zerocopy/util/macro_util.rs
1// Copyright 2022 The Fuchsia Authors
2//
3// Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0
4// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
5// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
6// This file may not be copied, modified, or distributed except according to
7// those terms.
8
9//! Utilities used by macros and by `zerocopy-derive`.
10//!
11//! These are defined here `zerocopy` rather than in code generated by macros or
12//! by `zerocopy-derive` so that they can be compiled once rather than
13//! recompiled for every invocation (e.g., if they were defined in generated
14//! code, then deriving `IntoBytes` and `FromBytes` on three different types
15//! would result in the code in question being emitted and compiled six
16//! different times).
17
18#![allow(missing_debug_implementations)]
19
20// FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
21// this `cfg` when `size_of_val_raw` is stabilized.
22#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
23#[cfg(not(target_pointer_width = "16"))]
24use core::ptr::{self, NonNull};
25use core::{
26 marker::PhantomData,
27 mem::{self, ManuallyDrop},
28};
29
30use crate::{
31 pointer::{
32 invariant::{self, BecauseExclusive, BecauseImmutable, Invariants},
33 BecauseInvariantsEq, InvariantsEq, SizeEq, TryTransmuteFromPtr,
34 },
35 FromBytes, FromZeros, Immutable, IntoBytes, KnownLayout, Ptr, TryFromBytes, ValidityError,
36};
37
38/// Projects the type of the field at `Index` in `Self`.
39///
40/// The `Index` parameter is any sort of handle that identifies the field; its
41/// definition is the obligation of the implementer.
42///
43/// # Safety
44///
45/// Unsafe code may assume that this accurately reflects the definition of
46/// `Self`.
47pub unsafe trait Field<Index> {
48 /// The type of the field at `Index`.
49 type Type: ?Sized;
50}
51
52#[cfg_attr(
53 zerocopy_diagnostic_on_unimplemented_1_78_0,
54 diagnostic::on_unimplemented(
55 message = "`{T}` has {PADDING_BYTES} total byte(s) of padding",
56 label = "types with padding cannot implement `IntoBytes`",
57 note = "consider using `zerocopy::Unalign` to lower the alignment of individual fields",
58 note = "consider adding explicit fields where padding would be",
59 note = "consider using `#[repr(packed)]` to remove padding"
60 )
61)]
62pub trait PaddingFree<T: ?Sized, const PADDING_BYTES: usize> {}
63impl<T: ?Sized> PaddingFree<T, 0> for () {}
64
65// FIXME(#1112): In the slice DST case, we should delegate to *both*
66// `PaddingFree` *and* `DynamicPaddingFree` (and probably rename `PaddingFree`
67// to `StaticPaddingFree` or something - or introduce a third trait with that
68// name) so that we can have more clear error messages.
69
70#[cfg_attr(
71 zerocopy_diagnostic_on_unimplemented_1_78_0,
72 diagnostic::on_unimplemented(
73 message = "`{T}` has one or more padding bytes",
74 label = "types with padding cannot implement `IntoBytes`",
75 note = "consider using `zerocopy::Unalign` to lower the alignment of individual fields",
76 note = "consider adding explicit fields where padding would be",
77 note = "consider using `#[repr(packed)]` to remove padding"
78 )
79)]
80pub trait DynamicPaddingFree<T: ?Sized, const HAS_PADDING: bool> {}
81impl<T: ?Sized> DynamicPaddingFree<T, false> for () {}
82
83/// A type whose size is equal to `align_of::<T>()`.
84#[repr(C)]
85pub struct AlignOf<T> {
86 // This field ensures that:
87 // - The size is always at least 1 (the minimum possible alignment).
88 // - If the alignment is greater than 1, Rust has to round up to the next
89 // multiple of it in order to make sure that `Align`'s size is a multiple
90 // of that alignment. Without this field, its size could be 0, which is a
91 // valid multiple of any alignment.
92 _u: u8,
93 _a: [T; 0],
94}
95
96impl<T> AlignOf<T> {
97 #[inline(never)] // Make `missing_inline_in_public_items` happy.
98 #[cfg_attr(
99 all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS),
100 coverage(off)
101 )]
102 pub fn into_t(self) -> T {
103 unreachable!()
104 }
105}
106
107/// A type whose size is equal to `max(align_of::<T>(), align_of::<U>())`.
108#[repr(C)]
109pub union MaxAlignsOf<T, U> {
110 _t: ManuallyDrop<AlignOf<T>>,
111 _u: ManuallyDrop<AlignOf<U>>,
112}
113
114impl<T, U> MaxAlignsOf<T, U> {
115 #[inline(never)] // Make `missing_inline_in_public_items` happy.
116 #[cfg_attr(
117 all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS),
118 coverage(off)
119 )]
120 pub fn new(_t: T, _u: U) -> MaxAlignsOf<T, U> {
121 unreachable!()
122 }
123}
124
125#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
126#[cfg(not(target_pointer_width = "16"))]
127const _64K: usize = 1 << 16;
128
129// FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
130// this `cfg` when `size_of_val_raw` is stabilized.
131#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
132#[cfg(not(target_pointer_width = "16"))]
133#[repr(C, align(65536))]
134struct Aligned64kAllocation([u8; _64K]);
135
136/// A pointer to an aligned allocation of size 2^16.
137///
138/// # Safety
139///
140/// `ALIGNED_64K_ALLOCATION` is guaranteed to point to the entirety of an
141/// allocation with size and alignment 2^16, and to have valid provenance.
142// FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
143// this `cfg` when `size_of_val_raw` is stabilized.
144#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
145#[cfg(not(target_pointer_width = "16"))]
146pub const ALIGNED_64K_ALLOCATION: NonNull<[u8]> = {
147 const REF: &Aligned64kAllocation = &Aligned64kAllocation([0; _64K]);
148 let ptr: *const Aligned64kAllocation = REF;
149 let ptr: *const [u8] = ptr::slice_from_raw_parts(ptr.cast(), _64K);
150 // SAFETY:
151 // - `ptr` is derived from a Rust reference, which is guaranteed to be
152 // non-null.
153 // - `ptr` is derived from an `&Aligned64kAllocation`, which has size and
154 // alignment `_64K` as promised. Its length is initialized to `_64K`,
155 // which means that it refers to the entire allocation.
156 // - `ptr` is derived from a Rust reference, which is guaranteed to have
157 // valid provenance.
158 //
159 // FIXME(#429): Once `NonNull::new_unchecked` docs document that it
160 // preserves provenance, cite those docs.
161 // FIXME: Replace this `as` with `ptr.cast_mut()` once our MSRV >= 1.65
162 #[allow(clippy::as_conversions)]
163 unsafe {
164 NonNull::new_unchecked(ptr as *mut _)
165 }
166};
167
168/// Computes the offset of the base of the field `$trailing_field_name` within
169/// the type `$ty`.
170///
171/// `trailing_field_offset!` produces code which is valid in a `const` context.
172// FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
173// this `cfg` when `size_of_val_raw` is stabilized.
174#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
175#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
176#[macro_export]
177macro_rules! trailing_field_offset {
178 ($ty:ty, $trailing_field_name:tt) => {{
179 let min_size = {
180 let zero_elems: *const [()] =
181 $crate::util::macro_util::core_reexport::ptr::slice_from_raw_parts(
182 $crate::util::macro_util::core_reexport::ptr::NonNull::<()>::dangling()
183 .as_ptr()
184 .cast_const(),
185 0,
186 );
187 // SAFETY:
188 // - If `$ty` is `Sized`, `size_of_val_raw` is always safe to call.
189 // - Otherwise:
190 // - If `$ty` is not a slice DST, this pointer conversion will
191 // fail due to "mismatched vtable kinds", and compilation will
192 // fail.
