/rust/registry/src/index.crates.io-1949cf8c6b5b557f/zerocopy-0.8.47/src/pointer/mod.rs
Line | Count | Source |
1 | | // Copyright 2023 The Fuchsia Authors |
2 | | // |
3 | | // Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0 |
4 | | // <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT |
5 | | // license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option. |
6 | | // This file may not be copied, modified, or distributed except according to |
7 | | // those terms. |
8 | | |
9 | | //! Abstractions over raw pointers. |
10 | | |
11 | | mod inner; |
12 | | #[doc(hidden)] |
13 | | pub mod invariant; |
14 | | mod ptr; |
15 | | mod transmute; |
16 | | |
17 | | #[doc(hidden)] |
18 | | pub use {inner::PtrInner, transmute::*}; |
19 | | #[doc(hidden)] |
20 | | pub use { |
21 | | invariant::{BecauseExclusive, BecauseImmutable, Read}, |
22 | | ptr::*, |
23 | | }; |
24 | | |
25 | | use crate::wrappers::ReadOnly; |
26 | | |
27 | | /// A shorthand for a maybe-valid, maybe-aligned reference. Used as the argument |
28 | | /// to [`TryFromBytes::is_bit_valid`]. |
29 | | /// |
30 | | /// [`TryFromBytes::is_bit_valid`]: crate::TryFromBytes::is_bit_valid |
31 | | pub type Maybe<'a, T, Alignment = invariant::Unaligned> = |
32 | | Ptr<'a, ReadOnly<T>, (invariant::Shared, Alignment, invariant::Initialized)>; |
33 | | |
34 | | /// Checks if the referent is zeroed. |
35 | 0 | pub(crate) fn is_zeroed<T, I>(ptr: Ptr<'_, T, I>) -> bool |
36 | 0 | where |
37 | 0 | T: crate::Immutable + crate::KnownLayout, |
38 | 0 | I: invariant::Invariants<Validity = invariant::Initialized>, |
39 | 0 | I::Aliasing: invariant::Reference, |
40 | | { |
41 | 0 | ptr.as_bytes().as_ref().iter().all(|&byte| byte == 0) |
42 | 0 | } |
43 | | |
44 | | #[doc(hidden)] |
45 | | pub mod cast { |
46 | | use core::{marker::PhantomData, mem}; |
47 | | |
48 | | use crate::{ |
49 | | layout::{SizeInfo, TrailingSliceLayout}, |
50 | | HasField, KnownLayout, PtrInner, |
51 | | }; |
52 | | |
53 | | /// A pointer cast or projection. |
54 | | /// |
55 | | /// # Safety |
56 | | /// |
57 | | /// The implementation of `project` must satisfy its safety post-condition. |
58 | | pub unsafe trait Project<Src: ?Sized, Dst: ?Sized> { |
59 | | /// Projects a pointer from `Src` to `Dst`. |
60 | | /// |
61 | | /// Users should generally not call `project` directly, and instead |
62 | | /// should use high-level APIs like [`PtrInner::project`] or |
63 | | /// [`Ptr::project`]. |
64 | | /// |
65 | | /// [`Ptr::project`]: crate::pointer::Ptr::project |
66 | | /// |
67 | | /// # Safety |
68 | | /// |
69 | | /// The returned pointer refers to a non-strict subset of the bytes of |
70 | | /// `src`'s referent, and has the same provenance as `src`. |
71 | | fn project(src: PtrInner<'_, Src>) -> *mut Dst; |
72 | | } |
73 | | |
74 | | /// A [`Project`] which preserves the address of the referent – a pointer |
75 | | /// cast. |
76 | | /// |
77 | | /// # Safety |
78 | | /// |
79 | | /// A `Cast` projection must preserve the address of the referent. It may |
80 | | /// shrink the set of referent bytes, and it may change the referent's type. |
81 | | pub unsafe trait Cast<Src: ?Sized, Dst: ?Sized>: Project<Src, Dst> {} |
82 | | |
83 | | /// A [`Cast`] which does not shrink the set of referent bytes. |
84 | | /// |
