zerocopy/pointer/ptr.rs
1// Copyright 2023 The Fuchsia Authors
2//
3// Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0
4// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
5// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
6// This file may not be copied, modified, or distributed except according to
7// those terms.
8
9use core::{
10 fmt::{Debug, Formatter},
11 marker::PhantomData,
12};
13
14use crate::{
15 pointer::{
16 inner::PtrInner,
17 invariant::*,
18 transmute::{MutationCompatible, SizeEq, TransmuteFromPtr},
19 },
20 AlignmentError, CastError, CastType, KnownLayout, SizeError, TryFromBytes, ValidityError,
21};
22
23/// Module used to gate access to [`Ptr`]'s fields.
24mod def {
25 #[cfg(doc)]
26 use super::super::invariant;
27 use super::*;
28
29 /// A raw pointer with more restrictions.
30 ///
31 /// `Ptr<T>` is similar to [`NonNull<T>`], but it is more restrictive in the
32 /// following ways (note that these requirements only hold of non-zero-sized
33 /// referents):
34 /// - It must derive from a valid allocation.
35 /// - It must reference a byte range which is contained inside the
36 /// allocation from which it derives.
37 /// - As a consequence, the byte range it references must have a size
38 /// which does not overflow `isize`.
39 ///
40 /// Depending on how `Ptr` is parameterized, it may have additional
41 /// invariants:
42 /// - `ptr` conforms to the aliasing invariant of
43 /// [`I::Aliasing`](invariant::Aliasing).
44 /// - `ptr` conforms to the alignment invariant of
45 /// [`I::Alignment`](invariant::Alignment).
46 /// - `ptr` conforms to the validity invariant of
47 /// [`I::Validity`](invariant::Validity).
48 ///
49 /// `Ptr<'a, T>` is [covariant] in `'a` and invariant in `T`.
50 ///
51 /// [`NonNull<T>`]: core::ptr::NonNull
52 /// [covariant]: https://doc.rust-lang.org/reference/subtyping.html
53 pub struct Ptr<'a, T, I>
54 where
55 T: ?Sized,
56 I: Invariants,
57 {
58 /// # Invariants
59 ///
60 /// 0. `ptr` conforms to the aliasing invariant of
61 /// [`I::Aliasing`](invariant::Aliasing).
62 /// 1. `ptr` conforms to the alignment invariant of
63 /// [`I::Alignment`](invariant::Alignment).
64 /// 2. `ptr` conforms to the validity invariant of
65 /// [`I::Validity`](invariant::Validity).
66 // SAFETY: `PtrInner<'a, T>` is covariant in `'a` and invariant in `T`.
67 ptr: PtrInner<'a, T>,
68 _invariants: PhantomData<I>,
69 }
70
71 impl<'a, T, I> Ptr<'a, T, I>
72 where
73 T: 'a + ?Sized,
74 I: Invariants,
75 {
76 /// Constructs a new `Ptr` from a [`PtrInner`].
77 ///
78 /// # Safety
79 ///
80 /// The caller promises that:
81 ///
82 /// 0. `ptr` conforms to the aliasing invariant of
83 /// [`I::Aliasing`](invariant::Aliasing).
84 /// 1. `ptr` conforms to the alignment invariant of
85 /// [`I::Alignment`](invariant::Alignment).
86 /// 2. `ptr` conforms to the validity invariant of
87 /// [`I::Validity`](invariant::Validity).
88 pub(crate) unsafe fn from_inner(ptr: PtrInner<'a, T>) -> Ptr<'a, T, I> {
89 // SAFETY: The caller has promised to satisfy all safety invariants
90 // of `Ptr`.
91 Self { ptr, _invariants: PhantomData }
92 }
93
94 /// Converts this `Ptr<T>` to a [`PtrInner<T>`].
95 ///
96 /// Note that this method does not consume `self`. The caller should
97 /// watch out for `unsafe` code which uses the returned value in a way
98 /// that violates the safety invariants of `self`.
99 pub(crate) fn as_inner(&self) -> PtrInner<'a, T> {
100 self.ptr
101 }
102 }
103}
104
105#[allow(unreachable_pub)] // This is a false positive on our MSRV toolchain.
106pub use def::Ptr;
107
108/// External trait implementations on [`Ptr`].
109mod _external {
110 use super::*;
111
112 /// SAFETY: Shared pointers are safely `Copy`. `Ptr`'s other invariants
113 /// (besides aliasing) are unaffected by the number of references that exist
114 /// to `Ptr`'s referent. The notable cases are:
115 /// - Alignment is a property of the referent type (`T`) and the address,
116 /// both of which are unchanged
117 /// - Let `S(T, V)` be the set of bit values permitted to appear in the
118 /// referent of a `Ptr<T, I: Invariants<Validity = V>>`. Since this copy
119 /// does not change `I::Validity` or `T`, `S(T, I::Validity)` is also
120 /// unchanged.
121 ///
122 /// We are required to guarantee that the referents of the original `Ptr`
123 /// and of the copy (which, of course, are actually the same since they
124 /// live in the same byte address range) both remain in the set `S(T,
125 /// I::Validity)`. Since this invariant holds on the original `Ptr`, it
126 /// cannot be violated by the original `Ptr`, and thus the original `Ptr`
127 /// cannot be used to violate this invariant on the copy. The inverse
128 /// holds as well.
129 impl<'a, T, I> Copy for Ptr<'a, T, I>
130 where
131 T: 'a + ?Sized,
132 I: Invariants<Aliasing = Shared>,
133 {
134 }
135
136 /// SAFETY: See the safety comment on `Copy`.
137 impl<'a, T, I> Clone for Ptr<'a, T, I>
138 where
139 T: 'a + ?Sized,
140 I: Invariants<Aliasing = Shared>,
141 {
142 #[inline]
143 fn clone(&self) -> Self {
144 *self
145 }
146 }
147
148 impl<'a, T, I> Debug for Ptr<'a, T, I>
149 where
150 T: 'a + ?Sized,
151 I: Invariants,
152 {
153 #[inline]
154 fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
155 self.as_inner().as_non_null().fmt(f)
156 }
157 }
158}
159
160/// Methods for converting to and from `Ptr` and Rust's safe reference types.
161mod _conversions {
162 use super::*;
163
164 /// `&'a T` → `Ptr<'a, T>`
165 impl<'a, T> Ptr<'a, T, (Shared, Aligned, Valid)>
166 where
167 T: 'a + ?Sized,
168 {
169 /// Constructs a `Ptr` from a shared reference.
170 #[doc(hidden)]
171 #[inline]
172 pub fn from_ref(ptr: &'a T) -> Self {
173 let inner = PtrInner::from_ref(ptr);
174 // SAFETY:
175 // 0. `ptr`, by invariant on `&'a T`, conforms to the aliasing
176 // invariant of `Shared`.
177 // 1. `ptr`, by invariant on `&'a T`, conforms to the alignment
178 // invariant of `Aligned`.
179 // 2. `ptr`'s referent, by invariant on `&'a T`, is a bit-valid `T`.
180 // This satisfies the requirement that a `Ptr<T, (_, _, Valid)>`
181 // point to a bit-valid `T`. Even if `T` permits interior
182 // mutation, this invariant guarantees that the returned `Ptr`
183 // can only ever be used to modify the referent to store
184 // bit-valid `T`s, which ensures that the returned `Ptr` cannot
185 // be used to violate the soundness of the original `ptr: &'a T`
186 // or of any other references that may exist to the same
187 // referent.
188 unsafe { Self::from_inner(inner) }
189 }
190 }
191
192 /// `&'a mut T` → `Ptr<'a, T>`
193 impl<'a, T> Ptr<'a, T, (Exclusive, Aligned, Valid)>
194 where
195 T: 'a + ?Sized,
196 {
197 /// Constructs a `Ptr` from an exclusive reference.
198 #[inline]
199 pub(crate) fn from_mut(ptr: &'a mut T) -> Self {
200 let inner = PtrInner::from_mut(ptr);
201 // SAFETY:
202 // 0. `ptr`, by invariant on `&'a mut T`, conforms to the aliasing
203 // invariant of `Exclusive`.
