// Copyright 2018 The Fuchsia Authors

//

// Licensed under the 2-Clause BSD License <LICENSE-BSD or

// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0

// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT

// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.

// This file may not be copied, modified, or distributed except according to

// those terms.

// After updating the following doc comment, make sure to run the following

// command to update `README.md` based on its contents:

//

//   cargo -q run --manifest-path tools/Cargo.toml -p generate-readme > README.md

//! *<span style="font-size: 100%; color:grey;">Need more out of zerocopy?

//! Submit a [customer request issue][customer-request-issue]!</span>*

//!

//! ***<span style="font-size: 140%">Fast, safe, <span

//! style="color:red;">compile error</span>. Pick two.</span>***

//!

//! Zerocopy makes zero-cost memory manipulation effortless. We write `unsafe`

//! so you don't have to.

//!

//! *Thanks for using zerocopy 0.8! For an overview of what changes from 0.7,

//! check out our [release notes][release-notes], which include a step-by-step

//! guide for upgrading from 0.7.*

//!

//! *Have questions? Need help? Ask the maintainers on [GitHub][github-q-a] or

//! on [Discord][discord]!*

//!

//! [customer-request-issue]: https://github.com/google/zerocopy/issues/new/choose

//! [release-notes]: https://github.com/google/zerocopy/discussions/1680

//! [github-q-a]: https://github.com/google/zerocopy/discussions/categories/q-a

//! [discord]: https://discord.gg/MAvWH2R6zk

//!

//! # Overview

//!

//! ##### Conversion Traits

//!

//! Zerocopy provides four derivable traits for zero-cost conversions:

//! - [`TryFromBytes`] indicates that a type may safely be converted from

//!   certain byte sequences (conditional on runtime checks)

//! - [`FromZeros`] indicates that a sequence of zero bytes represents a valid

//!   instance of a type

//! - [`FromBytes`] indicates that a type may safely be converted from an

//!   arbitrary byte sequence

//! - [`IntoBytes`] indicates that a type may safely be converted *to* a byte

//!   sequence

//!

//! These traits support sized types, slices, and [slice DSTs][slice-dsts].

//!

//! [slice-dsts]: KnownLayout#dynamically-sized-types

//!

//! ##### Marker Traits

//!

//! Zerocopy provides three derivable marker traits that do not provide any

//! functionality themselves, but are required to call certain methods provided

//! by the conversion traits:

//! - [`KnownLayout`] indicates that zerocopy can reason about certain layout

//!   qualities of a type

//! - [`Immutable`] indicates that a type is free from interior mutability,

//!   except by ownership or an exclusive (`&mut`) borrow

//! - [`Unaligned`] indicates that a type's alignment requirement is 1

//!

//! You should generally derive these marker traits whenever possible.

//!

//! ##### Conversion Macros

//!

//! Zerocopy provides six macros for safe casting between types:

//!

//! - ([`try_`][try_transmute])[`transmute`] (conditionally) converts a value of

//!   one type to a value of another type of the same size

//! - ([`try_`][try_transmute_mut])[`transmute_mut`] (conditionally) converts a

//!   mutable reference of one type to a mutable reference of another type of

//!   the same size

//! - ([`try_`][try_transmute_ref])[`transmute_ref`] (conditionally) converts a

//!   mutable or immutable reference of one type to an immutable reference of

//!   another type of the same size

//!

//! These macros perform *compile-time* size and alignment checks, meaning that

//! unconditional casts have zero cost at runtime. Conditional casts do not need

//! to validate size or alignment runtime, but do need to validate contents.

//!

//! These macros cannot be used in generic contexts. For generic conversions,

//! use the methods defined by the [conversion traits](#conversion-traits).

//!

//! ##### Byteorder-Aware Numerics

//!

//! Zerocopy provides byte-order aware integer types that support these

//! conversions; see the [`byteorder`] module. These types are especially useful

//! for network parsing.

//!

//! # Cargo Features

//!

//! - **`alloc`**

//!   By default, `zerocopy` is `no_std`. When the `alloc` feature is enabled,

//!   the `alloc` crate is added as a dependency, and some allocation-related

//!   functionality is added.

//!

//! - **`std`**

//!   By default, `zerocopy` is `no_std`. When the `std` feature is enabled, the

//!   `std` crate is added as a dependency (ie, `no_std` is disabled), and

//!   support for some `std` types is added. `std` implies `alloc`.

//!

//! - **`derive`**

//!   Provides derives for the core marker traits via the `zerocopy-derive`

//!   crate. These derives are re-exported from `zerocopy`, so it is not

//!   necessary to depend on `zerocopy-derive` directly.

//!

//!   However, you may experience better compile times if you instead directly

//!   depend on both `zerocopy` and `zerocopy-derive` in your `Cargo.toml`,

//!   since doing so will allow Rust to compile these crates in parallel. To do

//!   so, do *not* enable the `derive` feature, and list both dependencies in

//!   your `Cargo.toml` with the same leading non-zero version number; e.g:

//!

//!   ```toml

//!   [dependencies]

//!   zerocopy = "0.X"

//!   zerocopy-derive = "0.X"

//!   ```

//!

//!   To avoid the risk of [duplicate import errors][duplicate-import-errors] if

//!   one of your dependencies enables zerocopy's `derive` feature, import

//!   derives as `use zerocopy_derive::*` rather than by name (e.g., `use

//!   zerocopy_derive::FromBytes`).

