[pointer][WIP] Transmute

gherrit-pr-id: Iad14813bc6d933312bc8d7a1ddcf1aafc7126938

Author: joshlf

src/impls.rs

@@ -805,6 +805,17 @@ pub unsafe trait KnownLayout {
         // resulting size would not fit in a `usize`.
         meta.size_for_metadata(Self::LAYOUT)
     }
+
+    #[doc(hidden)]
+    #[must_use]
+    #[inline(always)]
+    fn cast_from_raw<P: KnownLayout<PointerMetadata = Self::PointerMetadata> + ?Sized>(
+        ptr: NonNull<P>,
+    ) -> NonNull<Self> {
+        let data = ptr.cast::<u8>();
+        let meta = P::pointer_to_metadata(ptr.as_ptr());
+        Self::raw_from_ptr_len(data, meta)
+    }
 }
 
 /// The metadata associated with a [`KnownLayout`] type.
@@ -2843,29 +2854,43 @@ unsafe fn try_read_from<S, T: TryFromBytes>(
     // We use `from_mut` despite not mutating via `c_ptr` so that we don't need
     // to add a `T: Immutable` bound.
     let c_ptr = Ptr::from_mut(&mut candidate);
-    let c_ptr = c_ptr.transparent_wrapper_into_inner();
     // SAFETY: `c_ptr` has no uninitialized sub-ranges because it derived from
     // `candidate`, which the caller promises is entirely initialized. Since
     // `candidate` is a `MaybeUninit`, it has no validity requirements, and so
-    // no values written to `c_ptr` can violate its validity. Since `c_ptr` has
-    // `Exclusive` aliasing, no mutations may happen except via `c_ptr` so long
-    // as it is live, so we don't need to worry about the fact that `c_ptr` may
-    // have more restricted validity than `candidate`.
+    // no values written to an `Initialized` `c_ptr` can violate its validity.
+    // Since `c_ptr` has `Exclusive` aliasing, no mutations may happen except
+    // via `c_ptr` so long as it is live, so we don't need to worry about the
+    // fact that `c_ptr` may have more restricted validity than `candidate`.
     let c_ptr = unsafe { c_ptr.assume_validity::<invariant::Initialized>() };
+    let c_ptr = c_ptr.transmute();
 
+    // Since we don't have `T: KnownLayout`, we hack around that by using
+    // `Wrapping<T>`, which implements `KnownLayout` even if `T` doesn't.
+    //
     // This call may panic. If that happens, it doesn't cause any soundness
-    // issues, as we have not generated any invalid state which we need to
-    // fix before returning.
+    // issues, as we have not generated any invalid state which we need to fix
+    // before returning.
     //
-    // Note that one panic or post-monomorphization error condition is
-    // calling `try_into_valid` (and thus `is_bit_valid`) with a shared
-    // pointer when `Self: !Immutable`. Since `Self: Immutable`, this panic
-    // condition will not happen.
-    if !T::is_bit_valid(c_ptr.forget_aligned()) {
+    // Note that one panic or post-monomorphization error condition is calling
+    // `try_into_valid` (and thus `is_bit_valid`) with a shared pointer when
+    // `Self: !Immutable`. Since `Self: Immutable`, this panic condition will
+    // not happen.
+    if !Wrapping::<T>::is_bit_valid(c_ptr.forget_aligned()) {
         return Err(ValidityError::new(source).into());
     }
 
-    // SAFETY: We just validated that `candidate` contains a valid `T`.
+    fn _assert_same_size_and_validity<T>()
+    where
+        Wrapping<T>: pointer::TransmuteFrom<T, invariant::Valid, invariant::Valid>,
+        T: pointer::TransmuteFrom<Wrapping<T>, invariant::Valid, invariant::Valid>,
+    {
+    }
+
+    _assert_same_size_and_validity::<T>();
+
+    // SAFETY: We just validated that `candidate` contains a valid
+    // `Wrapping<T>`, which has the same size and bit validity as `T`, as
+    // guaranteed by the preceding type assertion.
     Ok(unsafe { candidate.assume_init() })
 }
 
