offset from the start of the array by
919 // `n * size_of::<T>()` bytes.
920 //
921 // ...
922 //
923 // Slices have the same layout as the section of the array they slice.
924 //
925 // In other words, the layout of a `[T] is a sequence of `T`s laid out
926 // back-to-back with no bytes in between. If all elements in `candidate`
927 // are `is_bit_valid`, so too is `candidate`.
928 //
929 // Note that any of the below calls may panic, but it would still be
930 // sound even if it did. `is_bit_valid` does not promise that it will
931 // not panic (in fact, it explicitly warns that it's a possibility), and
932 // we have not violated any safety invariants that we must fix before
933 // returning.
934 c.iter().all(<T as TryFromBytes>::is_bit_valid)
935 });
936 unsafe_impl!(T: FromZeros => FromZeros for [T]);
937 unsafe_impl!(T: FromBytes => FromBytes for [T]);
938 unsafe_impl!(T: IntoBytes => IntoBytes for [T]);
939 unsafe_impl!(T: Unaligned => Unaligned for [T]);
940}
941safety_comment! {
942 /// SAFETY:
943 /// - `Immutable`: Raw pointers do not contain any `UnsafeCell`s.
944 /// - `FromZeros`: For thin pointers (note that `T: Sized`), the zero
945 /// pointer is considered "null". [1] No operations which require
946 /// provenance are legal on null pointers, so this is not a footgun.
947 /// - `TryFromBytes`: By the same reasoning as for `FromZeroes`, we can
948 /// implement `TryFromBytes` for thin pointers provided that
949 /// [`TryFromByte::is_bit_valid`] only produces `true` for zeroed bytes.
950 ///
951 /// NOTE(#170): Implementing `FromBytes` and `IntoBytes` for raw pointers
952 /// would be sound, but carries provenance footguns. We want to support
953 /// `FromBytes` and `IntoBytes` for raw pointers eventually, but we are
954 /// holding off until we can figure out how to address those footguns.
955 ///
956 /// [1] TODO(https://github.com/rust-lang/rust/pull/116988): Cite the
957 /// documentation once this PR lands.
958 unsafe_impl!(T: ?Sized => Immutable for *const T);
959 unsafe_impl!(T: ?Sized => Immutable for *mut T);
960 unsafe_impl!(T => TryFromBytes for *const T; |c| pointer::is_zeroed(c));
961 unsafe_impl!(T => FromZeros for *const T);
962 unsafe_impl!(T => TryFromBytes for *mut T; |c| pointer::is_zeroed(c));
963 unsafe_impl!(T => FromZeros for *mut T);
964}
965
966safety_comment! {
967 /// SAFETY:
968 /// `NonNull<T>` self-evidently does not contain `UnsafeCell`s. This is not
969 /// a proof, but we are accepting this as a known risk per #1358.
970 unsafe_impl!(T: ?Sized => Immutable for NonNull<T>);
971}
972
973safety_comment! {
974 /// SAFETY:
975 /// Reference types do not contain any `UnsafeCell`s.
976 unsafe_impl!(T: ?Sized => Immutable for &'_ T);
977 unsafe_impl!(T: ?Sized => Immutable for &'_ mut T);
978}
979
980safety_comment! {
981 /// SAFETY:
982 /// `Option` is not `#[non_exhaustive]` [1], which means that the types in
983 /// its variants cannot change, and no new variants can be added.
984 /// `Option<T>` does not contain any `UnsafeCell`s outside of `T`. [1]
985 ///
986 /// [1] https://doc.rust-lang.org/core/option/enum.Option.html
987 unsafe_impl!(T: Immutable => Immutable for Option<T>);
988}
989
990// SIMD support
991//
992// Per the Unsafe Code Guidelines Reference [1]:
993//
994// Packed SIMD vector types are `repr(simd)` homogeneous tuple-structs
995// containing `N` elements of type `T` where `N` is a power-of-two and the
996// size and alignment requirements of `T` are equal:
997//
998// ```rust
999// #[repr(simd)]
1000// struct Vector<T, N>(T_0, ..., T_(N - 1));
1001// ```
1002//
1003// ...
1004//
1005// The size of `Vector` is `N * size_of::<T>()` and its alignment is an
1006// implementation-defined function of `T` and `N` greater than or equal to
1007// `align_of::<T>()`.
1008//
1009// ...
1010//
1011// Vector elements are laid out in source field order, enabling random access
1012// to vector elements by reinterpreting the vector as an array:
1013//
1014// ```rust
1015// union U {
1016// vec: Vector<T, N>,
1017// arr: [T; N]
1018// }
1019//
1020// assert_eq!(size_of::<Vector<T, N>>(), size_of::<[T; N]>());
1021// assert!(align_of::<Vector<T, N>>() >= align_of::<[T; N]>());
1022//
1023// unsafe {
1024// let u = U { vec: Vector<T, N>(t_0, ..., t_(N - 1)) };
1025//
1026// assert_eq!(u.vec.0, u.arr[0]);
1027// // ...
1028// assert_eq!(u.vec.(N - 1), u.arr[N - 1]);
1029// }
1030// ```
1031//
1032// Given this background, we can observe that:
1033// - The size and bit pattern requirements of a SIMD type are equivalent to the
1034// equivalent array type. Thus, for any SIMD type whose primitive `T` is
1035// `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes`, that
1036// SIMD type is also `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or
1037// `IntoBytes` respectively.
1038// - Since no upper bound is placed on the alignment, no SIMD type can be
1039// guaranteed to be `Unaligned`.
1040//
1041// Also per [1]:
1042//
1043// This chapter represents the consensus from issue #38. The statements in
1044// here are not (yet) "guaranteed" not to change until an RFC ratifies them.
1045//
1046// See issue #38 [2]. While this behavior is not technically guaranteed, the
1047// likelihood that the behavior will change such that SIMD types are no longer
1048// `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes` is next to zero, as
1049// that would defeat the entire purpose of SIMD types. Nonetheless, we put this
1050// behavior behind the `simd` Cargo feature, which requires consumers to opt
1051// into this stability hazard.