193 // - If `$ty` is a slice DST, we have constructed `zero_elems` to
194 // have zero trailing slice elements. Per the `size_of_val_raw`
195 // docs, "For the special case where the dynamic tail length is
196 // 0, this function is safe to call." [1]
197 //
198 // [1] https://doc.rust-lang.org/nightly/std/mem/fn.size_of_val_raw.html
199 unsafe {
200 #[allow(clippy::as_conversions)]
201 $crate::util::macro_util::core_reexport::mem::size_of_val_raw(
202 zero_elems as *const $ty,
203 )
204 }
205 };
206
207 assert!(min_size <= _64K);
208
209 #[allow(clippy::as_conversions)]
210 let ptr = ALIGNED_64K_ALLOCATION.as_ptr() as *const $ty;
211
212 // SAFETY:
213 // - Thanks to the preceding `assert!`, we know that the value with zero
214 // elements fits in `_64K` bytes, and thus in the allocation addressed
215 // by `ALIGNED_64K_ALLOCATION`. The offset of the trailing field is
216 // guaranteed to be no larger than this size, so this field projection
217 // is guaranteed to remain in-bounds of its allocation.
218 // - Because the minimum size is no larger than `_64K` bytes, and
219 // because an object's size must always be a multiple of its alignment
220 // [1], we know that `$ty`'s alignment is no larger than `_64K`. The
221 // allocation addressed by `ALIGNED_64K_ALLOCATION` is guaranteed to
222 // be aligned to `_64K`, so `ptr` is guaranteed to satisfy `$ty`'s
223 // alignment.
224 // - As required by `addr_of!`, we do not write through `field`.
225 //
226 // Note that, as of [2], this requirement is technically unnecessary
227 // for Rust versions >= 1.75.0, but no harm in guaranteeing it anyway
228 // until we bump our MSRV.
229 //
230 // [1] Per https://doc.rust-lang.org/reference/type-layout.html:
231 //
232 // The size of a value is always a multiple of its alignment.
233 //
234 // [2] https://github.com/rust-lang/reference/pull/1387
235 let field = unsafe {
236 $crate::util::macro_util::core_reexport::ptr::addr_of!((*ptr).$trailing_field_name)
237 };
238 // SAFETY:
239 // - Both `ptr` and `field` are derived from the same allocated object.
240 // - By the preceding safety comment, `field` is in bounds of that
241 // allocated object.
242 // - The distance, in bytes, between `ptr` and `field` is required to be
243 // a multiple of the size of `u8`, which is trivially true because
244 // `u8`'s size is 1.
245 // - The distance, in bytes, cannot overflow `isize`. This is guaranteed
246 // because no allocated object can have a size larger than can fit in
247 // `isize`. [1]
248 // - The distance being in-bounds cannot rely on wrapping around the
249 // address space. This is guaranteed because the same is guaranteed of
250 // allocated objects. [1]
251 //
252 // [1] FIXME(#429), FIXME(https://github.com/rust-lang/rust/pull/116675):
253 // Once these are guaranteed in the Reference, cite it.
254 let offset = unsafe { field.cast::<u8>().offset_from(ptr.cast::<u8>()) };
255 // Guaranteed not to be lossy: `field` comes after `ptr`, so the offset
256 // from `ptr` to `field` is guaranteed to be positive.
257 assert!(offset >= 0);
258 Some(
259 #[allow(clippy::as_conversions)]
260 {
261 offset as usize
262 },
263 )
264 }};
265}
266
267/// Computes alignment of `$ty: ?Sized`.
268///
269/// `align_of!` produces code which is valid in a `const` context.
270// FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
271// this `cfg` when `size_of_val_raw` is stabilized.
272#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
273#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
274#[macro_export]
275macro_rules! align_of {
276 ($ty:ty) => {{
277 // SAFETY: `OffsetOfTrailingIsAlignment` is `repr(C)`, and its layout is
278 // guaranteed [1] to begin with the single-byte layout for `_byte`,
279 // followed by the padding needed to align `_trailing`, then the layout
280 // for `_trailing`, and finally any trailing padding bytes needed to
281 // correctly-align the entire struct.
282 //
283 // This macro computes the alignment of `$ty` by counting the number of
284 // bytes preceding `_trailing`. For instance, if the alignment of `$ty`
285 // is `1`, then no padding is required align `_trailing` and it will be
286 // located immediately after `_byte` at offset 1. If the alignment of
287 // `$ty` is 2, then a single padding byte is required before
288 // `_trailing`, and `_trailing` will be located at offset 2.
289
290 // This correspondence between offset and alignment holds for all valid
291 // Rust alignments, and we confirm this exhaustively (or, at least up to
292 // the maximum alignment supported by `trailing_field_offset!`) in
293 // `test_align_of_dst`.
294 //
295 // [1]: https://doc.rust-lang.org/nomicon/other-reprs.html#reprc
296
297 #[repr(C)]
298 struct OffsetOfTrailingIsAlignment {
299 _byte: u8,
300 _trailing: $ty,
301 }
302
303 trailing_field_offset!(OffsetOfTrailingIsAlignment, _trailing)
304 }};
305}
306
307mod size_to_tag {
308 pub trait SizeToTag<const SIZE: usize> {
309 type Tag;
310 }
311
312 impl SizeToTag<1> for () {
313 type Tag = u8;
314 }
315 impl SizeToTag<2> for () {
316 type Tag = u16;
317 }
318 impl SizeToTag<4> for () {
319 type Tag = u32;
320 }
321 impl SizeToTag<8> for () {
322 type Tag = u64;
323 }
324 impl SizeToTag<16> for () {
325 type Tag = u128;
326 }
327}
328
329/// An alias for the unsigned integer of the given size in bytes.
330#[doc(hidden)]
331pub type SizeToTag<const SIZE: usize> = <() as size_to_tag::SizeToTag<SIZE>>::Tag;
332
333// We put `Sized` in its own module so it can have the same name as the standard
334// library `Sized` without shadowing it in the parent module.
335#[cfg(zerocopy_diagnostic_on_unimplemented_1_78_0)]
336mod __size_of {
337 #[diagnostic::on_unimplemented(
338 message = "`{Self}` is unsized",
339 label = "`IntoBytes` needs all field types to be `Sized` in order to determine whether there is padding",
340 note = "consider using `#[repr(packed)]` to remove padding",
341 note = "`IntoBytes` does not require the fields of `#[repr(packed)]` types to be `Sized`"
342 )]
343 pub trait Sized: core::marker::Sized {}
344 impl<T: core::marker::Sized> Sized for T {}
345
346 #[inline(always)]
347 #[must_use]
348 #[allow(clippy::needless_maybe_sized)]
349 pub const fn size_of<T: Sized + ?core::marker::Sized>() -> usize {
350 core::mem::size_of::<T>()
351 }
352}
353
354#[cfg(not(zerocopy_diagnostic_on_unimplemented_1_78_0))]
355pub use core::mem::size_of;
356
357#[cfg(zerocopy_diagnostic_on_unimplemented_1_78_0)]
358pub use __size_of::size_of;
359
360/// How many padding bytes does the struct type `$t` have?
361///
362/// `$ts` is the list of the type of every field in `$t`. `$t` must be a struct
363/// type, or else `struct_padding!`'s result may be meaningless.
364///
365/// Note that `struct_padding!`'s results are independent of `repcr` since they
366/// only consider the size of the type and the sizes of the fields. Whatever the
367/// repr, the size of the type already takes into account any padding that the
368/// compiler has decided to add. Structs with well-defined representations (such
369/// as `repr(C)`) can use this macro to check for padding. Note that while this
370/// may yield some consistent value for some `repr(Rust)` structs, it is not
371/// guaranteed across platforms or compilations.
