#![cfg(feature = "extern_crate_alloc")]

#![allow(clippy::duplicated_attributes)]

//! Stuff to boost things in the `alloc` crate.

//!

//! * You must enable the `extern_crate_alloc` feature of `bytemuck` or you will

//!   not be able to use this module! This is generally done by adding the

//!   feature to the dependency in Cargo.toml like so:

//!

//!   `bytemuck = { version = "VERSION_YOU_ARE_USING", features =

//! ["extern_crate_alloc"]}`

use super::*;

#[cfg(target_has_atomic = "ptr")]

use alloc::sync::Arc;

use alloc::{

  alloc::{alloc_zeroed, Layout},

  boxed::Box,

  rc::Rc,

  vec,

  vec::Vec,

};

use core::{

  mem::{size_of_val, ManuallyDrop},

  ops::{Deref, DerefMut},

};

/// As [`try_cast_box`], but unwraps for you.

#[inline]

pub fn cast_box<A: NoUninit, B: AnyBitPattern>(input: Box<A>) -> Box<B> {

  try_cast_box(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a [`Box`].

///

/// On failure you get back an error along with the starting `Box`.

///

/// ## Failure

///

/// * The start and end content type of the `Box` must have the exact same

///   alignment.

/// * The start and end size of the `Box` must have the exact same size.

#[inline]

pub fn try_cast_box<A: NoUninit, B: AnyBitPattern>(

  input: Box<A>,

) -> Result<Box<B>, (PodCastError, Box<A>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    Err((PodCastError::SizeMismatch, input))

  } else {

    // Note(Lokathor): This is much simpler than with the Vec casting!

    let ptr: *mut B = Box::into_raw(input) as *mut B;

    Ok(unsafe { Box::from_raw(ptr) })

  }

}

/// Allocates a `Box<T>` with all of the contents being zeroed out.

///

/// This uses the global allocator to create a zeroed allocation and _then_

/// turns it into a Box. In other words, it's 100% assured that the zeroed data

/// won't be put temporarily on the stack. You can make a box of any size

/// without fear of a stack overflow.

///

/// ## Failure

///

/// This fails if the allocation fails.

#[inline]

pub fn try_zeroed_box<T: Zeroable>() -> Result<Box<T>, ()> {

  if size_of::<T>() == 0 {

    // This will not allocate but simply create an arbitrary non-null

    // aligned pointer, valid for Box for a zero-sized pointee.

    let ptr = core::ptr::NonNull::dangling().as_ptr();

    return Ok(unsafe { Box::from_raw(ptr) });

  }

  let layout = Layout::new::<T>();

  let ptr = unsafe { alloc_zeroed(layout) };

  if ptr.is_null() {

    // we don't know what the error is because `alloc_zeroed` is a dumb API

    Err(())

  } else {

    Ok(unsafe { Box::<T>::from_raw(ptr as *mut T) })

  }

}

/// As [`try_zeroed_box`], but unwraps for you.

#[inline]

pub fn zeroed_box<T: Zeroable>() -> Box<T> {

  try_zeroed_box().unwrap()

}

/// Allocates a `Vec<T>` of length and capacity exactly equal to `length` and

/// all elements zeroed.

///

/// ## Failure

///

/// This fails if the allocation fails, or if a layout cannot be calculated for

/// the allocation.

pub fn try_zeroed_vec<T: Zeroable>(length: usize) -> Result<Vec<T>, ()> {

  if length == 0 {

    Ok(Vec::new())

  } else {

    let boxed_slice = try_zeroed_slice_box(length)?;

    Ok(boxed_slice.into_vec())

  }

}

/// As [`try_zeroed_vec`] but unwraps for you

pub fn zeroed_vec<T: Zeroable>(length: usize) -> Vec<T> {

  try_zeroed_vec(length).unwrap()

}

/// Allocates a `Box<[T]>` with all contents being zeroed out.

///

/// This uses the global allocator to create a zeroed allocation and _then_

/// turns it into a Box. In other words, it's 100% assured that the zeroed data

/// won't be put temporarily on the stack. You can make a box of any size

/// without fear of a stack overflow.

///

/// ## Failure

///

/// This fails if the allocation fails, or if a layout cannot be calculated for

/// the allocation.