204 // 1. `ptr`, by invariant on `&'a mut T`, conforms to the alignment
205 // invariant of `Aligned`.
206 // 2. `ptr`'s referent, by invariant on `&'a mut T`, is a bit-valid
207 // `T`. This satisfies the requirement that a `Ptr<T, (_, _,
208 // Valid)>` point to a bit-valid `T`. This invariant guarantees
209 // that the returned `Ptr` can only ever be used to modify the
210 // referent to store bit-valid `T`s, which ensures that the
211 // returned `Ptr` cannot be used to violate the soundness of the
212 // original `ptr: &'a mut T`.
213 unsafe { Self::from_inner(inner) }
214 }
215 }
216
217 /// `Ptr<'a, T>` → `&'a T`
218 impl<'a, T, I> Ptr<'a, T, I>
219 where
220 T: 'a + ?Sized,
221 I: Invariants<Alignment = Aligned, Validity = Valid>,
222 I::Aliasing: Reference,
223 {
224 /// Converts `self` to a shared reference.
225 // This consumes `self`, not `&self`, because `self` is, logically, a
226 // pointer. For `I::Aliasing = invariant::Shared`, `Self: Copy`, and so
227 // this doesn't prevent the caller from still using the pointer after
228 // calling `as_ref`.
229 #[allow(clippy::wrong_self_convention)]
230 pub(crate) fn as_ref(self) -> &'a T {
231 let raw = self.as_inner().as_non_null();
232 // SAFETY: `self` satisfies the `Aligned` invariant, so we know that
233 // `raw` is validly-aligned for `T`.
234 #[cfg(miri)]
235 unsafe {
236 crate::util::miri_promise_symbolic_alignment(
237 raw.as_ptr().cast(),
238 core::mem::align_of_val_raw(raw.as_ptr()),
239 );
240 }
241 // SAFETY: This invocation of `NonNull::as_ref` satisfies its
242 // documented safety preconditions:
243 //
244 // 1. The pointer is properly aligned. This is ensured by-contract
245 // on `Ptr`, because the `I::Alignment` is `Aligned`.
246 //
247 // 2. If the pointer's referent is not zero-sized, then the pointer
248 // must be “dereferenceable” in the sense defined in the module
249 // documentation; i.e.:
250 //
251 // > The memory range of the given size starting at the pointer
252 // > must all be within the bounds of a single allocated object.
253 // > [2]
254 //
255 // This is ensured by contract on all `PtrInner`s.
256 //
257 // 3. The pointer must point to a validly-initialized instance of
258 // `T`. This is ensured by-contract on `Ptr`, because the
259 // `I::Validity` is `Valid`.
260 //
261 // 4. You must enforce Rust’s aliasing rules. This is ensured by
262 // contract on `Ptr`, because `I::Aliasing: Reference`. Either it
263 // is `Shared` or `Exclusive`. If it is `Shared`, other
264 // references may not mutate the referent outside of
265 // `UnsafeCell`s.
266 //
267 // [1]: https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.as_ref
268 // [2]: https://doc.rust-lang.org/std/ptr/index.html#safety
269 unsafe { raw.as_ref() }
270 }
271 }
272
273 impl<'a, T, I> Ptr<'a, T, I>
274 where
275 T: 'a + ?Sized,
276 I: Invariants,
277 I::Aliasing: Reference,
278 {
279 /// Reborrows `self`, producing another `Ptr`.
280 ///
281 /// Since `self` is borrowed immutably, this prevents any mutable
282 /// methods from being called on `self` as long as the returned `Ptr`
283 /// exists.
284 #[doc(hidden)]
285 #[inline]
286 #[allow(clippy::needless_lifetimes)] // Allows us to name the lifetime in the safety comment below.
287 pub fn reborrow<'b>(&'b mut self) -> Ptr<'b, T, I>
288 where
289 'a: 'b,
290 {
291 // SAFETY: The following all hold by invariant on `self`, and thus
292 // hold of `ptr = self.as_inner()`:
293 // 0. SEE BELOW.
294 // 1. `ptr` conforms to the alignment invariant of
295 // [`I::Alignment`](invariant::Alignment).
296 // 2. `ptr` conforms to the validity invariant of
297 // [`I::Validity`](invariant::Validity). `self` and the returned
298 // `Ptr` permit the same bit values in their referents since they
299 // have the same referent type (`T`) and the same validity
300 // (`I::Validity`). Thus, regardless of what mutation is
301 // permitted (`Exclusive` aliasing or `Shared`-aliased interior
302 // mutation), neither can be used to write a value to the
303 // referent which violates the other's validity invariant.
304 //
305 // For aliasing (0 above), since `I::Aliasing: Reference`,
306 // there are two cases for `I::Aliasing`:
307 // - For `invariant::Shared`: `'a` outlives `'b`, and so the
308 // returned `Ptr` does not permit accessing the referent any
309 // longer than is possible via `self`. For shared aliasing, it is
310 // sound for multiple `Ptr`s to exist simultaneously which
311 // reference the same memory, so creating a new one is not
312 // problematic.
313 // - For `invariant::Exclusive`: Since `self` is `&'b mut` and we
314 // return a `Ptr` with lifetime `'b`, `self` is inaccessible to
315 // the caller for the lifetime `'b` - in other words, `self` is
316 // inaccessible to the caller as long as the returned `Ptr`
317 // exists. Since `self` is an exclusive `Ptr`, no other live
318 // references or `Ptr`s may exist which refer to the same memory
319 // while `self` is live. Thus, as long as the returned `Ptr`
320 // exists, no other references or `Ptr`s which refer to the same
321 // memory may be live.
322 unsafe { Ptr::from_inner(self.as_inner()) }
323 }
324 }
325
326 /// `Ptr<'a, T>` → `&'a mut T`
327 impl<'a, T> Ptr<'a, T, (Exclusive, Aligned, Valid)>
328 where
329 T: 'a + ?Sized,
330 {
331 /// Converts `self` to a mutable reference.
332 #[allow(clippy::wrong_self_convention)]
333 pub(crate) fn as_mut(self) -> &'a mut T {
334 let mut raw = self.as_inner().as_non_null();
335 // SAFETY: `self` satisfies the `Aligned` invariant, so we know that
336 // `raw` is validly-aligned for `T`.
337 #[cfg(miri)]
338 unsafe {
339 crate::util::miri_promise_symbolic_alignment(
340 raw.as_ptr().cast(),
341 core::mem::align_of_val_raw(raw.as_ptr()),
342 );
343 }
344 // SAFETY: This invocation of `NonNull::as_mut` satisfies its
345 // documented safety preconditions:
346 //
347 // 1. The pointer is properly aligned. This is ensured by-contract
348 // on `Ptr`, because the `ALIGNMENT_INVARIANT` is `Aligned`.
349 //
350 // 2. If the pointer's referent is not zero-sized, then the pointer
351 // must be “dereferenceable” in the sense defined in the module
352 // documentation; i.e.:
353 //
354 // > The memory range of the given size starting at the pointer
355 // > must all be within the bounds of a single allocated object.
356 // > [2]
357 //
358 // This is ensured by contract on all `PtrInner`s.
359 //
360 // 3. The pointer must point to a validly-initialized instance of
361 // `T`. This is ensured by-contract on `Ptr`, because the
362 // validity invariant is `Valid`.
363 //
364 // 4. You must enforce Rust’s aliasing rules. This is ensured by
365 // contract on `Ptr`, because the `ALIASING_INVARIANT` is
366 // `Exclusive`.