1052//
1053// [1] https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html
1054// [2] https://github.com/rust-lang/unsafe-code-guidelines/issues/38
1055#[cfg(feature = "simd")]
1056#[cfg_attr(doc_cfg, doc(cfg(feature = "simd")))]
1057mod simd {
1058 /// Defines a module which implements `TryFromBytes`, `FromZeros`,
1059 /// `FromBytes`, and `IntoBytes` for a set of types from a module in
1060 /// `core::arch`.
1061 ///
1062 /// `$arch` is both the name of the defined module and the name of the
1063 /// module in `core::arch`, and `$typ` is the list of items from that module
1064 /// to implement `FromZeros`, `FromBytes`, and `IntoBytes` for.
1065 #[allow(unused_macros)] // `allow(unused_macros)` is needed because some
1066 // target/feature combinations don't emit any impls
1067 // and thus don't use this macro.
1068 macro_rules! simd_arch_mod {
1069 ($(#[cfg $cfg:tt])* $(#[cfg_attr $cfg_attr:tt])? $arch:ident, $mod:ident, $($typ:ident),*) => {
1070 $(#[cfg $cfg])*
1071 #[cfg_attr(doc_cfg, doc(cfg $($cfg)*))]
1072 $(#[cfg_attr $cfg_attr])?
1073 mod $mod {
1074 use core::arch::$arch::{$($typ),*};
1075
1076 use crate::*;
1077 impl_known_layout!($($typ),*);
1078 safety_comment! {
1079 /// SAFETY:
1080 /// See comment on module definition for justification.
1081 $( unsafe_impl!($typ: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); )*
1082 }
1083 }
1084 };
1085 }
1086
1087 #[rustfmt::skip]
1088 const _: () = {
1089 simd_arch_mod!(
1090 #[cfg(target_arch = "x86")]
1091 x86, x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1092 );
1093 simd_arch_mod!(
1094 #[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
1095 x86, x86_nightly, __m512bh, __m512, __m512d, __m512i
1096 );
1097 simd_arch_mod!(
1098 #[cfg(target_arch = "x86_64")]
1099 x86_64, x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1100 );
1101 simd_arch_mod!(
1102 #[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
1103 x86_64, x86_64_nightly, __m512bh, __m512, __m512d, __m512i
1104 );
1105 simd_arch_mod!(
1106 #[cfg(target_arch = "wasm32")]
1107 wasm32, wasm32, v128
1108 );
1109 simd_arch_mod!(
1110 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
1111 powerpc, powerpc, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1112 );
1113 simd_arch_mod!(
1114 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
1115 powerpc64, powerpc64, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1116 );
1117 simd_arch_mod!(
1118 // NOTE(https://github.com/rust-lang/stdarch/issues/1484): NEON intrinsics are currently
1119 // broken on big-endian platforms.
1120 #[cfg(all(target_arch = "aarch64", target_endian = "little"))]
1121 #[cfg(zerocopy_aarch64_simd_1_59_0)]
1122 #[cfg_attr(doc_cfg, doc(cfg(rust = "1.59.0")))]
1123 aarch64, aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
1124 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
1125 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
1126 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
1127 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
1128 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
1129 uint64x1_t, uint64x2_t
1130 );
1131 };
1132}
1133
1134#[cfg(test)]
1135mod tests {
1136 use super::*;
1137 use crate::pointer::invariant;
1138
1139 #[test]
1140 fn test_impls() {
1141 // A type that can supply test cases for testing
1142 // `TryFromBytes::is_bit_valid`. All types passed to `assert_impls!`
1143 // must implement this trait; that macro uses it to generate runtime
1144 // tests for `TryFromBytes` impls.
1145 //
1146 // All `T: FromBytes` types are provided with a blanket impl. Other
1147 // types must implement `TryFromBytesTestable` directly (ie using
1148 // `impl_try_from_bytes_testable!`).
1149 trait TryFromBytesTestable {
1150 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F);
1151 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F);
1152 }
1153
1154 impl<T: FromBytes> TryFromBytesTestable for T {
1155 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1156 // Test with a zeroed value.
1157 f(Self::new_box_zeroed().unwrap());
1158
1159 let ffs = {
1160 let mut t = Self::new_zeroed();
1161 let ptr: *mut T = &mut t;
1162 // SAFETY: `T: FromBytes`
1163 unsafe { ptr::write_bytes(ptr.cast::<u8>(), 0xFF, mem::size_of::<T>()) };
1164 t
1165 };
1166
1167 // Test with a value initialized with 0xFF.
1168 f(Box::new(ffs));
1169 }
1170
1171 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {}
1172 }
1173
1174 macro_rules! impl_try_from_bytes_testable_for_null_pointer_optimization {
1175 ($($tys:ty),*) => {
1176 $(
1177 impl TryFromBytesTestable for Option<$tys> {
1178 fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1179 // Test with a zeroed value.
1180 f(Box::new(None));
1181 }
1182
1183 fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F) {
1184 for pos in 0..mem::size_of::<Self>() {
1185 let mut bytes = [0u8; mem::size_of::<Self>()];
1186 bytes[pos] = 0x01;
1187 f(&mut bytes[..]);
1188 }
1189 }
1190 }
1191 )*
1192 };
1193 }
1194
1195 // Implements `TryFromBytesTestable`.
1196 macro_rules! impl_try_from_bytes_testable {
1197 // Base case for recursion (when the list of types has run out).
1198 (=> @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {};
1199 // Implements for type(s) with no type parameters.
1200 ($ty:ty $(,$tys:ty)* => @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1201 impl TryFromBytesTestable for $ty {
1202 impl_try_from_bytes_testable!(
1203 @methods @success $($success_case),*
1204 $(, @failure $($failure_case),*)?
