zerocopy/util/macros.rs
1// Copyright 2023 The Fuchsia Authors
2//
3// Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0
4// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
5// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
6// This file may not be copied, modified, or distributed except according to
7// those terms.
8
9/// Unsafely implements trait(s) for a type.
10///
11/// # Safety
12///
13/// The trait impl must be sound.
14///
15/// When implementing `TryFromBytes`:
16/// - If no `is_bit_valid` impl is provided, then it must be valid for
17/// `is_bit_valid` to unconditionally return `true`. In other words, it must
18/// be the case that any initialized sequence of bytes constitutes a valid
19/// instance of `$ty`.
20/// - If an `is_bit_valid` impl is provided, then the impl of `is_bit_valid`
21/// must only return `true` if its argument refers to a valid `$ty`.
22macro_rules! unsafe_impl {
23 // Implement `$trait` for `$ty` with no bounds.
24 ($(#[$attr:meta])* $ty:ty: $trait:ident $(; |$candidate:ident| $is_bit_valid:expr)?) => {{
25 crate::util::macros::__unsafe();
26
27 $(#[$attr])*
28 // SAFETY: The caller promises that this is sound.
29 unsafe impl $trait for $ty {
30 unsafe_impl!(@method $trait $(; |$candidate| $is_bit_valid)?);
31 }
32 }};
33
34 // Implement all `$traits` for `$ty` with no bounds.
35 //
36 // The 2 arms under this one are there so we can apply
37 // N attributes for each one of M trait implementations.
38 // The simple solution of:
39 //
40 // ($(#[$attrs:meta])* $ty:ty: $($traits:ident),*) => {
41 // $( unsafe_impl!( $(#[$attrs])* $ty: $traits ) );*
42 // }
43 //
44 // Won't work. The macro processor sees that the outer repetition
45 // contains both $attrs and $traits and expects them to match the same
46 // amount of fragments.
47 //
48 // To solve this we must:
49 // 1. Pack the attributes into a single token tree fragment we can match over.
50 // 2. Expand the traits.
51 // 3. Unpack and expand the attributes.
52 ($(#[$attrs:meta])* $ty:ty: $($traits:ident),*) => {
53 unsafe_impl!(@impl_traits_with_packed_attrs { $(#[$attrs])* } $ty: $($traits),*)
54 };
55
56 (@impl_traits_with_packed_attrs $attrs:tt $ty:ty: $($traits:ident),*) => {{
57 $( unsafe_impl!(@unpack_attrs $attrs $ty: $traits); )*
58 }};
59
60 (@unpack_attrs { $(#[$attrs:meta])* } $ty:ty: $traits:ident) => {
61 unsafe_impl!($(#[$attrs])* $ty: $traits);
62 };
63
64 // This arm is identical to the following one, except it contains a
65 // preceding `const`. If we attempt to handle these with a single arm, there
66 // is an inherent ambiguity between `const` (the keyword) and `const` (the
67 // ident match for `$tyvar:ident`).
68 //
69 // To explain how this works, consider the following invocation:
70 //
71 // unsafe_impl!(const N: usize, T: ?Sized + Copy => Clone for Foo<T>);
72 //
73 // In this invocation, here are the assignments to meta-variables:
74 //
75 // |---------------|------------|
76 // | Meta-variable | Assignment |
77 // |---------------|------------|
78 // | $constname | N |
79 // | $constty | usize |
80 // | $tyvar | T |
81 // | $optbound | Sized |
82 // | $bound | Copy |
83 // | $trait | Clone |
84 // | $ty | Foo<T> |
85 // |---------------|------------|
86 //
87 // The following arm has the same behavior with the exception of the lack of
88 // support for a leading `const` parameter.
89 (
90 $(#[$attr:meta])*
91 const $constname:ident : $constty:ident $(,)?
92 $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?),*
93 => $trait:ident for $ty:ty $(; |$candidate:ident| $is_bit_valid:expr)?
94 ) => {
95 unsafe_impl!(
96 @inner
97 $(#[$attr])*
98 @const $constname: $constty,
99 $($tyvar $(: $(? $optbound +)* + $($bound +)*)?,)*
100 => $trait for $ty $(; |$candidate| $is_bit_valid)?
101 );
102 };
103 (
104 $(#[$attr:meta])*
105 $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?),*
106 => $trait:ident for $ty:ty $(; |$candidate:ident| $is_bit_valid:expr)?
107 ) => {{
108 unsafe_impl!(
109 @inner
110 $(#[$attr])*
111 $($tyvar $(: $(? $optbound +)* + $($bound +)*)?,)*
112 => $trait for $ty $(; |$candidate| $is_bit_valid)?
113 );
114 }};
115 (
116 @inner
117 $(#[$attr:meta])*
118 $(@const $constname:ident : $constty:ident,)*
119 $($tyvar:ident $(: $(? $optbound:ident +)* + $($bound:ident +)* )?,)*
120 => $trait:ident for $ty:ty $(; |$candidate:ident| $is_bit_valid:expr)?
121 ) => {{
122 crate::util::macros::__unsafe();
123
124 $(#[$attr])*
125 #[allow(non_local_definitions)]
126 // SAFETY: The caller promises that this is sound.
