[WIP] Generalize SizeEq to SizeCompat

This requires us to generalize our prior support for transmuting between
unsized types. In particular, we previously used the `SizeEq` trait to
denote that two types have equal sizes in the face of a cast operation
(in particular, that `*const T as *const U` preserves referent size). In
this commit, we add support for metadata fix-up, which means that we
support casts for which `*const T as *const U` does *not* preserve
referent size. Instead, we compute an affine function at compile time
and apply it at runtime - computing the destination type's metadata as a
function of the source metadata, `dst_meta = A + src_meta * B`. `A` and
`B` are computed at compile time.

We generalize `SizeEq` to permit its `cast_from_raw` method to perform a
runtime metadata fix-up operation.

Makes progress on #1817

Co-authored-by: Jack Wrenn <[email protected]>
gherrit-pr-id: I6c793a9620ad75bdc0d26ab7c7cd1a0c7bef1b8b

Author: joshlf

src/impls.rs

@@ -109,7 +109,8 @@ const _: () = unsafe {
         *byte.unaligned_as_ref() < 2
     })
 };
-impl_size_eq!(bool, u8);
+
+impl_size_compat!(bool, u8);
 
 // SAFETY:
 // - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
@@ -140,7 +141,7 @@ const _: () = unsafe {
     });
 };
 
-impl_size_eq!(char, Unalign<u32>);
+impl_size_compat!(char, Unalign<u32>);
 
 // SAFETY: Per the Reference [1], `str` has the same layout as `[u8]`.
 // - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
@@ -173,14 +174,13 @@ const _: () = unsafe {
     })
 };
 
-impl_size_eq!(str, [u8]);
+impl_size_compat!(str, [u8]);
 
 macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
     ($($nonzero:ident[$prim:ty]),*) => {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
-                impl_size_eq!($nonzero, Unalign<$prim>);
-
+                impl_size_compat!($nonzero, Unalign<$prim>);
                 let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
             });
@@ -396,63 +396,72 @@ mod atomics {
         ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {{
             crate::util::macros::__unsafe();
 
-            use core::cell::UnsafeCell;
-            use crate::pointer::{PtrInner, SizeEq, TransmuteFrom, invariant::Valid};
+            use core::{cell::UnsafeCell};
+            use crate::pointer::{TransmuteFrom, PtrInner, SizeCompat, invariant::Valid};
 
             $(
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size and bit validity.
+                // SAFETY: The caller promised that `$atomic` and `$prim`
+                // have the same size and bit validity. As a result of size
+                // equality, both impls of `SizeCompat::cast_from_raw`
+                // preserve referent size exactly.
                 unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size and bit validity.
+                // SAFETY: The caller promised that `$atomic` and `$prim`
+                // have the same size and bit validity. As a result of size
+                // equality, both impls of `SizeCompat::cast_from_raw`
+                // preserve referent size exactly.
                 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
 
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size.
-                unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
+                // SAFETY: See inline safety comment.
+                unsafe impl<$($tyvar)?> SizeCompat<$atomic> for $prim {
                     #[inline]
                     fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, $prim> {
-                        // SAFETY: The caller promised that `$atomic` and
-                        // `$prim` have the same size. Thus, this cast preserves
+                        // SAFETY: The caller promised that `$atomic` and `$prim`
+                        // have the same size. Thus, this cast preserves
                         // address, referent size, and provenance.
                         unsafe { cast!(a) }
                     }
                 }
                 // SAFETY: See previous safety comment.
-                unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
+                unsafe impl<$($tyvar)?> SizeCompat<$prim> for $atomic {
                     #[inline]
                     fn cast_from_raw(p: PtrInner<'_, $prim>) -> PtrInner<'_, $atomic> {
                         // SAFETY: See previous safety comment.
                         unsafe { cast!(p) }
                     }
                 }
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size. `UnsafeCell<T>` has the same size as `T` [1].
+
+                // SAFETY: The caller promised that `$atomic` and `$prim`
+                // have the same size. `UnsafeCell<T>` has the same size as
+                // `T` [1]. Thus, this cast preserves address, referent
+                // size, and provenance.
                 //
                 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
                 //
                 //   `UnsafeCell<T>` has the same in-memory representation as
                 //   its inner type `T`. A consequence of this guarantee is that
                 //   it is possible to convert between `T` and `UnsafeCell<T>`.
-                unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
+                unsafe impl<$($tyvar)?> SizeCompat<$atomic> for UnsafeCell<$prim> {
                     #[inline]
                     fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, UnsafeCell<$prim>> {
                         // SAFETY: See previous safety comment.
                         unsafe { cast!(a) }
                     }
                 }
                 // SAFETY: See previous safety comment.
-                unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
+                unsafe impl<$($tyvar)?> SizeCompat<UnsafeCell<$prim>> for $atomic {
                     #[inline]
                     fn cast_from_raw(p: PtrInner<'_, UnsafeCell<$prim>>) -> PtrInner<'_, $atomic> {
                         // SAFETY: See previous safety comment.
                         unsafe { cast!(p) }
                     }
                 }
 