372#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
373#[macro_export]
374macro_rules! struct_padding {
375 ($t:ty, [$($ts:ty),*]) => {
376 $crate::util::macro_util::size_of::<$t>() - (0 $(+ $crate::util::macro_util::size_of::<$ts>())*)
377 };
378}
379
380/// Does the `repr(C)` struct type `$t` have padding?
381///
382/// `$ts` is the list of the type of every field in `$t`. `$t` must be a
383/// `repr(C)` struct type, or else `struct_has_padding!`'s result may be
384/// meaningless.
385#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
386#[macro_export]
387macro_rules! repr_c_struct_has_padding {
388 ($t:ty, [$($ts:tt),*]) => {{
389 let layout = $crate::DstLayout::for_repr_c_struct(
390 $crate::util::macro_util::core_reexport::option::Option::None,
391 $crate::util::macro_util::core_reexport::option::Option::None,
392 &[$($crate::repr_c_struct_has_padding!(@field $ts),)*]
393 );
394 layout.requires_static_padding() || layout.requires_dynamic_padding()
395 }};
396 (@field [$t:ty]) => {
397 <[$t] as $crate::KnownLayout>::LAYOUT
398 };
399 (@field $t:ty) => {
400 $crate::DstLayout::for_unpadded_type::<$t>()
401 };
402}
403
404/// Does the union type `$t` have padding?
405///
406/// `$ts` is the list of the type of every field in `$t`. `$t` must be a union
407/// type, or else `union_padding!`'s result may be meaningless.
408///
409/// Note that `union_padding!`'s results are independent of `repr` since they
410/// only consider the size of the type and the sizes of the fields. Whatever the
411/// repr, the size of the type already takes into account any padding that the
412/// compiler has decided to add. Unions with well-defined representations (such
413/// as `repr(C)`) can use this macro to check for padding. Note that while this
414/// may yield some consistent value for some `repr(Rust)` unions, it is not
415/// guaranteed across platforms or compilations.
416#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
417#[macro_export]
418macro_rules! union_padding {
419 ($t:ty, [$($ts:ty),*]) => {{
420 let mut max = 0;
421 $({
422 let padding = $crate::util::macro_util::size_of::<$t>() - $crate::util::macro_util::size_of::<$ts>();
423 if padding > max {
424 max = padding;
425 }
426 })*
427 max
428 }};
429}
430
431/// How many padding bytes does the enum type `$t` have?
432///
433/// `$disc` is the type of the enum tag, and `$ts` is a list of fields in each
434/// square-bracket-delimited variant. `$t` must be an enum, or else
435/// `enum_padding!`'s result may be meaningless. An enum has padding if any of
436/// its variant structs [1][2] contain padding, and so all of the variants of an
437/// enum must be "full" in order for the enum to not have padding.
438///
439/// The results of `enum_padding!` require that the enum is not `repr(Rust)`, as
440/// `repr(Rust)` enums may niche the enum's tag and reduce the total number of
441/// bytes required to represent the enum as a result. As long as the enum is
442/// `repr(C)`, `repr(int)`, or `repr(C, int)`, this will consistently return
443/// whether the enum contains any padding bytes.
444///
445/// [1]: https://doc.rust-lang.org/1.81.0/reference/type-layout.html#reprc-enums-with-fields
446/// [2]: https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-representation-of-enums-with-fields
447#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
448#[macro_export]
449macro_rules! enum_padding {
450 ($t:ty, $disc:ty, $([$($ts:ty),*]),*) => {{
451 let mut max = 0;
452 $({
453 let padding = $crate::util::macro_util::size_of::<$t>()
454 - (
455 $crate::util::macro_util::size_of::<$disc>()
456 $(+ $crate::util::macro_util::size_of::<$ts>())*
457 );
458 if padding > max {
459 max = padding;
460 }
461 })*
462 max
463 }};
464}
465
466/// Does `t` have alignment greater than or equal to `u`? If not, this macro
467/// produces a compile error. It must be invoked in a dead codepath. This is
468/// used in `transmute_ref!` and `transmute_mut!`.
469#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
470#[macro_export]
471macro_rules! assert_align_gt_eq {
472 ($t:ident, $u: ident) => {{
473 // The comments here should be read in the context of this macro's
474 // invocations in `transmute_ref!` and `transmute_mut!`.
475 if false {
476 // The type wildcard in this bound is inferred to be `T` because
477 // `align_of.into_t()` is assigned to `t` (which has type `T`).
478 let align_of: $crate::util::macro_util::AlignOf<_> = unreachable!();
479 $t = align_of.into_t();
480 // `max_aligns` is inferred to have type `MaxAlignsOf<T, U>` because
481 // of the inferred types of `t` and `u`.
482 let mut max_aligns = $crate::util::macro_util::MaxAlignsOf::new($t, $u);
483
484 // This transmute will only compile successfully if
485 // `align_of::<T>() == max(align_of::<T>(), align_of::<U>())` - in
486 // other words, if `align_of::<T>() >= align_of::<U>()`.
487 //
488 // SAFETY: This code is never run.
489 max_aligns = unsafe {
490 // Clippy: We can't annotate the types; this macro is designed
491 // to infer the types from the calling context.
492 #[allow(clippy::missing_transmute_annotations)]
493 $crate::util::macro_util::core_reexport::mem::transmute(align_of)
494 };
495 } else {
496 loop {}
497 }
498 }};
499}
500
501/// Do `t` and `u` have the same size? If not, this macro produces a compile
502/// error. It must be invoked in a dead codepath. This is used in
503/// `transmute_ref!` and `transmute_mut!`.
504#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
505#[macro_export]
506macro_rules! assert_size_eq {
507 ($t:ident, $u: ident) => {{
508 // The comments here should be read in the context of this macro's
509 // invocations in `transmute_ref!` and `transmute_mut!`.
510 if false {
511 // SAFETY: This code is never run.
512 $u = unsafe {
513 // Clippy:
514 // - It's okay to transmute a type to itself.
515 // - We can't annotate the types; this macro is designed to
516 // infer the types from the calling context.
517 #[allow(clippy::useless_transmute, clippy::missing_transmute_annotations)]
518 $crate::util::macro_util::core_reexport::mem::transmute($t)
519 };
520 } else {
521 loop {}
522 }
523 }};
524}
525
526/// Is a given source a valid instance of `Dst`?
527///
528/// If so, returns `src` casted to a `Ptr<Dst, _>`. Otherwise returns `None`.
529///
530/// # Safety
531///
532/// Unsafe code may assume that, if `try_cast_or_pme(src)` returns `Ok`,
533/// `*src` is a bit-valid instance of `Dst`, and that the size of `Src` is
534/// greater than or equal to the size of `Dst`.
535///
536/// Unsafe code may assume that, if `try_cast_or_pme(src)` returns `Err`, the
537/// encapsulated `Ptr` value is the original `src`. `try_cast_or_pme` cannot
538/// guarantee that the referent has not been modified, as it calls user-defined
539/// code (`TryFromBytes::is_bit_valid`).
540///
541/// # Panics
542///
543/// `try_cast_or_pme` may either produce a post-monomorphization error or a
544/// panic if `Dst` not the same size as `Src`. Otherwise, `try_cast_or_pme`
545/// panics under the same circumstances as [`is_bit_valid`].
546///
547/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
548#[doc(hidden)]
549#[inline]
550fn try_cast_or_pme<Src, Dst, I, R, S>(
551 src: Ptr<'_, Src, I>,
552) -> Result<
553 Ptr<'_, Dst, (I::Aliasing, invariant::Unaligned, invariant::Valid)>,
554 ValidityError<Ptr<'_, Src, I>, Dst>,
555>
556where
557 // FIXME(#2226): There should be a `Src: FromBytes` bound here, but doing so
558 // requires deeper surgery.