127 unsafe impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?),* $(, const $constname: $constty,)*> $trait for $ty {
128 unsafe_impl!(@method $trait $(; |$candidate| $is_bit_valid)?);
129 }
130 }};
131
132 (@method TryFromBytes ; |$candidate:ident| $is_bit_valid:expr) => {
133 #[allow(clippy::missing_inline_in_public_items, dead_code)]
134 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
135 fn only_derive_is_allowed_to_implement_this_trait() {}
136
137 #[inline]
138 fn is_bit_valid<AA: crate::pointer::invariant::Reference>($candidate: Maybe<'_, Self, AA>) -> bool {
139 $is_bit_valid
140 }
141 };
142 (@method TryFromBytes) => {
143 #[allow(clippy::missing_inline_in_public_items)]
144 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
145 fn only_derive_is_allowed_to_implement_this_trait() {}
146 #[inline(always)] fn is_bit_valid<AA: crate::pointer::invariant::Reference>(_: Maybe<'_, Self, AA>) -> bool { true }
147 };
148 (@method $trait:ident) => {
149 #[allow(clippy::missing_inline_in_public_items, dead_code)]
150 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
151 fn only_derive_is_allowed_to_implement_this_trait() {}
152 };
153 (@method $trait:ident; |$_candidate:ident| $_is_bit_valid:expr) => {
154 compile_error!("Can't provide `is_bit_valid` impl for trait other than `TryFromBytes`");
155 };
156}
157
158/// Implements `$trait` for `$ty` where `$ty: TransmuteFrom<$repr>` (and
159/// vice-versa).
160///
161/// Calling this macro is safe; the internals of the macro emit appropriate
162/// trait bounds which ensure that the given impl is sound.
163macro_rules! impl_for_transmute_from {
164 (
165 $(#[$attr:meta])*
166 $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?)?
167 => $trait:ident for $ty:ty [$($unsafe_cell:ident)? <$repr:ty>]
168 ) => {
169 const _: () = {
170 $(#[$attr])*
171 #[allow(non_local_definitions)]
172
173 // SAFETY: `is_trait<T, R>` (defined and used below) requires `T:
174 // TransmuteFrom<R>`, `R: TransmuteFrom<T>`, and `R: $trait`. It is
175 // called using `$ty` and `$repr`, ensuring that `$ty` and `$repr`
176 // have equivalent bit validity, and ensuring that `$repr: $trait`.
177 // The supported traits - `TryFromBytes`, `FromZeros`, `FromBytes`,
178 // and `IntoBytes` - are defined only in terms of the bit validity
179 // of a type. Therefore, `$repr: $trait` ensures that `$ty: $trait`
180 // is sound.
181 unsafe impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?)?> $trait for $ty {
182 #[allow(dead_code, clippy::missing_inline_in_public_items)]
183 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
184 fn only_derive_is_allowed_to_implement_this_trait() {
185 use crate::pointer::{*, invariant::Valid};
186
187 impl_for_transmute_from!(@assert_is_supported_trait $trait);
188
189 fn is_trait<T, R>()
190 where
191 T: TransmuteFrom<R, Valid, Valid> + ?Sized,
192 R: TransmuteFrom<T, Valid, Valid> + ?Sized,
193 R: $trait,
194 {
195 }
196
197 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
198 fn f<$($tyvar $(: $(? $optbound +)* $($bound +)*)?)?>() {
199 is_trait::<$ty, $repr>();
200 }
201 }
202
203 impl_for_transmute_from!(
204 @is_bit_valid
205 $(<$tyvar $(: $(? $optbound +)* $($bound +)*)?>)?
206 $trait for $ty [$($unsafe_cell)? <$repr>]
207 );
208 }
209 };
210 };
211 (@assert_is_supported_trait TryFromBytes) => {};
212 (@assert_is_supported_trait FromZeros) => {};
213 (@assert_is_supported_trait FromBytes) => {};
214 (@assert_is_supported_trait IntoBytes) => {};
215 (
216 @is_bit_valid
217 $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
218 TryFromBytes for $ty:ty [UnsafeCell<$repr:ty>]
219 ) => {
220 #[inline]
221 fn is_bit_valid<A: crate::pointer::invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
222 let c: Maybe<'_, Self, crate::pointer::invariant::Exclusive> = candidate.into_exclusive_or_pme();
223 let c: Maybe<'_, $repr, _> = c.transmute::<_, _, (_, (_, (BecauseExclusive, BecauseExclusive)))>();
224 // SAFETY: This macro ensures that `$repr` and `Self` have the same
225 // size and bit validity. Thus, a bit-valid instance of `$repr` is
226 // also a bit-valid instance of `Self`.
227 <$repr as TryFromBytes>::is_bit_valid(c)
228 }
229 };
230 (
231 @is_bit_valid
232 $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
233 TryFromBytes for $ty:ty [<$repr:ty>]
234 ) => {
235 #[inline]
236 fn is_bit_valid<A: crate::pointer::invariant::Reference>(candidate: $crate::Maybe<'_, Self, A>) -> bool {
237 // SAFETY: This macro ensures that `$repr` and `Self` have the same
238 // size and bit validity. Thus, a bit-valid instance of `$repr` is
239 // also a bit-valid instance of `Self`.
240 <$repr as TryFromBytes>::is_bit_valid(candidate.transmute())
241 }
242 };
243 (
244 @is_bit_valid
245 $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
246 $trait:ident for $ty:ty [$($unsafe_cell:ident)? <$repr:ty>]
247 ) => {
248 // Trait other than `TryFromBytes`; no `is_bit_valid` impl.