//!

//! - **`simd`**

//!   When the `simd` feature is enabled, `FromZeros`, `FromBytes`, and

//!   `IntoBytes` impls are emitted for all stable SIMD types which exist on the

//!   target platform. Note that the layout of SIMD types is not yet stabilized,

//!   so these impls may be removed in the future if layout changes make them

//!   invalid. For more information, see the Unsafe Code Guidelines Reference

//!   page on the [layout of packed SIMD vectors][simd-layout].

//!

//! - **`simd-nightly`**

//!   Enables the `simd` feature and adds support for SIMD types which are only

//!   available on nightly. Since these types are unstable, support for any type

//!   may be removed at any point in the future.

//!

//! - **`float-nightly`**

//!   Adds support for the unstable `f16` and `f128` types. These types are

//!   not yet fully implemented and may not be supported on all platforms.

//!

//! [duplicate-import-errors]: https://github.com/google/zerocopy/issues/1587

//! [simd-layout]: https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html

//!

//! # Security Ethos

//!

//! Zerocopy is expressly designed for use in security-critical contexts. We

//! strive to ensure that that zerocopy code is sound under Rust's current

//! memory model, and *any future memory model*. We ensure this by:

//! - **...not 'guessing' about Rust's semantics.**

//!   We annotate `unsafe` code with a precise rationale for its soundness that

//!   cites a relevant section of Rust's official documentation. When Rust's

//!   documented semantics are unclear, we work with the Rust Operational

//!   Semantics Team to clarify Rust's documentation.

//! - **...rigorously testing our implementation.**

//!   We run tests using [Miri], ensuring that zerocopy is sound across a wide

//!   array of supported target platforms of varying endianness and pointer

//!   width, and across both current and experimental memory models of Rust.

//! - **...formally proving the correctness of our implementation.**

//!   We apply formal verification tools like [Kani][kani] to prove zerocopy's

//!   correctness.

//!

//! For more information, see our full [soundness policy].

//!

//! [Miri]: https://github.com/rust-lang/miri

//! [Kani]: https://github.com/model-checking/kani

//! [soundness policy]: https://github.com/google/zerocopy/blob/main/POLICIES.md#soundness

//!

//! # Relationship to Project Safe Transmute

//!

//! [Project Safe Transmute] is an official initiative of the Rust Project to

//! develop language-level support for safer transmutation. The Project consults

//! with crates like zerocopy to identify aspects of safer transmutation that

//! would benefit from compiler support, and has developed an [experimental,

//! compiler-supported analysis][mcp-transmutability] which determines whether,

//! for a given type, any value of that type may be soundly transmuted into

//! another type. Once this functionality is sufficiently mature, zerocopy

//! intends to replace its internal transmutability analysis (implemented by our

//! custom derives) with the compiler-supported one. This change will likely be

//! an implementation detail that is invisible to zerocopy's users.

//!

//! Project Safe Transmute will not replace the need for most of zerocopy's

//! higher-level abstractions. The experimental compiler analysis is a tool for

//! checking the soundness of `unsafe` code, not a tool to avoid writing

//! `unsafe` code altogether. For the foreseeable future, crates like zerocopy

//! will still be required in order to provide higher-level abstractions on top

//! of the building block provided by Project Safe Transmute.

//!

//! [Project Safe Transmute]: https://rust-lang.github.io/rfcs/2835-project-safe-transmute.html

//! [mcp-transmutability]: https://github.com/rust-lang/compiler-team/issues/411

//!

//! # MSRV

//!

//! See our [MSRV policy].

//!

//! [MSRV policy]: https://github.com/google/zerocopy/blob/main/POLICIES.md#msrv

//!

//! # Changelog

//!

//! Zerocopy uses [GitHub Releases].

//!

//! [GitHub Releases]: https://github.com/google/zerocopy/releases

//!

//! # Thanks

//!

//! Zerocopy is maintained by engineers at Google and Amazon with help from

//! [many wonderful contributors][contributors]. Thank you to everyone who has

//! lent a hand in making Rust a little more secure!

//!

//! [contributors]: https://github.com/google/zerocopy/graphs/contributors

// Sometimes we want to use lints which were added after our MSRV.

// `unknown_lints` is `warn` by default and we deny warnings in CI, so without

// this attribute, any unknown lint would cause a CI failure when testing with

// our MSRV.

#![allow(unknown_lints, non_local_definitions, unreachable_patterns)]

#![deny(renamed_and_removed_lints)]

#![deny(

    anonymous_parameters,

    deprecated_in_future,

    late_bound_lifetime_arguments,

    missing_copy_implementations,

    missing_debug_implementations,

    missing_docs,

    path_statements,

    patterns_in_fns_without_body,

    rust_2018_idioms,

    trivial_numeric_casts,

    unreachable_pub,

    unsafe_op_in_unsafe_fn,

    unused_extern_crates,

    // We intentionally choose not to deny `unused_qualifications`. When items

    // are added to the prelude (e.g., `core::mem::size_of`), this has the

    // consequence of making some uses trigger this lint on the latest toolchain

    // (e.g., `mem::size_of`), but fixing it (e.g. by replacing with `size_of`)

    // does not work on older toolchains.