#[inline]

pub fn try_zeroed_slice_box<T: Zeroable>(

  length: usize,

) -> Result<Box<[T]>, ()> {

  if size_of::<T>() == 0 || length == 0 {

    // This will not allocate but simply create an arbitrary non-null aligned

    // slice pointer, valid for Box for a zero-sized pointee.

    let ptr = core::ptr::NonNull::dangling().as_ptr();

    let slice_ptr = core::ptr::slice_from_raw_parts_mut(ptr, length);

    return Ok(unsafe { Box::from_raw(slice_ptr) });

  }

  let layout = core::alloc::Layout::array::<T>(length).map_err(|_| ())?;

  let ptr = unsafe { alloc_zeroed(layout) };

  if ptr.is_null() {

    // we don't know what the error is because `alloc_zeroed` is a dumb API

    Err(())

  } else {

    let slice =

      unsafe { core::slice::from_raw_parts_mut(ptr as *mut T, length) };

    Ok(unsafe { Box::<[T]>::from_raw(slice) })

  }

}

/// As [`try_zeroed_slice_box`], but unwraps for you.

pub fn zeroed_slice_box<T: Zeroable>(length: usize) -> Box<[T]> {

  try_zeroed_slice_box(length).unwrap()

}

/// Allocates a `Arc<T>` with all contents being zeroed out.

#[cfg(all(feature = "alloc_uninit", target_has_atomic = "ptr"))]

pub fn zeroed_arc<T: Zeroable>() -> Arc<T> {

  let mut arc = Arc::new_uninit();

  crate::write_zeroes(Arc::get_mut(&mut arc).unwrap()); // unwrap never fails for a newly allocated Arc

  unsafe { arc.assume_init() }

}

/// Allocates a `Arc<[T]>` with all contents being zeroed out.

#[cfg(all(feature = "alloc_uninit", target_has_atomic = "ptr"))]

pub fn zeroed_arc_slice<T: Zeroable>(length: usize) -> Arc<[T]> {

  let mut arc = Arc::new_uninit_slice(length);

  crate::fill_zeroes(Arc::get_mut(&mut arc).unwrap()); // unwrap never fails for a newly allocated Arc

  unsafe { arc.assume_init() }

}

/// Allocates a `Rc<T>` with all contents being zeroed out.

#[cfg(feature = "alloc_uninit")]

pub fn zeroed_rc<T: Zeroable>() -> Rc<T> {

  let mut rc = Rc::new_uninit();

  crate::write_zeroes(Rc::get_mut(&mut rc).unwrap()); // unwrap never fails for a newly allocated Rc

  unsafe { rc.assume_init() }

}

/// Allocates a `Rc<[T]>` with all contents being zeroed out.

#[cfg(feature = "alloc_uninit")]

pub fn zeroed_rc_slice<T: Zeroable>(length: usize) -> Rc<[T]> {

  let mut rc = Rc::new_uninit_slice(length);

  crate::fill_zeroes(Rc::get_mut(&mut rc).unwrap()); // unwrap never fails for a newly allocated Rc

  unsafe { rc.assume_init() }

}

/// As [`try_cast_slice_box`], but unwraps for you.

#[inline]

pub fn cast_slice_box<A: NoUninit, B: AnyBitPattern>(

  input: Box<[A]>,

) -> Box<[B]> {

  try_cast_slice_box(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a `Box<[T]>`.

///

/// On failure you get back an error along with the starting `Box<[T]>`.

///

/// ## Failure

///

/// * The start and end content type of the `Box<[T]>` must have the exact same

///   alignment.

/// * The start and end content size in bytes of the `Box<[T]>` must be the

///   exact same.

#[inline]

pub fn try_cast_slice_box<A: NoUninit, B: AnyBitPattern>(

  input: Box<[A]>,

) -> Result<Box<[B]>, (PodCastError, Box<[A]>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    let input_bytes = size_of_val::<[A]>(&*input);

    if (size_of::<B>() == 0 && input_bytes != 0)

      || (size_of::<B>() != 0 && input_bytes % size_of::<B>() != 0)

    {

      // If the size in bytes of the underlying buffer does not match an exact

      // multiple of the size of B, we cannot cast between them.

      Err((PodCastError::OutputSliceWouldHaveSlop, input))

    } else {

      // Because the size is an exact multiple, we can now change the length

      // of the slice and recreate the Box

      // NOTE: This is a valid operation because according to the docs of

      // std::alloc::GlobalAlloc::dealloc(), the Layout that was used to alloc

      // the block must be the same Layout that is used to dealloc the block.

      // Luckily, Layout only stores two things, the alignment, and the size in

      // bytes. So as long as both of those stay the same, the Layout will

      // remain a valid input to dealloc.

      let length =

        if size_of::<B>() != 0 { input_bytes / size_of::<B>() } else { 0 };

      let box_ptr: *mut A = Box::into_raw(input) as *mut A;

      let ptr: *mut [B] =

        unsafe { core::slice::from_raw_parts_mut(box_ptr as *mut B, length) };

      Ok(unsafe { Box::<[B]>::from_raw(ptr) })

    }

  } else {

    let box_ptr: *mut [A] = Box::into_raw(input);

    let ptr: *mut [B] = box_ptr as *mut [B];

    Ok(unsafe { Box::<[B]>::from_raw(ptr) })

  }

}

/// As [`try_cast_vec`], but unwraps for you.