249 };
250}
251
252/// Implements a trait for a type, bounding on each member of the power set of
253/// a set of type variables. This is useful for implementing traits for tuples
254/// or `fn` types.
255///
256/// The last argument is the name of a macro which will be called in every
257/// `impl` block, and is expected to expand to the name of the type for which to
258/// implement the trait.
259///
260/// For example, the invocation:
261/// ```ignore
262/// unsafe_impl_for_power_set!(A, B => Foo for type!(...))
263/// ```
264/// ...expands to:
265/// ```ignore
266/// unsafe impl Foo for type!() { ... }
267/// unsafe impl<B> Foo for type!(B) { ... }
268/// unsafe impl<A, B> Foo for type!(A, B) { ... }
269/// ```
270macro_rules! unsafe_impl_for_power_set {
271 (
272 $first:ident $(, $rest:ident)* $(-> $ret:ident)? => $trait:ident for $macro:ident!(...)
273 $(; |$candidate:ident| $is_bit_valid:expr)?
274 ) => {
275 unsafe_impl_for_power_set!(
276 $($rest),* $(-> $ret)? => $trait for $macro!(...)
277 $(; |$candidate| $is_bit_valid)?
278 );
279 unsafe_impl_for_power_set!(
280 @impl $first $(, $rest)* $(-> $ret)? => $trait for $macro!(...)
281 $(; |$candidate| $is_bit_valid)?
282 );
283 };
284 (
285 $(-> $ret:ident)? => $trait:ident for $macro:ident!(...)
286 $(; |$candidate:ident| $is_bit_valid:expr)?
287 ) => {
288 unsafe_impl_for_power_set!(
289 @impl $(-> $ret)? => $trait for $macro!(...)
290 $(; |$candidate| $is_bit_valid)?
291 );
292 };
293 (
294 @impl $($vars:ident),* $(-> $ret:ident)? => $trait:ident for $macro:ident!(...)
295 $(; |$candidate:ident| $is_bit_valid:expr)?
296 ) => {
297 unsafe_impl!(
298 $($vars,)* $($ret)? => $trait for $macro!($($vars),* $(-> $ret)?)
299 $(; |$candidate| $is_bit_valid)?
300 );
301 };
302}
303
304/// Expands to an `Option<extern "C" fn>` type with the given argument types and
305/// return type. Designed for use with `unsafe_impl_for_power_set`.
306macro_rules! opt_extern_c_fn {
307 ($($args:ident),* -> $ret:ident) => { Option<extern "C" fn($($args),*) -> $ret> };
308}
309
310/// Expands to an `Option<unsafe extern "C" fn>` type with the given argument
311/// types and return type. Designed for use with `unsafe_impl_for_power_set`.
312macro_rules! opt_unsafe_extern_c_fn {
313 ($($args:ident),* -> $ret:ident) => { Option<unsafe extern "C" fn($($args),*) -> $ret> };
314}
315
316/// Expands to an `Option<fn>` type with the given argument types and return
317/// type. Designed for use with `unsafe_impl_for_power_set`.
318macro_rules! opt_fn {
319 ($($args:ident),* -> $ret:ident) => { Option<fn($($args),*) -> $ret> };
320}
321
322/// Expands to an `Option<unsafe fn>` type with the given argument types and
323/// return type. Designed for use with `unsafe_impl_for_power_set`.
324macro_rules! opt_unsafe_fn {
325 ($($args:ident),* -> $ret:ident) => { Option<unsafe fn($($args),*) -> $ret> };
326}
327
328/// Implements trait(s) for a type or verifies the given implementation by
329/// referencing an existing (derived) implementation.
330///
331/// This macro exists so that we can provide zerocopy-derive as an optional
332/// dependency and still get the benefit of using its derives to validate that
333/// our trait impls are sound.
334///
335/// When compiling without `--cfg 'feature = "derive"` and without `--cfg test`,
336/// `impl_or_verify!` emits the provided trait impl. When compiling with either
337/// of those cfgs, it is expected that the type in question is deriving the
338/// traits instead. In this case, `impl_or_verify!` emits code which validates
339/// that the given trait impl is at least as restrictive as the the impl emitted
340/// by the custom derive. This has the effect of confirming that the impl which
341/// is emitted when the `derive` feature is disabled is actually sound (on the
342/// assumption that the impl emitted by the custom derive is sound).
343///
344/// The caller is still required to provide a safety comment (e.g. using the
345/// `const _: () = unsafe` macro). The reason for this restriction is that,
346/// while `impl_or_verify!` can guarantee that the provided impl is sound when
347/// it is compiled with the appropriate cfgs, there is no way to guarantee that
348/// it is
349/// ever compiled with those cfgs. In particular, it would be possible to
350/// accidentally place an `impl_or_verify!` call in a context that is only ever
351/// compiled when the `derive` feature is disabled. If that were to happen,
352/// there would be nothing to prevent an unsound trait impl from being emitted.
353/// Requiring a safety comment reduces the likelihood of emitting an unsound
354/// impl in this case, and also provides useful documentation for readers of the
355/// code.
356///
357/// Finally, if a `TryFromBytes::is_bit_valid` impl is provided, it must adhere
358/// to the safety preconditions of [`unsafe_impl!`].
