Merge branch 'main' into byteorder-no-crate-dep

Author: joshlf

.github/ISSUE_TEMPLATE/customer-request.md

@@ -0,0 +1,17 @@
+---
+name: Customer request
+about: Describe what features you'd like from zerocopy for your project
+title: Features to support <project>
+labels: customer-request
+assignees: ''
+
+---
+
+**What is the name of your project?**
+
+**Please provide a link to your project (GitHub repository, crates.io page, etc).**
+
+**What features would you like from zerocopy?**
+For each feature:
+- Describe why it would be useful to your project, providing any useful context (GitHub links, etc).
+- If there is an existing zerocopy GitHub issue describing this feature, link to it.

.github/workflows/ci.yml

@@ -251,10 +251,7 @@ jobs:
         # an API that cargo-semver-checks can understand.
         package: zerocopy
         feature-group: all-features
-        # TODO: Set this to the specific nightly we have pinned in CI. Not a big
-        # deal since this isn't affected by the trybuild stderr files, which is
-        # the reason we need to pin to a specific nightly.
-        rust-toolchain: nightly
+        rust-toolchain: ${{ env.ZC_TOOLCHAIN }}
       if: matrix.crate == 'zerocopy' && matrix.features == '--all-features' && matrix.toolchain == 'nightly'
 
   kani:
@@ -461,6 +458,40 @@ jobs:
           cargo install --locked kani-verifier       &> /dev/null || true
           cargo kani setup                           &> /dev/null || true
 
+  check-job-dependencies:
+    runs-on: ubuntu-latest
+    name: Check all-jobs-succeeded depends on all jobs
+    steps:
+      - name: Install yq (for YAML parsing)
+        run: go install github.com/mikefarah/yq/v4@latest
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run dependency check
+        run: |
+          set -eo pipefail
+          jobs=$(for i in $(find .github -iname '*.yaml' -or -iname '*.yml')
+            do
+              # Select jobs that are triggered by pull request.
+              if yq -e '.on | has("pull_request")' "$i" 2>/dev/null >/dev/null
+              then
+                # This gets the list of jobs that all-jobs-succeed does not depend on.
+                comm -23 \
+                  <(yq -r '.jobs | keys | .[]' "$i" | sort | uniq) \
+                  <(yq -r '.jobs.all-jobs-succeed.needs[]' "$i" | sort | uniq)
+              fi
+
+            # The grep call here excludes all-jobs-succeed from the list of jobs that
+            # all-jobs-succeed does not depend on.  If all-jobs-succeed does
+            # not depend on itself, we do not care about it.
+            done | sort | uniq | (grep -v '^all-jobs-succeed$' || true)
+          )
+
+          if [ -n "$jobs" ]
+          then
+            missing_jobs="$(echo "$jobs" | tr ' ' '\n')"
+            echo "all-jobs-succeed missing dependencies on some jobs: $missing_jobs" | tee -a $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
   # Used to signal to branch protections that all other jobs have succeeded.
   all-jobs-succeed:
       name: All checks succeeded
@@ -471,7 +502,7 @@ jobs:
       # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks
       if: failure()
       runs-on: ubuntu-latest
-      needs: [build_test, kani, check_fmt, check_readme, check_msrv, check_versions, generate_cache]
+      needs: [build_test, kani, check_fmt, check_readme, check_msrv, check_versions, generate_cache, check-job-dependencies]
       steps:
         - name: Mark the job as failed
           run: exit 1