#[inline]

pub fn cast_vec<A: NoUninit, B: AnyBitPattern>(input: Vec<A>) -> Vec<B> {

  try_cast_vec(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a [`Vec`].

///

/// On failure you get back an error along with the starting `Vec`.

///

/// ## Failure

///

/// * The start and end content type of the `Vec` must have the exact same

///   alignment.

/// * The start and end content size in bytes of the `Vec` must be the exact

///   same.

/// * The start and end capacity in bytes of the `Vec` must be the exact same.

#[inline]

pub fn try_cast_vec<A: NoUninit, B: AnyBitPattern>(

  input: Vec<A>,

) -> Result<Vec<B>, (PodCastError, Vec<A>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    let input_size = size_of_val::<[A]>(&*input);

    let input_capacity = input.capacity() * size_of::<A>();

    if (size_of::<B>() == 0 && input_capacity != 0)

      || (size_of::<B>() != 0

        && (input_size % size_of::<B>() != 0

          || input_capacity % size_of::<B>() != 0))

    {

      // If the size in bytes of the underlying buffer does not match an exact

      // multiple of the size of B, we cannot cast between them.

      // Note that we have to pay special attention to make sure that both

      // length and capacity are valid under B, as we do not want to

      // change which bytes are considered part of the initialized slice

      // of the Vec

      Err((PodCastError::OutputSliceWouldHaveSlop, input))

    } else {

      // Because the size is an exact multiple, we can now change the length and

      // capacity and recreate the Vec

      // NOTE: This is a valid operation because according to the docs of

      // std::alloc::GlobalAlloc::dealloc(), the Layout that was used to alloc

      // the block must be the same Layout that is used to dealloc the block.

      // Luckily, Layout only stores two things, the alignment, and the size in

      // bytes. So as long as both of those stay the same, the Layout will

      // remain a valid input to dealloc.

      // Note(Lokathor): First we record the length and capacity, which don't

      // have any secret provenance metadata.

      let length: usize =

        if size_of::<B>() != 0 { input_size / size_of::<B>() } else { 0 };

      let capacity: usize =

        if size_of::<B>() != 0 { input_capacity / size_of::<B>() } else { 0 };

      // Note(Lokathor): Next we "pre-forget" the old Vec by wrapping with

      // ManuallyDrop, because if we used `core::mem::forget` after taking the

      // pointer then that would invalidate our pointer. In nightly there's a

      // "into raw parts" method, which we can switch this too eventually.

      let mut manual_drop_vec = ManuallyDrop::new(input);

      let vec_ptr: *mut A = manual_drop_vec.as_mut_ptr();

      let ptr: *mut B = vec_ptr as *mut B;

      Ok(unsafe { Vec::from_raw_parts(ptr, length, capacity) })

    }

  } else {

    // Note(Lokathor): First we record the length and capacity, which don't have

    // any secret provenance metadata.

    let length: usize = input.len();

    let capacity: usize = input.capacity();

    // Note(Lokathor): Next we "pre-forget" the old Vec by wrapping with

    // ManuallyDrop, because if we used `core::mem::forget` after taking the

    // pointer then that would invalidate our pointer. In nightly there's a

    // "into raw parts" method, which we can switch this too eventually.

    let mut manual_drop_vec = ManuallyDrop::new(input);

    let vec_ptr: *mut A = manual_drop_vec.as_mut_ptr();

    let ptr: *mut B = vec_ptr as *mut B;

    Ok(unsafe { Vec::from_raw_parts(ptr, length, capacity) })

  }

}

Unexecuted instantiation: bytemuck::allocation::try_cast_vec::<f32, u8>

bytemuck::allocation::try_cast_vec::<u8, u8>

Line

Count

Source

257

1.81k

pub fn try_cast_vec<A: NoUninit, B: AnyBitPattern>(

258

1.81k

  input: Vec<A>,

259

1.81k

) -> Result<Vec<B>, (PodCastError, Vec<A>)> {

260

1.81k

  if align_of::<A>() != align_of::<B>() {

261

0

    Err((PodCastError::AlignmentMismatch, input))

262

1.81k

  } else if size_of::<A>() != size_of::<B>() {

263

0

    let input_size = size_of_val::<[A]>(&*input);

264

0

    let input_capacity = input.capacity() * size_of::<A>();

265

0

    if (size_of::<B>() == 0 && input_capacity != 0)

266

0

      || (size_of::<B>() != 0

267

0

        && (input_size % size_of::<B>() != 0

268

0

          || input_capacity % size_of::<B>() != 0))

269

    {

270

      // If the size in bytes of the underlying buffer does not match an exact

271

      // multiple of the size of B, we cannot cast between them.

