[WIP] ReadOnly + is_bit_valid

Author: joshlf

src/impls.rs

@@ -13,6 +13,8 @@ use core::{
     ptr::NonNull,
 };
 
+use crate::pointer::SizeEq;
+
 use super::*;
 
 // SAFETY: Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
@@ -105,7 +107,8 @@ assert_unaligned!(bool);
 //   pattern 0x01.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for bool; |byte| {
-        let byte = byte.transmute::<u8, invariant::Valid, _>();
+        impl_size_eq!(ReadOnly<bool>, u8);
+        let byte = byte.transmute::<u8, invariant::Valid, BecauseImmutable>();
         *byte.unaligned_as_ref() < 2
     })
 };
@@ -134,7 +137,8 @@ const _: () = unsafe { unsafe_impl!(char: Immutable, FromZeros, IntoBytes) };
 //   `char`.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for char; |c| {
-        let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
+        impl_size_eq!(ReadOnly<char>, Unalign<u32>);
+        let c = c.transmute::<Unalign<u32>, invariant::Valid, BecauseImmutable>();
         let c = c.read_unaligned().into_inner();
         char::from_u32(c).is_some()
     });
@@ -167,7 +171,8 @@ const _: () = unsafe { unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unalig
 //   Returns `Err` if the slice is not UTF-8.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for str; |c| {
-        let c = c.transmute::<[u8], invariant::Valid, _>();
+        impl_size_eq!(ReadOnly<str>, [u8]);
+        let c = c.transmute::<[u8], invariant::Valid, BecauseImmutable>();
         let c = c.unaligned_as_ref();
         core::str::from_utf8(c).is_ok()
     })
@@ -179,9 +184,10 @@ macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
     ($($nonzero:ident[$prim:ty]),*) => {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
-                impl_size_eq!($nonzero, Unalign<$prim>);
+                // impl_size_eq!($nonzero, Unalign<$prim>);
+                impl_size_eq!(ReadOnly<$nonzero>, Unalign<$prim>);
 
-                let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
+                let n = n.transmute::<Unalign<$prim>, invariant::Valid, BecauseImmutable>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
             });
         )*
@@ -804,29 +810,16 @@ unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
     }
 
     #[inline]
-    fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
-        // The only way to implement this function is using an exclusive-aliased
-        // pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
-        // (other than by using `unsafe` code, which we can't use since we can't
-        // guarantee how our users are accessing or modifying the `UnsafeCell`).
-        //
-        // `is_bit_valid` is documented as panicking or failing to monomorphize
-        // if called with a shared-aliased pointer on a type containing an
-        // `UnsafeCell`. In practice, it will always be a monorphization error.
-        // Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
-        // from this crate, we only need to worry about our own code incorrectly
-        // calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
-        // makes it easier to test that this is truly the case, and also means
-        // that if we make a mistake, it will cause downstream code to fail to
-        // compile, which will immediately surface the mistake and give us a
-        // chance to fix it quickly.
-        let c = candidate.into_exclusive_or_pme();
-
-        // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
-        // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
-        // is. Thus, this is a sound implementation of
-        // `UnsafeCell::is_bit_valid`.
-        T::is_bit_valid(c.get_mut())
+    fn is_bit_valid(candidate: Maybe<'_, Self>) -> bool {
+        impl_transitive_transmute_from!(T: ?Sized => ReadOnly<UnsafeCell<T>> => UnsafeCell<T> => T);
+        impl_transitive_transmute_from!(T: ?Sized => ReadOnly<UnsafeCell<T>> => T => ReadOnly<T>);
+        // impl_size_eq!(T: ?Sized => ReadOnly<UnsafeCell<T>>, ReadOnly<T>);
+        // unsafe impl<T: ?Sized> SizeEq<ReadOnly<UnsafeCell<T>>> for ReadOnly<T> {
+        //     fn cast_from_raw(t: pointer::PtrInner<'_, ReadOnly<UnsafeCell<T>>>) -> pointer::PtrInner<'_, Self> {
+        //         todo!()
+        //     }
+        // }
+        T::is_bit_valid(candidate.transmute::<_, _, BecauseImmutable>())
     }
 }
 

src/lib.rs

@@ -1520,7 +1520,7 @@ pub unsafe trait TryFromBytes {
     /// [`UnsafeCell`]: core::cell::UnsafeCell
     /// [`Shared`]: invariant::Shared
     #[doc(hidden)]
-    fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool;
+    fn is_bit_valid(candidate: Maybe<'_, Self>) -> bool;
 