    //

    // We tested a more complicated fix in #1413, but ultimately decided that,

    // since this lint is just a minor style lint, the complexity isn't worth it

    // - it's fine to occasionally have unused qualifications slip through,

    // especially since these do not affect our user-facing API in any way.

    variant_size_differences

)]

#![cfg_attr(

    __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS,

    deny(fuzzy_provenance_casts, lossy_provenance_casts)

)]

#![deny(

    clippy::all,

    clippy::alloc_instead_of_core,

    clippy::arithmetic_side_effects,

    clippy::as_underscore,

    clippy::assertions_on_result_states,

    clippy::as_conversions,

    clippy::correctness,

    clippy::dbg_macro,

    clippy::decimal_literal_representation,

    clippy::double_must_use,

    clippy::get_unwrap,

    clippy::indexing_slicing,

    clippy::missing_inline_in_public_items,

    clippy::missing_safety_doc,

    clippy::must_use_candidate,

    clippy::must_use_unit,

    clippy::obfuscated_if_else,

    clippy::perf,

    clippy::print_stdout,

    clippy::return_self_not_must_use,

    clippy::std_instead_of_core,

    clippy::style,

    clippy::suspicious,

    clippy::todo,

    clippy::undocumented_unsafe_blocks,

    clippy::unimplemented,

    clippy::unnested_or_patterns,

    clippy::unwrap_used,

    clippy::use_debug

)]

#![allow(clippy::type_complexity)]

#![deny(

    rustdoc::bare_urls,

    rustdoc::broken_intra_doc_links,

    rustdoc::invalid_codeblock_attributes,

    rustdoc::invalid_html_tags,

    rustdoc::invalid_rust_codeblocks,

    rustdoc::missing_crate_level_docs,

    rustdoc::private_intra_doc_links

)]

// In test code, it makes sense to weight more heavily towards concise, readable

// code over correct or debuggable code.

#![cfg_attr(any(test, kani), allow(

    // In tests, you get line numbers and have access to source code, so panic

    // messages are less important. You also often unwrap a lot, which would

    // make expect'ing instead very verbose.

    clippy::unwrap_used,

    // In tests, there's no harm to "panic risks" - the worst that can happen is

    // that your test will fail, and you'll fix it. By contrast, panic risks in

    // production code introduce the possibly of code panicking unexpectedly "in

    // the field".

    clippy::arithmetic_side_effects,

    clippy::indexing_slicing,

))]

#![cfg_attr(not(any(test, feature = "std")), no_std)]

#![cfg_attr(

    all(feature = "simd-nightly", any(target_arch = "x86", target_arch = "x86_64")),

    feature(stdarch_x86_avx512)

)]

#![cfg_attr(

    all(feature = "simd-nightly", target_arch = "arm"),

    feature(stdarch_arm_dsp, stdarch_arm_neon_intrinsics)

)]

#![cfg_attr(

    all(feature = "simd-nightly", any(target_arch = "powerpc", target_arch = "powerpc64")),

    feature(stdarch_powerpc)

)]

#![cfg_attr(feature = "float-nightly", feature(f16, f128))]

#![cfg_attr(doc_cfg, feature(doc_cfg))]

#![cfg_attr(

    __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS,

    feature(layout_for_ptr, coverage_attribute)

)]

// This is a hack to allow zerocopy-derive derives to work in this crate. They

// assume that zerocopy is linked as an extern crate, so they access items from

// it as `zerocopy::Xxx`. This makes that still work.

#[cfg(any(feature = "derive", test))]

extern crate self as zerocopy;

#[doc(hidden)]

#[macro_use]

pub mod util;

pub mod byte_slice;

pub mod byteorder;

mod deprecated;

// This module is `pub` so that zerocopy's error types and error handling

// documentation is grouped together in a cohesive module. In practice, we

// expect most users to use the re-export of `error`'s items to avoid identifier

// stuttering.

pub mod error;

mod impls;

#[doc(hidden)]

pub mod layout;

mod macros;

#[doc(hidden)]

pub mod pointer;

mod r#ref;

// TODO(#252): If we make this pub, come up with a better name.

mod wrappers;

pub use crate::byte_slice::*;

pub use crate::byteorder::*;

pub use crate::error::*;

pub use crate::r#ref::*;

pub use crate::wrappers::*;

use core::{

    cell::UnsafeCell,

    cmp::Ordering,

    fmt::{self, Debug, Display, Formatter},

    hash::Hasher,

    marker::PhantomData,

    mem::{self, ManuallyDrop, MaybeUninit as CoreMaybeUninit},

    num::{

        NonZeroI128, NonZeroI16, NonZeroI32, NonZeroI64, NonZeroI8, NonZeroIsize, NonZeroU128,

        NonZeroU16, NonZeroU32, NonZeroU64, NonZeroU8, NonZeroUsize, Wrapping,

    },

    ops::{Deref, DerefMut},

    ptr::{self, NonNull},

    slice,

};

#[cfg(feature = "std")]

use std::io;

use crate::pointer::{invariant, BecauseExclusive};

#[cfg(any(feature = "alloc", test))]

extern crate alloc;

#[cfg(any(feature = "alloc", test))]

use alloc::{boxed::Box, vec::Vec};

#[cfg(any(feature = "alloc", test, kani))]

use core::alloc::Layout;

// Used by `TryFromBytes::is_bit_valid`.