85 | | /// # Safety |
86 | | /// |
87 | | /// A `CastExact` projection must preserve the set of referent bytes. |
88 | | pub unsafe trait CastExact<Src: ?Sized, Dst: ?Sized>: Cast<Src, Dst> {} |
89 | | |
90 | | /// A no-op pointer cast. |
91 | | #[derive(Default, Copy, Clone)] |
92 | | #[allow(missing_debug_implementations)] |
93 | | pub struct IdCast; |
94 | | |
95 | | // SAFETY: `project` returns its argument unchanged, and so it is a |
96 | | // provenance-preserving projection which preserves the set of referent |
97 | | // bytes. |
98 | | unsafe impl<T: ?Sized> Project<T, T> for IdCast { |
99 | | #[inline(always)] |
100 | 392k | fn project(src: PtrInner<'_, T>) -> *mut T { |
101 | 392k | src.as_ptr() |
102 | 392k | } <zerocopy::pointer::cast::IdCast as zerocopy::pointer::cast::Project<[half::binary16::f16], [half::binary16::f16]>>::project Line | Count | Source | 100 | 98.0k | fn project(src: PtrInner<'_, T>) -> *mut T { | 101 | 98.0k | src.as_ptr() | 102 | 98.0k | } |
<zerocopy::pointer::cast::IdCast as zerocopy::pointer::cast::Project<[u16], [u16]>>::project Line | Count | Source | 100 | 98.0k | fn project(src: PtrInner<'_, T>) -> *mut T { | 101 | 98.0k | src.as_ptr() | 102 | 98.0k | } |
<zerocopy::pointer::cast::IdCast as zerocopy::pointer::cast::Project<[half::binary16::f16], [half::binary16::f16]>>::project Line | Count | Source | 100 | 98.0k | fn project(src: PtrInner<'_, T>) -> *mut T { | 101 | 98.0k | src.as_ptr() | 102 | 98.0k | } |
<zerocopy::pointer::cast::IdCast as zerocopy::pointer::cast::Project<[u16], [u16]>>::project Line | Count | Source | 100 | 98.0k | fn project(src: PtrInner<'_, T>) -> *mut T { | 101 | 98.0k | src.as_ptr() | 102 | 98.0k | } |
Unexecuted instantiation: <zerocopy::pointer::cast::IdCast as zerocopy::pointer::cast::Project<_, _>>::project |
103 | | } |
104 | | |
105 | | // SAFETY: The `Project::project` impl preserves referent address. |
106 | | unsafe impl<T: ?Sized> Cast<T, T> for IdCast {} |
107 | | |
108 | | // SAFETY: The `Project::project` impl preserves referent size. |
109 | | unsafe impl<T: ?Sized> CastExact<T, T> for IdCast {} |
110 | | |
111 | | /// A pointer cast which preserves or shrinks the set of referent bytes of |
112 | | /// a statically-sized referent. |
113 | | /// |
114 | | /// # Safety |
115 | | /// |
116 | | /// The implementation of [`Project`] uses a compile-time assertion to |
117 | | /// guarantee that `Dst` is no larger than `Src`. Thus, `CastSized` has a |
118 | | /// sound implementation of [`Project`] for all `Src` and `Dst` – the caller |
119 | | /// may pass any `Src` and `Dst` without being responsible for soundness. |
120 | | #[allow(missing_debug_implementations, missing_copy_implementations)] |
121 | | pub enum CastSized {} |
122 | | |
123 | | // SAFETY: By the `static_assert!`, `Dst` is no larger than `Src`, |
124 | | // and so all casts preserve or shrink the set of referent bytes. All |
125 | | // operations preserve provenance. |
126 | | unsafe impl<Src, Dst> Project<Src, Dst> for CastSized { |
127 | | #[inline(always)] |
128 | 0 | fn project(src: PtrInner<'_, Src>) -> *mut Dst { |
129 | 0 | static_assert!(Src, Dst => mem::size_of::<Src>() >= mem::size_of::<Dst>()); |
130 | 0 | src.as_ptr().cast::<Dst>() |
131 | 0 | } |
132 | | } |
133 | | |