1205 );
1206 }
1207 impl_try_from_bytes_testable!($($tys),* => @success $($success_case),* $(, @failure $($failure_case),*)?);
1208 };
1209 // Implements for multiple types with no type parameters.
1210 ($($($ty:ty),* => @success $($success_case:expr), * $(, @failure $($failure_case:expr),*)?;)*) => {
1211 $(
1212 impl_try_from_bytes_testable!($($ty),* => @success $($success_case),* $(, @failure $($failure_case),*)*);
1213 )*
1214 };
1215 // Implements only the methods; caller must invoke this from inside
1216 // an impl block.
1217 (@methods @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1218 fn with_passing_test_cases<F: Fn(Box<Self>)>(_f: F) {
1219 $(
1220 _f(Box::<Self>::from($success_case));
1221 )*
1222 }
1223
1224 fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {
1225 $($(
1226 let mut case = $failure_case;
1227 _f(case.as_mut_bytes());
1228 )*)?
1229 }
1230 };
1231 }
1232
1233 impl_try_from_bytes_testable_for_null_pointer_optimization!(
1234 Box<UnsafeCell<NotZerocopy>>,
1235 &'static UnsafeCell<NotZerocopy>,
1236 &'static mut UnsafeCell<NotZerocopy>,
1237 NonNull<UnsafeCell<NotZerocopy>>,
1238 fn(),
1239 FnManyArgs,
1240 extern "C" fn(),
1241 ECFnManyArgs
1242 );
1243
1244 macro_rules! bx {
1245 ($e:expr) => {
1246 Box::new($e)
1247 };
1248 }
1249
1250 // Note that these impls are only for types which are not `FromBytes`.
1251 // `FromBytes` types are covered by a preceding blanket impl.
1252 impl_try_from_bytes_testable!(
1253 bool => @success true, false,
1254 @failure 2u8, 3u8, 0xFFu8;
1255 char => @success '\u{0}', '\u{D7FF}', '\u{E000}', '\u{10FFFF}',
1256 @failure 0xD800u32, 0xDFFFu32, 0x110000u32;
1257 str => @success "", "hello", "❤️🧡💛💚💙💜",
1258 @failure [0, 159, 146, 150];
1259 [u8] => @success vec![].into_boxed_slice(), vec![0, 1, 2].into_boxed_slice();
1260 NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32,
1261 NonZeroI32, NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128,
1262 NonZeroUsize, NonZeroIsize
1263 => @success Self::new(1).unwrap(),
1264 // Doing this instead of `0` ensures that we always satisfy
1265 // the size and alignment requirements of `Self` (whereas `0`
1266 // may be any integer type with a different size or alignment
1267 // than some `NonZeroXxx` types).
1268 @failure Option::<Self>::None;
1269 [bool; 0] => @success [];
1270 [bool; 1]
1271 => @success [true], [false],
1272 @failure [2u8], [3u8], [0xFFu8];
1273 [bool]
1274 => @success vec![true, false].into_boxed_slice(), vec![false, true].into_boxed_slice(),
1275 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1276 Unalign<bool>
1277 => @success Unalign::new(false), Unalign::new(true),
1278 @failure 2u8, 0xFFu8;
1279 ManuallyDrop<bool>
1280 => @success ManuallyDrop::new(false), ManuallyDrop::new(true),
1281 @failure 2u8, 0xFFu8;
1282 ManuallyDrop<[u8]>
1283 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([0u8])), bx!(ManuallyDrop::new([0u8, 1u8]));
1284 ManuallyDrop<[bool]>
1285 => @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([false])), bx!(ManuallyDrop::new([false, true])),
1286 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1287 ManuallyDrop<[UnsafeCell<u8>]>
1288 => @success bx!(ManuallyDrop::new([UnsafeCell::new(0)])), bx!(ManuallyDrop::new([UnsafeCell::new(0), UnsafeCell::new(1)]));
1289 ManuallyDrop<[UnsafeCell<bool>]>
1290 => @success bx!(ManuallyDrop::new([UnsafeCell::new(false)])), bx!(ManuallyDrop::new([UnsafeCell::new(false), UnsafeCell::new(true)])),
1291 @failure [2u8], [3u8], [0xFFu8], [0u8, 1u8, 2u8];
1292 Wrapping<bool>
1293 => @success Wrapping(false), Wrapping(true),
1294 @failure 2u8, 0xFFu8;
1295 *const NotZerocopy
1296 => @success ptr::null::<NotZerocopy>(),
1297 @failure [0x01; mem::size_of::<*const NotZerocopy>()];
1298 *mut NotZerocopy
1299 => @success ptr::null_mut::<NotZerocopy>(),
1300 @failure [0x01; mem::size_of::<*mut NotZerocopy>()];
1301 );
1302
1303 // Use the trick described in [1] to allow us to call methods
1304 // conditional on certain trait bounds.
1305 //
1306 // In all of these cases, methods return `Option<R>`, where `R` is the
1307 // return type of the method we're conditionally calling. The "real"
1308 // implementations (the ones defined in traits using `&self`) return
1309 // `Some`, and the default implementations (the ones defined as inherent
1310 // methods using `&mut self`) return `None`.