#[doc(hidden)]

pub use crate::pointer::{BecauseImmutable, Maybe, MaybeAligned, Ptr};

// Used by `KnownLayout`.

#[doc(hidden)]

pub use crate::layout::*;

// For each trait polyfill, as soon as the corresponding feature is stable, the

// polyfill import will be unused because method/function resolution will prefer

// the inherent method/function over a trait method/function. Thus, we suppress

// the `unused_imports` warning.

//

// See the documentation on `util::polyfills` for more information.

#[allow(unused_imports)]

use crate::util::polyfills::{self, NonNullExt as _, NumExt as _};

#[rustversion::nightly]

#[cfg(all(test, not(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)))]

const _: () = {

    #[deprecated = "some tests may be skipped due to missing RUSTFLAGS=\"--cfg __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS\""]

    const _WARNING: () = ();

    #[warn(deprecated)]

    _WARNING

};

// These exist so that code which was written against the old names will get

// less confusing error messages when they upgrade to a more recent version of

// zerocopy. On our MSRV toolchain, the error messages read, for example:

//

//   error[E0603]: trait `FromZeroes` is private

//       --> examples/deprecated.rs:1:15

//        |

//   1    | use zerocopy::FromZeroes;

//        |               ^^^^^^^^^^ private trait

//        |

//   note: the trait `FromZeroes` is defined here

//       --> /Users/josh/workspace/zerocopy/src/lib.rs:1845:5

//        |

//   1845 | use FromZeros as FromZeroes;

//        |     ^^^^^^^^^^^^^^^^^^^^^^^

//

// The "note" provides enough context to make it easy to figure out how to fix

// the error.

#[allow(unused)]

use {FromZeros as FromZeroes, IntoBytes as AsBytes, Ref as LayoutVerified};

/// Implements [`KnownLayout`].

///

/// This derive analyzes various aspects of a type's layout that are needed for

/// some of zerocopy's APIs. It can be applied to structs, enums, and unions;

/// e.g.:

///

/// ```

/// # use zerocopy_derive::KnownLayout;

/// #[derive(KnownLayout)]

/// struct MyStruct {

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(KnownLayout)]

/// enum MyEnum {

/// #   V00,

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(KnownLayout)]

/// union MyUnion {

/// #   variant: u8,

/// # /*

///     ...

/// # */

/// }

/// ```

///

/// # Limitations

///

/// This derive cannot currently be applied to unsized structs without an

/// explicit `repr` attribute.

///

/// Some invocations of this derive run afoul of a [known bug] in Rust's type

/// privacy checker. For example, this code:

///

/// ```compile_fail,E0446

/// use zerocopy::*;

/// # use zerocopy_derive::*;

///

/// #[derive(KnownLayout)]

/// #[repr(C)]

/// pub struct PublicType {

///     leading: Foo,

///     trailing: Bar,

/// }

///

/// #[derive(KnownLayout)]

/// struct Foo;

///

/// #[derive(KnownLayout)]

/// struct Bar;

/// ```

///

/// ...results in a compilation error:

///

/// ```text

/// error[E0446]: private type `Bar` in public interface

///  --> examples/bug.rs:3:10

///    |

/// 3  | #[derive(KnownLayout)]

///    |          ^^^^^^^^^^^ can't leak private type

/// ...

/// 14 | struct Bar;

///    | ---------- `Bar` declared as private

///    |

///    = note: this error originates in the derive macro `KnownLayout` (in Nightly builds, run with -Z macro-backtrace for more info)

/// ```

///

/// This issue arises when `#[derive(KnownLayout)]` is applied to `repr(C)`

/// structs whose trailing field type is less public than the enclosing struct.

///

/// To work around this, mark the trailing field type `pub` and annotate it with

/// `#[doc(hidden)]`; e.g.:

///

/// ```no_run

/// use zerocopy::*;

/// # use zerocopy_derive::*;

///

/// #[derive(KnownLayout)]

/// #[repr(C)]

/// pub struct PublicType {

///     leading: Foo,

///     trailing: Bar,

/// }

///

/// #[derive(KnownLayout)]

/// struct Foo;

///

/// #[doc(hidden)]

/// #[derive(KnownLayout)]

/// pub struct Bar; // <- `Bar` is now also `pub`

/// ```

///

/// [known bug]: https://github.com/rust-lang/rust/issues/45713

#[cfg(any(feature = "derive", test))]

#[cfg_attr(doc_cfg, doc(cfg(feature = "derive")))]

pub use zerocopy_derive::KnownLayout;

/// Indicates that zerocopy can reason about certain aspects of a type's layout.

///

/// This trait is required by many of zerocopy's APIs. It supports sized types,

/// slices, and [slice DSTs](#dynamically-sized-types).

///

/// # Implementation

///

/// **Do not implement this trait yourself!** Instead, use

/// [`#[derive(KnownLayout)]`][derive]; e.g.:

///

/// ```

/// # use zerocopy_derive::KnownLayout;

/// #[derive(KnownLayout)]

/// struct MyStruct {

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(KnownLayout)]

/// enum MyEnum {

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(KnownLayout)]

/// union MyUnion {

/// #   variant: u8,

/// # /*

///     ...