134 | | // SAFETY: The `Project::project` impl preserves referent address. |
135 | | unsafe impl<Src, Dst> Cast<Src, Dst> for CastSized {} |
136 | | |
137 | | /// A pointer cast which preserves the set of referent bytes of a |
138 | | /// statically-sized referent. |
139 | | /// |
140 | | /// # Safety |
141 | | /// |
142 | | /// The implementation of [`Project`] uses a compile-time assertion to |
143 | | /// guarantee that `Dst` has the same size as `Src`. Thus, `CastSizedExact` |
144 | | /// has a sound implementation of [`Project`] for all `Src` and `Dst` – the |
145 | | /// caller may pass any `Src` and `Dst` without being responsible for |
146 | | /// soundness. |
147 | | #[allow(missing_debug_implementations, missing_copy_implementations)] |
148 | | pub enum CastSizedExact {} |
149 | | |
150 | | // SAFETY: By the `static_assert!`, `Dst` has the same size as `Src`, |
151 | | // and so all casts preserve the set of referent bytes. All operations |
152 | | // preserve provenance. |
153 | | unsafe impl<Src, Dst> Project<Src, Dst> for CastSizedExact { |
154 | | #[inline(always)] |
155 | 0 | fn project(src: PtrInner<'_, Src>) -> *mut Dst { |
156 | 0 | static_assert!(Src, Dst => mem::size_of::<Src>() == mem::size_of::<Dst>()); |
157 | 0 | src.as_ptr().cast::<Dst>() |
158 | 0 | } |
159 | | } |
160 | | |
161 | | // SAFETY: The `Project::project_raw` impl preserves referent address. |
162 | | unsafe impl<Src, Dst> Cast<Src, Dst> for CastSizedExact {} |
163 | | |
164 | | // SAFETY: By the `static_assert!`, `Project::project_raw` impl preserves |
165 | | // referent size. |
166 | | unsafe impl<Src, Dst> CastExact<Src, Dst> for CastSizedExact {} |
167 | | |
168 | | /// A pointer cast which preserves or shrinks the set of referent bytes of |
169 | | /// a dynamically-sized referent. |
170 | | /// |
171 | | /// # Safety |
172 | | /// |
173 | | /// The implementation of [`Project`] uses a compile-time assertion to |
174 | | /// guarantee that the cast preserves the set of referent bytes. Thus, |
175 | | /// `CastUnsized` has a sound implementation of [`Project`] for all `Src` |
176 | | /// and `Dst` – the caller may pass any `Src` and `Dst` without being |
177 | | /// responsible for soundness. |
178 | | #[allow(missing_debug_implementations, missing_copy_implementations)] |
179 | | pub enum CastUnsized {} |
180 | | |
181 | | // SAFETY: By the `static_assert!`, `Src` and `Dst` are either: |
182 | | // - Both sized and equal in size |
183 | | // - Both slice DSTs with the same trailing slice offset and element size |
184 | | // and with align_of::<Src>() == align_of::<Dst>(). These ensure that any |
185 | | // given pointer metadata encodes the same size for both `Src` and `Dst` |
186 | | // (note that the alignment is required as it affects the amount of |
187 | | // trailing padding). Thus, `project` preserves the set of referent bytes. |
188 | | unsafe impl<Src, Dst> Project<Src, Dst> for CastUnsized |
189 | | where |
190 | | Src: ?Sized + KnownLayout, |
191 | | Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, |
192 | | { |
193 | | #[inline(always)] |
194 | 0 | fn project(src: PtrInner<'_, Src>) -> *mut Dst { |
195 | | // FIXME: Do we want this to support shrinking casts as well? If so, |
196 | | // we'll need to remove the `CastExact` impl. |