559 Src: invariant::Read<I::Aliasing, R>,
560 Dst: TryFromBytes
561 + invariant::Read<I::Aliasing, R>
562 + TryTransmuteFromPtr<Dst, I::Aliasing, invariant::Initialized, invariant::Valid, S>,
563 I: Invariants<Validity = invariant::Initialized>,
564 I::Aliasing: invariant::Reference,
565{
566 static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
567
568 // SAFETY: This is a pointer cast, satisfying the following properties:
569 // - `p as *mut Dst` addresses a subset of the `bytes` addressed by `src`,
570 // because we assert above that the size of `Dst` equal to the size of
571 // `Src`.
572 // - `p as *mut Dst` is a provenance-preserving cast
573 let c_ptr = unsafe { src.cast_unsized(|p| cast!(p)) };
574
575 match c_ptr.try_into_valid() {
576 Ok(ptr) => Ok(ptr),
577 Err(err) => {
578 // Re-cast `Ptr<Dst>` to `Ptr<Src>`.
579 let ptr = err.into_src();
580 // SAFETY: This is a pointer cast, satisfying the following
581 // properties:
582 // - `p as *mut Src` addresses a subset of the `bytes` addressed by
583 // `ptr`, because we assert above that the size of `Dst` is equal
584 // to the size of `Src`.
585 // - `p as *mut Src` is a provenance-preserving cast
586 let ptr = unsafe { ptr.cast_unsized(|p| cast!(p)) };
587 // SAFETY: `ptr` is `src`, and has the same alignment invariant.
588 let ptr = unsafe { ptr.assume_alignment::<I::Alignment>() };
589 // SAFETY: `ptr` is `src` and has the same validity invariant.
590 let ptr = unsafe { ptr.assume_validity::<I::Validity>() };
591 Err(ValidityError::new(ptr.unify_invariants()))
592 }
593 }
594}
595
596/// Attempts to transmute `Src` into `Dst`.
597///
598/// A helper for `try_transmute!`.
599///
600/// # Panics
601///
602/// `try_transmute` may either produce a post-monomorphization error or a panic
603/// if `Dst` is bigger than `Src`. Otherwise, `try_transmute` panics under the
604/// same circumstances as [`is_bit_valid`].
605///
606/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
607#[inline(always)]
608pub fn try_transmute<Src, Dst>(src: Src) -> Result<Dst, ValidityError<Src, Dst>>
609where
610 Src: IntoBytes,
611 Dst: TryFromBytes,
612{
613 static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
614
615 let mu_src = mem::MaybeUninit::new(src);
616 // SAFETY: By invariant on `&`, the following are satisfied:
617 // - `&mu_src` is valid for reads
618 // - `&mu_src` is properly aligned
619 // - `&mu_src`'s referent is bit-valid
620 let mu_src_copy = unsafe { core::ptr::read(&mu_src) };
621 // SAFETY: `MaybeUninit` has no validity constraints.
622 let mut mu_dst: mem::MaybeUninit<Dst> =
623 unsafe { crate::util::transmute_unchecked(mu_src_copy) };
624
625 let ptr = Ptr::from_mut(&mut mu_dst);
626
627 // SAFETY: Since `Src: IntoBytes`, and since `size_of::<Src>() ==
628 // size_of::<Dst>()` by the preceding assertion, all of `mu_dst`'s bytes are
629 // initialized.
630 let ptr = unsafe { ptr.assume_validity::<invariant::Initialized>() };
631
632 // SAFETY: `MaybeUninit<T>` and `T` have the same size [1], so this cast
633 // preserves the referent's size. This cast preserves provenance.
634 //
635 // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
636 //
637 // `MaybeUninit<T>` is guaranteed to have the same size, alignment, and
638 // ABI as `T`
639 let ptr: Ptr<'_, Dst, _> = unsafe {
640 ptr.cast_unsized(|ptr: crate::pointer::PtrInner<'_, mem::MaybeUninit<Dst>>| {
641 ptr.cast_sized()
642 })
643 };
644
645 if Dst::is_bit_valid(ptr.forget_aligned()) {
646 // SAFETY: Since `Dst::is_bit_valid`, we know that `ptr`'s referent is
647 // bit-valid for `Dst`. `ptr` points to `mu_dst`, and no intervening
648 // operations have mutated it, so it is a bit-valid `Dst`.
649 Ok(unsafe { mu_dst.assume_init() })
650 } else {
651 // SAFETY: `mu_src` was constructed from `src` and never modified, so it
652 // is still bit-valid.
653 Err(ValidityError::new(unsafe { mu_src.assume_init() }))
654 }
655}
656
657/// Attempts to transmute `&Src` into `&Dst`.
658///
659/// A helper for `try_transmute_ref!`.
660///
661/// # Panics
662///
663/// `try_transmute_ref` may either produce a post-monomorphization error or a
664/// panic if `Dst` is bigger or has a stricter alignment requirement than `Src`.
665/// Otherwise, `try_transmute_ref` panics under the same circumstances as
666/// [`is_bit_valid`].
667///
668/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
669#[inline(always)]
670pub fn try_transmute_ref<Src, Dst>(src: &Src) -> Result<&Dst, ValidityError<&Src, Dst>>
671where
672 Src: IntoBytes + Immutable,
673 Dst: TryFromBytes + Immutable,
674{
675 let ptr = Ptr::from_ref(src);
676 let ptr = ptr.bikeshed_recall_initialized_immutable();
677 match try_cast_or_pme::<Src, Dst, _, BecauseImmutable, _>(ptr) {
678 Ok(ptr) => {
679 static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
680 // SAFETY: We have checked that `Dst` does not have a stricter
681 // alignment requirement than `Src`.
682 let ptr = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
683 Ok(ptr.as_ref())
684 }
685 Err(err) => Err(err.map_src(|ptr| {
686 // SAFETY: Because `Src: Immutable` and we create a `Ptr` via
687 // `Ptr::from_ref`, the resulting `Ptr` is a shared-and-`Immutable`
688 // `Ptr`, which does not permit mutation of its referent. Therefore,
689 // no mutation could have happened during the call to
690 // `try_cast_or_pme` (any such mutation would be unsound).
691 //
692 // `try_cast_or_pme` promises to return its original argument, and
693 // so we know that we are getting back the same `ptr` that we
694 // originally passed, and that `ptr` was a bit-valid `Src`.
695 let ptr = unsafe { ptr.assume_valid() };
696 ptr.as_ref()
697 })),
698 }
699}
700
701/// Attempts to transmute `&mut Src` into `&mut Dst`.
702///
703/// A helper for `try_transmute_mut!`.
704///
705/// # Panics
706///
707/// `try_transmute_mut` may either produce a post-monomorphization error or a
708/// panic if `Dst` is bigger or has a stricter alignment requirement than `Src`.
709/// Otherwise, `try_transmute_mut` panics under the same circumstances as
710/// [`is_bit_valid`].
711///
712/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
713#[inline(always)]
714pub fn try_transmute_mut<Src, Dst>(src: &mut Src) -> Result<&mut Dst, ValidityError<&mut Src, Dst>>
715where
716 Src: FromBytes + IntoBytes,
717 Dst: TryFromBytes + IntoBytes,
718{
719 let ptr = Ptr::from_mut(src);
720 let ptr = ptr.bikeshed_recall_initialized_from_bytes();
721 match try_cast_or_pme::<Src, Dst, _, BecauseExclusive, _>(ptr) {
722 Ok(ptr) => {
723 static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
724 // SAFETY: We have checked that `Dst` does not have a stricter
725 // alignment requirement than `Src`.