@@ -4258,7 +4283,9 @@ pub unsafe trait FromBytes: FromZeros {
         let source = Ptr::from_mut(source);
         let maybe_slf = source.try_cast_into_no_leftover::<_, BecauseImmutable>(Some(count));
         match maybe_slf {
-            Ok(slf) => Ok(slf.bikeshed_recall_valid().as_mut()),
+            Ok(slf) => Ok(slf
+                .bikeshed_recall_valid::<(_, (_, (BecauseExclusive, BecauseExclusive)))>()
+                .as_mut()),
             Err(err) => Err(err.map_src(|s| s.as_mut())),
         }
     }
@@ -4728,7 +4755,7 @@ fn ref_from_prefix_suffix<T: FromBytes + KnownLayout + Immutable + ?Sized>(
 /// If there are insufficient bytes, or if that affix of `source` is not
 /// appropriately aligned, this returns `Err`.
 #[inline(always)]
-fn mut_from_prefix_suffix<T: FromBytes + KnownLayout + ?Sized>(
+fn mut_from_prefix_suffix<T: FromBytes + IntoBytes + KnownLayout + ?Sized>(
     source: &mut [u8],
     meta: Option<T::PointerMetadata>,
     cast_type: CastType,

src/lib.rs

@@ -178,7 +178,8 @@ pub enum Initialized {}
 // required to uphold).
 unsafe impl Validity for Initialized {}
 
-/// The referent of a `Ptr<T>` is bit-valid for `T`.
+/// The referent of a `Ptr<T>` is valid for `T`, upholding bit validity and any
+/// library safety invariants.
 pub enum Valid {}
 // SAFETY: `Valid`'s validity is well-defined for all `T: ?Sized`, and is not a
 // function of any property of `T` other than its bit validity.

src/pointer/invariant.rs

@@ -12,11 +12,15 @@ mod inner;
 #[doc(hidden)]
 pub mod invariant;
 mod ptr;
+mod transmute;
 
 #[doc(hidden)]
-pub use invariant::{BecauseExclusive, BecauseImmutable, Read};
+pub(crate) use transmute::*;
 #[doc(hidden)]
-pub use ptr::Ptr;
+pub use {
+    invariant::{BecauseExclusive, BecauseImmutable, Read},
+    ptr::Ptr,
+};
 
 use crate::Unaligned;
 

src/pointer/mod.rs

@@ -12,9 +12,12 @@ use core::{
     ptr::NonNull,
 };
 
-use super::{inner::PtrInner, invariant::*};
 use crate::{
-    util::{AlignmentVariance, Covariant, TransparentWrapper, ValidityVariance},
+    pointer::{
+        inner::PtrInner,
+        invariant::*,
+        transmute::{MutationCompatible, TransmuteFromPtr},
+    },
     AlignmentError, CastError, CastType, KnownLayout, SizeError, TryFromBytes, ValidityError,
 };
 
@@ -383,53 +386,31 @@ mod _conversions {
         }
     }
 
-    /// `Ptr<'a, T = Wrapper<U>>` → `Ptr<'a, U>`
-    impl<'a, T, I> Ptr<'a, T, I>
-    where
-        T: 'a + TransparentWrapper<I, UnsafeCellVariance = Covariant> + ?Sized,
-        I: Invariants,
-    {
-        /// Converts `self` to a transparent wrapper type into a `Ptr` to the
-        /// wrapped inner type.
-        pub(crate) fn transparent_wrapper_into_inner(
-            self,
-        ) -> Ptr<
-            'a,
-            T::Inner,
-            (
-                I::Aliasing,
-                <T::AlignmentVariance as AlignmentVariance<I::Alignment>>::Applied,
-                <T::ValidityVariance as ValidityVariance<I::Validity>>::Applied,
-            ),
-        > {
-            // SAFETY:
-            // - By invariant on `TransparentWrapper::cast_into_inner`:
-            //   - This cast preserves address and referent size, and thus the
-            //     returned pointer addresses the same bytes as `p`
-            //   - This cast preserves provenance
-            // - By invariant on `TransparentWrapper<UnsafeCellVariance =
-            //   Covariant>`, `T` and `T::Inner` have `UnsafeCell`s at the same
-            //   byte ranges. Since `p` and the returned pointer address the
-            //   same byte range, they refer to `UnsafeCell`s at the same byte
-            //   ranges.
-            // - By invariant on `TransparentWrapper`, since `self` satisfies
-            //   the validity invariant `I::Validity`, the returned pointer (of
-            //   type `T::Inner`) satisfies the given "applied" validity
-            //   invariant.
-            let ptr = unsafe { self.transmute_unchecked(|p| T::cast_into_inner(p)) };
-            // SAFETY: By invariant on `TransparentWrapper`, since `self`
-            // satisfies the alignment invariant `I::Alignment`, the returned
-            // pointer (of type `T::Inner`) satisfies the given "applied"
-            // alignment invariant.
-            unsafe { ptr.assume_alignment() }
-        }
-    }
-
     /// `Ptr<'a, T>` → `Ptr<'a, U>`
     impl<'a, T: ?Sized, I> Ptr<'a, T, I>
     where
         I: Invariants,
     {
+        pub(crate) fn transmute<U, V, R>(self) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
+        where
+            T: KnownLayout,
+            V: Validity,
+            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R>
+                + KnownLayout<PointerMetadata = T::PointerMetadata>
+                + ?Sized,
+        {
+            unsafe { self.transmute_unchecked(|t: NonNull<T>| U::cast_from_raw(t)) }
+        }
+
+        pub(crate) fn transmute_sized<U, V, R>(self) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
+        where
+            T: Sized,
+            V: Validity,
+            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R>,
+        {
+            unsafe { self.transmute_unchecked(cast!()) }
+        }
+
         /// Casts to a different (unsized) target type without checking interior
         /// mutability.
         ///
@@ -460,14 +441,9 @@ mod _conversions {
         ) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
         where
             V: Validity,
-            F: FnOnce(*mut T) -> *mut U,
+            F: FnOnce(NonNull<T>) -> NonNull<U>,
         {
-            let ptr = cast(self.as_inner().as_non_null().as_ptr());
-
-            // SAFETY: Caller promises that `cast` returns a pointer whose
-            // address is in the range of `self.as_inner().as_non_null()`'s referent. By
-            // invariant, none of these addresses are null.
-            let ptr = unsafe { NonNull::new_unchecked(ptr) };
+            let ptr = cast(self.as_inner().as_non_null());
 