197 | 0 | static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => { |
198 | | let src = <Src as KnownLayout>::LAYOUT; |
199 | | let dst = <Dst as KnownLayout>::LAYOUT; |
200 | | match (src.size_info, dst.size_info) { |
201 | | (SizeInfo::Sized { size: src_size }, SizeInfo::Sized { size: dst_size }) => src_size == dst_size, |
202 | | ( |
203 | | SizeInfo::SliceDst(TrailingSliceLayout { offset: src_offset, elem_size: src_elem_size }), |
204 | | SizeInfo::SliceDst(TrailingSliceLayout { offset: dst_offset, elem_size: dst_elem_size }) |
205 | | ) => src.align.get() == dst.align.get() && src_offset == dst_offset && src_elem_size == dst_elem_size, |
206 | | _ => false, |
207 | | } |
208 | | }); |
209 | | |
210 | 0 | let metadata = Src::pointer_to_metadata(src.as_ptr()); |
211 | 0 | Dst::raw_from_ptr_len(src.as_non_null().cast::<u8>(), metadata).as_ptr() |
212 | 0 | } |
213 | | } |
214 | | |
215 | | // SAFETY: The `Project::project` impl preserves referent address. |
216 | | unsafe impl<Src, Dst> Cast<Src, Dst> for CastUnsized |
217 | | where |
218 | | Src: ?Sized + KnownLayout, |
219 | | Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, |
220 | | { |
221 | | } |
222 | | |
223 | | // SAFETY: By the `static_assert!` in `Project::project`, `Src` and `Dst` |
224 | | // are either: |
225 | | // - Both sized and equal in size |
226 | | // - Both slice DSTs with the same alignment, trailing slice offset, and |
227 | | // element size. These ensure that any given pointer metadata encodes the |
228 | | // same size for both `Src` and `Dst` (note that the alignment is required |
229 | | // as it affects the amount of trailing padding). |
230 | | unsafe impl<Src, Dst> CastExact<Src, Dst> for CastUnsized |
231 | | where |
232 | | Src: ?Sized + KnownLayout, |
233 | | Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>, |
234 | | { |
235 | | } |
236 | | |
237 | | /// A field projection |
238 | | /// |
239 | | /// A `Projection` is a [`Project`] which implements projection by |
240 | | /// delegating to an implementation of [`HasField::project`]. |
241 | | #[allow(missing_debug_implementations, missing_copy_implementations)] |
242 | | pub struct Projection<F: ?Sized, const VARIANT_ID: i128, const FIELD_ID: i128> { |
243 | | _never: core::convert::Infallible, |
244 | | _phantom: PhantomData<F>, |
245 | | } |
246 | | |
247 | | // SAFETY: `HasField::project` has the same safety post-conditions as |
248 | | // `Project::project`. |
249 | | unsafe impl<T: ?Sized, F, const VARIANT_ID: i128, const FIELD_ID: i128> Project<T, T::Type> |
250 | | for Projection<F, VARIANT_ID, FIELD_ID> |
251 | | where |
252 | | T: HasField<F, VARIANT_ID, FIELD_ID>, |
253 | | { |
254 | | #[inline(always)] |
255 | 0 | fn project(src: PtrInner<'_, T>) -> *mut T::Type { |
256 | 0 | T::project(src) |
257 | 0 | } |
258 | | } |
259 | | |
260 | | // SAFETY: All `repr(C)` union fields exist at offset 0 within the union [1], |
261 | | // and so any union projection is actually a cast (ie, preserves address). |
262 | | // |
263 | | // [1] Per |
264 | | // https://doc.rust-lang.org/1.92.0/reference/type-layout.html#reprc-unions, |
265 | | // it's not *technically* guaranteed that non-maximally-sized fields |
266 | | // are at offset 0, but it's clear that this is the intention of `repr(C)` |