726 let ptr = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
727 Ok(ptr.as_mut())
728 }
729 Err(err) => {
730 Err(err.map_src(|ptr| ptr.recall_validity::<_, (_, BecauseInvariantsEq)>().as_mut()))
731 }
732 }
733}
734
735// Used in `transmute_ref!` and friends.
736//
737// This permits us to use the autoref specialization trick to dispatch to
738// associated functions for `transmute_ref` and `transmute_mut` when both `Src`
739// and `Dst` are `Sized`, and to trait methods otherwise. The associated
740// functions, unlike the trait methods, do not require a `KnownLayout` bound.
741// This permits us to add support for transmuting references to unsized types
742// without breaking backwards-compatibility (on v0.8.x) with the old
743// implementation, which did not require a `KnownLayout` bound to transmute
744// sized types.
745#[derive(Copy, Clone)]
746pub struct Wrap<Src, Dst>(pub Src, pub PhantomData<Dst>);
747
748impl<Src, Dst> Wrap<Src, Dst> {
749 #[inline(always)]
750 pub const fn new(src: Src) -> Self {
751 Wrap(src, PhantomData)
752 }
753}
754
755impl<'a, Src, Dst> Wrap<&'a Src, &'a Dst> {
756 /// # Safety
757 /// The caller must guarantee that:
758 /// - `Src: IntoBytes + Immutable`
759 /// - `Dst: FromBytes + Immutable`
760 ///
761 /// # PME
762 ///
763 /// Instantiating this method PMEs unless both:
764 /// - `mem::size_of::<Dst>() == mem::size_of::<Src>()`
765 /// - `mem::align_of::<Dst>() <= mem::align_of::<Src>()`
766 #[inline(always)]
767 #[must_use]
768 pub const unsafe fn transmute_ref(self) -> &'a Dst {
769 static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
770 static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
771
772 let src: *const Src = self.0;
773 let dst = src.cast::<Dst>();
774 // SAFETY:
775 // - We know that it is sound to view the target type of the input reference
776 // (`Src`) as the target type of the output reference (`Dst`) because the
777 // caller has guaranteed that `Src: IntoBytes`, `Dst: FromBytes`, and
778 // `size_of::<Src>() == size_of::<Dst>()`.
779 // - We know that there are no `UnsafeCell`s, and thus we don't have to
780 // worry about `UnsafeCell` overlap, because `Src: Immutable` and `Dst:
781 // Immutable`.
782 // - The caller has guaranteed that alignment is not increased.
783 // - We know that the returned lifetime will not outlive the input lifetime
784 // thanks to the lifetime bounds on this function.
785 //
786 // FIXME(#67): Once our MSRV is 1.58, replace this `transmute` with `&*dst`.
787 #[allow(clippy::transmute_ptr_to_ref)]
788 unsafe {
789 mem::transmute(dst)
790 }
791 }
792}
793
794impl<'a, Src, Dst> Wrap<&'a mut Src, &'a mut Dst> {
795 /// Transmutes a mutable reference of one type to a mutable reference of another
796 /// type.
797 ///
798 /// # PME
799 ///
800 /// Instantiating this method PMEs unless both:
801 /// - `mem::size_of::<Dst>() == mem::size_of::<Src>()`
802 /// - `mem::align_of::<Dst>() <= mem::align_of::<Src>()`
803 #[inline(always)]
804 #[must_use]
805 pub fn transmute_mut(self) -> &'a mut Dst
806 where
807 Src: FromBytes + IntoBytes,
808 Dst: FromBytes + IntoBytes,
809 {
810 static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
811 static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
812
813 let src: *mut Src = self.0;
814 let dst = src.cast::<Dst>();
815 // SAFETY:
816 // - We know that it is sound to view the target type of the input
817 // reference (`Src`) as the target type of the output reference
818 // (`Dst`) and vice-versa because `Src: FromBytes + IntoBytes`, `Dst:
819 // FromBytes + IntoBytes`, and (as asserted above) `size_of::<Src>()
820 // == size_of::<Dst>()`.
821 // - We asserted above that alignment will not increase.
822 // - We know that the returned lifetime will not outlive the input
823 // lifetime thanks to the lifetime bounds on this function.
824 unsafe { &mut *dst }
825 }
826}
827
828pub trait TransmuteRefDst<'a> {
829 type Dst: ?Sized;
830
831 #[must_use]
832 fn transmute_ref(self) -> &'a Self::Dst;
833}
834
835impl<'a, Src: ?Sized, Dst: ?Sized> TransmuteRefDst<'a> for Wrap<&'a Src, &'a Dst>
836where
837 Src: KnownLayout<PointerMetadata = usize> + IntoBytes + Immutable,
838 Dst: KnownLayout<PointerMetadata = usize> + FromBytes + Immutable,
839{
840 type Dst = Dst;
841
842 #[inline(always)]
843 fn transmute_ref(self) -> &'a Dst {
844 static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => {
845 Src::LAYOUT.align.get() >= Dst::LAYOUT.align.get()
846 }, "cannot transmute reference when destination type has higher alignment than source type");
847
848 // SAFETY: We only use `S` as `S<Src>` and `D` as `D<Dst>`.
849 unsafe {
850 unsafe_with_size_eq!(<S<Src>, D<Dst>> {
851 let ptr = Ptr::from_ref(self.0)
852 .transmute::<S<Src>, invariant::Valid, BecauseImmutable>()
853 .recall_validity::<invariant::Initialized, _>()
854 .transmute::<D<Dst>, invariant::Initialized, (crate::pointer::BecauseMutationCompatible, _)>()
855 .recall_validity::<invariant::Valid, _>();
856
857 #[allow(unused_unsafe)]
858 // SAFETY: The preceding `static_assert!` ensures that
859 // `T::LAYOUT.align >= U::LAYOUT.align`. Since `self.0` is
860 // validly-aligned for `T`, it is also validly-aligned for `U`.
861 let ptr = unsafe { ptr.assume_alignment() };
862
863 &ptr.as_ref().0
864 })
865 }
866 }
867}
868
869pub trait TransmuteMutDst<'a> {
870 type Dst: ?Sized;
871 #[must_use]
872 fn transmute_mut(self) -> &'a mut Self::Dst;
873}
874
875impl<'a, Src: ?Sized, Dst: ?Sized> TransmuteMutDst<'a> for Wrap<&'a mut Src, &'a mut Dst>
876where
877 Src: KnownLayout<PointerMetadata = usize> + FromBytes + IntoBytes,
878 Dst: KnownLayout<PointerMetadata = usize> + FromBytes + IntoBytes,
879{
880 type Dst = Dst;
881
882 #[inline(always)]
883 fn transmute_mut(self) -> &'a mut Dst {
884 static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => {
885 Src::LAYOUT.align.get() >= Dst::LAYOUT.align.get()
886 }, "cannot transmute reference when destination type has higher alignment than source type");
887
888 // SAFETY: We only use `S` as `S<Src>` and `D` as `D<Dst>`.
889 unsafe {
890 unsafe_with_size_eq!(<S<Src>, D<Dst>> {
891 let ptr = Ptr::from_mut(self.0)
892 .transmute::<S<Src>, invariant::Valid, _>()
893 .recall_validity::<invariant::Initialized, (_, (_, _))>()
894 .transmute::<D<Dst>, invariant::Initialized, _>()
895 .recall_validity::<invariant::Valid, (_, (_, _))>();
896
897 #[allow(unused_unsafe)]
898 // SAFETY: The preceding `static_assert!` ensures that
899 // `T::LAYOUT.align >= U::LAYOUT.align`. Since `self.0` is
900 // validly-aligned for `T`, it is also validly-aligned for `U`.