             // SAFETY:
             //
@@ -552,7 +528,7 @@ mod _conversions {
             //   validity of the other.
             let ptr = unsafe {
                 #[allow(clippy::as_conversions)]
-                self.transmute_unchecked(|p: *mut T| p as *mut crate::Unalign<T>)
+                self.transmute_unchecked(NonNull::cast::<crate::Unalign<T>>)
             };
             ptr.bikeshed_recall_aligned()
         }
@@ -561,6 +537,8 @@ mod _conversions {
 
 /// State transitions between invariants.
 mod _transitions {
+    use crate::pointer::transmute::TryTransmuteFromPtr;
+
     use super::*;
 
     impl<'a, T, I> Ptr<'a, T, I>
@@ -819,14 +797,11 @@ mod _transitions {
         #[inline]
         // TODO(#859): Reconsider the name of this method before making it
         // public.
-        pub fn bikeshed_recall_valid(self) -> Ptr<'a, T, (I::Aliasing, I::Alignment, Valid)>
+        pub fn bikeshed_recall_valid<R>(self) -> Ptr<'a, T, (I::Aliasing, I::Alignment, Valid)>
         where
-            T: crate::FromBytes,
+            T: crate::FromBytes + TryTransmuteFromPtr<T, I::Aliasing, I::Validity, Valid, R>,
             I: Invariants<Validity = Initialized>,
         {
-            // TODO(#1866): Fix this unsoundness.
-
-            // SAFETY: This is unsound!
             unsafe { self.assume_valid() }
         }
 