359///
360/// ## Example
361///
362/// ```rust,ignore
363/// // Note that these derives are gated by `feature = "derive"`
364/// #[cfg_attr(any(feature = "derive", test), derive(FromZeros, FromBytes, IntoBytes, Unaligned))]
365/// #[repr(transparent)]
366/// struct Wrapper<T>(T);
367///
368/// const _: () = unsafe {
369/// /// SAFETY:
370/// /// `Wrapper<T>` is `repr(transparent)`, so it is sound to implement any
371/// /// zerocopy trait if `T` implements that trait.
372/// impl_or_verify!(T: FromZeros => FromZeros for Wrapper<T>);
373/// impl_or_verify!(T: FromBytes => FromBytes for Wrapper<T>);
374/// impl_or_verify!(T: IntoBytes => IntoBytes for Wrapper<T>);
375/// impl_or_verify!(T: Unaligned => Unaligned for Wrapper<T>);
376/// }
377/// ```
378macro_rules! impl_or_verify {
379 // The following two match arms follow the same pattern as their
380 // counterparts in `unsafe_impl!`; see the documentation on those arms for
381 // more details.
382 (
383 const $constname:ident : $constty:ident $(,)?
384 $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?),*
385 => $trait:ident for $ty:ty
386 ) => {
387 impl_or_verify!(@impl { unsafe_impl!(
388 const $constname: $constty, $($tyvar $(: $(? $optbound +)* $($bound +)*)?),* => $trait for $ty
389 ); });
390 impl_or_verify!(@verify $trait, {
391 impl<const $constname: $constty, $($tyvar $(: $(? $optbound +)* $($bound +)*)?),*> Subtrait for $ty {}
392 });
393 };
394 (
395 $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?),*
396 => $trait:ident for $ty:ty $(; |$candidate:ident| $is_bit_valid:expr)?
397 ) => {
398 impl_or_verify!(@impl { unsafe_impl!(
399 $($tyvar $(: $(? $optbound +)* $($bound +)*)?),* => $trait for $ty
400 $(; |$candidate| $is_bit_valid)?
401 ); });
402 impl_or_verify!(@verify $trait, {
403 impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?),*> Subtrait for $ty {}
404 });
405 };
406 (@impl $impl_block:tt) => {
407 #[cfg(not(any(feature = "derive", test)))]
408 { $impl_block };
409 };
410 (@verify $trait:ident, $impl_block:tt) => {
411 #[cfg(any(feature = "derive", test))]
412 {
413 // On some toolchains, `Subtrait` triggers the `dead_code` lint
414 // because it is implemented but never used.
415 #[allow(dead_code)]
416 trait Subtrait: $trait {}
417 $impl_block
418 };
419 };
420}
421
422/// Implements `KnownLayout` for a sized type.
423macro_rules! impl_known_layout {
424 ($(const $constvar:ident : $constty:ty, $tyvar:ident $(: ?$optbound:ident)? => $ty:ty),* $(,)?) => {
425 $(impl_known_layout!(@inner const $constvar: $constty, $tyvar $(: ?$optbound)? => $ty);)*
426 };
427 ($($tyvar:ident $(: ?$optbound:ident)? => $ty:ty),* $(,)?) => {
428 $(impl_known_layout!(@inner , $tyvar $(: ?$optbound)? => $ty);)*
429 };
430 ($($(#[$attrs:meta])* $ty:ty),*) => { $(impl_known_layout!(@inner , => $(#[$attrs])* $ty);)* };
431 (@inner $(const $constvar:ident : $constty:ty)? , $($tyvar:ident $(: ?$optbound:ident)?)? => $(#[$attrs:meta])* $ty:ty) => {
432 const _: () = {
433 use core::ptr::NonNull;
434
435 #[allow(non_local_definitions)]
436 $(#[$attrs])*
437 // SAFETY: Delegates safety to `DstLayout::for_type`.
438 unsafe impl<$($tyvar $(: ?$optbound)?)? $(, const $constvar : $constty)?> KnownLayout for $ty {
439 #[allow(clippy::missing_inline_in_public_items)]
440 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
441 fn only_derive_is_allowed_to_implement_this_trait() where Self: Sized {}
442
443 type PointerMetadata = ();
444
445 // SAFETY: `CoreMaybeUninit<T>::LAYOUT` and `T::LAYOUT` are
446 // identical because `CoreMaybeUninit<T>` has the same size and
447 // alignment as `T` [1], and `CoreMaybeUninit` admits
448 // uninitialized bytes in all positions.
449 //
450 // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
451 //
452 // `MaybeUninit<T>` is guaranteed to have the same size,
453 // alignment, and ABI as `T`
454 type MaybeUninit = core::mem::MaybeUninit<Self>;
455
456 const LAYOUT: crate::DstLayout = crate::DstLayout::for_type::<$ty>();
457
458 // SAFETY: `.cast` preserves address and provenance.
459 //
460 // FIXME(#429): Add documentation to `.cast` that promises that
461 // it preserves provenance.
462 #[inline(always)]
463 fn raw_from_ptr_len(bytes: NonNull<u8>, _meta: ()) -> NonNull<Self> {
464 bytes.cast::<Self>()
465 }
466
467 #[inline(always)]
468 fn pointer_to_metadata(_ptr: *mut Self) -> () {
469 }
470 }
471 };
472 };
473}
474
475/// Implements `KnownLayout` for a type in terms of the implementation of
476/// another type with the same representation.