267 | | // unions. It says: |
268 | | // |
269 | | // > A union declared with `#[repr(C)]` will have the same size and |
270 | | // > alignment as an equivalent C union declaration in the C language for |
271 | | // > the target platform. |
272 | | // |
273 | | // Note that this only mentions size and alignment, not layout. However, |
274 | | // C unions *do* guarantee that all fields start at offset 0. [2] |
275 | | // |
276 | | // This is also reinforced by |
277 | | // https://doc.rust-lang.org/1.92.0/reference/items/unions.html#r-items.union.fields.offset: |
278 | | // |
279 | | // > Fields might have a non-zero offset (except when the C |
280 | | // > representation is used); in that case the bits starting at the |
281 | | // > offset of the fields are read |
282 | | // |
283 | | // [2] Per https://port70.net/~nsz/c/c11/n1570.html#6.7.2.1p16: |
284 | | // |
285 | | // > The size of a union is sufficient to contain the largest of its |
286 | | // > members. The value of at most one of the members can be stored in a |
287 | | // > union object at any time. A pointer to a union object, suitably |
288 | | // > converted, points to each of its members (or if a member is a |
289 | | // > bit-field, then to the unit in which it resides), and vice versa. |
290 | | // |
291 | | // FIXME(https://github.com/rust-lang/unsafe-code-guidelines/issues/595): |
292 | | // Cite the documentation once it's updated. |
293 | | unsafe impl<T: ?Sized, F, const FIELD_ID: i128> Cast<T, T::Type> |
294 | | for Projection<F, { crate::REPR_C_UNION_VARIANT_ID }, FIELD_ID> |
295 | | where |
296 | | T: HasField<F, { crate::REPR_C_UNION_VARIANT_ID }, FIELD_ID>, |
297 | | { |
298 | | } |
299 | | |
300 | | /// A transitive sequence of projections. |
301 | | /// |
302 | | /// Given `TU: Project` and `UV: Project`, `TransitiveProject<_, TU, UV>` is |
303 | | /// a [`Project`] which projects by applying `TU` followed by `UV`. |
304 | | /// |
305 | | /// If `TU: Cast` and `UV: Cast`, then `TransitiveProject<_, TU, UV>: Cast`. |
306 | | #[allow(missing_debug_implementations)] |
307 | | pub struct TransitiveProject<U: ?Sized, TU, UV> { |
308 | | _never: core::convert::Infallible, |
309 | | _projections: PhantomData<(TU, UV)>, |
310 | | // On our MSRV (1.56), the debuginfo for a tuple containing both an |
311 | | // uninhabited type and a DST causes an ICE. We split `U` from `TU` and |
312 | | // `UV` to avoid this situation. |
313 | | _u: PhantomData<U>, |
314 | | } |
315 | | |
316 | | // SAFETY: Since `TU::project` and `UV::project` are each |
317 | | // provenance-preserving operations which preserve or shrink the set of |
318 | | // referent bytes, so is their composition. |
319 | | unsafe impl<T, U, V, TU, UV> Project<T, V> for TransitiveProject<U, TU, UV> |
320 | | where |
321 | | T: ?Sized, |
322 | | U: ?Sized, |
323 | | V: ?Sized, |
324 | | TU: Project<T, U>, |
325 | | UV: Project<U, V>, |
326 | | { |
327 | | #[inline(always)] |
328 | 0 | fn project(t: PtrInner<'_, T>) -> *mut V { |
329 | 0 | t.project::<_, TU>().project::<_, UV>().as_ptr() |
330 | 0 | } |
331 | | } |
332 | | |
333 | | // SAFETY: Since the `Project::project` impl delegates to `TU::project` and |
334 | | // `UV::project`, and since `TU` and `UV` are `Cast`, the `Project::project` |