367 //
368 // [1]: https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.as_mut
369 // [2]: https://doc.rust-lang.org/std/ptr/index.html#safety
370 unsafe { raw.as_mut() }
371 }
372 }
373
374 /// `Ptr<'a, T>` → `Ptr<'a, U>`
375 impl<'a, T: ?Sized, I> Ptr<'a, T, I>
376 where
377 I: Invariants,
378 {
379 pub(crate) fn transmute<U, V, R>(self) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
380 where
381 V: Validity,
382 U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R> + SizeEq<T> + ?Sized,
383 {
384 // SAFETY:
385 // - `SizeEq::cast_from_raw` promises to preserve address,
386 // provenance, and the number of bytes in the referent
387 // - If aliasing is `Shared`, then by `U: TransmuteFromPtr<T>`, at
388 // least one of the following holds:
389 // - `T: Immutable` and `U: Immutable`, in which case it is
390 // trivially sound for shared code to operate on a `&T` and `&U`
391 // at the same time, as neither can perform interior mutation
392 // - It is directly guaranteed that it is sound for shared code to
393 // operate on these references simultaneously
394 // - By `U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V>`, it is
395 // sound to perform this transmute.
396 unsafe { self.transmute_unchecked(SizeEq::cast_from_raw) }
397 }
398
399 #[doc(hidden)]
400 #[inline(always)]
401 #[must_use]
402 pub fn recall_validity<V, R>(self) -> Ptr<'a, T, (I::Aliasing, I::Alignment, V)>
403 where
404 V: Validity,
405 T: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R>,
406 {
407 // SAFETY:
408 // - This cast is a no-op, and so trivially preserves address,
409 // referent size, and provenance
410 // - It is trivially sound to have multiple `&T` referencing the
411 // same referent simultaneously
412 // - By `T: TransmuteFromPtr<T, I::Aliasing, I::Validity, V>`, it is
413 // sound to perform this transmute.
414 let ptr = unsafe { self.transmute_unchecked(SizeEq::cast_from_raw) };
415 // SAFETY: `self` and `ptr` have the same address and referent type.
416 // Therefore, if `self` satisfies `I::Alignment`, then so does
417 // `ptr`.
418 unsafe { ptr.assume_alignment::<I::Alignment>() }
419 }
420
421 /// Casts to a different (unsized) target type without checking interior
422 /// mutability.
423 ///
424 /// Callers should prefer [`cast_unsized`] where possible.
425 ///
426 /// [`cast_unsized`]: Ptr::cast_unsized
427 ///
428 /// # Safety
429 ///
430 /// The caller promises that `u = cast(p)` is a pointer cast with the
431 /// following properties:
432 /// - `u` addresses a subset of the bytes addressed by `p`
433 /// - `u` has the same provenance as `p`
434 /// - If `I::Aliasing` is [`Shared`], it must not be possible for safe
435 /// code, operating on a `&T` and `&U` with the same referent
436 /// simultaneously, to cause undefined behavior
437 /// - It is sound to transmute a pointer of type `T` with aliasing
438 /// `I::Aliasing` and validity `I::Validity` to a pointer of type `U`
439 /// with aliasing `I::Aliasing` and validity `V`. This is a subtle
440 /// soundness requirement that is a function of `T`, `U`,
441 /// `I::Aliasing`, `I::Validity`, and `V`, and may depend upon the
442 /// presence, absence, or specific location of `UnsafeCell`s in `T`
443 /// and/or `U`. See [`Validity`] for more details.
444 #[doc(hidden)]
445 #[inline]
446 pub unsafe fn transmute_unchecked<U: ?Sized, V, F>(
447 self,
448 cast: F,
449 ) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
450 where
451 V: Validity,
452 F: FnOnce(PtrInner<'a, T>) -> PtrInner<'a, U>,
453 {
454 let ptr = cast(self.as_inner());
455
456 // SAFETY:
457 //
458 // The following safety arguments rely on the fact that the caller
459 // promises that `cast` returns a `PtrInner` which addresses a
460 // prefix of the bytes of `*self`, and so properties that hold of
461 // `*self` also hold of `*ptr`.
462 //
463 // 0. `ptr` conforms to the aliasing invariant of `I::Aliasing`:
464 // - `Exclusive`: `self` is the only `Ptr` or reference which is
465 // permitted to read or modify the referent for the lifetime
466 // `'a`. Since we consume `self` by value, the returned pointer
467 // remains the only `Ptr` or reference which is permitted to
468 // read or modify the referent for the lifetime `'a`.
469 // - `Shared`: Since `self` has aliasing `Shared`, we know that
470 // no other code may mutate the referent during the lifetime
471 // `'a`, except via `UnsafeCell`s, and except as permitted by
472 // `T`'s library safety invariants. The caller promises that
473 // any safe operations which can be permitted on a `&T` and a
474 // `&U` simultaneously must be sound. Thus, no operations on a
475 // `&U` could violate `&T`'s library safety invariants, and
476 // vice-versa. Since any mutation via shared references outside
477 // of `UnsafeCell`s is unsound, this must be impossible using
478 // `&T` and `&U`.
479 // - `Inaccessible`: There are no restrictions we need to uphold.
480 // 1. `ptr` trivially satisfies the alignment invariant `Unaligned`.
481 // 2. The caller promises that `ptr` conforms to the validity
482 // invariant `V` with respect to its referent type, `U`.
483 unsafe { Ptr::from_inner(ptr) }
484 }
485 }
486
487 /// `Ptr<'a, T, (_, _, _)>` → `Ptr<'a, Unalign<T>, (_, Aligned, _)>`
488 impl<'a, T, I> Ptr<'a, T, I>
489 where
490 I: Invariants,
491 {
492 /// Converts a `Ptr` an unaligned `T` into a `Ptr` to an aligned
493 /// `Unalign<T>`.
494 pub(crate) fn into_unalign(
495 self,
496 ) -> Ptr<'a, crate::Unalign<T>, (I::Aliasing, Aligned, I::Validity)> {
497 // SAFETY:
498 // - This cast preserves provenance.
499 // - This cast preserves address. `Unalign<T>` promises to have the
500 // same size as `T`, and so the cast returns a pointer addressing
501 // the same byte range as `p`.
502 // - By the same argument, the returned pointer refers to
503 // `UnsafeCell`s at the same locations as `p`.
504 // - `Unalign<T>` promises to have the same bit validity as `T`. By
505 // invariant on `Validity`, the set of bit patterns allowed in the
506 // referent of a `Ptr<X, (_, _, V)>` is only a function of the
507 // validity of `X` and of `V`. Thus, the set of bit patterns
508 // allowed in the referent of a `Ptr<T, (_, _, I::Validity)>` is
509 // the same as the set of bit patterns allowed in the referent of
510 // a `Ptr<Unalign<T>, (_, _, I::Validity)>`. As a result, `self`
511 // and the returned `Ptr` permit the same set of bit patterns in
512 // their referents, and so neither can be used to violate the
513 // validity of the other.
514 let ptr = unsafe { self.transmute_unchecked(PtrInner::cast_sized) };
515 ptr.bikeshed_recall_aligned()
516 }
517 }
518
519 impl<'a, T, I> Ptr<'a, T, I>
520 where
521 T: ?Sized,
522 I: Invariants<Validity = Valid>,
523 I::Aliasing: Reference,
524 {
525 /// Reads the referent.
526 #[must_use]
527 #[inline]
528 pub fn read_unaligned<R>(self) -> T
529 where
530 T: Copy,
531 T: Read<I::Aliasing, R>,
532 {
533 (*self.into_unalign().as_ref()).into_inner()
534 }
535
536 /// Views the value as an aligned reference.
537 ///
538 /// This is only available if `T` is [`Unaligned`].
539 #[must_use]
540 #[inline]
541 pub fn unaligned_as_ref(self) -> &'a T
542 where
543 T: crate::Unaligned,
544 {
545 self.bikeshed_recall_aligned().as_ref()
546 }
547 }
548}
549
550/// State transitions between invariants.
551mod _transitions {
552 use super::*;
553 use crate::pointer::transmute::TryTransmuteFromPtr;
554
555 impl<'a, T, I> Ptr<'a, T, I>
556 where
557 T: 'a + ?Sized,
558 I: Invariants,
559 {
560 /// Returns a `Ptr` with [`Exclusive`] aliasing if `self` already has
561 /// `Exclusive` aliasing, or generates a compile-time assertion failure.