/// # */

/// }

/// ```

///

/// This derive performs a sophisticated analysis to deduce the layout

/// characteristics of types. You **must** implement this trait via the derive.

///

/// # Dynamically-sized types

///

/// `KnownLayout` supports slice-based dynamically sized types ("slice DSTs").

///

/// A slice DST is a type whose trailing field is either a slice or another

/// slice DST, rather than a type with fixed size. For example:

///

/// ```

/// #[repr(C)]

/// struct PacketHeader {

/// # /*

///     ...

/// # */

/// }

///

/// #[repr(C)]

/// struct Packet {

///     header: PacketHeader,

///     body: [u8],

/// }

/// ```

///

/// It can be useful to think of slice DSTs as a generalization of slices - in

/// other words, a normal slice is just the special case of a slice DST with

/// zero leading fields. In particular:

/// - Like slices, slice DSTs can have different lengths at runtime

/// - Like slices, slice DSTs cannot be passed by-value, but only by reference

///   or via other indirection such as `Box`

/// - Like slices, a reference (or `Box`, or other pointer type) to a slice DST

///   encodes the number of elements in the trailing slice field

///

/// ## Slice DST layout

///

/// Just like other composite Rust types, the layout of a slice DST is not

/// well-defined unless it is specified using an explicit `#[repr(...)]`

/// attribute such as `#[repr(C)]`. [Other representations are

/// supported][reprs], but in this section, we'll use `#[repr(C)]` as our

/// example.

///

/// A `#[repr(C)]` slice DST is laid out [just like sized `#[repr(C)]`

/// types][repr-c-structs], but the presenence of a variable-length field

/// introduces the possibility of *dynamic padding*. In particular, it may be

/// necessary to add trailing padding *after* the trailing slice field in order

/// to satisfy the outer type's alignment, and the amount of padding required

/// may be a function of the length of the trailing slice field. This is just a

/// natural consequence of the normal `#[repr(C)]` rules applied to slice DSTs,

/// but it can result in surprising behavior. For example, consider the

/// following type:

///

/// ```

/// #[repr(C)]

/// struct Foo {

///     a: u32,

///     b: u8,

///     z: [u16],

/// }

/// ```

///

/// Assuming that `u32` has alignment 4 (this is not true on all platforms),

/// then `Foo` has alignment 4 as well. Here is the smallest possible value for

/// `Foo`:

///

/// ```text

/// byte offset | 01234567

///       field | aaaab---

///                    ><

/// ```

///

/// In this value, `z` has length 0. Abiding by `#[repr(C)]`, the lowest offset

/// that we can place `z` at is 5, but since `z` has alignment 2, we need to

/// round up to offset 6. This means that there is one byte of padding between

/// `b` and `z`, then 0 bytes of `z` itself (denoted `><` in this diagram), and

/// then two bytes of padding after `z` in order to satisfy the overall

/// alignment of `Foo`. The size of this instance is 8 bytes.

///

/// What about if `z` has length 1?

///

/// ```text

/// byte offset | 01234567

///       field | aaaab-zz

/// ```

///

/// In this instance, `z` has length 1, and thus takes up 2 bytes. That means

/// that we no longer need padding after `z` in order to satisfy `Foo`'s

/// alignment. We've now seen two different values of `Foo` with two different

/// lengths of `z`, but they both have the same size - 8 bytes.

///

/// What about if `z` has length 2?

///

/// ```text

/// byte offset | 012345678901

///       field | aaaab-zzzz--

/// ```

///

/// Now `z` has length 2, and thus takes up 4 bytes. This brings our un-padded

/// size to 10, and so we now need another 2 bytes of padding after `z` to

/// satisfy `Foo`'s alignment.

///

/// Again, all of this is just a logical consequence of the `#[repr(C)]` rules

/// applied to slice DSTs, but it can be surprising that the amount of trailing

/// padding becomes a function of the trailing slice field's length, and thus

/// can only be computed at runtime.

///

/// [reprs]: https://doc.rust-lang.org/reference/type-layout.html#representations

/// [repr-c-structs]: https://doc.rust-lang.org/reference/type-layout.html#reprc-structs

///

/// ## What is a valid size?

///

/// There are two places in zerocopy's API that we refer to "a valid size" of a

/// type. In normal casts or conversions, where the source is a byte slice, we

/// need to know whether the source byte slice is a valid size of the

/// destination type. In prefix or suffix casts, we need to know whether *there

/// exists* a valid size of the destination type which fits in the source byte

/// slice and, if so, what the largest such size is.

///

/// As outlined above, a slice DST's size is defined by the number of elements

/// in its trailing slice field. However, there is not necessarily a 1-to-1

/// mapping between trailing slice field length and overall size. As we saw in

/// the previous section with the type `Foo`, instances with both 0 and 1

/// elements in the trailing `z` field result in a `Foo` whose size is 8 bytes.

///

/// When we say "x is a valid size of `T`", we mean one of two things:

/// - If `T: Sized`, then we mean that `x == size_of::<T>()`

/// - If `T` is a slice DST, then we mean that there exists a `len` such that the instance of

///   `T` with `len` trailing slice elements has size `x`

///

/// When we say "largest possible size of `T` that fits in a byte slice", we

/// mean one of two things:

/// - If `T: Sized`, then we mean `size_of::<T>()` if the byte slice is at least

///   `size_of::<T>()` bytes long

/// - If `T` is a slice DST, then we mean to consider all values, `len`, such

///   that the instance of `T` with `len` trailing slice elements fits in the

///   byte slice, and to choose the largest such `len`, if any

///

///

/// # Safety

///

/// This trait does not convey any safety guarantees to code outside this crate.