901 let ptr = unsafe { ptr.assume_alignment() };
902
903 &mut ptr.as_mut().0
904 })
905 }
906 }
907}
908
909/// A function which emits a warning if its return value is not used.
910#[must_use]
911#[inline(always)]
912pub const fn must_use<T>(t: T) -> T {
913 t
914}
915
916// NOTE: We can't change this to a `pub use core as core_reexport` until [1] is
917// fixed or we update to a semver-breaking version (as of this writing, 0.8.0)
918// on the `main` branch.
919//
920// [1] https://github.com/obi1kenobi/cargo-semver-checks/issues/573
921pub mod core_reexport {
922 pub use core::*;
923
924 pub mod mem {
925 pub use core::mem::*;
926 }
927}
928
929#[cfg(test)]
930mod tests {
931 use super::*;
932 use crate::util::testutil::*;
933
934 #[test]
935 fn test_align_of() {
936 macro_rules! test {
937 ($ty:ty) => {
938 assert_eq!(mem::size_of::<AlignOf<$ty>>(), mem::align_of::<$ty>());
939 };
940 }
941
942 test!(());
943 test!(u8);
944 test!(AU64);
945 test!([AU64; 2]);
946 }
947
948 #[test]
949 fn test_max_aligns_of() {
950 macro_rules! test {
951 ($t:ty, $u:ty) => {
952 assert_eq!(
953 mem::size_of::<MaxAlignsOf<$t, $u>>(),
954 core::cmp::max(mem::align_of::<$t>(), mem::align_of::<$u>())
955 );
956 };
957 }
958
959 test!(u8, u8);
960 test!(u8, AU64);
961 test!(AU64, u8);
962 }
963
964 #[test]
965 fn test_typed_align_check() {
966 // Test that the type-based alignment check used in
967 // `assert_align_gt_eq!` behaves as expected.
968
969 macro_rules! assert_t_align_gteq_u_align {
970 ($t:ty, $u:ty, $gteq:expr) => {
971 assert_eq!(
972 mem::size_of::<MaxAlignsOf<$t, $u>>() == mem::size_of::<AlignOf<$t>>(),
973 $gteq
974 );
975 };
976 }
977
978 assert_t_align_gteq_u_align!(u8, u8, true);
979 assert_t_align_gteq_u_align!(AU64, AU64, true);
980 assert_t_align_gteq_u_align!(AU64, u8, true);
981 assert_t_align_gteq_u_align!(u8, AU64, false);
982 }
983
984 // FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
985 // this `cfg` when `size_of_val_raw` is stabilized.
986 #[allow(clippy::decimal_literal_representation)]
987 #[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
988 #[test]
989 fn test_trailing_field_offset() {
990 assert_eq!(mem::align_of::<Aligned64kAllocation>(), _64K);
991
992 macro_rules! test {
993 (#[$cfg:meta] ($($ts:ty),* ; $trailing_field_ty:ty) => $expect:expr) => {{
994 #[$cfg]
995 struct Test($(#[allow(dead_code)] $ts,)* #[allow(dead_code)] $trailing_field_ty);
996 assert_eq!(test!(@offset $($ts),* ; $trailing_field_ty), $expect);
997 }};
998 (#[$cfg:meta] $(#[$cfgs:meta])* ($($ts:ty),* ; $trailing_field_ty:ty) => $expect:expr) => {
999 test!(#[$cfg] ($($ts),* ; $trailing_field_ty) => $expect);
1000 test!($(#[$cfgs])* ($($ts),* ; $trailing_field_ty) => $expect);
1001 };
1002 (@offset ; $_trailing:ty) => { trailing_field_offset!(Test, 0) };
1003 (@offset $_t:ty ; $_trailing:ty) => { trailing_field_offset!(Test, 1) };
1004 }
1005
1006 test!(#[repr(C)] #[repr(transparent)] #[repr(packed)](; u8) => Some(0));
1007 test!(#[repr(C)] #[repr(transparent)] #[repr(packed)](; [u8]) => Some(0));
1008 test!(#[repr(C)] #[repr(C, packed)] (u8; u8) => Some(1));
1009 test!(#[repr(C)] (; AU64) => Some(0));
1010 test!(#[repr(C)] (; [AU64]) => Some(0));
1011 test!(#[repr(C)] (u8; AU64) => Some(8));
1012 test!(#[repr(C)] (u8; [AU64]) => Some(8));
1013
1014 #[derive(
1015 Immutable, FromBytes, Eq, PartialEq, Ord, PartialOrd, Default, Debug, Copy, Clone,
1016 )]
1017 #[repr(C)]
1018 pub(crate) struct Nested<T, U: ?Sized> {
1019 _t: T,
1020 _u: U,
1021 }
1022
1023 test!(#[repr(C)] (; Nested<u8, AU64>) => Some(0));
1024 test!(#[repr(C)] (; Nested<u8, [AU64]>) => Some(0));
1025 test!(#[repr(C)] (u8; Nested<u8, AU64>) => Some(8));
1026 test!(#[repr(C)] (u8; Nested<u8, [AU64]>) => Some(8));
1027
1028 // Test that `packed(N)` limits the offset of the trailing field.
1029 test!(#[repr(C, packed( 1))] (u8; elain::Align< 2>) => Some( 1));
1030 test!(#[repr(C, packed( 2))] (u8; elain::Align< 4>) => Some( 2));
1031 test!(#[repr(C, packed( 4))] (u8; elain::Align< 8>) => Some( 4));
1032 test!(#[repr(C, packed( 8))] (u8; elain::Align< 16>) => Some( 8));
1033 test!(#[repr(C, packed( 16))] (u8; elain::Align< 32>) => Some( 16));
1034 test!(#[repr(C, packed( 32))] (u8; elain::Align< 64>) => Some( 32));
1035 test!(#[repr(C, packed( 64))] (u8; elain::Align< 128>) => Some( 64));
1036 test!(#[repr(C, packed( 128))] (u8; elain::Align< 256>) => Some( 128));
1037 test!(#[repr(C, packed( 256))] (u8; elain::Align< 512>) => Some( 256));
1038 test!(#[repr(C, packed( 512))] (u8; elain::Align< 1024>) => Some( 512));
1039 test!(#[repr(C, packed( 1024))] (u8; elain::Align< 2048>) => Some( 1024));
1040 test!(#[repr(C, packed( 2048))] (u8; elain::Align< 4096>) => Some( 2048));
1041 test!(#[repr(C, packed( 4096))] (u8; elain::Align< 8192>) => Some( 4096));
1042 test!(#[repr(C, packed( 8192))] (u8; elain::Align< 16384>) => Some( 8192));
1043 test!(#[repr(C, packed( 16384))] (u8; elain::Align< 32768>) => Some( 16384));
1044 test!(#[repr(C, packed( 32768))] (u8; elain::Align< 65536>) => Some( 32768));
1045 test!(#[repr(C, packed( 65536))] (u8; elain::Align< 131072>) => Some( 65536));
1046 /* Alignments above 65536 are not yet supported.