562 ///
563 /// This allows code which is generic over aliasing to down-cast to a
564 /// concrete aliasing.
565 ///
566 /// [`Exclusive`]: crate::pointer::invariant::Exclusive
567 #[inline]
568 pub(crate) fn into_exclusive_or_pme(
569 self,
570 ) -> Ptr<'a, T, (Exclusive, I::Alignment, I::Validity)> {
571 // NOTE(https://github.com/rust-lang/rust/issues/131625): We do this
572 // rather than just having `Aliasing::IS_EXCLUSIVE` have the panic
573 // behavior because doing it that way causes rustdoc to fail while
574 // attempting to document hidden items (since it evaluates the
575 // constant - and thus panics).
576 trait AliasingExt: Aliasing {
577 const IS_EXCL: bool;
578 }
579
580 impl<A: Aliasing> AliasingExt for A {
581 const IS_EXCL: bool = {
582 const_assert!(Self::IS_EXCLUSIVE);
583 true
584 };
585 }
586
587 assert!(I::Aliasing::IS_EXCL);
588
589 // SAFETY: We've confirmed that `self` already has the aliasing
590 // `Exclusive`. If it didn't, either the preceding assert would fail
591 // or evaluating `I::Aliasing::IS_EXCL` would fail. We're *pretty*
592 // sure that it's guaranteed to fail const eval, but the `assert!`
593 // provides a backstop in case that doesn't work.
594 unsafe { self.assume_exclusive() }
595 }
596
597 /// Assumes that `self` satisfies the invariants `H`.
598 ///
599 /// # Safety
600 ///
601 /// The caller promises that `self` satisfies the invariants `H`.
602 unsafe fn assume_invariants<H: Invariants>(self) -> Ptr<'a, T, H> {
603 // SAFETY: The caller has promised to satisfy all parameterized
604 // invariants of `Ptr`. `Ptr`'s other invariants are satisfied
605 // by-contract by the source `Ptr`.
606 unsafe { Ptr::from_inner(self.as_inner()) }
607 }
608
609 /// Helps the type system unify two distinct invariant types which are
610 /// actually the same.
611 pub(crate) fn unify_invariants<
612 H: Invariants<Aliasing = I::Aliasing, Alignment = I::Alignment, Validity = I::Validity>,
613 >(
614 self,
615 ) -> Ptr<'a, T, H> {
616 // SAFETY: The associated type bounds on `H` ensure that the
617 // invariants are unchanged.
618 unsafe { self.assume_invariants::<H>() }
619 }
620
621 /// Assumes that `self` satisfies the aliasing requirement of `A`.
622 ///
623 /// # Safety
624 ///
625 /// The caller promises that `self` satisfies the aliasing requirement
626 /// of `A`.
627 #[inline]
628 pub(crate) unsafe fn assume_aliasing<A: Aliasing>(
629 self,
630 ) -> Ptr<'a, T, (A, I::Alignment, I::Validity)> {
631 // SAFETY: The caller promises that `self` satisfies the aliasing
632 // requirements of `A`.
633 unsafe { self.assume_invariants() }
634 }
635
636 /// Assumes `self` satisfies the aliasing requirement of [`Exclusive`].
637 ///
638 /// # Safety
639 ///
640 /// The caller promises that `self` satisfies the aliasing requirement
641 /// of `Exclusive`.
642 ///
643 /// [`Exclusive`]: crate::pointer::invariant::Exclusive
644 #[inline]
645 pub(crate) unsafe fn assume_exclusive(
646 self,
647 ) -> Ptr<'a, T, (Exclusive, I::Alignment, I::Validity)> {
648 // SAFETY: The caller promises that `self` satisfies the aliasing
649 // requirements of `Exclusive`.
650 unsafe { self.assume_aliasing::<Exclusive>() }
651 }
652
653 /// Assumes that `self`'s referent is validly-aligned for `T` if
654 /// required by `A`.
655 ///
656 /// # Safety
657 ///
658 /// The caller promises that `self`'s referent conforms to the alignment
659 /// invariant of `T` if required by `A`.
660 #[inline]
661 pub(crate) unsafe fn assume_alignment<A: Alignment>(
662 self,
663 ) -> Ptr<'a, T, (I::Aliasing, A, I::Validity)> {
664 // SAFETY: The caller promises that `self`'s referent is
665 // well-aligned for `T` if required by `A` .
666 unsafe { self.assume_invariants() }
667 }
668
669 /// Checks the `self`'s alignment at runtime, returning an aligned `Ptr`
670 /// on success.
671 pub(crate) fn try_into_aligned(
672 self,
673 ) -> Result<Ptr<'a, T, (I::Aliasing, Aligned, I::Validity)>, AlignmentError<Self, T>>
674 where
675 T: Sized,
676 {
677 if let Err(err) =
678 crate::util::validate_aligned_to::<_, T>(self.as_inner().as_non_null())
679 {
680 return Err(err.with_src(self));
681 }
682
683 // SAFETY: We just checked the alignment.
684 Ok(unsafe { self.assume_alignment::<Aligned>() })
685 }
686
687 /// Recalls that `self`'s referent is validly-aligned for `T`.
688 #[inline]
689 // FIXME(#859): Reconsider the name of this method before making it
690 // public.
691 pub(crate) fn bikeshed_recall_aligned(
692 self,
693 ) -> Ptr<'a, T, (I::Aliasing, Aligned, I::Validity)>
694 where
695 T: crate::Unaligned,
696 {
697 // SAFETY: The bound `T: Unaligned` ensures that `T` has no
698 // non-trivial alignment requirement.
699 unsafe { self.assume_alignment::<Aligned>() }
700 }
701
702 /// Assumes that `self`'s referent conforms to the validity requirement
703 /// of `V`.
704 ///
705 /// # Safety
706 ///
707 /// The caller promises that `self`'s referent conforms to the validity
708 /// requirement of `V`.
709 #[doc(hidden)]
710 #[must_use]
711 #[inline]
712 pub unsafe fn assume_validity<V: Validity>(
713 self,
714 ) -> Ptr<'a, T, (I::Aliasing, I::Alignment, V)> {
715 // SAFETY: The caller promises that `self`'s referent conforms to
716 // the validity requirement of `V`.
717 unsafe { self.assume_invariants() }
718 }
719
720 /// A shorthand for `self.assume_validity<invariant::Initialized>()`.
721 ///
722 /// # Safety
723 ///
724 /// The caller promises to uphold the safety preconditions of
725 /// `self.assume_validity<invariant::Initialized>()`.
726 #[doc(hidden)]
727 #[must_use]
728 #[inline]
729 pub unsafe fn assume_initialized(
730 self,
731 ) -> Ptr<'a, T, (I::Aliasing, I::Alignment, Initialized)> {
732 // SAFETY: The caller has promised to uphold the safety
733 // preconditions.
734 unsafe { self.assume_validity::<Initialized>() }
735 }
736
737 /// A shorthand for `self.assume_validity<Valid>()`.
738 ///
739 /// # Safety
740 ///
741 /// The caller promises to uphold the safety preconditions of
742 /// `self.assume_validity<Valid>()`.
743 #[doc(hidden)]
744 #[must_use]
745 #[inline]
746 pub unsafe fn assume_valid(self) -> Ptr<'a, T, (I::Aliasing, I::Alignment, Valid)> {
747 // SAFETY: The caller has promised to uphold the safety
748 // preconditions.
749 unsafe { self.assume_validity::<Valid>() }
750 }
751
752 /// Recalls that `self`'s referent is initialized.
753 #[doc(hidden)]
754 #[must_use]
755 #[inline]
756 // FIXME(#859): Reconsider the name of this method before making it
757 // public.