477///
478/// # Safety
479///
480/// - `$ty` and `$repr` must have the same:
481/// - Fixed prefix size
482/// - Alignment
483/// - (For DSTs) trailing slice element size
484/// - It must be valid to perform an `as` cast from `*mut $repr` to `*mut $ty`,
485/// and this operation must preserve referent size (ie, `size_of_val_raw`).
486macro_rules! unsafe_impl_known_layout {
487 ($($tyvar:ident: ?Sized + KnownLayout =>)? #[repr($repr:ty)] $ty:ty) => {{
488 use core::ptr::NonNull;
489
490 crate::util::macros::__unsafe();
491
492 #[allow(non_local_definitions)]
493 // SAFETY: The caller promises that this is sound.
494 unsafe impl<$($tyvar: ?Sized + KnownLayout)?> KnownLayout for $ty {
495 #[allow(clippy::missing_inline_in_public_items, dead_code)]
496 #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
497 fn only_derive_is_allowed_to_implement_this_trait() {}
498
499 type PointerMetadata = <$repr as KnownLayout>::PointerMetadata;
500 type MaybeUninit = <$repr as KnownLayout>::MaybeUninit;
501
502 const LAYOUT: DstLayout = <$repr as KnownLayout>::LAYOUT;
503
504 // SAFETY: All operations preserve address and provenance. Caller
505 // has promised that the `as` cast preserves size.
506 //
507 // FIXME(#429): Add documentation to `NonNull::new_unchecked` that
508 // it preserves provenance.
509 #[inline(always)]
510 fn raw_from_ptr_len(bytes: NonNull<u8>, meta: <$repr as KnownLayout>::PointerMetadata) -> NonNull<Self> {
511 #[allow(clippy::as_conversions)]
512 let ptr = <$repr>::raw_from_ptr_len(bytes, meta).as_ptr() as *mut Self;
513 // SAFETY: `ptr` was converted from `bytes`, which is non-null.
514 unsafe { NonNull::new_unchecked(ptr) }
515 }
516
517 #[inline(always)]
518 fn pointer_to_metadata(ptr: *mut Self) -> Self::PointerMetadata {
519 #[allow(clippy::as_conversions)]
520 let ptr = ptr as *mut $repr;
521 <$repr>::pointer_to_metadata(ptr)
522 }
523 }
524 }};
525}
526
527/// Uses `align_of` to confirm that a type or set of types have alignment 1.
528///
529/// Note that `align_of<T>` requires `T: Sized`, so this macro doesn't work for
530/// unsized types.
531macro_rules! assert_unaligned {
532 ($($tys:ty),*) => {
533 $(
534 // We only compile this assertion under `cfg(test)` to avoid taking
535 // an extra non-dev dependency (and making this crate more expensive
536 // to compile for our dependents).
537 #[cfg(test)]
538 static_assertions::const_assert_eq!(core::mem::align_of::<$tys>(), 1);
539 )*
540 };
541}
542
543/// Emits a function definition as either `const fn` or `fn` depending on
544/// whether the current toolchain version supports `const fn` with generic trait
545/// bounds.
546macro_rules! maybe_const_trait_bounded_fn {
547 // This case handles both `self` methods (where `self` is by value) and
548 // non-method functions. Each `$args` may optionally be followed by `:
549 // $arg_tys:ty`, which can be omitted for `self`.
550 ($(#[$attr:meta])* $vis:vis const fn $name:ident($($args:ident $(: $arg_tys:ty)?),* $(,)?) $(-> $ret_ty:ty)? $body:block) => {
551 #[cfg(not(no_zerocopy_generic_bounds_in_const_fn_1_61_0))]
552 $(#[$attr])* $vis const fn $name($($args $(: $arg_tys)?),*) $(-> $ret_ty)? $body
553
554 #[cfg(no_zerocopy_generic_bounds_in_const_fn_1_61_0)]
555 $(#[$attr])* $vis fn $name($($args $(: $arg_tys)?),*) $(-> $ret_ty)? $body
556 };
557}
558
559/// Either panic (if the current Rust toolchain supports panicking in `const
560/// fn`) or evaluate a constant that will cause an array indexing error whose
561/// error message will include the format string.
562///
563/// The type that this expression evaluates to must be `Copy`, or else the
564/// non-panicking desugaring will fail to compile.
565macro_rules! const_panic {
566 (@non_panic $($_arg:tt)+) => {{
567 // This will type check to whatever type is expected based on the call
568 // site.
569 let panic: [_; 0] = [];
570 // This will always fail (since we're indexing into an array of size 0.
571 #[allow(unconditional_panic)]
572 panic[0]
573 }};
574 ($($arg:tt)+) => {{
575 #[cfg(not(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0))]
576 panic!($($arg)+);
577 #[cfg(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0)]
578 const_panic!(@non_panic $($arg)+)
579 }};
580}
581
582/// Either assert (if the current Rust toolchain supports panicking in `const
583/// fn`) or evaluate the expression and, if it evaluates to `false`, call
584/// `const_panic!`. This is used in place of `assert!` in const contexts to
585/// accommodate old toolchains.
586macro_rules! const_assert {
587 ($e:expr) => {{
588 #[cfg(not(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0))]
589 assert!($e);
590 #[cfg(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0)]
591 {
592 let e = $e;
593 if !e {
594 let _: () = const_panic!(@non_panic concat!("assertion failed: ", stringify!($e)));
595 }
596 }
597 }};
598 ($e:expr, $($args:tt)+) => {{
599 #[cfg(not(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0))]
600 assert!($e, $($args)+);
601 #[cfg(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0)]
602 {
603 let e = $e;
604 if !e {
605 let _: () = const_panic!(@non_panic concat!("assertion failed: ", stringify!($e), ": ", stringify!($arg)), $($args)*);
606 }
607 }
608 }};
609}
610
611/// Like `const_assert!`, but relative to `debug_assert!`.
