google
diff --git a/‎src/doctests.rs‎
Lines changed: 125 additions & 0 deletions b/‎src/doctests.rs‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎src/impls.rs‎
Lines changed: 24 additions & 40 deletions b/‎src/impls.rs‎
Lines changed: 24 additions & 40 deletions
@@ -0,0 +1,125 @@
+// Copyright 2025 The Fuchsia Authors
+//
+// Licensed under the 2-Clause BSD License <LICENSE-BSD or
+// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0
+// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
+// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
+// This file may not be copied, modified, or distributed except according to
+// those terms.
+
+#![cfg(feature = "derive")] // Required for derives on `SliceDst`
+#![allow(dead_code)]
+
+//! Our UI test framework, built on the `trybuild` crate, does not support
+//! testing for post-monomorphization errors. Instead, we use doctests, which
+//! are able to test for post-monomorphization errors.
+
+use crate::*;
+
+#[derive(KnownLayout, FromBytes, IntoBytes, Immutable)]
+#[repr(C)]
+#[allow(missing_debug_implementations, missing_copy_implementations)]
+pub struct SliceDst<T, U> {
+    pub t: T,
+    pub u: [U],
+}
+
+#[allow(clippy::must_use_candidate, clippy::missing_inline_in_public_items, clippy::todo)]
+impl<T: FromBytes + IntoBytes, U: FromBytes + IntoBytes> SliceDst<T, U> {
+    pub fn new() -> &'static SliceDst<T, U> {
+        todo!()
+    }
+
+    pub fn new_mut() -> &'static mut SliceDst<T, U> {
+        todo!()
+    }
+}
+
+/// `transmute_ref!` does not support transmuting from a type of smaller
+/// alignment to one of larger alignment.
+///
+/// ```compile_fail,E0080
+/// let increase_alignment: &u16 = zerocopy::transmute_ref!(&[0u8; 2]);
+/// ```
+///
+/// ```compile_fail,E0080
+/// let mut src = [0u8; 2];
+/// let increase_alignment: &mut u16 = zerocopy::transmute_mut!(&mut src);
+/// ```
+enum TransmuteRefMutAlignmentIncrease {}
+
+/// We require that the size of the destination type is not larger than the size
+/// of the source type.
+///
+/// ```compile_fail,E0080
+/// let increase_size: &[u8; 2] = zerocopy::transmute_ref!(&0u8);
+/// ```
+///
+/// ```compile_fail,E0080
+/// let mut src = 0u8;
+/// let increase_size: &mut [u8; 2] = zerocopy::transmute_mut!(&mut src);
+/// ```
+enum TransmuteRefMutSizeIncrease {}
+
+/// We require that the size of the destination type is not smaller than the
+/// size of the source type.
+///
+/// ```compile_fail,E0080
+/// let decrease_size: &u8 = zerocopy::transmute_ref!(&[0u8; 2]);
+/// ```
+///
+/// ```compile_fail,E0080
+/// let mut src = [0u8; 2];
+/// let decrease_size: &mut u8 = zerocopy::transmute_mut!(&mut src);
+/// ```
+enum TransmuteRefMutSizeDecrease {}
+
+/// It's not possible in the general case to increase the trailing slice offset
+/// during a reference transmutation - some pointer metadata values would not be
+/// supportable, and so such a transmutation would be fallible.
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &SliceDst<u8, u8> = SliceDst::new();
+/// let increase_offset: &SliceDst<[u8; 2], u8> = zerocopy::transmute_ref!(src);
+/// ```
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &mut SliceDst<u8, u8> = SliceDst::new_mut();
+/// let increase_offset: &mut SliceDst<[u8; 2], u8> = zerocopy::transmute_mut!(src);
+/// ```
+enum TransmuteRefMutDstOffsetIncrease {}
+
+/// Reference transmutes are not possible when the difference between the source
+/// and destination types' trailing slice offsets is not a multiple of the
+/// destination type's trailing slice element size.
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &SliceDst<[u8; 3], [u8; 2]> = SliceDst::new();
+/// let _: &SliceDst<[u8; 2], [u8; 2]> = zerocopy::transmute_ref!(src);
+/// ```
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &mut SliceDst<[u8; 3], [u8; 2]> = SliceDst::new_mut();
+/// let _: &mut SliceDst<[u8; 2], [u8; 2]> = zerocopy::transmute_mut!(src);
+/// ```
+enum TransmuteRefMutDstOffsetNotMultiple {}
+
+/// Reference transmutes are not possible when the source's trailing slice
+/// element size is not a multiple of the destination's.
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &SliceDst<(), [u8; 3]> = SliceDst::new();
+/// let _: &SliceDst<(), [u8; 2]> = zerocopy::transmute_ref!(src);
+/// ```
+///
+/// ```compile_fail,E0080
+/// use zerocopy::doctests::SliceDst;
+/// let src: &mut SliceDst<(), [u8; 3]> = SliceDst::new_mut();
+/// let _: &mut SliceDst<(), [u8; 2]> = zerocopy::transmute_mut!(src);
+/// ```
+enum TransmuteRefMutDstElemSizeNotMultiple {}
@@ -179,38 +179,13 @@ safety_comment! {
     });
 }
 