758 pub fn bikeshed_recall_initialized_from_bytes(
759 self,
760 ) -> Ptr<'a, T, (I::Aliasing, I::Alignment, Initialized)>
761 where
762 T: crate::IntoBytes + crate::FromBytes,
763 I: Invariants<Validity = Valid>,
764 {
765 // SAFETY: The `T: IntoBytes + FromBytes` bound ensures that `T`'s
766 // bit validity is equivalent to `[u8]`. In other words, the set of
767 // allowed referents for a `Ptr<T, (_, _, Valid)>` is the set of
768 // initialized bit patterns. The same is true of the set of allowed
769 // referents for any `Ptr<_, (_, _, Initialized)>`. Thus, this call
770 // does not change the set of allowed values in the referent.
771 unsafe { self.assume_initialized() }
772 }
773
774 /// Recalls that `self`'s referent is initialized.
775 #[doc(hidden)]
776 #[must_use]
777 #[inline]
778 // FIXME(#859): Reconsider the name of this method before making it
779 // public.
780 pub fn bikeshed_recall_initialized_immutable(
781 self,
782 ) -> Ptr<'a, T, (Shared, I::Alignment, Initialized)>
783 where
784 T: crate::IntoBytes + crate::Immutable,
785 I: Invariants<Aliasing = Shared, Validity = Valid>,
786 {
787 // SAFETY: Let `O` (for "old") be the set of allowed bit patterns in
788 // `self`'s referent, and let `N` (for "new") be the set of allowed
789 // bit patterns in the referent of the returned `Ptr`. `T:
790 // IntoBytes` and `I: Invariants<Validity = Valid>` ensures that `O`
791 // cannot contain any uninitialized bit patterns. Since the returned
792 // `Ptr` has validity `Initialized`, `N` is equal to the set of all
793 // initialized bit patterns. Thus, `O` is a subset of `N`, and so
794 // the returned `Ptr`'s validity invariant is upheld.
795 //
796 // Since `T: Immutable` and aliasing is `Shared`, the returned `Ptr`
797 // cannot be used to modify the referent. Before this call, `self`'s
798 // referent is guaranteed by invariant on `Ptr` to satisfy `self`'s
799 // validity invariant. Since the returned `Ptr` cannot be used to
800 // modify the referent, this guarantee cannot be violated by the
801 // returned `Ptr` (even if `O` is a strict subset of `N`).
802 unsafe { self.assume_initialized() }
803 }
804
805 /// Checks that `self`'s referent is validly initialized for `T`,
806 /// returning a `Ptr` with `Valid` on success.
807 ///
808 /// # Panics
809 ///
810 /// This method will panic if
811 /// [`T::is_bit_valid`][TryFromBytes::is_bit_valid] panics.
812 ///
813 /// # Safety
814 ///
815 /// On error, unsafe code may rely on this method's returned
816 /// `ValidityError` containing `self`.
817 #[inline]
818 pub(crate) fn try_into_valid<R, S>(
819 mut self,
820 ) -> Result<Ptr<'a, T, (I::Aliasing, I::Alignment, Valid)>, ValidityError<Self, T>>
821 where
822 T: TryFromBytes
823 + Read<I::Aliasing, R>
824 + TryTransmuteFromPtr<T, I::Aliasing, I::Validity, Valid, S>,
825 I::Aliasing: Reference,
826 I: Invariants<Validity = Initialized>,
827 {
828 // This call may panic. If that happens, it doesn't cause any
829 // soundness issues, as we have not generated any invalid state
830 // which we need to fix before returning.
831 if T::is_bit_valid(self.reborrow().forget_aligned()) {
832 // SAFETY: If `T::is_bit_valid`, code may assume that `self`
833 // contains a bit-valid instance of `T`. By `T:
834 // TryTransmuteFromPtr<T, I::Aliasing, I::Validity, Valid>`, so
835 // long as `self`'s referent conforms to the `Valid` validity
836 // for `T` (which we just confirmed), then this transmute is
837 // sound.
838 Ok(unsafe { self.assume_valid() })
839 } else {
840 Err(ValidityError::new(self))
841 }
842 }
843
844 /// Forgets that `self`'s referent is validly-aligned for `T`.
845 #[doc(hidden)]
846 #[must_use]
847 #[inline]
848 pub fn forget_aligned(self) -> Ptr<'a, T, (I::Aliasing, Unaligned, I::Validity)> {
849 // SAFETY: `Unaligned` is less restrictive than `Aligned`.
850 unsafe { self.assume_invariants() }
851 }
852 }
853}
854
855/// Casts of the referent type.
856mod _casts {
857 use super::*;
858
859 impl<'a, T, I> Ptr<'a, T, I>
860 where
861 T: 'a + ?Sized,
862 I: Invariants,
863 {
864 /// Casts to a different (unsized) target type without checking interior
865 /// mutability.
866 ///
867 /// Callers should prefer [`cast_unsized`] where possible.
868 ///
869 /// [`cast_unsized`]: Ptr::cast_unsized
870 ///
871 /// # Safety
872 ///
873 /// The caller promises that `u = cast(p)` is a pointer cast with the
874 /// following properties:
875 /// - `u` addresses a subset of the bytes addressed by `p`
876 /// - `u` has the same provenance as `p`
877 /// - If `I::Aliasing` is [`Shared`], it must not be possible for safe
878 /// code, operating on a `&T` and `&U` with the same referent
879 /// simultaneously, to cause undefined behavior
880 ///
881 /// `cast_unsized_unchecked` guarantees that the pointer passed to
882 /// `cast` will reference a byte sequence which is either contained
883 /// inside a single allocated object or is zero sized. In either case,
884 /// this means that its size will fit in an `isize` and it will not wrap
885 /// around the address space.
886 #[doc(hidden)]
887 #[inline]
888 pub unsafe fn cast_unsized_unchecked<U, F: FnOnce(PtrInner<'a, T>) -> PtrInner<'a, U>>(
889 self,
890 cast: F,
891 ) -> Ptr<'a, U, (I::Aliasing, Unaligned, I::Validity)>
892 where
893 U: 'a + CastableFrom<T, I::Validity, I::Validity> + ?Sized,
894 {
895 // SAFETY:
896 // - The caller promises that `u = cast(p)` is a pointer which
897 // satisfies:
898 // - `u` addresses a subset of the bytes addressed by `p`
899 // - `u` has the same provenance as `p`
900 // - If `I::Aliasing` is [`Shared`], it must not be possible for
901 // safe code, operating on a `&T` and `&U` with the same
902 // referent simultaneously, to cause undefined behavior
903 // - By `U: CastableFrom<T, I::Validity, I::Validity>`,
904 // `I::Validity` is either `Uninit` or `Initialized`. In both
905 // cases, the bit validity `I::Validity` has the same semantics
906 // regardless of referent type. In other words, the set of allowed
907 // referent values for `Ptr<T, (_, _, I::Validity)>` and `Ptr<U,
908 // (_, _, I::Validity)>` are identical. As a consequence, neither
909 // `self` nor the returned `Ptr` can be used to write values which
910 // are invalid for the other.
911 //
912 // `transmute_unchecked` guarantees that it will only pass pointers
913 // to `cast` which either reference a zero-sized byte range or
914 // reference a byte range which is entirely contained inside of an
915 // allocated object.
916 #[allow(clippy::multiple_unsafe_ops_per_block)]
917 unsafe {
918 self.transmute_unchecked(cast)
919 }
920 }
921
922 /// Casts to a different (unsized) target type.
923 ///
924 /// # Safety
925 ///
926 /// The caller promises that `u = cast(p)` is a pointer cast with the
927 /// following properties:
928 /// - `u` addresses a subset of the bytes addressed by `p`
929 /// - `u` has the same provenance as `p`
930 #[doc(hidden)]
931 #[inline]
932 pub unsafe fn cast_unsized<U, F, R>(
933 self,
934 cast: F,
935 ) -> Ptr<'a, U, (I::Aliasing, Unaligned, I::Validity)>
936 where
937 T: MutationCompatible<U, I::Aliasing, I::Validity, I::Validity, R>,
938 U: 'a + ?Sized + CastableFrom<T, I::Validity, I::Validity>,
939 F: FnOnce(PtrInner<'a, T>) -> PtrInner<'a, U>,
940 {
941 // SAFETY: Because `T: MutationCompatible<U, I::Aliasing, R>`, one
942 // of the following holds:
943 // - `T: Read<I::Aliasing>` and `U: Read<I::Aliasing>`, in which
944 // case one of the following holds:
945 // - `I::Aliasing` is `Exclusive`
946 // - `T` and `U` are both `Immutable`
947 // - It is sound for safe code to operate on `&T` and `&U` with the
948 // same referent simultaneously
949 //
950 // The caller promises all other safety preconditions.