272

      // Note that we have to pay special attention to make sure that both

273

      // length and capacity are valid under B, as we do not want to

274

      // change which bytes are considered part of the initialized slice

275

      // of the Vec

276

0

      Err((PodCastError::OutputSliceWouldHaveSlop, input))

277

    } else {

278

      // Because the size is an exact multiple, we can now change the length and

279

      // capacity and recreate the Vec

280

      // NOTE: This is a valid operation because according to the docs of

281

      // std::alloc::GlobalAlloc::dealloc(), the Layout that was used to alloc

282

      // the block must be the same Layout that is used to dealloc the block.

283

      // Luckily, Layout only stores two things, the alignment, and the size in

284

      // bytes. So as long as both of those stay the same, the Layout will

285

      // remain a valid input to dealloc.

286

287

      // Note(Lokathor): First we record the length and capacity, which don't

288

      // have any secret provenance metadata.

289

0

      let length: usize =

290

0

        if size_of::<B>() != 0 { input_size / size_of::<B>() } else { 0 };

291

0

      let capacity: usize =

292

0

        if size_of::<B>() != 0 { input_capacity / size_of::<B>() } else { 0 };

293

      // Note(Lokathor): Next we "pre-forget" the old Vec by wrapping with

294

      // ManuallyDrop, because if we used `core::mem::forget` after taking the

295

      // pointer then that would invalidate our pointer. In nightly there's a

296

      // "into raw parts" method, which we can switch this too eventually.

297

0

      let mut manual_drop_vec = ManuallyDrop::new(input);

298

0

      let vec_ptr: *mut A = manual_drop_vec.as_mut_ptr();

299

0

      let ptr: *mut B = vec_ptr as *mut B;

300

0

      Ok(unsafe { Vec::from_raw_parts(ptr, length, capacity) })

301

    }

302

  } else {

303

    // Note(Lokathor): First we record the length and capacity, which don't have

304

    // any secret provenance metadata.

305

1.81k

    let length: usize = input.len();

306

1.81k

    let capacity: usize = input.capacity();

307

    // Note(Lokathor): Next we "pre-forget" the old Vec by wrapping with

308

    // ManuallyDrop, because if we used `core::mem::forget` after taking the

309

    // pointer then that would invalidate our pointer. In nightly there's a

310

    // "into raw parts" method, which we can switch this too eventually.

311

1.81k

    let mut manual_drop_vec = ManuallyDrop::new(input);

312

1.81k

    let vec_ptr: *mut A = manual_drop_vec.as_mut_ptr();

313

1.81k

    let ptr: *mut B = vec_ptr as *mut B;

314

1.81k

    Ok(unsafe { Vec::from_raw_parts(ptr, length, capacity) })

315

  }

316

1.81k

}

Unexecuted instantiation: bytemuck::allocation::try_cast_vec::<u16, u8>

Unexecuted instantiation: bytemuck::allocation::try_cast_vec::<_, _>

/// This "collects" a slice of pod data into a vec of a different pod type.

///

/// Unlike with [`cast_slice`] and [`cast_slice_mut`], this will always work.

///

/// The output vec will be of a minimal size/capacity to hold the slice given.

///

/// ```rust

/// # use bytemuck::*;

/// let halfwords: [u16; 4] = [5, 6, 7, 8];

/// let vec_of_words: Vec<u32> = pod_collect_to_vec(&halfwords);

/// if cfg!(target_endian = "little") {

///   assert_eq!(&vec_of_words[..], &[0x0006_0005, 0x0008_0007][..])

/// } else {

///   assert_eq!(&vec_of_words[..], &[0x0005_0006, 0x0007_0008][..])

/// }

/// ```

pub fn pod_collect_to_vec<A: NoUninit, B: NoUninit + AnyBitPattern>(

  src: &[A],

) -> Vec<B> {

  let src_size = core::mem::size_of_val(src);

  // Note(Lokathor): dst_count is rounded up so that the dest will always be at

  // least as many bytes as the src.

  let dst_count = src_size / size_of::<B>()

    + if src_size % size_of::<B>() != 0 { 1 } else { 0 };

  let mut dst = vec![B::zeroed(); dst_count];

  let src_bytes: &[u8] = cast_slice(src);

  let dst_bytes: &mut [u8] = cast_slice_mut(&mut dst[..]);

  dst_bytes[..src_size].copy_from_slice(src_bytes);

  dst

}

Unexecuted instantiation: bytemuck::allocation::pod_collect_to_vec::<_, _>

Unexecuted instantiation: bytemuck::allocation::pod_collect_to_vec::<u8, f32>

Unexecuted instantiation: bytemuck::allocation::pod_collect_to_vec::<u8, u16>

/// As [`try_cast_rc`], but unwraps for you.

#[inline]

pub fn cast_rc<A: NoUninit + AnyBitPattern, B: NoUninit + AnyBitPattern>(

  input: Rc<A>,

) -> Rc<B> {

  try_cast_rc(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a [`Rc`].

///

/// On failure you get back an error along with the starting `Rc`.