     /// Attempts to interpret the given `source` as a `&Self`.
     ///

src/macros.rs

@@ -895,10 +895,7 @@ macro_rules! cryptocorrosion_derive_traits {
                 $($field_ty: $crate::FromBytes,)*
             )?
         {
-            fn is_bit_valid<A>(_c: $crate::Maybe<'_, Self, A>) -> bool
-            where
-                A: $crate::pointer::invariant::Reference
-            {
+            fn is_bit_valid(_c: $crate::Maybe<'_, Self>) -> bool {
                 // SAFETY: This macro only accepts `#[repr(C)]` and
                 // `#[repr(transparent)]` structs, and this `impl` block
                 // requires all field types to be `FromBytes`. Thus, all
@@ -1038,10 +1035,7 @@ macro_rules! cryptocorrosion_derive_traits {
                 $field_ty: $crate::FromBytes,
             )*
         {
-            fn is_bit_valid<A>(_c: $crate::Maybe<'_, Self, A>) -> bool
-            where
-                A: $crate::pointer::invariant::Reference
-            {
+            fn is_bit_valid(_c: $crate::Maybe<'_, Self>) -> bool {
                 // SAFETY: This macro only accepts `#[repr(C)]` unions, and this
                 // `impl` block requires all field types to be `FromBytes`.
                 // Thus, all initialized byte sequences constitutes valid

src/pointer/mod.rs

@@ -27,7 +27,7 @@ pub use {
 ///
 /// [`TryFromBytes::is_bit_valid`]: crate::TryFromBytes::is_bit_valid
 pub type Maybe<'a, T, Aliasing = invariant::Shared, Alignment = invariant::Unaligned> =
-    Ptr<'a, T, (Aliasing, Alignment, invariant::Initialized)>;
+    Ptr<'a, crate::wrappers::ReadOnly<T>, (Aliasing, Alignment, invariant::Initialized)>;
 
 /// Checks if the referent is zeroed.
 pub(crate) fn is_zeroed<T, I>(ptr: Ptr<'_, T, I>) -> bool

src/util/macro_util.rs

@@ -29,10 +29,9 @@ use core::{
 
 use crate::{
     pointer::{
-        invariant::{self, BecauseExclusive, BecauseImmutable, Invariants},
+        invariant::{self, BecauseExclusive, BecauseImmutable, Exclusive, Invariants},
         BecauseInvariantsEq, InvariantsEq, SizeEq, TryTransmuteFromPtr,
-    },
-    FromBytes, FromZeros, Immutable, IntoBytes, KnownLayout, Ptr, TryFromBytes, ValidityError,
+    }, FromBytes, FromZeros, Immutable, IntoBytes, KnownLayout, Ptr, ReadOnly, TryFromBytes, ValidityError
 };
 
 /// Projects the type of the field at `Index` in `Self`.
@@ -587,19 +586,22 @@ where
     // initialized.
     let ptr = unsafe { ptr.assume_validity::<invariant::Initialized>() };
 
-    // SAFETY: `MaybeUninit<T>` and `T` have the same size [1], so this cast
-    // preserves the referent's size. This cast preserves provenance.
+    // SAFETY: `MaybeUninit<T>` and `T` have the same size [1], and
+    // `ReadOnly<T>` and `T` have the same size, so this cast preserves the
+    // referent's size. This cast preserves provenance.
     //
     // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
     //
     //   `MaybeUninit<T>` is guaranteed to have the same size, alignment, and
     //   ABI as `T`
-    let ptr: Ptr<'_, Dst, _> = unsafe {
-        ptr.cast_unsized(|ptr: crate::pointer::PtrInner<'_, mem::MaybeUninit<Dst>>| {
+    let ptr: Ptr<'_, ReadOnly<Dst>, (Exclusive, _, _)> = unsafe {
+        ptr.cast_unsized::<_, _, (_, (BecauseExclusive, _))>(|ptr: crate::pointer::PtrInner<'_, mem::MaybeUninit<Dst>>| {
             ptr.cast_sized()
         })
     };
 