951 unsafe { self.cast_unsized_unchecked(cast) }
952 }
953 }
954
955 impl<'a, T, I> Ptr<'a, T, I>
956 where
957 T: 'a + KnownLayout + ?Sized,
958 I: Invariants<Validity = Initialized>,
959 {
960 /// Casts this pointer-to-initialized into a pointer-to-bytes.
961 #[allow(clippy::wrong_self_convention)]
962 #[must_use]
963 #[inline]
964 pub fn as_bytes<R>(self) -> Ptr<'a, [u8], (I::Aliasing, Aligned, Valid)>
965 where
966 T: Read<I::Aliasing, R>,
967 I::Aliasing: Reference,
968 {
969 // SAFETY: `PtrInner::as_bytes` returns a pointer which addresses
970 // the same byte range as its argument, and which has the same
971 // provenance.
972 let ptr = unsafe { self.cast_unsized(PtrInner::as_bytes) };
973 ptr.bikeshed_recall_aligned().recall_validity::<Valid, (_, (_, _))>()
974 }
975 }
976
977 impl<'a, T, I, const N: usize> Ptr<'a, [T; N], I>
978 where
979 T: 'a,
980 I: Invariants,
981 {
982 /// Casts this pointer-to-array into a slice.
983 #[allow(clippy::wrong_self_convention)]
984 pub(crate) fn as_slice(self) -> Ptr<'a, [T], I> {
985 let slice = self.as_inner().as_slice();
986 // SAFETY: Note that, by post-condition on `PtrInner::as_slice`,
987 // `slice` refers to the same byte range as `self.as_inner()`.
988 //
989 // 0. Thus, `slice` conforms to the aliasing invariant of
990 // `I::Aliasing` because `self` does.
991 // 1. By the above lemma, `slice` conforms to the alignment
992 // invariant of `I::Alignment` because `self` does.
993 // 2. Since `[T; N]` and `[T]` have the same bit validity [1][2],
994 // and since `self` and the returned `Ptr` have the same validity
995 // invariant, neither `self` nor the returned `Ptr` can be used
996 // to write a value to the referent which violates the other's
997 // validity invariant.
998 //
999 // [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout:
1000 //
1001 // An array of `[T; N]` has a size of `size_of::<T>() * N` and the
1002 // same alignment of `T`. Arrays are laid out so that the
1003 // zero-based `nth` element of the array is offset from the start
1004 // of the array by `n * size_of::<T>()` bytes.
1005 //
1006 // ...
1007 //
1008 // Slices have the same layout as the section of the array they
1009 // slice.
1010 //
1011 // [2] Per https://doc.rust-lang.org/1.81.0/reference/types/array.html#array-types:
1012 //
1013 // All elements of arrays are always initialized
1014 unsafe { Ptr::from_inner(slice) }
1015 }
1016 }
1017
1018 /// For caller convenience, these methods are generic over alignment
1019 /// invariant. In practice, the referent is always well-aligned, because the
1020 /// alignment of `[u8]` is 1.
1021 impl<'a, I> Ptr<'a, [u8], I>
1022 where
1023 I: Invariants<Validity = Valid>,
1024 {
1025 /// Attempts to cast `self` to a `U` using the given cast type.
1026 ///
1027 /// If `U` is a slice DST and pointer metadata (`meta`) is provided,
1028 /// then the cast will only succeed if it would produce an object with
1029 /// the given metadata.
1030 ///
1031 /// Returns `None` if the resulting `U` would be invalidly-aligned, if
1032 /// no `U` can fit in `self`, or if the provided pointer metadata
1033 /// describes an invalid instance of `U`. On success, returns a pointer
1034 /// to the largest-possible `U` which fits in `self`.
1035 ///
1036 /// # Safety
1037 ///
1038 /// The caller may assume that this implementation is correct, and may
1039 /// rely on that assumption for the soundness of their code. In
1040 /// particular, the caller may assume that, if `try_cast_into` returns
1041 /// `Some((ptr, remainder))`, then `ptr` and `remainder` refer to
1042 /// non-overlapping byte ranges within `self`, and that `ptr` and
1043 /// `remainder` entirely cover `self`. Finally:
1044 /// - If this is a prefix cast, `ptr` has the same address as `self`.
1045 /// - If this is a suffix cast, `remainder` has the same address as
1046 /// `self`.
1047 #[inline(always)]
1048 pub(crate) fn try_cast_into<U, R>(
1049 self,
1050 cast_type: CastType,
1051 meta: Option<U::PointerMetadata>,
1052 ) -> Result<
1053 (Ptr<'a, U, (I::Aliasing, Aligned, Initialized)>, Ptr<'a, [u8], I>),
1054 CastError<Self, U>,
1055 >
1056 where
1057 I::Aliasing: Reference,
1058 U: 'a + ?Sized + KnownLayout + Read<I::Aliasing, R>,
1059 {
1060 let (inner, remainder) =
1061 self.as_inner().try_cast_into(cast_type, meta).map_err(|err| {
1062 err.map_src(|inner|
1063 // SAFETY: `PtrInner::try_cast_into` promises to return its
1064 // original argument on error, which was originally produced
1065 // by `self.as_inner()`, which is guaranteed to satisfy
1066 // `Ptr`'s invariants.
1067 unsafe { Ptr::from_inner(inner) })
1068 })?;
1069
1070 // SAFETY:
1071 // 0. Since `U: Read<I::Aliasing, _>`, either:
1072 // - `I::Aliasing` is `Exclusive`, in which case both `src` and
1073 // `ptr` conform to `Exclusive`
1074 // - `I::Aliasing` is `Shared` and `U` is `Immutable` (we already
1075 // know that `[u8]: Immutable`). In this case, neither `U` nor
1076 // `[u8]` permit mutation, and so `Shared` aliasing is
1077 // satisfied.
1078 // 1. `ptr` conforms to the alignment invariant of `Aligned` because
1079 // it is derived from `try_cast_into`, which promises that the
1080 // object described by `target` is validly aligned for `U`.
1081 // 2. By trait bound, `self` - and thus `target` - is a bit-valid
1082 // `[u8]`. `Ptr<[u8], (_, _, Valid)>` and `Ptr<_, (_, _,
1083 // Initialized)>` have the same bit validity, and so neither
1084 // `self` nor `res` can be used to write a value to the referent
1085 // which violates the other's validity invariant.
1086 let res = unsafe { Ptr::from_inner(inner) };
1087
1088 // SAFETY:
1089 // 0. `self` and `remainder` both have the type `[u8]`. Thus, they
1090 // have `UnsafeCell`s at the same locations. Type casting does
1091 // not affect aliasing.
1092 // 1. `[u8]` has no alignment requirement.
1093 // 2. `self` has validity `Valid` and has type `[u8]`. Since
1094 // `remainder` references a subset of `self`'s referent, it is
1095 // also a bit-valid `[u8]`. Thus, neither `self` nor `remainder`
1096 // can be used to write a value to the referent which violates
1097 // the other's validity invariant.
1098 let remainder = unsafe { Ptr::from_inner(remainder) };
1099
1100 Ok((res, remainder))
1101 }
1102
1103 /// Attempts to cast `self` into a `U`, failing if all of the bytes of
1104 /// `self` cannot be treated as a `U`.
1105 ///
1106 /// In particular, this method fails if `self` is not validly-aligned
1107 /// for `U` or if `self`'s size is not a valid size for `U`.
1108 ///
1109 /// # Safety
1110 ///
1111 /// On success, the caller may assume that the returned pointer
1112 /// references the same byte range as `self`.