1047 test!(#[repr(C, packed( 131072))] (u8; elain::Align< 262144>) => Some( 131072));
1048 test!(#[repr(C, packed( 262144))] (u8; elain::Align< 524288>) => Some( 262144));
1049 test!(#[repr(C, packed( 524288))] (u8; elain::Align< 1048576>) => Some( 524288));
1050 test!(#[repr(C, packed( 1048576))] (u8; elain::Align< 2097152>) => Some( 1048576));
1051 test!(#[repr(C, packed( 2097152))] (u8; elain::Align< 4194304>) => Some( 2097152));
1052 test!(#[repr(C, packed( 4194304))] (u8; elain::Align< 8388608>) => Some( 4194304));
1053 test!(#[repr(C, packed( 8388608))] (u8; elain::Align< 16777216>) => Some( 8388608));
1054 test!(#[repr(C, packed( 16777216))] (u8; elain::Align< 33554432>) => Some( 16777216));
1055 test!(#[repr(C, packed( 33554432))] (u8; elain::Align< 67108864>) => Some( 33554432));
1056 test!(#[repr(C, packed( 67108864))] (u8; elain::Align< 33554432>) => Some( 67108864));
1057 test!(#[repr(C, packed( 33554432))] (u8; elain::Align<134217728>) => Some( 33554432));
1058 test!(#[repr(C, packed(134217728))] (u8; elain::Align<268435456>) => Some(134217728));
1059 test!(#[repr(C, packed(268435456))] (u8; elain::Align<268435456>) => Some(268435456));
1060 */
1061
1062 // Test that `align(N)` does not limit the offset of the trailing field.
1063 test!(#[repr(C, align( 1))] (u8; elain::Align< 2>) => Some( 2));
1064 test!(#[repr(C, align( 2))] (u8; elain::Align< 4>) => Some( 4));
1065 test!(#[repr(C, align( 4))] (u8; elain::Align< 8>) => Some( 8));
1066 test!(#[repr(C, align( 8))] (u8; elain::Align< 16>) => Some( 16));
1067 test!(#[repr(C, align( 16))] (u8; elain::Align< 32>) => Some( 32));
1068 test!(#[repr(C, align( 32))] (u8; elain::Align< 64>) => Some( 64));
1069 test!(#[repr(C, align( 64))] (u8; elain::Align< 128>) => Some( 128));
1070 test!(#[repr(C, align( 128))] (u8; elain::Align< 256>) => Some( 256));
1071 test!(#[repr(C, align( 256))] (u8; elain::Align< 512>) => Some( 512));
1072 test!(#[repr(C, align( 512))] (u8; elain::Align< 1024>) => Some( 1024));
1073 test!(#[repr(C, align( 1024))] (u8; elain::Align< 2048>) => Some( 2048));
1074 test!(#[repr(C, align( 2048))] (u8; elain::Align< 4096>) => Some( 4096));
1075 test!(#[repr(C, align( 4096))] (u8; elain::Align< 8192>) => Some( 8192));
1076 test!(#[repr(C, align( 8192))] (u8; elain::Align< 16384>) => Some( 16384));
1077 test!(#[repr(C, align( 16384))] (u8; elain::Align< 32768>) => Some( 32768));
1078 test!(#[repr(C, align( 32768))] (u8; elain::Align< 65536>) => Some( 65536));
1079 /* Alignments above 65536 are not yet supported.
1080 test!(#[repr(C, align( 65536))] (u8; elain::Align< 131072>) => Some( 131072));
1081 test!(#[repr(C, align( 131072))] (u8; elain::Align< 262144>) => Some( 262144));
1082 test!(#[repr(C, align( 262144))] (u8; elain::Align< 524288>) => Some( 524288));
1083 test!(#[repr(C, align( 524288))] (u8; elain::Align< 1048576>) => Some( 1048576));
1084 test!(#[repr(C, align( 1048576))] (u8; elain::Align< 2097152>) => Some( 2097152));
1085 test!(#[repr(C, align( 2097152))] (u8; elain::Align< 4194304>) => Some( 4194304));
1086 test!(#[repr(C, align( 4194304))] (u8; elain::Align< 8388608>) => Some( 8388608));
1087 test!(#[repr(C, align( 8388608))] (u8; elain::Align< 16777216>) => Some( 16777216));
1088 test!(#[repr(C, align( 16777216))] (u8; elain::Align< 33554432>) => Some( 33554432));
1089 test!(#[repr(C, align( 33554432))] (u8; elain::Align< 67108864>) => Some( 67108864));
1090 test!(#[repr(C, align( 67108864))] (u8; elain::Align< 33554432>) => Some( 33554432));
1091 test!(#[repr(C, align( 33554432))] (u8; elain::Align<134217728>) => Some(134217728));
1092 test!(#[repr(C, align(134217728))] (u8; elain::Align<268435456>) => Some(268435456));
1093 */
1094 }
1095
1096 // FIXME(#29), FIXME(https://github.com/rust-lang/rust/issues/69835): Remove
1097 // this `cfg` when `size_of_val_raw` is stabilized.
1098 #[allow(clippy::decimal_literal_representation)]
1099 #[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
1100 #[test]
1101 fn test_align_of_dst() {
1102 // Test that `align_of!` correctly computes the alignment of DSTs.
1103 assert_eq!(align_of!([elain::Align<1>]), Some(1));
1104 assert_eq!(align_of!([elain::Align<2>]), Some(2));
1105 assert_eq!(align_of!([elain::Align<4>]), Some(4));
1106 assert_eq!(align_of!([elain::Align<8>]), Some(8));
1107 assert_eq!(align_of!([elain::Align<16>]), Some(16));
1108 assert_eq!(align_of!([elain::Align<32>]), Some(32));
1109 assert_eq!(align_of!([elain::Align<64>]), Some(64));
1110 assert_eq!(align_of!([elain::Align<128>]), Some(128));
1111 assert_eq!(align_of!([elain::Align<256>]), Some(256));
1112 assert_eq!(align_of!([elain::Align<512>]), Some(512));
1113 assert_eq!(align_of!([elain::Align<1024>]), Some(1024));
1114 assert_eq!(align_of!([elain::Align<2048>]), Some(2048));
1115 assert_eq!(align_of!([elain::Align<4096>]), Some(4096));
1116 assert_eq!(align_of!([elain::Align<8192>]), Some(8192));
1117 assert_eq!(align_of!([elain::Align<16384>]), Some(16384));
1118 assert_eq!(align_of!([elain::Align<32768>]), Some(32768));
1119 assert_eq!(align_of!([elain::Align<65536>]), Some(65536));
1120 /* Alignments above 65536 are not yet supported.
1121 assert_eq!(align_of!([elain::Align<131072>]), Some(131072));
1122 assert_eq!(align_of!([elain::Align<262144>]), Some(262144));
1123 assert_eq!(align_of!([elain::Align<524288>]), Some(524288));
1124 assert_eq!(align_of!([elain::Align<1048576>]), Some(1048576));
1125 assert_eq!(align_of!([elain::Align<2097152>]), Some(2097152));
1126 assert_eq!(align_of!([elain::Align<4194304>]), Some(4194304));
1127 assert_eq!(align_of!([elain::Align<8388608>]), Some(8388608));
1128 assert_eq!(align_of!([elain::Align<16777216>]), Some(16777216));
1129 assert_eq!(align_of!([elain::Align<33554432>]), Some(33554432));
1130 assert_eq!(align_of!([elain::Align<67108864>]), Some(67108864));
1131 assert_eq!(align_of!([elain::Align<33554432>]), Some(33554432));
1132 assert_eq!(align_of!([elain::Align<134217728>]), Some(134217728));
1133 assert_eq!(align_of!([elain::Align<268435456>]), Some(268435456));
1134 */
1135 }
1136
1137 #[test]
1138 fn test_enum_casts() {
1139 // Test that casting the variants of enums with signed integer reprs to
1140 // unsigned integers obeys expected signed -> unsigned casting rules.