612macro_rules! const_debug_assert {
613 ($e:expr $(, $msg:expr)?) => {{
614 #[cfg(not(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0))]
615 debug_assert!($e $(, $msg)?);
616 #[cfg(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0)]
617 {
618 // Use this (rather than `#[cfg(debug_assertions)]`) to ensure that
619 // `$e` is always compiled even if it will never be evaluated at
620 // runtime.
621 if cfg!(debug_assertions) {
622 let e = $e;
623 if !e {
624 let _: () = const_panic!(@non_panic concat!("assertion failed: ", stringify!($e) $(, ": ", $msg)?));
625 }
626 }
627 }
628 }}
629}
630
631/// Either invoke `unreachable!()` or `loop {}` depending on whether the Rust
632/// toolchain supports panicking in `const fn`.
633macro_rules! const_unreachable {
634 () => {{
635 #[cfg(not(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0))]
636 unreachable!();
637
638 #[cfg(no_zerocopy_panic_in_const_and_vec_try_reserve_1_57_0)]
639 loop {}
640 }};
641}
642
643/// Asserts at compile time that `$condition` is true for `Self` or the given
644/// `$tyvar`s. Unlike `const_assert`, this is *strictly* a compile-time check;
645/// it cannot be evaluated in a runtime context. The condition is checked after
646/// monomorphization and, upon failure, emits a compile error.
647macro_rules! static_assert {
648 (Self $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )? => $condition:expr $(, $args:tt)*) => {{
649 trait StaticAssert {
650 const ASSERT: bool;
651 }
652
653 impl<T $(: $(? $optbound +)* $($bound +)*)?> StaticAssert for T {
654 const ASSERT: bool = {
655 const_assert!($condition $(, $args)*);
656 $condition
657 };
658 }
659
660 const_assert!(<Self as StaticAssert>::ASSERT);
661 }};
662 ($($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?),* => $condition:expr $(, $args:tt)*) => {{
663 trait StaticAssert {
664 const ASSERT: bool;
665 }
666
667 // NOTE: We use `PhantomData` so we can support unsized types.
668 impl<$($tyvar $(: $(? $optbound +)* $($bound +)*)?,)*> StaticAssert for ($(core::marker::PhantomData<$tyvar>,)*) {
669 const ASSERT: bool = {
670 const_assert!($condition $(, $args)*);
671 $condition
672 };
673 }
674
675 const_assert!(<($(core::marker::PhantomData<$tyvar>,)*) as StaticAssert>::ASSERT);
676 }};
677}
678
679/// Assert at compile time that `tyvar` does not have a zero-sized DST
680/// component.
681macro_rules! static_assert_dst_is_not_zst {
682 ($tyvar:ident) => {{
683 use crate::KnownLayout;
684 static_assert!($tyvar: ?Sized + KnownLayout => {
685 let dst_is_zst = match $tyvar::LAYOUT.size_info {
686 crate::SizeInfo::Sized { .. } => false,
687 crate::SizeInfo::SliceDst(TrailingSliceLayout { elem_size, .. }) => {
688 elem_size == 0
689 }
690 };
691 !dst_is_zst
692 }, "cannot call this method on a dynamically-sized type whose trailing slice element is zero-sized");
693 }}
694}
695
696/// # Safety
697///
698/// The caller must ensure that the cast does not grow the size of the referent.
699/// Preserving or shrinking the size of the referent are both acceptable.
700macro_rules! cast {
701 ($p:expr) => {{
702 let ptr: crate::pointer::PtrInner<'_, _> = $p;
703 let ptr = ptr.as_non_null();
704 let ptr = ptr.as_ptr();
705 #[allow(clippy::as_conversions)]
706 let ptr = ptr as *mut _;
707 #[allow(unused_unsafe)]
708 // SAFETY: `NonNull::as_ptr` returns a non-null pointer, so the argument
709 // to `NonNull::new_unchecked` is also non-null.
710 let ptr = unsafe { core::ptr::NonNull::new_unchecked(ptr) };
711 // SAFETY: The caller promises that the cast preserves or shrinks
712 // referent size. By invariant on `$p: PtrInner` (guaranteed by type
713 // annotation above), `$p` refers to a byte range entirely contained
714 // inside of a single allocation, has provenance for that whole byte
715 // range, and will not outlive the allocation. All of these conditions
716 // are preserved when preserving or shrinking referent size.
717 crate::pointer::PtrInner::new(ptr)
718 }};
719}
720
721/// Implements `TransmuteFrom` and `SizeEq` for `T` and `$wrapper<T>`.
722///
723/// # Safety
724///
725/// `T` and `$wrapper<T>` must have the same bit validity, and must have the
726/// same size in the sense of `SizeEq`.
727macro_rules! unsafe_impl_for_transparent_wrapper {
728 (T $(: ?$optbound:ident)? => $wrapper:ident<T>) => {{
729 crate::util::macros::__unsafe();
730
731 use crate::pointer::{TransmuteFrom, PtrInner, SizeEq, invariant::Valid};
732
733 // SAFETY: The caller promises that `T` and `$wrapper<T>` have the same
734 // bit validity.