1113 #[allow(unused)]
1114 #[inline(always)]
1115 pub(crate) fn try_cast_into_no_leftover<U, R>(
1116 self,
1117 meta: Option<U::PointerMetadata>,
1118 ) -> Result<Ptr<'a, U, (I::Aliasing, Aligned, Initialized)>, CastError<Self, U>>
1119 where
1120 I::Aliasing: Reference,
1121 U: 'a + ?Sized + KnownLayout + Read<I::Aliasing, R>,
1122 {
1123 // FIXME(#67): Remove this allow. See NonNulSlicelExt for more
1124 // details.
1125 #[allow(unstable_name_collisions)]
1126 match self.try_cast_into(CastType::Prefix, meta) {
1127 Ok((slf, remainder)) => {
1128 if remainder.len() == 0 {
1129 Ok(slf)
1130 } else {
1131 // Undo the cast so we can return the original bytes.
1132 let slf = slf.as_bytes();
1133 // Restore the initial alignment invariant of `self`.
1134 //
1135 // SAFETY: The referent type of `slf` is now equal to
1136 // that of `self`, but the alignment invariants
1137 // nominally differ. Since `slf` and `self` refer to the
1138 // same memory and no actions have been taken that would
1139 // violate the original invariants on `self`, it is
1140 // sound to apply the alignment invariant of `self` onto
1141 // `slf`.
1142 let slf = unsafe { slf.assume_alignment::<I::Alignment>() };
1143 let slf = slf.unify_invariants();
1144 Err(CastError::Size(SizeError::<_, U>::new(slf)))
1145 }
1146 }
1147 Err(err) => Err(err),
1148 }
1149 }
1150 }
1151
1152 impl<'a, T, I> Ptr<'a, core::cell::UnsafeCell<T>, I>
1153 where
1154 T: 'a + ?Sized,
1155 I: Invariants<Aliasing = Exclusive>,
1156 {
1157 /// Converts this `Ptr` into a pointer to the underlying data.
1158 ///
1159 /// This call borrows the `UnsafeCell` mutably (at compile-time) which
1160 /// guarantees that we possess the only reference.
1161 ///
1162 /// This is like [`UnsafeCell::get_mut`], but for `Ptr`.
1163 ///
1164 /// [`UnsafeCell::get_mut`]: core::cell::UnsafeCell::get_mut
1165 #[must_use]
1166 #[inline(always)]
1167 pub fn get_mut(self) -> Ptr<'a, T, I> {
1168 // SAFETY:
1169 // - The closure uses an `as` cast, which preserves address range
1170 // and provenance.
1171 // - Aliasing is `Exclusive`, and so we are not required to promise
1172 // anything about the locations of `UnsafeCell`s.
1173 // - `UnsafeCell<T>` has the same bit validity as `T` [1].
1174 // Technically the term "representation" doesn't guarantee this,
1175 // but the subsequent sentence in the documentation makes it clear
1176 // that this is the intention.
1177 //
1178 // By invariant on `Validity`, since `T` and `UnsafeCell<T>` have
1179 // the same bit validity, then the set of values which may appear
1180 // in the referent of a `Ptr<T, (_, _, V)>` is the same as the set
1181 // which may appear in the referent of a `Ptr<UnsafeCell<T>, (_,
1182 // _, V)>`. Thus, neither `self` nor `ptr` may be used to write a
1183 // value to the referent which would violate the other's validity
1184 // invariant.
1185 //
1186 // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
1187 //
1188 // `UnsafeCell<T>` has the same in-memory representation as its
1189 // inner type `T`. A consequence of this guarantee is that it is
1190 // possible to convert between `T` and `UnsafeCell<T>`.
1191 #[allow(clippy::as_conversions)]
1192 #[allow(clippy::multiple_unsafe_ops_per_block)]
1193 let ptr = unsafe { self.transmute_unchecked(|ptr| cast!(ptr)) };
1194
1195 // SAFETY: `UnsafeCell<T>` has the same alignment as `T` [1],
1196 // and so if `self` is guaranteed to be aligned, then so is the
1197 // returned `Ptr`.
1198 //
1199 // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
1200 //
1201 // `UnsafeCell<T>` has the same in-memory representation as
1202 // its inner type `T`. A consequence of this guarantee is that
1203 // it is possible to convert between `T` and `UnsafeCell<T>`.
1204 let ptr = unsafe { ptr.assume_alignment::<I::Alignment>() };
1205 ptr.unify_invariants()
1206 }
1207 }
1208}
1209
1210/// Projections through the referent.
1211mod _project {
1212 use super::*;
1213
1214 impl<'a, T, I> Ptr<'a, [T], I>
1215 where
1216 T: 'a,
1217 I: Invariants,
1218 I::Aliasing: Reference,
1219 {
1220 /// Iteratively projects the elements `Ptr<T>` from `Ptr<[T]>`.
1221 pub(crate) fn iter(&self) -> impl Iterator<Item = Ptr<'a, T, I>> {
1222 // SAFETY:
1223 // 0. `elem` conforms to the aliasing invariant of `I::Aliasing`
1224 // because projection does not impact the aliasing invariant.
1225 // 1. `elem`, conditionally, conforms to the validity invariant of
1226 // `I::Alignment`. If `elem` is projected from data well-aligned
1227 // for `[T]`, `elem` will be valid for `T`.
1228 // 2. `elem` conforms to the validity invariant of `I::Validity`.
1229 // Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout:
1230 //
1231 // Slices have the same layout as the section of the array they
1232 // slice.
1233 //
1234 // Arrays are laid out so that the zero-based `nth` element of
1235 // the array is offset from the start of the array by `n *
1236 // size_of::<T>()` bytes. Thus, `elem` addresses a valid `T`
1237 // within the slice. Since `self` satisfies `I::Validity`, `elem`
1238 // also satisfies `I::Validity`.
1239 self.as_inner().iter().map(|elem| unsafe { Ptr::from_inner(elem) })
1240 }
1241 }
1242
1243 #[allow(clippy::needless_lifetimes)]
1244 impl<'a, T, I> Ptr<'a, T, I>
1245 where
1246 T: 'a + ?Sized + KnownLayout<PointerMetadata = usize>,
1247 I: Invariants,
1248 {
1249 /// The number of slice elements in the object referenced by `self`.
1250 pub(crate) fn len(&self) -> usize {
1251 self.as_inner().meta().get()
1252 }
1253 }
1254}
1255
1256#[cfg(test)]
1257mod tests {
1258 use core::mem::{self, MaybeUninit};
1259
1260 use super::*;
1261 #[allow(unused)] // Needed on our MSRV, but considered unused on later toolchains.
1262 use crate::util::AsAddress;
1263 use crate::{pointer::BecauseImmutable, util::testutil::AU64, FromBytes, Immutable};
1264
1265 mod test_ptr_try_cast_into_soundness {
1266 use super::*;
1267
1268 // This test is designed so that if `Ptr::try_cast_into_xxx` are
1269 // buggy, it will manifest as unsoundness that Miri can detect.
1270
1271 // - If `size_of::<T>() == 0`, `N == 4`
1272 // - Else, `N == 4 * size_of::<T>()`
1273 //
1274 // Each test will be run for each metadata in `metas`.
1275 fn test<T, I, const N: usize>(metas: I)
1276 where
1277 T: ?Sized + KnownLayout + Immutable + FromBytes,
1278 I: IntoIterator<Item = Option<T::PointerMetadata>> + Clone,
1279 {
1280 let mut bytes = [MaybeUninit::<u8>::uninit(); N];
1281 let initialized = [MaybeUninit::new(0u8); N];
1282 for start in 0..=bytes.len() {
1283 for end in start..=bytes.len() {
1284 // Set all bytes to uninitialized other than those in
1285 // the range we're going to pass to `try_cast_from`.
1286 // This allows Miri to detect out-of-bounds reads
1287 // because they read uninitialized memory. Without this,
1288 // some out-of-bounds reads would still be in-bounds of
1289 // `bytes`, and so might spuriously be accepted.