1141
1142 #[repr(i8)]
1143 enum ReprI8 {
1144 MinusOne = -1,
1145 Zero = 0,
1146 Min = i8::MIN,
1147 Max = i8::MAX,
1148 }
1149
1150 #[allow(clippy::as_conversions)]
1151 let x = ReprI8::MinusOne as u8;
1152 assert_eq!(x, u8::MAX);
1153
1154 #[allow(clippy::as_conversions)]
1155 let x = ReprI8::Zero as u8;
1156 assert_eq!(x, 0);
1157
1158 #[allow(clippy::as_conversions)]
1159 let x = ReprI8::Min as u8;
1160 assert_eq!(x, 128);
1161
1162 #[allow(clippy::as_conversions)]
1163 let x = ReprI8::Max as u8;
1164 assert_eq!(x, 127);
1165 }
1166
1167 #[test]
1168 fn test_struct_padding() {
1169 // Test that, for each provided repr, `struct_padding!` reports the
1170 // expected value.
1171 macro_rules! test {
1172 (#[$cfg:meta] ($($ts:ty),*) => $expect:expr) => {{
1173 #[$cfg]
1174 #[allow(dead_code)]
1175 struct Test($($ts),*);
1176 assert_eq!(struct_padding!(Test, [$($ts),*]), $expect);
1177 }};
1178 (#[$cfg:meta] $(#[$cfgs:meta])* ($($ts:ty),*) => $expect:expr) => {
1179 test!(#[$cfg] ($($ts),*) => $expect);
1180 test!($(#[$cfgs])* ($($ts),*) => $expect);
1181 };
1182 }
1183
1184 test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] () => 0);
1185 test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] (u8) => 0);
1186 test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] (u8, ()) => 0);
1187 test!(#[repr(C)] #[repr(packed)] (u8, u8) => 0);
1188
1189 test!(#[repr(C)] (u8, AU64) => 7);
1190 // Rust won't let you put `#[repr(packed)]` on a type which contains a
1191 // `#[repr(align(n > 1))]` type (`AU64`), so we have to use `u64` here.
1192 // It's not ideal, but it definitely has align > 1 on /some/ of our CI
1193 // targets, and this isn't a particularly complex macro we're testing
1194 // anyway.
1195 test!(#[repr(packed)] (u8, u64) => 0);
1196 }
1197
1198 #[test]
1199 fn test_repr_c_struct_padding() {
1200 // Test that, for each provided repr, `repr_c_struct_padding!` reports
1201 // the expected value.
1202 macro_rules! test {
1203 (($($ts:tt),*) => $expect:expr) => {{
1204 #[repr(C)]
1205 #[allow(dead_code)]
1206 struct Test($($ts),*);
1207 assert_eq!(repr_c_struct_has_padding!(Test, [$($ts),*]), $expect);
1208 }};
1209 }
1210
1211 // Test static padding
1212 test!(() => false);
1213 test!(([u8]) => false);
1214 test!((u8) => false);
1215 test!((u8, [u8]) => false);
1216 test!((u8, ()) => false);
1217 test!((u8, (), [u8]) => false);
1218 test!((u8, u8) => false);
1219 test!((u8, u8, [u8]) => false);
1220
1221 test!((u8, AU64) => true);
1222 test!((u8, AU64, [u8]) => true);
1223
1224 // Test dynamic padding
1225 test!((AU64, [AU64]) => false);
1226 test!((u8, [AU64]) => true);
1227
1228 #[repr(align(4))]
1229 struct AU32(#[allow(unused)] u32);
1230 test!((AU64, [AU64]) => false);
1231 test!((AU64, [AU32]) => true);
1232 }
1233
1234 #[test]
1235 fn test_union_padding() {
1236 // Test that, for each provided repr, `union_padding!` reports the
1237 // expected value.
1238 macro_rules! test {
1239 (#[$cfg:meta] {$($fs:ident: $ts:ty),*} => $expect:expr) => {{
1240 #[$cfg]
1241 #[allow(unused)] // fields are never read
1242 union Test{ $($fs: $ts),* }
1243 assert_eq!(union_padding!(Test, [$($ts),*]), $expect);
1244 }};
1245 (#[$cfg:meta] $(#[$cfgs:meta])* {$($fs:ident: $ts:ty),*} => $expect:expr) => {
1246 test!(#[$cfg] {$($fs: $ts),*} => $expect);
1247 test!($(#[$cfgs])* {$($fs: $ts),*} => $expect);
1248 };
1249 }
1250
1251 test!(#[repr(C)] #[repr(packed)] {a: u8} => 0);
1252 test!(#[repr(C)] #[repr(packed)] {a: u8, b: u8} => 0);
1253
1254 // Rust won't let you put `#[repr(packed)]` on a type which contains a
1255 // `#[repr(align(n > 1))]` type (`AU64`), so we have to use `u64` here.
1256 // It's not ideal, but it definitely has align > 1 on /some/ of our CI
1257 // targets, and this isn't a particularly complex macro we're testing
1258 // anyway.
1259 test!(#[repr(C)] #[repr(packed)] {a: u8, b: u64} => 7);
1260 }
1261
1262 #[test]
1263 fn test_enum_padding() {
1264 // Test that, for each provided repr, `enum_has_padding!` reports the
1265 // expected value.
1266 macro_rules! test {
1267 (#[repr($disc:ident $(, $c:ident)?)] { $($vs:ident ($($ts:ty),*),)* } => $expect:expr) => {
1268 test!(@case #[repr($disc $(, $c)?)] { $($vs ($($ts),*),)* } => $expect);
1269 };
1270 (#[repr($disc:ident $(, $c:ident)?)] #[$cfg:meta] $(#[$cfgs:meta])* { $($vs:ident ($($ts:ty),*),)* } => $expect:expr) => {
1271 test!(@case #[repr($disc $(, $c)?)] #[$cfg] { $($vs ($($ts),*),)* } => $expect);
1272 test!(#[repr($disc $(, $c)?)] $(#[$cfgs])* { $($vs ($($ts),*),)* } => $expect);
1273 };
1274 (@case #[repr($disc:ident $(, $c:ident)?)] $(#[$cfg:meta])? { $($vs:ident ($($ts:ty),*),)* } => $expect:expr) => {{
1275 #[repr($disc $(, $c)?)]
1276 $(#[$cfg])?
1277 #[allow(unused)] // variants and fields are never used
1278 enum Test {
1279 $($vs ($($ts),*),)*
1280 }
1281 assert_eq!(
1282 enum_padding!(Test, $disc, $([$($ts),*]),*),
1283 $expect
1284 );
1285 }};
1286 }
1287
1288 #[allow(unused)]
1289 #[repr(align(2))]
1290 struct U16(u16);
1291
1292 #[allow(unused)]
1293 #[repr(align(4))]
1294 struct U32(u32);
1295
1296 test!(#[repr(u8)] #[repr(C)] {
1297 A(u8),
1298 } => 0);
1299 test!(#[repr(u16)] #[repr(C)] {
1300 A(u8, u8),
1301 B(U16),
1302 } => 0);
1303 test!(#[repr(u32)] #[repr(C)] {
1304 A(u8, u8, u8, u8),
1305 B(U16, u8, u8),
1306 C(u8, u8, U16),
1307 D(U16, U16),
1308 E(U32),
1309 } => 0);
1310
1311 // `repr(int)` can pack the discriminant more efficiently
1312 test!(#[repr(u8)] {
1313 A(u8, U16),
1314 } => 0);
1315 test!(#[repr(u8)] {
1316 A(u8, U16, U32),
1317 } => 0);
1318
1319 // `repr(C)` cannot
1320 test!(#[repr(u8, C)] {
1321 A(u8, U16),
1322 } => 2);
1323 test!(#[repr(u8, C)] {
1324 A(u8, u8, u8, U32),
1325 } => 4);
1326
1327 // And field ordering can always cause problems
1328 test!(#[repr(u8)] #[repr(C)] {
1329 A(U16, u8),
1330 } => 2);
1331 test!(#[repr(u8)] #[repr(C)] {
1332 A(U32, u8, u8, u8),
1333 } => 4);
1334 }
1335}