735 unsafe impl<T $(: ?$optbound)?> TransmuteFrom<T, Valid, Valid> for $wrapper<T> {}
736 // SAFETY: See previous safety comment.
737 unsafe impl<T $(: ?$optbound)?> TransmuteFrom<$wrapper<T>, Valid, Valid> for T {}
738 // SAFETY: The caller promises that `T` and `$wrapper<T>` satisfy
739 // `SizeEq`.
740 unsafe impl<T $(: ?$optbound)?> SizeEq<T> for $wrapper<T> {
741 #[inline(always)]
742 fn cast_from_raw(t: PtrInner<'_, T>) -> PtrInner<'_, $wrapper<T>> {
743 // SAFETY: See previous safety comment.
744 unsafe { cast!(t) }
745 }
746 }
747 // SAFETY: See previous safety comment.
748 unsafe impl<T $(: ?$optbound)?> SizeEq<$wrapper<T>> for T {
749 #[inline(always)]
750 fn cast_from_raw(t: PtrInner<'_, $wrapper<T>>) -> PtrInner<'_, T> {
751 // SAFETY: See previous safety comment.
752 unsafe { cast!(t) }
753 }
754 }
755 }};
756}
757
758macro_rules! impl_transitive_transmute_from {
759 ($($tyvar:ident $(: ?$optbound:ident)?)? => $t:ty => $u:ty => $v:ty) => {
760 const _: () = {
761 use crate::pointer::{TransmuteFrom, PtrInner, SizeEq, invariant::Valid};
762
763 // SAFETY: Since `$u: SizeEq<$t>` and `$v: SizeEq<U>`, this impl is
764 // transitively sound.
765 unsafe impl<$($tyvar $(: ?$optbound)?)?> SizeEq<$t> for $v
766 where
767 $u: SizeEq<$t>,
768 $v: SizeEq<$u>,
769 {
770 #[inline(always)]
771 fn cast_from_raw(t: PtrInner<'_, $t>) -> PtrInner<'_, $v> {
772 let u = <$u as SizeEq<_>>::cast_from_raw(t);
773 <$v as SizeEq<_>>::cast_from_raw(u)
774 }
775 }
776
777 // SAFETY: Since `$u: TransmuteFrom<$t, Valid, Valid>`, it is sound
778 // to transmute a bit-valid `$t` to a bit-valid `$u`. Since `$v:
779 // TransmuteFrom<$u, Valid, Valid>`, it is sound to transmute that
780 // bit-valid `$u` to a bit-valid `$v`.
781 unsafe impl<$($tyvar $(: ?$optbound)?)?> TransmuteFrom<$t, Valid, Valid> for $v
782 where
783 $u: TransmuteFrom<$t, Valid, Valid>,
784 $v: TransmuteFrom<$u, Valid, Valid>,
785 {}
786 };
787 };
788}
789
790#[rustfmt::skip]
791macro_rules! impl_size_eq {
792 ($t:ty, $u:ty) => {
793 const _: () = {
794 use crate::{KnownLayout, pointer::{PtrInner, SizeEq}};
795
796 static_assert!(=> {
797 let t = <$t as KnownLayout>::LAYOUT;
798 let u = <$u as KnownLayout>::LAYOUT;
799 t.align.get() >= u.align.get() && match (t.size_info, u.size_info) {
800 (SizeInfo::Sized { size: t }, SizeInfo::Sized { size: u }) => t == u,
801 (
802 SizeInfo::SliceDst(TrailingSliceLayout { offset: t_offset, elem_size: t_elem_size }),
803 SizeInfo::SliceDst(TrailingSliceLayout { offset: u_offset, elem_size: u_elem_size })
804 ) => t_offset == u_offset && t_elem_size == u_elem_size,
805 _ => false,
806 }
807 });
808
809 // SAFETY: See inline.
810 unsafe impl SizeEq<$t> for $u {
811 #[inline(always)]
812 fn cast_from_raw(t: PtrInner<'_, $t>) -> PtrInner<'_, $u> {
813 // SAFETY: We've asserted that their
814 // `KnownLayout::LAYOUT.size_info`s are equal, and so this
815 // cast is guaranteed to preserve address and referent size.
816 // It trivially preserves provenance.
817 #[allow(clippy::multiple_unsafe_ops_per_block)]
818 unsafe { cast!(t) }
819 }
820 }
821 // SAFETY: See previous safety comment.
822 unsafe impl SizeEq<$u> for $t {
823 #[inline(always)]
824 fn cast_from_raw(u: PtrInner<'_, $u>) -> PtrInner<'_, $t> {
825 // SAFETY: See previous safety comment.
826 #[allow(clippy::multiple_unsafe_ops_per_block)]
827 unsafe { cast!(u) }
828 }
829 }
830 };
831 };
832}
833
834/// Invokes `$blk` in a context in which `$src<$t>` and `$dst<$u>` implement
835/// `SizeEq`.
836///
837/// This macro emits code which implements `SizeEq`, and ensures that the impl
838/// is sound via PME.
839///
840/// # Safety
841///
842/// Inside of `$blk`, the caller must only use `$src` and `$dst` as `$src<$t>`
843/// and `$dst<$u>`. The caller must not use `$src` or `$dst` to wrap any other
844/// types.