.github/workflows/scorecard.yml

@@ -50,14 +50,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -0,0 +1,35 @@
+# Changelog
+
+## Releases
+
+We track releases and release notes using [GitHub
+Releases](https://github.com/google/zerocopy/releases).
+
+## Yanks and Regressions
+
+### 0.2.2 through 0.2.8, 0.3.0 through 0.3.1, 0.4.0, 0.5.0, 0.6.0 through 0.6.5, 0.7.0 through 0.7.30
+
+*Security advisories for this bug have been published as
+[RUSTSEC-2023-0074][rustsec-advisory] and [GHSA-3mv5-343c-w2qg][github-advisory].*
+
+In these versions, the `Ref` methods `into_ref`, `into_mut`, `into_slice`, and
+`into_mut_slice` were permitted in combination with the standard library
+`cell::Ref` and `cell::RefMut` types for `Ref<B, T>`'s `B` type parameter. These
+combinations are unsound, and may permit safe code to exhibit undefined
+behavior. Fixes have been published to each affected minor version which do not
+permit this code to compile.
+
+See [#716][issue-716] for more details.
+
+[rustsec-advisory]: https://rustsec.org/advisories/RUSTSEC-2023-0074.html
+[github-advisory]: https://github.com/google/zerocopy/security/advisories/GHSA-3mv5-343c-w2qg
+[issue-716]: https://github.com/google/zerocopy/issues/716
+
+### 0.7.27, 0.7.28
+
+These versions were briefly yanked due to a non-soundness regression reported in
+[#672][pull-672]. After reconsidering our yanking policy in [#679][issue-679],
+we un-yanked these versions.
+
+[pull-672]: https://github.com/google/zerocopy/pull/672
+[issue-679]: https://github.com/google/zerocopy/issues/679

CONTRIBUTING.md

@@ -157,7 +157,7 @@ name of that subsystem in square brackets, omitting any "zerocopy" prefix
 zerocopy-derive crate:
 
 ```text
-[derive] Support AsBytes on types with parameters
+[derive] Support IntoBytes on types with parameters
 ```
 
 The body may be omitted if the subject is self-explanatory; e.g. when fixing a

Cargo.toml

@@ -15,7 +15,7 @@
 [package]
 edition = "2018"
 name = "zerocopy"
-version = "0.8.0-alpha"
+version = "0.8.0-alpha.1"
 authors = ["Joshua Liebow-Feeser <[email protected]>"]
 description = "Utilities for zero-copy parsing and serialization"
 license = "BSD-2-Clause OR Apache-2.0 OR MIT"
@@ -30,8 +30,8 @@ rustdoc-args = ["--cfg", "doc_cfg", "--generate-link-to-definition"]
 
 [package.metadata.ci]
 # The versions of the stable and nightly compiler toolchains to use in CI.
-pinned-stable = "1.74.0"
-pinned-nightly = "nightly-2023-12-05"
+pinned-stable = "1.74.1"
+pinned-nightly = "nightly-2023-12-22"
 
 [package.metadata.playground]
 features = ["__internal_use_only_features_that_work_on_stable"]
@@ -47,13 +47,13 @@ simd-nightly = ["simd"]
 __internal_use_only_features_that_work_on_stable = ["alloc", "derive", "simd"]
 
 [dependencies]
-zerocopy-derive = { version = "=0.8.0-alpha", path = "zerocopy-derive", optional = true }
+zerocopy-derive = { version = "=0.8.0-alpha.1", path = "zerocopy-derive", optional = true }
 
 # The "associated proc macro pattern" ensures that the versions of zerocopy and
 # zerocopy-derive remain equal, even if the 'derive' feature isn't used.
 # See: https://github.com/matklad/macro-dep-test
 [target.'cfg(any())'.dependencies]
-zerocopy-derive = { version = "=0.8.0-alpha", path = "zerocopy-derive" }
+zerocopy-derive = { version = "=0.8.0-alpha.1", path = "zerocopy-derive" }
 
 [dev-dependencies]
 assert_matches = "1.5"
@@ -68,6 +68,6 @@ testutil = { path = "testutil" }
 # CI test failures.
 trybuild = { version = "=1.0.85", features = ["diff"] }
 # In tests, unlike in production, zerocopy-derive is not optional
-zerocopy-derive = { version = "=0.8.0-alpha", path = "zerocopy-derive" }
+zerocopy-derive = { version = "=0.8.0-alpha.1", path = "zerocopy-derive" }
 # TODO(#381) Remove this dependency once we have our own layout gadgets.
 elain = "0.3.0"

POLICIES.md

@@ -99,5 +99,10 @@ increase our MSRV during semver-breaking version changes (e.g., 0.1 -> 0.2, 1.0
 Whenever a bug or regression is identified, we will yank any affected versions
 which are part of the current version train. For example, if the most recent
 version is 0.10.20 and a bug is uncovered, we will release a fix in 0.10.21 and
-yank all 0.10.X versions which are affected. We *may* also yank versions in previous
-version trains on a case-by-case basis, but we don't guarantee it.
+yank all 0.10.X versions which are affected. We *may* also yank versions in
+previous version trains on a case-by-case basis, but we don't guarantee it.
+
+For information about a particular yanked or un-yanked version, see our [yank
+log][yank-log].
+
+[yank-log]: https://github.com/google/zerocopy/blob/main/CHANGELOG.md#yanks-and-regressions

README.md

@@ -12,8 +12,8 @@ made in the doc comment on `src/lib.rs` or in `generate-readme.sh`.
 