1311 //
1312 // [1] https://github.com/dtolnay/case-studies/blob/master/autoref-specialization/README.md
1313 mod autoref_trick {
1314 use super::*;
1315
1316 pub(super) struct AutorefWrapper<T: ?Sized>(pub(super) PhantomData<T>);
1317
1318 pub(super) trait TestIsBitValidShared<T: ?Sized> {
1319 #[allow(clippy::needless_lifetimes)]
1320 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1321 &self,
1322 candidate: Maybe<'ptr, T, A>,
1323 ) -> Option<bool>;
1324 }
1325
1326 impl<T: TryFromBytes + Immutable + ?Sized> TestIsBitValidShared<T> for AutorefWrapper<T> {
1327 #[allow(clippy::needless_lifetimes)]
1328 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1329 &self,
1330 candidate: Maybe<'ptr, T, A>,
1331 ) -> Option<bool> {
1332 Some(T::is_bit_valid(candidate))
1333 }
1334 }
1335
1336 pub(super) trait TestTryFromRef<T: ?Sized> {
1337 #[allow(clippy::needless_lifetimes)]
1338 fn test_try_from_ref<'bytes>(
1339 &self,
1340 bytes: &'bytes [u8],
1341 ) -> Option<Option<&'bytes T>>;
1342 }
1343
1344 impl<T: TryFromBytes + Immutable + KnownLayout + ?Sized> TestTryFromRef<T> for AutorefWrapper<T> {
1345 #[allow(clippy::needless_lifetimes)]
1346 fn test_try_from_ref<'bytes>(
1347 &self,
1348 bytes: &'bytes [u8],
1349 ) -> Option<Option<&'bytes T>> {
1350 Some(T::try_ref_from_bytes(bytes).ok())
1351 }
1352 }
1353
1354 pub(super) trait TestTryFromMut<T: ?Sized> {
1355 #[allow(clippy::needless_lifetimes)]
1356 fn test_try_from_mut<'bytes>(
1357 &self,
1358 bytes: &'bytes mut [u8],
1359 ) -> Option<Option<&'bytes mut T>>;
1360 }
1361
1362 impl<T: TryFromBytes + IntoBytes + KnownLayout + ?Sized> TestTryFromMut<T> for AutorefWrapper<T> {
1363 #[allow(clippy::needless_lifetimes)]
1364 fn test_try_from_mut<'bytes>(
1365 &self,
1366 bytes: &'bytes mut [u8],
1367 ) -> Option<Option<&'bytes mut T>> {
1368 Some(T::try_mut_from_bytes(bytes).ok())
1369 }
1370 }
1371
1372 pub(super) trait TestTryReadFrom<T> {
1373 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>>;
1374 }
1375
1376 impl<T: TryFromBytes> TestTryReadFrom<T> for AutorefWrapper<T> {
1377 fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>> {
1378 Some(T::try_read_from_bytes(bytes).ok())
1379 }
1380 }
1381
1382 pub(super) trait TestAsBytes<T: ?Sized> {
1383 #[allow(clippy::needless_lifetimes)]
1384 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]>;
1385 }
1386
1387 impl<T: IntoBytes + Immutable + ?Sized> TestAsBytes<T> for AutorefWrapper<T> {
1388 #[allow(clippy::needless_lifetimes)]
1389 fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]> {
1390 Some(t.as_bytes())
1391 }
1392 }
1393 }
1394
1395 use autoref_trick::*;
1396
1397 // Asserts that `$ty` is one of a list of types which are allowed to not
1398 // provide a "real" implementation for `$fn_name`. Since the
1399 // `autoref_trick` machinery fails silently, this allows us to ensure
1400 // that the "default" impls are only being used for types which we
1401 // expect.
1402 //
1403 // Note that, since this is a runtime test, it is possible to have an
1404 // allowlist which is too restrictive if the function in question is
1405 // never called for a particular type. For example, if `as_bytes` is not
1406 // supported for a particular type, and so `test_as_bytes` returns
1407 // `None`, methods such as `test_try_from_ref` may never be called for
1408 // that type. As a result, it's possible that, for example, adding
1409 // `as_bytes` support for a type would cause other allowlist assertions
1410 // to fail. This means that allowlist assertion failures should not
1411 // automatically be taken as a sign of a bug.
1412 macro_rules! assert_on_allowlist {
1413 ($fn_name:ident($ty:ty) $(: $($tys:ty),*)?) => {{
1414 use core::any::TypeId;
1415
1416 let allowlist: &[TypeId] = &[ $($(TypeId::of::<$tys>()),*)? ];
1417 let allowlist_names: &[&str] = &[ $($(stringify!($tys)),*)? ];
1418
1419 let id = TypeId::of::<$ty>();
1420 assert!(allowlist.contains(&id), "{} is not on allowlist for {}: {:?}", stringify!($ty), stringify!($fn_name), allowlist_names);
1421 }};
1422 }
1423
1424 // Asserts that `$ty` implements any `$trait` and doesn't implement any
1425 // `!$trait`. Note that all `$trait`s must come before any `!$trait`s.
1426 //
1427 // For `T: TryFromBytes`, uses `TryFromBytesTestable` to test success
1428 // and failure cases.
1429 macro_rules! assert_impls {
1430 ($ty:ty: TryFromBytes) => {
1431 // "Default" implementations that match the "real"
1432 // implementations defined in the `autoref_trick` module above.