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same bit validity. `UnsafeCell<T>` has the same bit
-                // validity as `T` [1].
+                // SAFETY: The caller promised that `$atomic` and `$prim`
+                // have the same bit validity. `UnsafeCell<T>` has the same
+                // bit validity as `T` [1]. `UnsafeCell<T>` also has the
+                // same size as `T` [1], and so both impls of
+                // `SizeCompat::cast_from_raw` preserve referent size
+                // exactly.
                 //
                 // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
                 //

src/layout.rs

@@ -612,15 +612,15 @@ pub(crate) use cast_from_raw::cast_from_raw;
 mod cast_from_raw {
     use crate::{pointer::PtrInner, *};
 
-    /// Implements [`<Dst as SizeEq<Src>>::cast_from_raw`][cast_from_raw].
+    /// Implements [`<Dst as SizeCompat<Src>>::cast_from_raw`][cast_from_raw].
     ///
     /// # PME
     ///
     /// Generates a post-monomorphization error if it is not possible to satisfy
-    /// the soundness conditions of [`SizeEq::cast_from_raw`][cast_from_raw]
+    /// the soundness conditions of [`SizeCompat::cast_from_raw`][cast_from_raw]
     /// for `Src` and `Dst`.
     ///
-    /// [cast_from_raw]: crate::pointer::SizeEq::cast_from_raw
+    /// [cast_from_raw]: crate::pointer::SizeCompat::cast_from_raw
     //
     // FIXME(#1817): Support Sized->Unsized and Unsized->Sized casts
     pub(crate) fn cast_from_raw<Src, Dst>(src: PtrInner<'_, Src>) -> PtrInner<'_, Dst>

src/pointer/ptr.rs

@@ -16,7 +16,7 @@ use crate::{
     pointer::{
         inner::PtrInner,
         invariant::*,
-        transmute::{MutationCompatible, SizeEq, TransmuteFromPtr},
+        transmute::{MutationCompatible, SizeCompat, TransmuteFromPtr},
     },
     AlignmentError, CastError, CastType, KnownLayout, SizeError, TryFromBytes, ValidityError,
 };
@@ -388,10 +388,13 @@ mod _conversions {
         pub(crate) fn transmute<U, V, R>(self) -> Ptr<'a, U, (I::Aliasing, Unaligned, V)>
         where
             V: Validity,
-            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R> + SizeEq<T> + ?Sized,
+            U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R> + SizeCompat<T> + ?Sized,
         {
+            // TODO: Update this safety comment based on the new invariants on
+            // `TryTransmuteFromPtr` and `SizeCompat`.
+
             // SAFETY:
-            // - `SizeEq::cast_from_raw` promises to preserve address,
+            // - `SizeCompat::cast_from_raw` promises to preserve address,
             //   provenance, and the number of bytes in the referent
             // - If aliasing is `Shared`, then by `U: TransmuteFromPtr<T>`, at
             //   least one of the following holds:
@@ -402,7 +405,7 @@ mod _conversions {
             //     operate on these references simultaneously
             // - By `U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V>`, it is
             //   sound to perform this transmute.
-            unsafe { self.transmute_unchecked(|ptr| SizeEq::cast_from_raw(ptr).as_non_null()) }
+            unsafe { self.transmute_unchecked(|ptr| SizeCompat::cast_from_raw(ptr).as_non_null()) }
         }
 
         #[doc(hidden)]
@@ -413,6 +416,9 @@ mod _conversions {
             V: Validity,
             T: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, R>,
         {
+            // TODO: Update this safety comment based on the new invariants on
+            // `TryTransmuteFromPtr`.
+
             // SAFETY:
             // - This cast is a no-op, and so trivially preserves address,
             //   referent size, and provenance
@@ -858,9 +864,13 @@ mod _transitions {
                 // SAFETY: If `T::is_bit_valid`, code may assume that `self`
                 // contains a bit-valid instance of `T`. By `T:
                 // TryTransmuteFromPtr<T, I::Aliasing, I::Validity, Valid>`, so
-                // long as `self`'s referent conforms to the `Valid` validity
-                // for `T` (which we just confired), then this transmute is
-                // sound.
+                // long as `SizeCompat::cast_from_raw(self.into_inner)`'s
+                // referent conforms to the `Valid` validity for `T`, then this
+                // transmute is sound. Since `<T as
+                // SizeCompat<T>>::cast_from_raw` is guaranteed to be the
+                // identity function, this is equivalent to the statement that
+                // `self`'s referent conforms to the `Valid` validity for `T`,
+                // which we just confirmed using `T::is_bit_valid`.
                 Ok(unsafe { self.assume_valid() })
             } else {
                 Err(ValidityError::new(self))