///

/// You must not rely on the `#[doc(hidden)]` internals of `KnownLayout`. Future

/// releases of zerocopy may make backwards-breaking changes to these items,

/// including changes that only affect soundness, which may cause code which

/// uses those items to silently become unsound.

///

#[cfg_attr(feature = "derive", doc = "[derive]: zerocopy_derive::KnownLayout")]

#[cfg_attr(

    not(feature = "derive"),

    doc = concat!("[derive]: https://docs.rs/zerocopy/", env!("CARGO_PKG_VERSION"), "/zerocopy/derive.KnownLayout.html"),

)]

#[cfg_attr(

    zerocopy_diagnostic_on_unimplemented_1_78_0,

    diagnostic::on_unimplemented(note = "Consider adding `#[derive(KnownLayout)]` to `{Self}`")

)]

pub unsafe trait KnownLayout {

    // The `Self: Sized` bound makes it so that `KnownLayout` can still be

    // object safe. It's not currently object safe thanks to `const LAYOUT`, and

    // it likely won't be in the future, but there's no reason not to be

    // forwards-compatible with object safety.

    #[doc(hidden)]

    fn only_derive_is_allowed_to_implement_this_trait()

    where

        Self: Sized;

    /// The type of metadata stored in a pointer to `Self`.

    ///

    /// This is `()` for sized types and `usize` for slice DSTs.

    type PointerMetadata: PointerMetadata;

    /// A maybe-uninitialized analog of `Self`

    ///

    /// # Safety

    ///

    /// `Self::LAYOUT` and `Self::MaybeUninit::LAYOUT` are identical.

    /// `Self::MaybeUninit` admits uninitialized bytes in all positions.

    #[doc(hidden)]

    type MaybeUninit: ?Sized + KnownLayout<PointerMetadata = Self::PointerMetadata>;

    /// The layout of `Self`.

    ///

    /// # Safety

    ///

    /// Callers may assume that `LAYOUT` accurately reflects the layout of

    /// `Self`. In particular:

    /// - `LAYOUT.align` is equal to `Self`'s alignment

    /// - If `Self: Sized`, then `LAYOUT.size_info == SizeInfo::Sized { size }`

    ///   where `size == size_of::<Self>()`

    /// - If `Self` is a slice DST, then `LAYOUT.size_info ==

    ///   SizeInfo::SliceDst(slice_layout)` where:

    ///   - The size, `size`, of an instance of `Self` with `elems` trailing

    ///     slice elements is equal to `slice_layout.offset +

    ///     slice_layout.elem_size * elems` rounded up to the nearest multiple

    ///     of `LAYOUT.align`

    ///   - For such an instance, any bytes in the range `[slice_layout.offset +

    ///     slice_layout.elem_size * elems, size)` are padding and must not be

    ///     assumed to be initialized

    #[doc(hidden)]

    const LAYOUT: DstLayout;

    /// SAFETY: The returned pointer has the same address and provenance as

    /// `bytes`. If `Self` is a DST, the returned pointer's referent has `elems`

    /// elements in its trailing slice.

    #[doc(hidden)]

    fn raw_from_ptr_len(bytes: NonNull<u8>, meta: Self::PointerMetadata) -> NonNull<Self>;

    /// Extracts the metadata from a pointer to `Self`.

    ///

    /// # Safety

    ///

    /// `pointer_to_metadata` always returns the correct metadata stored in

    /// `ptr`.

    #[doc(hidden)]

    fn pointer_to_metadata(ptr: *mut Self) -> Self::PointerMetadata;

    /// Computes the length of the byte range addressed by `ptr`.

    ///

    /// Returns `None` if the resulting length would not fit in an `usize`.

    ///

    /// # Safety

    ///

    /// Callers may assume that `size_of_val_raw` always returns the correct

    /// size.

    ///

    /// Callers may assume that, if `ptr` addresses a byte range whose length

    /// fits in an `usize`, this will return `Some`.

    #[doc(hidden)]

    #[must_use]

    #[inline(always)]

    fn size_of_val_raw(ptr: NonNull<Self>) -> Option<usize> {

        let meta = Self::pointer_to_metadata(ptr.as_ptr());

        // SAFETY: `size_for_metadata` promises to only return `None` if the

        // resulting size would not fit in a `usize`.

        meta.size_for_metadata(Self::LAYOUT)

    }

}

/// The metadata associated with a [`KnownLayout`] type.

#[doc(hidden)]

pub trait PointerMetadata: Copy + Eq + Debug {

    /// Constructs a `Self` from an element count.

    ///

    /// If `Self = ()`, this returns `()`. If `Self = usize`, this returns

    /// `elems`. No other types are currently supported.

    fn from_elem_count(elems: usize) -> Self;

    /// Computes the size of the object with the given layout and pointer

    /// metadata.

    ///

    /// # Panics

    ///

    /// If `Self = ()`, `layout` must describe a sized type. If `Self = usize`,

    /// `layout` must describe a slice DST. Otherwise, `size_for_metadata` may

    /// panic.