///

/// The bounds on this function are the same as [`cast_mut`], because a user

/// could call `Rc::get_unchecked_mut` on the output, which could be observable

/// in the input.

///

/// ## Failure

///

/// * The start and end content type of the `Rc` must have the exact same

///   alignment.

/// * The start and end size of the `Rc` must have the exact same size.

#[inline]

pub fn try_cast_rc<A: NoUninit + AnyBitPattern, B: NoUninit + AnyBitPattern>(

  input: Rc<A>,

) -> Result<Rc<B>, (PodCastError, Rc<A>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    Err((PodCastError::SizeMismatch, input))

  } else {

    // Safety: Rc::from_raw requires size and alignment match, which is met.

    let ptr: *const B = Rc::into_raw(input) as *const B;

    Ok(unsafe { Rc::from_raw(ptr) })

  }

}

/// As [`try_cast_arc`], but unwraps for you.

#[inline]

#[cfg(target_has_atomic = "ptr")]

pub fn cast_arc<A: NoUninit + AnyBitPattern, B: NoUninit + AnyBitPattern>(

  input: Arc<A>,

) -> Arc<B> {

  try_cast_arc(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a [`Arc`].

///

/// On failure you get back an error along with the starting `Arc`.

///

/// The bounds on this function are the same as [`cast_mut`], because a user

/// could call `Rc::get_unchecked_mut` on the output, which could be observable

/// in the input.

///

/// ## Failure

///

/// * The start and end content type of the `Arc` must have the exact same

///   alignment.

/// * The start and end size of the `Arc` must have the exact same size.

#[inline]

#[cfg(target_has_atomic = "ptr")]

pub fn try_cast_arc<

  A: NoUninit + AnyBitPattern,

  B: NoUninit + AnyBitPattern,

>(

  input: Arc<A>,

) -> Result<Arc<B>, (PodCastError, Arc<A>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    Err((PodCastError::SizeMismatch, input))

  } else {

    // Safety: Arc::from_raw requires size and alignment match, which is met.

    let ptr: *const B = Arc::into_raw(input) as *const B;

    Ok(unsafe { Arc::from_raw(ptr) })

  }

}

/// As [`try_cast_slice_rc`], but unwraps for you.

#[inline]

pub fn cast_slice_rc<

  A: NoUninit + AnyBitPattern,

  B: NoUninit + AnyBitPattern,

>(

  input: Rc<[A]>,

) -> Rc<[B]> {

  try_cast_slice_rc(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a `Rc<[T]>`.

///

/// On failure you get back an error along with the starting `Rc<[T]>`.

///

/// The bounds on this function are the same as [`cast_mut`], because a user

/// could call `Rc::get_unchecked_mut` on the output, which could be observable

/// in the input.

///

/// ## Failure

///

/// * The start and end content type of the `Rc<[T]>` must have the exact same

///   alignment.

/// * The start and end content size in bytes of the `Rc<[T]>` must be the exact

///   same.

#[inline]

pub fn try_cast_slice_rc<

  A: NoUninit + AnyBitPattern,

  B: NoUninit + AnyBitPattern,

>(

  input: Rc<[A]>,

) -> Result<Rc<[B]>, (PodCastError, Rc<[A]>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    let input_bytes = size_of_val::<[A]>(&*input);

    if (size_of::<B>() == 0 && input_bytes != 0)

      || (size_of::<B>() != 0 && input_bytes % size_of::<B>() != 0)

    {

      // If the size in bytes of the underlying buffer does not match an exact

      // multiple of the size of B, we cannot cast between them.

      Err((PodCastError::OutputSliceWouldHaveSlop, input))

    } else {

      // Because the size is an exact multiple, we can now change the length

      // of the slice and recreate the Rc

      // NOTE: This is a valid operation because according to the docs of

      // std::rc::Rc::from_raw(), the type U that was in the original Rc<U>

      // acquired from Rc::into_raw() must have the same size alignment and

      // size of the type T in the new Rc<T>. So as long as both the size

      // and alignment stay the same, the Rc will remain a valid Rc.

      let length =

        if size_of::<B>() != 0 { input_bytes / size_of::<B>() } else { 0 };

      let rc_ptr: *const A = Rc::into_raw(input) as *const A;

      // Must use ptr::slice_from_raw_parts, because we cannot make an

      // intermediate const reference, because it has mutable provenance,

      // nor an intermediate mutable reference, because it could be aliased.

      let ptr = core::ptr::slice_from_raw_parts(rc_ptr as *const B, length);

      Ok(unsafe { Rc::<[B]>::from_raw(ptr) })

    }

  } else {

    let rc_ptr: *const [A] = Rc::into_raw(input);

    let ptr: *const [B] = rc_ptr as *const [B];

    Ok(unsafe { Rc::<[B]>::from_raw(ptr) })

  }

}

/// As [`try_cast_slice_arc`], but unwraps for you.