1433 #[allow(unused, non_local_definitions)]
1434 impl AutorefWrapper<$ty> {
1435 #[allow(clippy::needless_lifetimes)]
1436 fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1437 &mut self,
1438 candidate: Maybe<'ptr, $ty, A>,
1439 ) -> Option<bool> {
1440 assert_on_allowlist!(
1441 test_is_bit_valid_shared($ty):
1442 ManuallyDrop<UnsafeCell<()>>,
1443 ManuallyDrop<[UnsafeCell<u8>]>,
1444 ManuallyDrop<[UnsafeCell<bool>]>,
1445 CoreMaybeUninit<NotZerocopy>,
1446 CoreMaybeUninit<UnsafeCell<()>>,
1447 Wrapping<UnsafeCell<()>>
1448 );
1449
1450 None
1451 }
1452
1453 #[allow(clippy::needless_lifetimes)]
1454 fn test_try_from_ref<'bytes>(&mut self, _bytes: &'bytes [u8]) -> Option<Option<&'bytes $ty>> {
1455 assert_on_allowlist!(
1456 test_try_from_ref($ty):
1457 ManuallyDrop<[UnsafeCell<bool>]>
1458 );
1459
1460 None
1461 }
1462
1463 #[allow(clippy::needless_lifetimes)]
1464 fn test_try_from_mut<'bytes>(&mut self, _bytes: &'bytes mut [u8]) -> Option<Option<&'bytes mut $ty>> {
1465 assert_on_allowlist!(
1466 test_try_from_mut($ty):
1467 Option<Box<UnsafeCell<NotZerocopy>>>,
1468 Option<&'static UnsafeCell<NotZerocopy>>,
1469 Option<&'static mut UnsafeCell<NotZerocopy>>,
1470 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1471 Option<fn()>,
1472 Option<FnManyArgs>,
1473 Option<extern "C" fn()>,
1474 Option<ECFnManyArgs>,
1475 *const NotZerocopy,
1476 *mut NotZerocopy
1477 );
1478
1479 None
1480 }
1481
1482 fn test_try_read_from(&mut self, _bytes: &[u8]) -> Option<Option<&$ty>> {
1483 assert_on_allowlist!(
1484 test_try_read_from($ty):
1485 str,
1486 ManuallyDrop<[u8]>,
1487 ManuallyDrop<[bool]>,
1488 ManuallyDrop<[UnsafeCell<bool>]>,
1489 [u8],
1490 [bool]
1491 );
1492
1493 None
1494 }
1495
1496 fn test_as_bytes(&mut self, _t: &$ty) -> Option<&[u8]> {
1497 assert_on_allowlist!(
1498 test_as_bytes($ty):
1499 Option<&'static UnsafeCell<NotZerocopy>>,
1500 Option<&'static mut UnsafeCell<NotZerocopy>>,
1501 Option<NonNull<UnsafeCell<NotZerocopy>>>,
1502 Option<Box<UnsafeCell<NotZerocopy>>>,
1503 Option<fn()>,
1504 Option<FnManyArgs>,
1505 Option<extern "C" fn()>,
1506 Option<ECFnManyArgs>,
1507 CoreMaybeUninit<u8>,
1508 CoreMaybeUninit<NotZerocopy>,
1509 CoreMaybeUninit<UnsafeCell<()>>,
1510 ManuallyDrop<UnsafeCell<()>>,
1511 ManuallyDrop<[UnsafeCell<u8>]>,
1512 ManuallyDrop<[UnsafeCell<bool>]>,
1513 Wrapping<UnsafeCell<()>>,
1514 *const NotZerocopy,
1515 *mut NotZerocopy
1516 );
1517
1518 None
1519 }
1520 }
1521
1522 <$ty as TryFromBytesTestable>::with_passing_test_cases(|mut val| {
1523 // TODO(#494): These tests only get exercised for types
1524 // which are `IntoBytes`. Once we implement #494, we should
1525 // be able to support non-`IntoBytes` types by zeroing
1526 // padding.
1527
1528 // We define `w` and `ww` since, in the case of the inherent
1529 // methods, Rust thinks they're both borrowed mutably at the
1530 // same time (given how we use them below). If we just
1531 // defined a single `w` and used it for multiple operations,
1532 // this would conflict.
1533 //
1534 // We `#[allow(unused_mut]` for the cases where the "real"
1535 // impls are used, which take `&self`.
1536 #[allow(unused_mut)]
1537 let (mut w, mut ww) = (AutorefWrapper::<$ty>(PhantomData), AutorefWrapper::<$ty>(PhantomData));
1538
1539 let c = Ptr::from_ref(&*val);
1540 let c = c.forget_aligned();
1541 // SAFETY: TODO(#899): This is unsound. `$ty` is not
1542 // necessarily `IntoBytes`, but that's the corner we've
1543 // backed ourselves into by using `Ptr::from_ref`.
1544 let c = unsafe { c.assume_initialized() };
1545 let res = w.test_is_bit_valid_shared(c);
1546 if let Some(res) = res {
1547 assert!(res, "{}::is_bit_valid({:?}) (shared `Ptr`): got false, expected true", stringify!($ty), val);
1548 }
1549
1550 let c = Ptr::from_mut(&mut *val);
1551 let c = c.forget_aligned();
1552 // SAFETY: TODO(#899): This is unsound. `$ty` is not
1553 // necessarily `IntoBytes`, but that's the corner we've
1554 // backed ourselves into by using `Ptr::from_ref`.
1555 let c = unsafe { c.assume_initialized() };
1556 let res = <$ty as TryFromBytes>::is_bit_valid(c);
1557 assert!(res, "{}::is_bit_valid({:?}) (exclusive `Ptr`): got false, expected true", stringify!($ty), val);
1558
1559 // `bytes` is `Some(val.as_bytes())` if `$ty: IntoBytes +
1560 // Immutable` and `None` otherwise.
1561 let bytes = w.test_as_bytes(&*val);
1562
1563 // The inner closure returns
1564 // `Some($ty::try_ref_from_bytes(bytes))` if `$ty:
1565 // Immutable` and `None` otherwise.
1566 let res = bytes.and_then(|bytes| ww.test_try_from_ref(bytes));
1567 if let Some(res) = res {
1568 assert!(res.is_some(), "{}::try_ref_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1569 }
1570
1571 if let Some(bytes) = bytes {
1572 // We need to get a mutable byte slice, and so we clone
1573 // into a `Vec`. However, we also need these bytes to
1574 // satisfy `$ty`'s alignment requirement, which isn't
1575 // guaranteed for `Vec<u8>`. In order to get around
1576 // this, we create a `Vec` which is twice as long as we
1577 // need. There is guaranteed to be an aligned byte range
1578 // of size `size_of_val(val)` within that range.