 # zerocopy
 
-*<span style="font-size: 100%; color:grey;">Want to help improve zerocopy?
-Fill out our [user survey][user-survey]!</span>*
+*<span style="font-size: 100%; color:grey;">Need more out of zerocopy?
+Submit a [customer request issue][customer-request-issue]!</span>*
 
 ***<span style="font-size: 140%">Fast, safe, <span
 style="color:red;">compile error</span>. Pick two.</span>***
@@ -24,12 +24,12 @@ so you don't have to.
 ## Overview
 
 Zerocopy provides four core marker traits, each of which can be derived
-(e.g., `#[derive(FromZeroes)]`):
-- `FromZeroes` indicates that a sequence of zero bytes represents a valid
+(e.g., `#[derive(FromZeros)]`):
+- `FromZeros` indicates that a sequence of zero bytes represents a valid
   instance of a type
 - `FromBytes` indicates that a type may safely be converted from an
   arbitrary byte sequence
-- `AsBytes` indicates that a type may safely be converted *to* a byte
+- `IntoBytes` indicates that a type may safely be converted *to* a byte
   sequence
 - `Unaligned` indicates that a type's alignment requirement is 1
 
@@ -40,7 +40,7 @@ Zerocopy also provides byte-order aware integer types that support these
 conversions; see the `byteorder` module. These types are especially useful
 for network parsing.
 
-[user-survey]: https://docs.google.com/forms/d/e/1FAIpQLSdzBNTN9tzwsmtyZxRFNL02K36IWCdHWW2ZBckyQS2xiO3i8Q/viewform?usp=published_options
+[customer-request-issue]: https://github.com/google/zerocopy/issues/new/choose
 