#[inline]

#[cfg(target_has_atomic = "ptr")]

pub fn cast_slice_arc<

  A: NoUninit + AnyBitPattern,

  B: NoUninit + AnyBitPattern,

>(

  input: Arc<[A]>,

) -> Arc<[B]> {

  try_cast_slice_arc(input).map_err(|(e, _v)| e).unwrap()

}

/// Attempts to cast the content type of a `Arc<[T]>`.

///

/// On failure you get back an error along with the starting `Arc<[T]>`.

///

/// The bounds on this function are the same as [`cast_mut`], because a user

/// could call `Rc::get_unchecked_mut` on the output, which could be observable

/// in the input.

///

/// ## Failure

///

/// * The start and end content type of the `Arc<[T]>` must have the exact same

///   alignment.

/// * The start and end content size in bytes of the `Arc<[T]>` must be the

///   exact same.

#[inline]

#[cfg(target_has_atomic = "ptr")]

pub fn try_cast_slice_arc<

  A: NoUninit + AnyBitPattern,

  B: NoUninit + AnyBitPattern,

>(

  input: Arc<[A]>,

) -> Result<Arc<[B]>, (PodCastError, Arc<[A]>)> {

  if align_of::<A>() != align_of::<B>() {

    Err((PodCastError::AlignmentMismatch, input))

  } else if size_of::<A>() != size_of::<B>() {

    let input_bytes = size_of_val::<[A]>(&*input);

    if (size_of::<B>() == 0 && input_bytes != 0)

      || (size_of::<B>() != 0 && input_bytes % size_of::<B>() != 0)

    {

      // If the size in bytes of the underlying buffer does not match an exact

      // multiple of the size of B, we cannot cast between them.

      Err((PodCastError::OutputSliceWouldHaveSlop, input))

    } else {

      // Because the size is an exact multiple, we can now change the length

      // of the slice and recreate the Arc

      // NOTE: This is a valid operation because according to the docs of

      // std::sync::Arc::from_raw(), the type U that was in the original Arc<U>

      // acquired from Arc::into_raw() must have the same size alignment and

      // size of the type T in the new Arc<T>. So as long as both the size

      // and alignment stay the same, the Arc will remain a valid Arc.

      let length =

        if size_of::<B>() != 0 { input_bytes / size_of::<B>() } else { 0 };

      let arc_ptr: *const A = Arc::into_raw(input) as *const A;

      // Must use ptr::slice_from_raw_parts, because we cannot make an

      // intermediate const reference, because it has mutable provenance,

      // nor an intermediate mutable reference, because it could be aliased.

      let ptr = core::ptr::slice_from_raw_parts(arc_ptr as *const B, length);

      Ok(unsafe { Arc::<[B]>::from_raw(ptr) })

    }

  } else {

    let arc_ptr: *const [A] = Arc::into_raw(input);

    let ptr: *const [B] = arc_ptr as *const [B];

    Ok(unsafe { Arc::<[B]>::from_raw(ptr) })

  }

}

/// An extension trait for `TransparentWrapper` and alloc types.

pub trait TransparentWrapperAlloc<Inner: ?Sized>:

  TransparentWrapper<Inner>

{

  /// Convert a vec of the inner type into a vec of the wrapper type.

  fn wrap_vec(s: Vec<Inner>) -> Vec<Self>

  where

    Self: Sized,

    Inner: Sized,

  {

    let mut s = ManuallyDrop::new(s);

    let length = s.len();

    let capacity = s.capacity();

    let ptr = s.as_mut_ptr();

    unsafe {

      // SAFETY:

      // * ptr comes from Vec (and will not be double-dropped)

      // * the two types have the identical representation

      // * the len and capacity fields are valid

      Vec::from_raw_parts(ptr as *mut Self, length, capacity)

    }

  }

  /// Convert a box to the inner type into a box to the wrapper

  /// type.

  #[inline]

  fn wrap_box(s: Box<Inner>) -> Box<Self> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the sizes are unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations

      // * Box is guaranteed to have representation identical to a (non-null)

      //   pointer

      // * The pointer comes from a box (and thus satisfies all safety

      //   requirements of Box)

      let inner_ptr: *mut Inner = Box::into_raw(s);

      let wrapper_ptr: *mut Self = transmute!(inner_ptr);

      Box::from_raw(wrapper_ptr)

    }

  }

  /// Convert an [`Rc`] to the inner type into an `Rc` to the wrapper type.

  #[inline]

  fn wrap_rc(s: Rc<Inner>) -> Rc<Self> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the layout of Rc is unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations, and that the size and alignment of Inner

      //   and Self are the same, which meets the safety requirements of

      //   Rc::from_raw

      let inner_ptr: *const Inner = Rc::into_raw(s);

      let wrapper_ptr: *const Self = transmute!(inner_ptr);

      Rc::from_raw(wrapper_ptr)

    }

  }

  /// Convert an [`Arc`] to the inner type into an `Arc` to the wrapper type.