1579 let val = &*val;
1580 let size = mem::size_of_val(val);
1581 let align = mem::align_of_val(val);
1582
1583 let mut vec = bytes.to_vec();
1584 vec.extend(bytes);
1585 let slc = vec.as_slice();
1586 let offset = slc.as_ptr().align_offset(align);
1587 let bytes_mut = &mut vec.as_mut_slice()[offset..offset+size];
1588 bytes_mut.copy_from_slice(bytes);
1589
1590 let res = ww.test_try_from_mut(bytes_mut);
1591 if let Some(res) = res {
1592 assert!(res.is_some(), "{}::try_mut_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1593 }
1594 }
1595
1596 let res = bytes.and_then(|bytes| ww.test_try_read_from(bytes));
1597 if let Some(res) = res {
1598 assert!(res.is_some(), "{}::try_read_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1599 }
1600 });
1601 #[allow(clippy::as_conversions)]
1602 <$ty as TryFromBytesTestable>::with_failing_test_cases(|c| {
1603 #[allow(unused_mut)] // For cases where the "real" impls are used, which take `&self`.
1604 let mut w = AutorefWrapper::<$ty>(PhantomData);
1605
1606 // This is `Some($ty::try_ref_from_bytes(c))` if `$ty:
1607 // Immutable` and `None` otherwise.
1608 let res = w.test_try_from_ref(c);
1609 if let Some(res) = res {
1610 assert!(res.is_none(), "{}::try_ref_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1611 }
1612
1613 let res = w.test_try_from_mut(c);
1614 if let Some(res) = res {
1615 assert!(res.is_none(), "{}::try_mut_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1616 }
1617
1618
1619 let res = w.test_try_read_from(c);
1620 if let Some(res) = res {
1621 assert!(res.is_none(), "{}::try_read_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1622 }
1623 });
1624
1625 #[allow(dead_code)]
1626 const _: () = { static_assertions::assert_impl_all!($ty: TryFromBytes); };
1627 };
1628 ($ty:ty: $trait:ident) => {
1629 #[allow(dead_code)]
1630 const _: () = { static_assertions::assert_impl_all!($ty: $trait); };
1631 };
1632 ($ty:ty: !$trait:ident) => {
1633 #[allow(dead_code)]
1634 const _: () = { static_assertions::assert_not_impl_any!($ty: $trait); };
1635 };
1636 ($ty:ty: $($trait:ident),* $(,)? $(!$negative_trait:ident),*) => {
1637 $(
1638 assert_impls!($ty: $trait);
1639 )*
1640
1641 $(
1642 assert_impls!($ty: !$negative_trait);
1643 )*
1644 };
1645 }
1646
1647 // NOTE: The negative impl assertions here are not necessarily
1648 // prescriptive. They merely serve as change detectors to make sure
1649 // we're aware of what trait impls are getting added with a given
1650 // change. Of course, some impls would be invalid (e.g., `bool:
1651 // FromBytes`), and so this change detection is very important.
1652
1653 assert_impls!(
1654 (): KnownLayout,
1655 Immutable,
1656 TryFromBytes,
1657 FromZeros,
1658 FromBytes,
1659 IntoBytes,
1660 Unaligned
1661 );
1662 assert_impls!(
1663 u8: KnownLayout,
1664 Immutable,
1665 TryFromBytes,
1666 FromZeros,
1667 FromBytes,
1668 IntoBytes,
1669 Unaligned
1670 );
1671 assert_impls!(
1672 i8: KnownLayout,
1673 Immutable,
1674 TryFromBytes,
1675 FromZeros,
1676 FromBytes,
1677 IntoBytes,
1678 Unaligned
1679 );
1680 assert_impls!(
1681 u16: KnownLayout,
1682 Immutable,
1683 TryFromBytes,
1684 FromZeros,
1685 FromBytes,
1686 IntoBytes,
1687 !Unaligned
1688 );
1689 assert_impls!(
1690 i16: KnownLayout,
1691 Immutable,
1692 TryFromBytes,
1693 FromZeros,
1694 FromBytes,
1695 IntoBytes,
1696 !Unaligned
1697 );
1698 assert_impls!(
1699 u32: KnownLayout,
1700 Immutable,
1701 TryFromBytes,
1702 FromZeros,
1703 FromBytes,
1704 IntoBytes,
1705 !Unaligned
1706 );
1707 assert_impls!(
1708 i32: KnownLayout,
1709 Immutable,
1710 TryFromBytes,
1711 FromZeros,
1712 FromBytes,
1713 IntoBytes,
1714 !Unaligned
1715 );
1716 assert_impls!(
1717 u64: KnownLayout,
1718 Immutable,
1719 TryFromBytes,
1720 FromZeros,
1721 FromBytes,
1722 IntoBytes,
1723 !Unaligned
1724 );
1725 assert_impls!(
1726 i64: KnownLayout,
1727 Immutable,
1728 TryFromBytes,
1729 FromZeros,
1730 FromBytes,
1731 IntoBytes,
1732 !Unaligned
1733 );
1734 assert_impls!(
1735 u128: KnownLayout,
1736 Immutable,
1737 TryFromBytes,
1738 FromZeros,
1739 FromBytes,
1740 IntoBytes,
1741 !Unaligned
1742 );
1743 assert_impls!(
1744 i128: KnownLayout,
1745 Immutable,
1746 TryFromBytes,
1747 FromZeros,
1748 FromBytes,
1749 IntoBytes,
1750 !Unaligned
1751 );
1752 assert_impls!(
1753 usize: KnownLayout,
1754 Immutable,
1755 TryFromBytes,
1756 FromZeros,
1757 FromBytes,
1758 IntoBytes,
1759 !Unaligned