845macro_rules! unsafe_with_size_eq {
846 (<$src:ident<$t:ident>, $dst:ident<$u:ident>> $blk:expr) => {{
847 crate::util::macros::__unsafe();
848
849 use crate::{KnownLayout, pointer::PtrInner};
850
851 #[repr(transparent)]
852 struct $src<T: ?Sized>(T);
853
854 #[repr(transparent)]
855 struct $dst<U: ?Sized>(U);
856
857 // SAFETY: Since `$src<T>` is a `#[repr(transparent)]` wrapper around
858 // `T`, it has the same bit validity and size as `T`.
859 unsafe_impl_for_transparent_wrapper!(T: ?Sized => $src<T>);
860
861 // SAFETY: Since `$dst<T>` is a `#[repr(transparent)]` wrapper around
862 // `T`, it has the same bit validity and size as `T`.
863 unsafe_impl_for_transparent_wrapper!(T: ?Sized => $dst<T>);
864
865 // SAFETY: `$src<T>` is a `#[repr(transparent)]` wrapper around `T` with
866 // no added semantics.
867 unsafe impl<T: ?Sized> InvariantsEq<$src<T>> for T {}
868
869 // SAFETY: `$dst<T>` is a `#[repr(transparent)]` wrapper around `T` with
870 // no added semantics.
871 unsafe impl<T: ?Sized> InvariantsEq<$dst<T>> for T {}
872
873 // SAFETY: See inline for the soundness of this impl when
874 // `cast_from_raw` is actually instantiated (otherwise, PMEs may not be
875 // triggered).
876 //
877 // We manually instantiate `cast_from_raw` below to ensure that this PME
878 // can be triggered, and the caller promises not to use `$src` and
879 // `$dst` with any wrapped types other than `$t` and `$u` respectively.
880 unsafe impl<T: ?Sized, U: ?Sized> SizeEq<$src<T>> for $dst<U>
881 where
882 T: KnownLayout<PointerMetadata = usize>,
883 U: KnownLayout<PointerMetadata = usize>,
884 {
885 fn cast_from_raw(src: PtrInner<'_, $src<T>>) -> PtrInner<'_, Self> {
886 // SAFETY: `crate::layout::cast_from_raw` promises to satisfy
887 // the safety invariants of `SizeEq::cast_from_raw`, or to
888 // generate a PME. Since `$src<T>` and `$dst<U>` are
889 // `#[repr(transparent)]` wrappers around `T` and `U`
890 // respectively, a `cast_from_raw` impl which satisfies the
891 // conditions for casting from `NonNull<T>` to `NonNull<U>` also
892 // satisfies the conditions for casting from `NonNull<$src<T>>`
893 // to `NonNull<$dst<U>>`.
894
895 // SAFETY: By the preceding safety comment, this cast preserves
896 // referent size.
897 #[allow(clippy::multiple_unsafe_ops_per_block)]
898 let src: PtrInner<'_, T> = unsafe { cast!(src) };
899 let dst: PtrInner<'_, U> = crate::layout::cast_from_raw(src);
900 // SAFETY: By the preceding safety comment, this cast preserves
901 // referent size.
902 #[allow(clippy::multiple_unsafe_ops_per_block)]
903 unsafe { cast!(dst) }
904 }
905 }
906
907 // See safety comment on the preceding `unsafe impl` block for an
908 // explanation of why we need this block.
909 if 1 == 0 {
910 let ptr = <$t as KnownLayout>::raw_dangling();
911 #[allow(unused_unsafe)]
912 // SAFETY: This call is never executed.
913 #[allow(clippy::multiple_unsafe_ops_per_block)]
914 let ptr = unsafe { crate::pointer::PtrInner::new(ptr) };
915 #[allow(unused_unsafe)]
916 // SAFETY: This call is never executed.
917 #[allow(clippy::multiple_unsafe_ops_per_block)]
918 let ptr = unsafe { cast!(ptr) };
919 let _ = <$dst<$u> as SizeEq<$src<$t>>>::cast_from_raw(ptr);
920 }
921
922 impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for $src<T>[<T>]);
923 impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for $src<T>[<T>]);
924 impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for $src<T>[<T>]);
925 impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for $src<T>[<T>]);
926
927 impl_for_transmute_from!(U: ?Sized + TryFromBytes => TryFromBytes for $dst<U>[<U>]);
928 impl_for_transmute_from!(U: ?Sized + FromBytes => FromBytes for $dst<U>[<U>]);
929 impl_for_transmute_from!(U: ?Sized + FromZeros => FromZeros for $dst<U>[<U>]);
930 impl_for_transmute_from!(U: ?Sized + IntoBytes => IntoBytes for $dst<U>[<U>]);
931
932 // SAFETY: `$src<T>` is a `#[repr(transparent)]` wrapper around `T`, and
933 // so permits interior mutation exactly when `T` does.
934 unsafe_impl!(T: ?Sized + Immutable => Immutable for $src<T>);
935
936 // SAFETY: `$dst<T>` is a `#[repr(transparent)]` wrapper around `T`, and
937 // so permits interior mutation exactly when `T` does.
938 unsafe_impl!(T: ?Sized + Immutable => Immutable for $dst<T>);
939
940 $blk
941 }};
942}
943
944/// A no-op `unsafe fn` for use in macro expansions.
945///
946/// Calling this function in a macro expansion ensures that the macro's caller
947/// must wrap the call in `unsafe { ... }`.
948pub(crate) const unsafe fn __unsafe() {}