    ///

    /// # Safety

    ///

    /// `size_for_metadata` promises to only return `None` if the resulting size

    /// would not fit in a `usize`.

    fn size_for_metadata(&self, layout: DstLayout) -> Option<usize>;

}

impl PointerMetadata for () {

    #[inline]

    #[allow(clippy::unused_unit)]

    fn from_elem_count(_elems: usize) -> () {}

    #[inline]

    fn size_for_metadata(&self, layout: DstLayout) -> Option<usize> {

        match layout.size_info {

            SizeInfo::Sized { size } => Some(size),

            // NOTE: This branch is unreachable, but we return `None` rather

            // than `unreachable!()` to avoid generating panic paths.

            SizeInfo::SliceDst(_) => None,

        }

    }

}

impl PointerMetadata for usize {

    #[inline]

    fn from_elem_count(elems: usize) -> usize {

        elems

    }

    #[inline]

    fn size_for_metadata(&self, layout: DstLayout) -> Option<usize> {

        match layout.size_info {

            SizeInfo::SliceDst(TrailingSliceLayout { offset, elem_size }) => {

                let slice_len = elem_size.checked_mul(*self)?;

                let without_padding = offset.checked_add(slice_len)?;

                without_padding.checked_add(util::padding_needed_for(without_padding, layout.align))

            }

            // NOTE: This branch is unreachable, but we return `None` rather

            // than `unreachable!()` to avoid generating panic paths.

            SizeInfo::Sized { .. } => None,

        }

    }

}

// SAFETY: Delegates safety to `DstLayout::for_slice`.

unsafe impl<T> KnownLayout for [T] {

    #[allow(clippy::missing_inline_in_public_items)]

    #[cfg_attr(

        all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS),

        coverage(off)

    )]

    fn only_derive_is_allowed_to_implement_this_trait()

    where

        Self: Sized,

    {

    }

    type PointerMetadata = usize;

    // SAFETY: `CoreMaybeUninit<T>::LAYOUT` and `T::LAYOUT` are identical

    // because `CoreMaybeUninit<T>` has the same size and alignment as `T` [1].

    // Consequently, `[CoreMaybeUninit<T>]::LAYOUT` and `[T]::LAYOUT` are

    // identical, because they both lack a fixed-sized prefix and because they

    // inherit the alignments of their inner element type (which are identical)

    // [2][3].

    //

    // `[CoreMaybeUninit<T>]` admits uninitialized bytes at all positions

    // because `CoreMaybeUninit<T>` admits uninitialized bytes at all positions

    // and because the inner elements of `[CoreMaybeUninit<T>]` are laid out

    // back-to-back [2][3].

    //

    // [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:

    //

    //   `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI as

    //   `T`

    //

    // [2] Per https://doc.rust-lang.org/1.82.0/reference/type-layout.html#slice-layout:

    //

    //   Slices have the same layout as the section of the array they slice.

    //

    // [3] Per https://doc.rust-lang.org/1.82.0/reference/type-layout.html#array-layout:

    //

    //   An array of `[T; N]` has a size of `size_of::<T>() * N` and the same

    //   alignment of `T`. Arrays are laid out so that the zero-based `nth`

    //   element of the array is offset from the start of the array by `n *

    //   size_of::<T>()` bytes.

    type MaybeUninit = [CoreMaybeUninit<T>];

    const LAYOUT: DstLayout = DstLayout::for_slice::<T>();

    // SAFETY: `.cast` preserves address and provenance. The returned pointer

    // refers to an object with `elems` elements by construction.

    #[inline(always)]

    fn raw_from_ptr_len(data: NonNull<u8>, elems: usize) -> NonNull<Self> {

        // TODO(#67): Remove this allow. See NonNullExt for more details.

        #[allow(unstable_name_collisions)]

        NonNull::slice_from_raw_parts(data.cast::<T>(), elems)

    }

    #[inline(always)]

    fn pointer_to_metadata(ptr: *mut [T]) -> usize {

        #[allow(clippy::as_conversions)]

        let slc = ptr as *const [()];

        // SAFETY:

        // - `()` has alignment 1, so `slc` is trivially aligned.

        // - `slc` was derived from a non-null pointer.

        // - The size is 0 regardless of the length, so it is sound to

        //   materialize a reference regardless of location.

        // - By invariant, `self.ptr` has valid provenance.

        let slc = unsafe { &*slc };

        // This is correct because the preceding `as` cast preserves the number

        // of slice elements. [1]

        //

        // [1] Per https://doc.rust-lang.org/reference/expressions/operator-expr.html#pointer-to-pointer-cast:

        //

        //   For slice types like `[T]` and `[U]`, the raw pointer types `*const

        //   [T]`, `*mut [T]`, `*const [U]`, and `*mut [U]` encode the number of

        //   elements in this slice. Casts between these raw pointer types

        //   preserve the number of elements. ... The same holds for `str` and

        //   any compound type whose unsized tail is a slice type, such as

        //   struct `Foo(i32, [u8])` or `(u64, Foo)`.

        slc.len()

    }

}

#[rustfmt::skip]

impl_known_layout!(

    (),

    u8, i8, u16, i16, u32, i32, u64, i64, u128, i128, usize, isize, f32, f64,

    bool, char,

    NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32, NonZeroI32,

    NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128, NonZeroUsize, NonZeroIsize