1760 );
1761 assert_impls!(
1762 isize: KnownLayout,
1763 Immutable,
1764 TryFromBytes,
1765 FromZeros,
1766 FromBytes,
1767 IntoBytes,
1768 !Unaligned
1769 );
1770 #[cfg(feature = "float-nightly")]
1771 assert_impls!(
1772 f16: KnownLayout,
1773 Immutable,
1774 TryFromBytes,
1775 FromZeros,
1776 FromBytes,
1777 IntoBytes,
1778 !Unaligned
1779 );
1780 assert_impls!(
1781 f32: KnownLayout,
1782 Immutable,
1783 TryFromBytes,
1784 FromZeros,
1785 FromBytes,
1786 IntoBytes,
1787 !Unaligned
1788 );
1789 assert_impls!(
1790 f64: KnownLayout,
1791 Immutable,
1792 TryFromBytes,
1793 FromZeros,
1794 FromBytes,
1795 IntoBytes,
1796 !Unaligned
1797 );
1798 #[cfg(feature = "float-nightly")]
1799 assert_impls!(
1800 f128: KnownLayout,
1801 Immutable,
1802 TryFromBytes,
1803 FromZeros,
1804 FromBytes,
1805 IntoBytes,
1806 !Unaligned
1807 );
1808 assert_impls!(
1809 bool: KnownLayout,
1810 Immutable,
1811 TryFromBytes,
1812 FromZeros,
1813 IntoBytes,
1814 Unaligned,
1815 !FromBytes
1816 );
1817 assert_impls!(
1818 char: KnownLayout,
1819 Immutable,
1820 TryFromBytes,
1821 FromZeros,
1822 IntoBytes,
1823 !FromBytes,
1824 !Unaligned
1825 );
1826 assert_impls!(
1827 str: KnownLayout,
1828 Immutable,
1829 TryFromBytes,
1830 FromZeros,
1831 IntoBytes,
1832 Unaligned,
1833 !FromBytes
1834 );
1835
1836 assert_impls!(
1837 NonZeroU8: KnownLayout,
1838 Immutable,
1839 TryFromBytes,
1840 IntoBytes,
1841 Unaligned,
1842 !FromZeros,
1843 !FromBytes
1844 );
1845 assert_impls!(
1846 NonZeroI8: KnownLayout,
1847 Immutable,
1848 TryFromBytes,
1849 IntoBytes,
1850 Unaligned,
1851 !FromZeros,
1852 !FromBytes
1853 );
1854 assert_impls!(
1855 NonZeroU16: KnownLayout,
1856 Immutable,
1857 TryFromBytes,
1858 IntoBytes,
1859 !FromBytes,
1860 !Unaligned
1861 );
1862 assert_impls!(
1863 NonZeroI16: KnownLayout,
1864 Immutable,
1865 TryFromBytes,
1866 IntoBytes,
1867 !FromBytes,
1868 !Unaligned
1869 );
1870 assert_impls!(
1871 NonZeroU32: KnownLayout,
1872 Immutable,
1873 TryFromBytes,
1874 IntoBytes,
1875 !FromBytes,
1876 !Unaligned
1877 );
1878 assert_impls!(
1879 NonZeroI32: KnownLayout,
1880 Immutable,
1881 TryFromBytes,
1882 IntoBytes,
1883 !FromBytes,
1884 !Unaligned
1885 );
1886 assert_impls!(
1887 NonZeroU64: KnownLayout,
1888 Immutable,
1889 TryFromBytes,
1890 IntoBytes,
1891 !FromBytes,
1892 !Unaligned
1893 );
1894 assert_impls!(
1895 NonZeroI64: KnownLayout,
1896 Immutable,
1897 TryFromBytes,
1898 IntoBytes,
1899 !FromBytes,
1900 !Unaligned
1901 );
1902 assert_impls!(
1903 NonZeroU128: KnownLayout,
1904 Immutable,
1905 TryFromBytes,
1906 IntoBytes,
1907 !FromBytes,
1908 !Unaligned
1909 );
1910 assert_impls!(
1911 NonZeroI128: KnownLayout,
1912 Immutable,
1913 TryFromBytes,
1914 IntoBytes,
1915 !FromBytes,
1916 !Unaligned
1917 );
1918 assert_impls!(
1919 NonZeroUsize: KnownLayout,
1920 Immutable,
1921 TryFromBytes,
1922 IntoBytes,
1923 !FromBytes,
1924 !Unaligned
1925 );
1926 assert_impls!(
1927 NonZeroIsize: KnownLayout,
1928 Immutable,
1929 TryFromBytes,
1930 IntoBytes,
1931 !FromBytes,
1932 !Unaligned
1933 );
1934
1935 assert_impls!(Option<NonZeroU8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1936 assert_impls!(Option<NonZeroI8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1937 assert_impls!(Option<NonZeroU16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1938 assert_impls!(Option<NonZeroI16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1939 assert_impls!(Option<NonZeroU32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1940 assert_impls!(Option<NonZeroI32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1941 assert_impls!(Option<NonZeroU64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1942 assert_impls!(Option<NonZeroI64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1943 assert_impls!(Option<NonZeroU128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1944 assert_impls!(Option<NonZeroI128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1945 assert_impls!(Option<NonZeroUsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1946 assert_impls!(Option<NonZeroIsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1947
1948 // Implements none of the ZC traits.
1949 struct NotZerocopy;
1950
1951 #[rustfmt::skip]
1952 type FnManyArgs = fn(
1953 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1954 ) -> (NotZerocopy, NotZerocopy);
1955
1956 // Allowed, because we're not actually using this type for FFI.