1290 bytes = [MaybeUninit::<u8>::uninit(); N];
1291 let bytes = &mut bytes[start..end];
1292 // Initialize only the byte range we're going to pass to
1293 // `try_cast_from`.
1294 bytes.copy_from_slice(&initialized[start..end]);
1295
1296 let bytes = {
1297 let bytes: *const [MaybeUninit<u8>] = bytes;
1298 #[allow(clippy::as_conversions)]
1299 let bytes = bytes as *const [u8];
1300 // SAFETY: We just initialized these bytes to valid
1301 // `u8`s.
1302 unsafe { &*bytes }
1303 };
1304
1305 // SAFETY: The bytes in `slf` must be initialized.
1306 unsafe fn validate_and_get_len<
1307 T: ?Sized + KnownLayout + FromBytes + Immutable,
1308 >(
1309 slf: Ptr<'_, T, (Shared, Aligned, Initialized)>,
1310 ) -> usize {
1311 let t = slf.recall_validity().as_ref();
1312
1313 let bytes = {
1314 let len = mem::size_of_val(t);
1315 let t: *const T = t;
1316 // SAFETY:
1317 // - We know `t`'s bytes are all initialized
1318 // because we just read it from `slf`, which
1319 // points to an initialized range of bytes. If
1320 // there's a bug and this doesn't hold, then
1321 // that's exactly what we're hoping Miri will
1322 // catch!
1323 // - Since `T: FromBytes`, `T` doesn't contain
1324 // any `UnsafeCell`s, so it's okay for `t: T`
1325 // and a `&[u8]` to the same memory to be
1326 // alive concurrently.
1327 unsafe { core::slice::from_raw_parts(t.cast::<u8>(), len) }
1328 };
1329
1330 // This assertion ensures that `t`'s bytes are read
1331 // and compared to another value, which in turn
1332 // ensures that Miri gets a chance to notice if any
1333 // of `t`'s bytes are uninitialized, which they
1334 // shouldn't be (see the comment above).
1335 assert_eq!(bytes, vec![0u8; bytes.len()]);
1336
1337 mem::size_of_val(t)
1338 }
1339
1340 for meta in metas.clone().into_iter() {
1341 for cast_type in [CastType::Prefix, CastType::Suffix] {
1342 if let Ok((slf, remaining)) = Ptr::from_ref(bytes)
1343 .try_cast_into::<T, BecauseImmutable>(cast_type, meta)
1344 {
1345 // SAFETY: All bytes in `bytes` have been
1346 // initialized.
1347 let len = unsafe { validate_and_get_len(slf) };
1348 assert_eq!(remaining.len(), bytes.len() - len);
1349 #[allow(unstable_name_collisions)]
1350 let bytes_addr = bytes.as_ptr().addr();
1351 #[allow(unstable_name_collisions)]
1352 let remaining_addr =
1353 remaining.as_inner().as_non_null().as_ptr().addr();
1354 match cast_type {
1355 CastType::Prefix => {
1356 assert_eq!(remaining_addr, bytes_addr + len)
1357 }
1358 CastType::Suffix => assert_eq!(remaining_addr, bytes_addr),
1359 }
1360
1361 if let Some(want) = meta {
1362 let got = KnownLayout::pointer_to_metadata(
1363 slf.as_inner().as_non_null().as_ptr(),
1364 );
1365 assert_eq!(got, want);
1366 }
1367 }
1368 }
1369
1370 if let Ok(slf) = Ptr::from_ref(bytes)
1371 .try_cast_into_no_leftover::<T, BecauseImmutable>(meta)
1372 {
1373 // SAFETY: All bytes in `bytes` have been
1374 // initialized.
1375 let len = unsafe { validate_and_get_len(slf) };
1376 assert_eq!(len, bytes.len());
1377
1378 if let Some(want) = meta {
1379 let got = KnownLayout::pointer_to_metadata(
1380 slf.as_inner().as_non_null().as_ptr(),
1381 );
1382 assert_eq!(got, want);
1383 }
1384 }
1385 }
1386 }
1387 }
1388 }
1389
1390 #[derive(FromBytes, KnownLayout, Immutable)]
1391 #[repr(C)]
1392 struct SliceDst<T> {
1393 a: u8,
1394 trailing: [T],
1395 }
1396
1397 // Each test case becomes its own `#[test]` function. We do this because
1398 // this test in particular takes far, far longer to execute under Miri
1399 // than all of our other tests combined. Previously, we had these
1400 // execute sequentially in a single test function. We run Miri tests in
1401 // parallel in CI, but this test being sequential meant that most of
1402 // that parallelism was wasted, as all other tests would finish in a
1403 // fraction of the total execution time, leaving this test to execute on
1404 // a single thread for the remainder of the test. By putting each test
1405 // case in its own function, we permit better use of available
1406 // parallelism.
1407 macro_rules! test {
1408 ($test_name:ident: $ty:ty) => {
1409 #[test]
1410 #[allow(non_snake_case)]
1411 fn $test_name() {
1412 const S: usize = core::mem::size_of::<$ty>();
1413 const N: usize = if S == 0 { 4 } else { S * 4 };
1414 test::<$ty, _, N>([None]);
1415
1416 // If `$ty` is a ZST, then we can't pass `None` as the
1417 // pointer metadata, or else computing the correct trailing
1418 // slice length will panic.
1419 if S == 0 {
1420 test::<[$ty], _, N>([Some(0), Some(1), Some(2), Some(3)]);
1421 test::<SliceDst<$ty>, _, N>([Some(0), Some(1), Some(2), Some(3)]);
1422 } else {
1423 test::<[$ty], _, N>([None, Some(0), Some(1), Some(2), Some(3)]);
1424 test::<SliceDst<$ty>, _, N>([None, Some(0), Some(1), Some(2), Some(3)]);
1425 }
1426 }
1427 };
1428 ($ty:ident) => {
1429 test!($ty: $ty);
1430 };
1431 ($($ty:ident),*) => { $(test!($ty);)* }
1432 }
1433
1434 test!(empty_tuple: ());
1435 test!(u8, u16, u32, u64, u128, usize, AU64);
1436 test!(i8, i16, i32, i64, i128, isize);
1437 test!(f32, f64);
1438 }
1439
1440 #[test]
1441 fn test_try_cast_into_explicit_count() {
1442 macro_rules! test {
1443 ($ty:ty, $bytes:expr, $elems:expr, $expect:expr) => {{
1444 let bytes = [0u8; $bytes];
1445 let ptr = Ptr::from_ref(&bytes[..]);
1446 let res =
1447 ptr.try_cast_into::<$ty, BecauseImmutable>(CastType::Prefix, Some($elems));
1448 if let Some(expect) = $expect {
1449 let (ptr, _) = res.unwrap();
1450 assert_eq!(
1451 KnownLayout::pointer_to_metadata(ptr.as_inner().as_non_null().as_ptr()),
1452 expect
1453 );
1454 } else {
1455 let _ = res.unwrap_err();
1456 }
1457 }};
1458 }
1459
1460 #[derive(KnownLayout, Immutable)]
1461 #[repr(C)]
1462 struct ZstDst {
1463 u: [u8; 8],
1464 slc: [()],
1465 }
1466
1467 test!(ZstDst, 8, 0, Some(0));
1468 test!(ZstDst, 7, 0, None);
1469
1470 test!(ZstDst, 8, usize::MAX, Some(usize::MAX));
1471 test!(ZstDst, 7, usize::MAX, None);
1472
1473 #[derive(KnownLayout, Immutable)]
1474 #[repr(C)]
1475 struct Dst {
1476 u: [u8; 8],
1477 slc: [u8],
1478 }
1479
1480 test!(Dst, 8, 0, Some(0));
1481 test!(Dst, 7, 0, None);
1482
1483 test!(Dst, 9, 1, Some(1));
1484 test!(Dst, 8, 1, None);
1485
1486 // If we didn't properly check for overflow, this would cause the
1487 // metadata to overflow to 0, and thus the cast would spuriously
1488 // succeed.
1489 test!(Dst, 8, usize::MAX - 8 + 1, None);
1490 }
1491}