+    // TODO: Replace this with `ptr.into_shared()` or something.
+    let ptr = unsafe { ptr.assume_aliasing() };
     if Dst::is_bit_valid(ptr.forget_aligned()) {
         // SAFETY: Since `Dst::is_bit_valid`, we know that `ptr`'s referent is
         // bit-valid for `Dst`. `ptr` points to `mu_dst`, and no intervening

src/util/macros.rs

@@ -135,15 +135,15 @@ macro_rules! unsafe_impl {
         fn only_derive_is_allowed_to_implement_this_trait() {}
 
         #[inline]
-        fn is_bit_valid<AA: crate::pointer::invariant::Reference>($candidate: Maybe<'_, Self, AA>) -> bool {
+        fn is_bit_valid($candidate: Maybe<'_, Self>) -> bool {
             $is_bit_valid
         }
     };
     (@method TryFromBytes) => {
         #[allow(clippy::missing_inline_in_public_items)]
         #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
         fn only_derive_is_allowed_to_implement_this_trait() {}
-        #[inline(always)] fn is_bit_valid<AA: crate::pointer::invariant::Reference>(_: Maybe<'_, Self, AA>) -> bool { true }
+        #[inline(always)] fn is_bit_valid(_: Maybe<'_, Self>) -> bool { true }
     };
     (@method $trait:ident) => {
         #[allow(clippy::missing_inline_in_public_items, dead_code)]
@@ -166,6 +166,13 @@ macro_rules! impl_for_transmute_from {
         $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?)?
         => $trait:ident for $ty:ty [$($unsafe_cell:ident)? <$repr:ty>]
     ) => {
+        // SAFETY: TODO
+        const _: () = unsafe {
+            impl_size_eq!(
+                @inner [$($tyvar $(: $(? $optbound +)* $($bound +)*)?)?] ReadOnly<$ty>, ReadOnly<$repr>
+            );
+        };
+
         const _: () = {
             $(#[$attr])*
             #[allow(non_local_definitions)]
@@ -218,9 +225,9 @@ macro_rules! impl_for_transmute_from {
         TryFromBytes for $ty:ty [UnsafeCell<$repr:ty>]
     ) => {
         #[inline]
-        fn is_bit_valid<A: crate::pointer::invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
-            let c: Maybe<'_, Self, crate::pointer::invariant::Exclusive> = candidate.into_exclusive_or_pme();
-            let c: Maybe<'_, $repr, _> = c.transmute::<_, _, (_, (_, (BecauseExclusive, BecauseExclusive)))>();
+        fn is_bit_valid(candidate: Maybe<'_, Self>) -> bool {
+            // let c: Maybe<'_, Self, crate::pointer::invariant::Exclusive> = candidate.into_exclusive_or_pme();
+            let c: Maybe<'_, $repr, _> = candidate.transmute::<_, _, (_, (_, (BecauseImmutable, BecauseImmutable)))>();
             // SAFETY: This macro ensures that `$repr` and `Self` have the same
             // size and bit validity. Thus, a bit-valid instance of `$repr` is
             // also a bit-valid instance of `Self`.
@@ -233,11 +240,11 @@ macro_rules! impl_for_transmute_from {
         TryFromBytes for $ty:ty [<$repr:ty>]
     ) => {
         #[inline]
-        fn is_bit_valid<A: crate::pointer::invariant::Reference>(candidate: $crate::Maybe<'_, Self, A>) -> bool {
+        fn is_bit_valid(candidate: $crate::Maybe<'_, Self>) -> bool {
             // SAFETY: This macro ensures that `$repr` and `Self` have the same
             // size and bit validity. Thus, a bit-valid instance of `$repr` is
             // also a bit-valid instance of `Self`.
-            <$repr as TryFromBytes>::is_bit_valid(candidate.transmute())
+            <$repr as TryFromBytes>::is_bit_valid(candidate.transmute::<_, _, BecauseImmutable>())
         }
     };
     (
@@ -788,44 +795,56 @@ macro_rules! impl_transitive_transmute_from {
 