335 | | // impl preserves the address of the referent. |
336 | | unsafe impl<T, U, V, TU, UV> Cast<T, V> for TransitiveProject<U, TU, UV> |
337 | | where |
338 | | T: ?Sized, |
339 | | U: ?Sized, |
340 | | V: ?Sized, |
341 | | TU: Cast<T, U>, |
342 | | UV: Cast<U, V>, |
343 | | { |
344 | | } |
345 | | |
346 | | // SAFETY: Since the `Project::project` impl delegates to `TU::project` and |
347 | | // `UV::project`, and since `TU` and `UV` are `CastExact`, the `Project::project` |
348 | | // impl preserves the set of referent bytes. |
349 | | unsafe impl<T, U, V, TU, UV> CastExact<T, V> for TransitiveProject<U, TU, UV> |
350 | | where |
351 | | T: ?Sized, |
352 | | U: ?Sized, |
353 | | V: ?Sized, |
354 | | TU: CastExact<T, U>, |
355 | | UV: CastExact<U, V>, |
356 | | { |
357 | | } |
358 | | |
359 | | /// A cast from `T` to `[u8]`. |
360 | | #[allow(missing_copy_implementations, missing_debug_implementations)] |
361 | | pub struct AsBytesCast; |
362 | | |
363 | | // SAFETY: `project` constructs a pointer with the same address as `src` |
364 | | // and with a referent of the same size as `*src`. It does this using |
365 | | // provenance-preserving operations. |
366 | | // |
367 | | // FIXME(https://github.com/rust-lang/unsafe-code-guidelines/issues/594): |
368 | | // Technically, this proof assumes that `*src` is contiguous (the same is |
369 | | // true of other proofs in this codebase). Is this guaranteed anywhere? |
370 | | unsafe impl<T: ?Sized + KnownLayout> Project<T, [u8]> for AsBytesCast { |
371 | | #[inline(always)] |
372 | 0 | fn project(src: PtrInner<'_, T>) -> *mut [u8] { |
373 | 0 | let bytes = match T::size_of_val_raw(src.as_non_null()) { |
374 | 0 | Some(bytes) => bytes, |
375 | | // SAFETY: `KnownLayout::size_of_val_raw` promises to always |
376 | | // return `Some` so long as the resulting size fits in a |
377 | | // `usize`. By invariant on `PtrInner`, `src` refers to a range |
378 | | // of bytes whose size fits in an `isize`, which implies that it |
379 | | // also fits in a `usize`. |
380 | 0 | None => unsafe { core::hint::unreachable_unchecked() }, |
381 | | }; |
382 | | |
383 | 0 | core::ptr::slice_from_raw_parts_mut(src.as_ptr().cast::<u8>(), bytes) |
384 | 0 | } |
385 | | } |
386 | | |
387 | | // SAFETY: The `Project::project` impl preserves referent address. |
388 | | unsafe impl<T: ?Sized + KnownLayout> Cast<T, [u8]> for AsBytesCast {} |
389 | | |
390 | | // SAFETY: The `Project::project` impl preserves the set of referent bytes. |
391 | | unsafe impl<T: ?Sized + KnownLayout> CastExact<T, [u8]> for AsBytesCast {} |
392 | | |
393 | | /// A cast from any type to `()`. |
394 | | #[allow(missing_copy_implementations, missing_debug_implementations)] |
395 | | pub struct CastToUnit; |
396 | | |
397 | | // SAFETY: The `project` implementation projects to a subset of its |
398 | | // argument's referent using provenance-preserving operations. |
399 | | unsafe impl<T: ?Sized> Project<T, ()> for CastToUnit { |
400 | | #[inline(always)] |
401 | 0 | fn project(src: PtrInner<'_, T>) -> *mut () { |
402 | 0 | src.as_ptr().cast::<()>() |
403 | 0 | } |
404 | | } |
405 | | |
406 | | // SAFETY: The `project` implementation preserves referent address. |
407 | | unsafe impl<T: ?Sized> Cast<T, ()> for CastToUnit {} |
408 | | } |