  #[inline]

  #[cfg(target_has_atomic = "ptr")]

  fn wrap_arc(s: Arc<Inner>) -> Arc<Self> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the layout of Arc is unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations, and that the size and alignment of Inner

      //   and Self are the same, which meets the safety requirements of

      //   Arc::from_raw

      let inner_ptr: *const Inner = Arc::into_raw(s);

      let wrapper_ptr: *const Self = transmute!(inner_ptr);

      Arc::from_raw(wrapper_ptr)

    }

  }

  /// Convert a vec of the wrapper type into a vec of the inner type.

  fn peel_vec(s: Vec<Self>) -> Vec<Inner>

  where

    Self: Sized,

    Inner: Sized,

  {

    let mut s = ManuallyDrop::new(s);

    let length = s.len();

    let capacity = s.capacity();

    let ptr = s.as_mut_ptr();

    unsafe {

      // SAFETY:

      // * ptr comes from Vec (and will not be double-dropped)

      // * the two types have the identical representation

      // * the len and capacity fields are valid

      Vec::from_raw_parts(ptr as *mut Inner, length, capacity)

    }

  }

  /// Convert a box to the wrapper type into a box to the inner

  /// type.

  #[inline]

  fn peel_box(s: Box<Self>) -> Box<Inner> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the sizes are unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations

      // * Box is guaranteed to have representation identical to a (non-null)

      //   pointer

      // * The pointer comes from a box (and thus satisfies all safety

      //   requirements of Box)

      let wrapper_ptr: *mut Self = Box::into_raw(s);

      let inner_ptr: *mut Inner = transmute!(wrapper_ptr);

      Box::from_raw(inner_ptr)

    }

  }

  /// Convert an [`Rc`] to the wrapper type into an `Rc` to the inner type.

  #[inline]

  fn peel_rc(s: Rc<Self>) -> Rc<Inner> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the layout of Rc is unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations, and that the size and alignment of Inner

      //   and Self are the same, which meets the safety requirements of

      //   Rc::from_raw

      let wrapper_ptr: *const Self = Rc::into_raw(s);

      let inner_ptr: *const Inner = transmute!(wrapper_ptr);

      Rc::from_raw(inner_ptr)

    }

  }

  /// Convert an [`Arc`] to the wrapper type into an `Arc` to the inner type.

  #[inline]

  #[cfg(target_has_atomic = "ptr")]

  fn peel_arc(s: Arc<Self>) -> Arc<Inner> {

    // The unsafe contract requires that these two have

    // identical representations, and thus identical pointer metadata.

    // Assert that Self and Inner have the same pointer size,

    // which is the best we can do to assert their metadata is the same type

    // on stable.

    assert!(size_of::<*mut Inner>() == size_of::<*mut Self>());

    unsafe {

      // A pointer cast doesn't work here because rustc can't tell that

      // the vtables match (because of the `?Sized` restriction relaxation).

      // A `transmute` doesn't work because the layout of Arc is unspecified.

      //

      // SAFETY:

      // * The unsafe contract requires that pointers to Inner and Self have

      //   identical representations, and that the size and alignment of Inner

      //   and Self are the same, which meets the safety requirements of

      //   Arc::from_raw

      let wrapper_ptr: *const Self = Arc::into_raw(s);

      let inner_ptr: *const Inner = transmute!(wrapper_ptr);

      Arc::from_raw(inner_ptr)

    }

  }

}

impl<I: ?Sized, T: ?Sized + TransparentWrapper<I>> TransparentWrapperAlloc<I>

  for T

{

}

/// As `Box<[u8]>`, but remembers the original alignment.

pub struct BoxBytes {

  // SAFETY: `ptr` is aligned to `layout.align()`, points to

  // `layout.size()` initialized bytes, and, if `layout.size() > 0`,

  // is owned and was allocated with the global allocator with `layout`.

  ptr: NonNull<u8>,

  layout: Layout,

}

// SAFETY: `BoxBytes` is semantically a `Box<[u8], Global>` with a different allocation alignment,

// `Box<[u8], Global>` is `Send + Sync`, and changing the allocation alignment has no thread-safety implications.

unsafe impl Send for BoxBytes {}

// SAFETY: See `Send` impl

unsafe impl Sync for BoxBytes {}

impl Deref for BoxBytes {

  type Target = [u8];

  fn deref(&self) -> &Self::Target {

    // SAFETY: See type invariant.

    unsafe {

      core::slice::from_raw_parts(self.ptr.as_ptr(), self.layout.size())

    }

  }

}

impl DerefMut for BoxBytes {

  fn deref_mut(&mut self) -> &mut Self::Target {

    // SAFETY: See type invariant.

    unsafe {

      core::slice::from_raw_parts_mut(self.ptr.as_ptr(), self.layout.size())