 #[rustfmt::skip]
 macro_rules! impl_size_eq {
-    ($t:ty, $u:ty) => {
-        const _: () = {
-            use crate::{KnownLayout, pointer::{PtrInner, SizeEq}};
-
-            static_assert!(=> {
-                let t = <$t as KnownLayout>::LAYOUT;
-                let u = <$u as KnownLayout>::LAYOUT;
-                t.align.get() >= u.align.get() && match (t.size_info, u.size_info) {
-                    (SizeInfo::Sized { size: t }, SizeInfo::Sized { size: u }) => t == u,
-                    (
-                        SizeInfo::SliceDst(TrailingSliceLayout { offset: t_offset, elem_size: t_elem_size }),
-                        SizeInfo::SliceDst(TrailingSliceLayout { offset: u_offset, elem_size: u_elem_size })
-                    ) => t_offset == u_offset && t_elem_size == u_elem_size,
-                    _ => false,
-                }
-            });
+    ($t:ty, $u:ty) => { 
+        const _: () = { static_assert!(=> {
+            let t = <$t as KnownLayout>::LAYOUT;
+            let u = <$u as KnownLayout>::LAYOUT;
+            t.align.get() >= u.align.get() && match (t.size_info, u.size_info) {
+                (SizeInfo::Sized { size: t }, SizeInfo::Sized { size: u }) => t == u,
+                (
+                    SizeInfo::SliceDst(TrailingSliceLayout { offset: t_offset, elem_size: t_elem_size }),
+                    SizeInfo::SliceDst(TrailingSliceLayout { offset: u_offset, elem_size: u_elem_size })
+                ) => t_offset == u_offset && t_elem_size == u_elem_size,
+                _ => false,
+            }
+        }) };
 
-            // SAFETY: See inline.
-            unsafe impl SizeEq<$t> for $u {
-                #[inline(always)]
-                fn cast_from_raw(t: PtrInner<'_, $t>) -> PtrInner<'_, $u> {
-                    // SAFETY: We've asserted that their
-                    // `KnownLayout::LAYOUT.size_info`s are equal, and so this
-                    // cast is guaranteed to preserve address and referent size.
-                    // It trivially preserves provenance.
-                    unsafe { cast!(t) }
-                }
+        const _: () = unsafe { impl_size_eq!(@inner [] $t, $u); };
+    };
+    (
+        $tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )? =>
+        $t:ty, $u:ty
+    ) => {
+        impl_size_eq!(@inner [$tyvar $(: $(? $optbound)* $($bound)* )?] $t, $u);
+    };
+    (
+        @inner [$($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?)?]
+        $t:ty, $u:ty
+    ) => {{
+        $crate::util::macros::__unsafe();
+        
+        use crate::{KnownLayout, pointer::{PtrInner, SizeEq}, layout::{SizeInfo, TrailingSliceLayout}};
+
+        // SAFETY: See inline.
+        unsafe impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?)?> SizeEq<$t> for $u {
+            #[inline(always)]
+            fn cast_from_raw(t: PtrInner<'_, $t>) -> PtrInner<'_, $u> {
+                // SAFETY: We've asserted that their
+                // `KnownLayout::LAYOUT.size_info`s are equal, and so this
+                // cast is guaranteed to preserve address and referent size.
+                // It trivially preserves provenance.
+                unsafe { cast!(t) }
             }
-            // SAFETY: See previous safety comment.
-            unsafe impl SizeEq<$u> for $t {
-                #[inline(always)]
-                fn cast_from_raw(u: PtrInner<'_, $u>) -> PtrInner<'_, $t> {
-                    // SAFETY: See previous safety comment.
-                    unsafe { cast!(u) }
-                }
+        }
+        // SAFETY: See previous safety comment.
+        unsafe impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?)?> SizeEq<$u> for $t {
+            #[inline(always)]
+            fn cast_from_raw(u: PtrInner<'_, $u>) -> PtrInner<'_, $t> {
+                // SAFETY: See previous safety comment.
+                unsafe { cast!(u) }
             }
-        };
-    };
+        }
+    }};
 }
 
 /// Invokes `$blk` in a context in which `$src<$t>` and `$dst<$u>` implement