1957 #[allow(improper_ctypes_definitions)]
1958 #[rustfmt::skip]
1959 type ECFnManyArgs = extern "C" fn(
1960 NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1961 ) -> (NotZerocopy, NotZerocopy);
1962
1963 #[cfg(feature = "alloc")]
1964 assert_impls!(Option<Box<UnsafeCell<NotZerocopy>>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1965 assert_impls!(Option<Box<[UnsafeCell<NotZerocopy>]>>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1966 assert_impls!(Option<&'static UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1967 assert_impls!(Option<&'static [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1968 assert_impls!(Option<&'static mut UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1969 assert_impls!(Option<&'static mut [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1970 assert_impls!(Option<NonNull<UnsafeCell<NotZerocopy>>>: KnownLayout, TryFromBytes, FromZeros, Immutable, !FromBytes, !IntoBytes, !Unaligned);
1971 assert_impls!(Option<NonNull<[UnsafeCell<NotZerocopy>]>>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1972 assert_impls!(Option<fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1973 assert_impls!(Option<FnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1974 assert_impls!(Option<extern "C" fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1975 assert_impls!(Option<ECFnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1976
1977 assert_impls!(PhantomData<NotZerocopy>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1978 assert_impls!(PhantomData<UnsafeCell<()>>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1979 assert_impls!(PhantomData<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1980
1981 assert_impls!(ManuallyDrop<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1982 // This test is important because it allows us to test our hand-rolled
1983 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1984 assert_impls!(ManuallyDrop<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1985 assert_impls!(ManuallyDrop<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1986 // This test is important because it allows us to test our hand-rolled
1987 // implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1988 assert_impls!(ManuallyDrop<[bool]>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1989 assert_impls!(ManuallyDrop<NotZerocopy>: !Immutable, !TryFromBytes, !KnownLayout, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1990 assert_impls!(ManuallyDrop<[NotZerocopy]>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1991 assert_impls!(ManuallyDrop<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1992 assert_impls!(ManuallyDrop<[UnsafeCell<u8>]>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1993 assert_impls!(ManuallyDrop<[UnsafeCell<bool>]>: KnownLayout, TryFromBytes, FromZeros, IntoBytes, Unaligned, !Immutable, !FromBytes);
1994
1995 assert_impls!(CoreMaybeUninit<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, Unaligned, !IntoBytes);
1996 assert_impls!(CoreMaybeUninit<NotZerocopy>: KnownLayout, TryFromBytes, FromZeros, FromBytes, !Immutable, !IntoBytes, !Unaligned);
1997 assert_impls!(CoreMaybeUninit<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, Unaligned, !Immutable, !IntoBytes);
1998
1999 assert_impls!(Wrapping<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2000 // This test is important because it allows us to test our hand-rolled
2001 // implementation of `<Wrapping<T> as TryFromBytes>::is_bit_valid`.
2002 assert_impls!(Wrapping<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2003 assert_impls!(Wrapping<NotZerocopy>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2004 assert_impls!(Wrapping<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2005
2006 assert_impls!(Unalign<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2007 // This test is important because it allows us to test our hand-rolled
2008 // implementation of `<Unalign<T> as TryFromBytes>::is_bit_valid`.
2009 assert_impls!(Unalign<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2010 assert_impls!(Unalign<NotZerocopy>: KnownLayout, Unaligned, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes);
2011
2012 assert_impls!(
2013 [u8]: KnownLayout,
2014 Immutable,
2015 TryFromBytes,
2016 FromZeros,
2017 FromBytes,
2018 IntoBytes,
2019 Unaligned
2020 );
2021 assert_impls!(
2022 [bool]: KnownLayout,
2023 Immutable,
2024 TryFromBytes,
2025 FromZeros,
2026 IntoBytes,
2027 Unaligned,
2028 !FromBytes
2029 );
2030 assert_impls!([NotZerocopy]: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2031 assert_impls!(
2032 [u8; 0]: KnownLayout,
2033 Immutable,
2034 TryFromBytes,
2035 FromZeros,
2036 FromBytes,
2037 IntoBytes,
2038 Unaligned,
2039 );
2040 assert_impls!(
2041 [NotZerocopy; 0]: KnownLayout,
2042 !Immutable,
2043 !TryFromBytes,
2044 !FromZeros,
2045 !FromBytes,
2046 !IntoBytes,
2047 !Unaligned
2048 );
2049 assert_impls!(
2050 [u8; 1]: KnownLayout,
2051 Immutable,
2052 TryFromBytes,
2053 FromZeros,
2054 FromBytes,
2055 IntoBytes,
2056 Unaligned,
2057 );
2058 assert_impls!(
2059 [NotZerocopy; 1]: KnownLayout,
2060 !Immutable,
2061 !TryFromBytes,
2062 !FromZeros,
2063 !FromBytes,
2064 !IntoBytes,
2065 !Unaligned
2066 );
2067
2068 assert_impls!(*const NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2069 assert_impls!(*mut NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2070 assert_impls!(*const [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2071 assert_impls!(*mut [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2072 assert_impls!(*const dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2073 assert_impls!(*mut dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2074
2075 #[cfg(feature = "simd")]
2076 {
2077 #[allow(unused_macros)]
2078 macro_rules! test_simd_arch_mod {
2079 ($arch:ident, $($typ:ident),*) => {
2080 {
2081 use core::arch::$arch::{$($typ),*};
2082 use crate::*;
2083 $( assert_impls!($typ: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); )*
2084 }
2085 };
2086 }
2087 #[cfg(target_arch = "x86")]
2088 test_simd_arch_mod!(x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2089
2090 #[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
2091 test_simd_arch_mod!(x86, __m512bh, __m512, __m512d, __m512i);
2092
2093 #[cfg(target_arch = "x86_64")]
2094 test_simd_arch_mod!(x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2095
2096 #[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
2097 test_simd_arch_mod!(x86_64, __m512bh, __m512, __m512d, __m512i);
2098
2099 #[cfg(target_arch = "wasm32")]
2100 test_simd_arch_mod!(wasm32, v128);
2101
2102 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
2103 test_simd_arch_mod!(
2104 powerpc,
2105 vector_bool_long,
2106 vector_double,
2107 vector_signed_long,
2108 vector_unsigned_long
2109 );
2110
2111 #[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
2112 test_simd_arch_mod!(
2113 powerpc64,
2114 vector_bool_long,
2115 vector_double,
2116 vector_signed_long,
2117 vector_unsigned_long
2118 );
2119 #[cfg(all(target_arch = "aarch64", zerocopy_aarch64_simd_1_59_0))]
2120 #[rustfmt::skip]
2121 test_simd_arch_mod!(
2122 aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
2123 int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
2124 int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
2125 poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
2126 poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
2127 uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
2128 uint64x1_t, uint64x2_t
2129 );
2130 }
2131 }
2132}