 ## Cargo Features
 
@@ -67,8 +67,8 @@ for network parsing.
   ```
 
 - **`simd`**
-  When the `simd` feature is enabled, `FromZeroes`, `FromBytes`, and
-  `AsBytes` impls are emitted for all stable SIMD types which exist on the
+  When the `simd` feature is enabled, `FromZeros`, `FromBytes`, and
+  `IntoBytes` impls are emitted for all stable SIMD types which exist on the
   target platform. Note that the layout of SIMD types is not yet stabilized,
   so these impls may be removed in the future if layout changes make them
   invalid. For more information, see the Unsafe Code Guidelines Reference
@@ -134,6 +134,12 @@ See our [MSRV policy].
 
 [MSRV policy]: https://github.com/google/zerocopy/blob/main/POLICIES.md#msrv
 
+## Changelog
+
+Zerocopy uses [GitHub Releases].
+
+[GitHub Releases]: https://github.com/google/zerocopy/releases
+
 ## Disclaimer
 
 Disclaimer: Zerocopy is not an officially supported Google product.

src/byteorder.rs

@@ -16,7 +16,7 @@
 //! this module - [`U16`], [`I16`], [`U32`], [`F64`], etc. Unlike their native
 //! counterparts, these types have alignment 1, and take a type parameter
 //! specifying the byte order in which the bytes are stored in memory. Each type
-//! implements the [`FromBytes`], [`AsBytes`], and [`Unaligned`] traits.
+//! implements the [`FromBytes`], [`IntoBytes`], and [`Unaligned`] traits.
 //!
 //! These two properties, taken together, make these types useful for defining
 //! data structures whose memory layout matches a wire format such as that of a
@@ -35,10 +35,10 @@
 //!
 //! ```rust,edition2021
 //! # #[cfg(feature = "derive")] { // This example uses derives, and won't compile without them
-//! use zerocopy::{AsBytes, ByteSlice, FromBytes, FromZeroes, Ref, Unaligned};
+//! use zerocopy::{IntoBytes, ByteSlice, FromBytes, FromZeros, NoCell, Ref, Unaligned};
 //! use zerocopy::byteorder::network_endian::U16;
 //!
-//! #[derive(FromZeroes, FromBytes, AsBytes, Unaligned)]
+//! #[derive(FromZeros, FromBytes, IntoBytes, NoCell, Unaligned)]
 //! #[repr(C)]
 //! struct UdpHeader {
 //!     src_port: U16,
@@ -346,18 +346,18 @@ order to uphold the invariants that a) the layout of `", stringify!($name), "`
 has endianness `O` and that, b) the layout of `", stringify!($native), "` has
 the platform's native endianness.
 
-`", stringify!($name), "` implements [`FromBytes`], [`AsBytes`], and [`Unaligned`],
+`", stringify!($name), "` implements [`FromBytes`], [`IntoBytes`], and [`Unaligned`],
 making it useful for parsing and serialization. See the module documentation for an
 example of how it can be used for parsing UDP packets.
 
 [`new`]: crate::byteorder::", stringify!($name), "::new
 [`get`]: crate::byteorder::", stringify!($name), "::get
 [`set`]: crate::byteorder::", stringify!($name), "::set
 [`FromBytes`]: crate::FromBytes
-[`AsBytes`]: crate::AsBytes
+[`IntoBytes`]: crate::IntoBytes
 [`Unaligned`]: crate::Unaligned"),
             #[derive(Copy, Clone, Eq, PartialEq, Hash)]
-            #[cfg_attr(any(feature = "derive", test), derive(KnownLayout, FromZeroes, FromBytes, AsBytes, Unaligned))]
+            #[cfg_attr(any(feature = "derive", test), derive(KnownLayout, NoCell, FromZeros, FromBytes, IntoBytes, Unaligned))]
             #[repr(transparent)]
             pub struct $name<O>([u8; $bytes], PhantomData<O>);
         }
@@ -369,10 +369,12 @@ example of how it can be used for parsing UDP packets.
             /// SAFETY:
             /// `$name<O>` is `repr(transparent)`, and so it has the same layout
             /// as its only non-zero field, which is a `u8` array. `u8` arrays
-            /// are `FromZeroes`, `FromBytes`, `AsBytes`, and `Unaligned`.
-            impl_or_verify!(O => FromZeroes for $name<O>);
+            /// are `NoCell`, `FromZeros`, `FromBytes`, `IntoBytes`, and
+            /// `Unaligned`.
+            impl_or_verify!(O => NoCell for $name<O>);
+            impl_or_verify!(O => FromZeros for $name<O>);
             impl_or_verify!(O => FromBytes for $name<O>);
-            impl_or_verify!(O => AsBytes for $name<O>);
+            impl_or_verify!(O => IntoBytes for $name<O>);
             impl_or_verify!(O => Unaligned for $name<O>);
         }
 
@@ -813,7 +815,7 @@ module!(native_endian, NativeEndian, "native-endian");
 mod tests {
     use {
         super::*,
-        crate::{AsBytes, FromBytes, Unaligned},
+        crate::{FromBytes, IntoBytes, Unaligned},
     };
 
     #[cfg(not(kani))]
@@ -861,7 +863,7 @@ mod tests {
     use compatibility::*;
 
     // A native integer type (u16, i32, etc).
-    trait Native: Arbitrary + FromBytes + AsBytes + Copy + PartialEq + Debug {
+    trait Native: Arbitrary + FromBytes + IntoBytes + NoCell + Copy + PartialEq + Debug {
         const ZERO: Self;
         const MAX_VALUE: Self;
 
@@ -898,13 +900,13 @@ mod tests {
     }
 
     trait ByteArray:
-        FromBytes + AsBytes + Copy + AsRef<[u8]> + AsMut<[u8]> + Debug + Default + Eq
+        FromBytes + IntoBytes + NoCell + Copy + AsRef<[u8]> + AsMut<[u8]> + Debug + Default + Eq
     {
         /// Invert the order of the bytes in the array.
         fn invert(self) -> Self;
     }
 
-    trait ByteOrderType: FromBytes + AsBytes + Unaligned + Copy + Eq + Debug {
+    trait ByteOrderType: FromBytes + IntoBytes + Unaligned + Copy + Eq + Debug {
         type Native: Native;
         type ByteArray: ByteArray;