@@ -843,24 +818,24 @@ mod _transitions {
         /// On error, unsafe code may rely on this method's returned
         /// `ValidityError` containing `self`.
         #[inline]
-        pub(crate) fn try_into_valid<R>(
+        pub(crate) fn try_into_valid<R, S>(
             mut self,
         ) -> Result<Ptr<'a, T, (I::Aliasing, I::Alignment, Valid)>, ValidityError<Self, T>>
         where
-            T: TryFromBytes + Read<I::Aliasing, R>,
+            T: TryFromBytes
+                + Read<I::Aliasing, R>
+                + TryTransmuteFromPtr<T, I::Aliasing, I::Validity, Valid, S>,
             I::Aliasing: Reference,
             I: Invariants<Validity = Initialized>,
         {
             // This call may panic. If that happens, it doesn't cause any soundness
             // issues, as we have not generated any invalid state which we need to
             // fix before returning.
             if T::is_bit_valid(self.reborrow().forget_aligned()) {
-                // SAFETY: If `T::is_bit_valid`, code may assume that `self`
-                // contains a bit-valid instance of `Self`.
+                // TODO: Complete this safety comment.
                 //
-                // TODO(#1866): This is unsound! The returned `Ptr` may permit
-                // writing referents which do not satisfy the `Initialized`
-                // validity invariant of `self`.
+                // If `T::is_bit_valid`, code may assume that `self` contains a
+                // bit-valid instance of `Self`.
                 Ok(unsafe { self.assume_valid() })
             } else {
                 Err(ValidityError::new(self))
@@ -902,9 +877,10 @@ mod _casts {
         /// - `u` has the same provenance as `p`
         /// - If `I::Aliasing` is [`Shared`], `UnsafeCell`s in `*u` must exist
         ///   at ranges identical to those at which `UnsafeCell`s exist in `*p`
+        /// TODO: UnsafeCell compatibility
         #[doc(hidden)]
         #[inline]
-        pub unsafe fn cast_unsized_unchecked<U, F: FnOnce(*mut T) -> *mut U>(
+        pub(crate) unsafe fn cast_unsized_unchecked<U, F: FnOnce(NonNull<T>) -> NonNull<U>>(
             self,
             cast: F,
         ) -> Ptr<'a, U, (I::Aliasing, Unaligned, I::Validity)>
@@ -940,20 +916,28 @@ mod _casts {
         /// - `u` has the same provenance as `p`
         #[doc(hidden)]
         #[inline]
-        pub unsafe fn cast_unsized<U, F, R, S>(
+        pub unsafe fn cast_unsized<U, F, R>(
             self,
             cast: F,
         ) -> Ptr<'a, U, (I::Aliasing, Unaligned, I::Validity)>
         where
-            T: Read<I::Aliasing, R>,
-            U: 'a + ?Sized + Read<I::Aliasing, S> + CastableFrom<T, I::Validity, I::Validity>,
-            F: FnOnce(*mut T) -> *mut U,
+            T: MutationCompatible<U, I::Aliasing, I::Validity, I::Validity, R>,
+            U: 'a + ?Sized + CastableFrom<T, I::Validity, I::Validity>,
+            F: FnOnce(NonNull<T>) -> NonNull<U>,
         {
-            // SAFETY: Because `T` and `U` both implement `Read<I::Aliasing, _>`,
-            // either:
-            // - `I::Aliasing` is `Exclusive`
-            // - `T` and `U` are both `Immutable`, in which case they trivially
-            //   contain `UnsafeCell`s at identical locations
+            // SAFETY: Because `T: MutationCompatible<U, I::Aliasing, R>`, one
+            // of the following holds:
+            // - `T: Read<I::Aliasing>` and `U: Read<I::Aliasing>`, in which
+            //   case one of the following holds:
+            //   - `I::Aliasing` is `Exclusive`
+            //   - `T` and `U` are both `Immutable`
+            // - `T` and `U` contain `UnsafeCell`s at identical locations
+            // TODO: This should also promise UnsafeCell compatibility
+            //
+            // In the first case, `I::Aliasing` is `Exclusive`, and in the
+            // second and third case, `T` and `U` contain `UnsafeCell`s at
+            // identical locations (in the second case, this is because `T` and
+            // `U` contain no `UnsafeCell`s at all).
             //
             // The caller promises all other safety preconditions.
             unsafe { self.cast_unsized_unchecked(cast) }
@@ -988,9 +972,8 @@ mod _casts {
             //   returned pointer addresses the same bytes as `p`
             // - `slice_from_raw_parts_mut` and `.cast` both preserve provenance
             let ptr: Ptr<'a, [u8], _> = unsafe {
-                self.cast_unsized(|p: *mut T| {
-                    #[allow(clippy::as_conversions)]
-                    core::ptr::slice_from_raw_parts_mut(p.cast::<u8>(), bytes)
+                self.cast_unsized(|p: NonNull<T>| {
+                    core::ptr::NonNull::slice_from_raw_parts(p.cast::<u8>(), bytes)
                 })
             };
 
@@ -1214,7 +1197,7 @@ mod _casts {
             //   inner type `T`. A consequence of this guarantee is that it is
             //   possible to convert between `T` and `UnsafeCell<T>`.
             #[allow(clippy::as_conversions)]
-            let ptr = unsafe { self.transmute_unchecked(|p| p as *mut T) };
+            let ptr = unsafe { self.transmute_unchecked(cast!()) };
 
             // SAFETY: `UnsafeCell<T>` has the same alignment as `T` [1],
             // and so if `self` is guaranteed to be aligned, then so is the
@@ -1321,10 +1304,12 @@ mod tests {
                     };
 
                     // SAFETY: The bytes in `slf` must be initialized.
-                    unsafe fn validate_and_get_len<T: ?Sized + KnownLayout + FromBytes>(
+                    unsafe fn validate_and_get_len<
+                        T: ?Sized + KnownLayout + FromBytes + Immutable,
+                    >(
                         slf: Ptr<'_, T, (Shared, Aligned, Initialized)>,
                     ) -> usize {
-                        let t = slf.bikeshed_recall_valid().as_ref();
+                        let t = slf.bikeshed_recall_valid::<BecauseImmutable>().as_ref();
 
                         let bytes = {
                             let len = mem::size_of_val(t);