-// SAFETY: `str` and `[u8]` have the same layout [1].
-//
-// [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout:
-//
-//   String slices are a UTF-8 representation of characters that have the same
-//   layout as slices of type `[u8]`.
-unsafe impl pointer::SizeEq<str> for [u8] {
-    fn cast_from_raw(s: NonNull<str>) -> NonNull<[u8]> {
-        cast!(s)
-    }
-}
-// SAFETY: See previous safety comment.
-unsafe impl pointer::SizeEq<[u8]> for str {
-    fn cast_from_raw(bytes: NonNull<[u8]>) -> NonNull<str> {
-        cast!(bytes)
-    }
-}
+impl_size_eq!(str, [u8]);
 
 macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
     ($($nonzero:ident[$prim:ty]),*) => {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
-                unsafe impl pointer::SizeEq<$nonzero> for Unalign<$prim> {
-                    fn cast_from_raw(n: NonNull<$nonzero>) -> NonNull<Unalign<$prim>> {
-                        cast!(n)
-                    }
-                }
-                unsafe impl pointer::SizeEq<Unalign<$prim>> for $nonzero {
-                    fn cast_from_raw(p: NonNull<Unalign<$prim>>) -> NonNull<$nonzero> {
-                        cast!(p)
-                    }
-                }
+                impl_size_eq!($nonzero, Unalign<$prim>);
 
                 let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
@@ -429,8 +404,8 @@ mod atomics {
     macro_rules! unsafe_impl_transmute_from_for_atomic {
         ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {
             const _: () = {
-                use core::{cell::UnsafeCell, ptr::NonNull};
-                use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
+                use core::cell::UnsafeCell;
+                use crate::pointer::{PtrInner, SizeEq, TransmuteFrom, invariant::Valid};
 
                 $(
                     #[allow(unused_unsafe)] // Force the caller to call this macro inside `safety_comment!`.
@@ -443,18 +418,23 @@ mod atomics {
                     // the same size and bit validity.
                     unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
 
-                    // SAFETY: THe caller promised that `$atomic` and `$prim`
+                    // SAFETY: The caller promised that `$atomic` and `$prim`
                     // have the same size.
                     unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
-                        fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<$prim> {
-                            cast!(a)
+                        #[inline]
+                        fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, $prim> {
+                            // SAFETY: The caller promised that `$atomic` and `$prim`
+                            // have the same size. Thus, this cast preserves
+                            // address, referent size, and provenance.
+                            unsafe { cast!(a) }
                         }
                     }
-                    // SAFETY: THe caller promised that `$atomic` and `$prim`
-                    // have the same size.
+                    // SAFETY: See previous safety comment.
                     unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
-                        fn cast_from_raw(p: NonNull<$prim>) -> NonNull<$atomic> {
-                            cast!(p)
+                        #[inline]
+                        fn cast_from_raw(p: PtrInner<'_, $prim>) -> PtrInner<'_, $atomic> {
+                            // SAFETY: See previous safety comment.
+                            unsafe { cast!(p) }
                         }
                     }
                     // SAFETY: The caller promised that `$atomic` and `$prim`
@@ -467,14 +447,18 @@ mod atomics {
                     //   its inner type `T`. A consequence of this guarantee is that
                     //   it is possible to convert between `T` and `UnsafeCell<T>`.
                     unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
-                        fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<UnsafeCell<$prim>> {
-                            cast!(a)
+                        #[inline]
+                        fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, UnsafeCell<$prim>> {
+                            // SAFETY: See previous safety comment.
+                            unsafe { cast!(a) }
                         }
                     }
                     // SAFETY: See previous safety comment.
                     unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
-                        fn cast_from_raw(p: NonNull<UnsafeCell<$prim>>) -> NonNull<$atomic> {
-                            cast!(p)
+                        #[inline]
+                        fn cast_from_raw(p: PtrInner<'_, UnsafeCell<$prim>>) -> PtrInner<'_, $atomic> {
+                            // SAFETY: See previous safety comment.
+                            unsafe { cast!(p) }
                         }
                     }