    }

  }

}

impl Drop for BoxBytes {

  fn drop(&mut self) {

    if self.layout.size() != 0 {

      // SAFETY: See type invariant: if `self.layout.size() != 0`, then

      // `self.ptr` is owned and was allocated with `self.layout`.

      unsafe { alloc::alloc::dealloc(self.ptr.as_ptr(), self.layout) };

    }

  }

}

impl<T: ?Sized + sealed::BoxBytesOf> From<Box<T>> for BoxBytes {

  fn from(value: Box<T>) -> Self {

    value.box_bytes_of()

  }

}

mod sealed {

  use crate::{BoxBytes, PodCastError};

  use alloc::boxed::Box;

  pub trait BoxBytesOf {

    fn box_bytes_of(self: Box<Self>) -> BoxBytes;

  }

  pub trait FromBoxBytes {

    fn try_from_box_bytes(

      bytes: BoxBytes,

    ) -> Result<Box<Self>, (PodCastError, BoxBytes)>;

  }

}

impl<T: NoUninit> sealed::BoxBytesOf for T {

  fn box_bytes_of(self: Box<Self>) -> BoxBytes {

    let layout = Layout::new::<T>();

    let ptr = Box::into_raw(self) as *mut u8;

    // SAFETY: Box::into_raw() returns a non-null pointer.

    let ptr = unsafe { NonNull::new_unchecked(ptr) };

    BoxBytes { ptr, layout }

  }

}

impl<T: NoUninit> sealed::BoxBytesOf for [T] {

  fn box_bytes_of(self: Box<Self>) -> BoxBytes {

    let layout = Layout::for_value::<[T]>(&self);

    let ptr = Box::into_raw(self) as *mut u8;

    // SAFETY: Box::into_raw() returns a non-null pointer.

    let ptr = unsafe { NonNull::new_unchecked(ptr) };

    BoxBytes { ptr, layout }

  }

}

impl sealed::BoxBytesOf for str {

  fn box_bytes_of(self: Box<Self>) -> BoxBytes {

    self.into_boxed_bytes().box_bytes_of()

  }

}

impl<T: AnyBitPattern> sealed::FromBoxBytes for T {

  fn try_from_box_bytes(

    bytes: BoxBytes,

  ) -> Result<Box<Self>, (PodCastError, BoxBytes)> {

    let layout = Layout::new::<T>();

    if bytes.layout.align() != layout.align() {

      Err((PodCastError::AlignmentMismatch, bytes))

    } else if bytes.layout.size() != layout.size() {

      Err((PodCastError::SizeMismatch, bytes))

    } else {

      let (ptr, _) = bytes.into_raw_parts();

      // SAFETY: See BoxBytes type invariant.

      Ok(unsafe { Box::from_raw(ptr.as_ptr() as *mut T) })

    }

  }

}

impl<T: AnyBitPattern> sealed::FromBoxBytes for [T] {

  fn try_from_box_bytes(

    bytes: BoxBytes,

  ) -> Result<Box<Self>, (PodCastError, BoxBytes)> {

    let single_layout = Layout::new::<T>();

    if bytes.layout.align() != single_layout.align() {

      Err((PodCastError::AlignmentMismatch, bytes))

    } else if (single_layout.size() == 0 && bytes.layout.size() != 0)

      || (single_layout.size() != 0

        && bytes.layout.size() % single_layout.size() != 0)

    {

      Err((PodCastError::OutputSliceWouldHaveSlop, bytes))

    } else {

      let (ptr, layout) = bytes.into_raw_parts();

      let length = if single_layout.size() != 0 {

        layout.size() / single_layout.size()

      } else {

        0

      };

      let ptr =

        core::ptr::slice_from_raw_parts_mut(ptr.as_ptr() as *mut T, length);

      // SAFETY: See BoxBytes type invariant.

      Ok(unsafe { Box::from_raw(ptr) })

    }

  }

}

/// Re-interprets `Box<T>` as `BoxBytes`.

///

/// `T` must be either [`Sized`] and [`NoUninit`],

/// [`[U]`](slice) where `U: NoUninit`, or [`str`].

#[inline]

pub fn box_bytes_of<T: sealed::BoxBytesOf + ?Sized>(input: Box<T>) -> BoxBytes {

  input.box_bytes_of()

}

/// Re-interprets `BoxBytes` as `Box<T>`.

///

/// `T` must be either [`Sized`] + [`AnyBitPattern`], or

/// [`[U]`](slice) where `U: AnyBitPattern`.

///

/// ## Panics

///

/// This is [`try_from_box_bytes`] but will panic on error and the input will be

/// dropped.

#[inline]

#[cfg_attr(feature = "track_caller", track_caller)]

pub fn from_box_bytes<T: sealed::FromBoxBytes + ?Sized>(

  input: BoxBytes,