);

#[rustfmt::skip]

#[cfg(feature = "float-nightly")]

impl_known_layout!(

    #[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))]

    f16,

    #[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))]

    f128

);

#[rustfmt::skip]

impl_known_layout!(

    T         => Option<T>,

    T: ?Sized => PhantomData<T>,

    T         => Wrapping<T>,

    T         => CoreMaybeUninit<T>,

    T: ?Sized => *const T,

    T: ?Sized => *mut T,

    T: ?Sized => &'_ T,

    T: ?Sized => &'_ mut T,

);

impl_known_layout!(const N: usize, T => [T; N]);

safety_comment! {

    /// SAFETY:

    /// `str`, `ManuallyDrop<[T]>` [1], and `UnsafeCell<T>` [2] have the same

    /// representations as `[u8]`, `[T]`, and `T` repsectively. `str` has

    /// different bit validity than `[u8]`, but that doesn't affect the

    /// soundness of this impl.

    ///

    /// [1] Per https://doc.rust-lang.org/nightly/core/mem/struct.ManuallyDrop.html:

    ///

    ///   `ManuallyDrop<T>` is guaranteed to have the same layout and bit

    ///   validity as `T`

    ///

    /// [2] Per https://doc.rust-lang.org/core/cell/struct.UnsafeCell.html#memory-layout:

    ///

    ///   `UnsafeCell<T>` has the same in-memory representation as its inner

    ///   type `T`.

    ///

    /// TODO(#429):

    /// -  Add quotes from docs.

    /// -  Once [1] (added in

    /// https://github.com/rust-lang/rust/pull/115522) is available on stable,

    /// quote the stable docs instead of the nightly docs.

    unsafe_impl_known_layout!(#[repr([u8])] str);

    unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] ManuallyDrop<T>);

    unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T)] UnsafeCell<T>);

}

safety_comment! {

    /// SAFETY:

    /// - By consequence of the invariant on `T::MaybeUninit` that `T::LAYOUT`

    ///   and `T::MaybeUninit::LAYOUT` are equal, `T` and `T::MaybeUninit`

    ///   have the same:

    ///   - Fixed prefix size

    ///   - Alignment

    ///   - (For DSTs) trailing slice element size

    /// - By consequence of the above, referents `T::MaybeUninit` and `T` have

    ///   the require the same kind of pointer metadata, and thus it is valid to

    ///   perform an `as` cast from `*mut T` and `*mut T::MaybeUninit`, and this

    ///   operation preserves referent size (ie, `size_of_val_raw`).

    unsafe_impl_known_layout!(T: ?Sized + KnownLayout => #[repr(T::MaybeUninit)] MaybeUninit<T>);

}

/// Analyzes whether a type is [`FromZeros`].

///

/// This derive analyzes, at compile time, whether the annotated type satisfies

/// the [safety conditions] of `FromZeros` and implements `FromZeros` and its

/// supertraits if it is sound to do so. This derive can be applied to structs,

/// enums, and unions; e.g.:

///

/// ```

/// # use zerocopy_derive::{FromZeros, Immutable};

/// #[derive(FromZeros)]

/// struct MyStruct {

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(FromZeros)]

/// #[repr(u8)]

/// enum MyEnum {

/// #   Variant0,

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(FromZeros, Immutable)]

/// union MyUnion {

/// #   variant: u8,

/// # /*

///     ...

/// # */

/// }

/// ```

///

/// [safety conditions]: trait@FromZeros#safety

///

/// # Analysis

///

/// *This section describes, roughly, the analysis performed by this derive to

/// determine whether it is sound to implement `FromZeros` for a given type.

/// Unless you are modifying the implementation of this derive, or attempting to

/// manually implement `FromZeros` for a type yourself, you don't need to read

/// this section.*

///

/// If a type has the following properties, then this derive can implement

/// `FromZeros` for that type:

///

/// - If the type is a struct, all of its fields must be `FromZeros`.

/// - If the type is an enum:

///   - It must have a defined representation (`repr`s `C`, `u8`, `u16`, `u32`,

///     `u64`, `usize`, `i8`, `i16`, `i32`, `i64`, or `isize`).

///   - It must have a variant with a discriminant/tag of `0`, and its fields

///     must be `FromZeros`. See [the reference] for a description of

///     discriminant values are specified.

///   - The fields of that variant must be `FromZeros`.

///

/// This analysis is subject to change. Unsafe code may *only* rely on the

/// documented [safety conditions] of `FromZeros`, and must *not* rely on the

/// implementation details of this derive.

///

/// [the reference]: https://doc.rust-lang.org/reference/items/enumerations.html#custom-discriminant-values-for-fieldless-enumerations

///

/// ## Why isn't an explicit representation required for structs?

///

/// Neither this derive, nor the [safety conditions] of `FromZeros`, requires

/// that structs are marked with `#[repr(C)]`.

///

/// Per the [Rust reference](reference),

///

/// > The representation of a type can change the padding between fields, but

/// > does not change the layout of the fields themselves.

///

/// [reference]: https://doc.rust-lang.org/reference/type-layout.html#representations

///

/// Since the layout of structs only consists of padding bytes and field bytes,

/// a struct is soundly `FromZeros` if:

/// 1. its padding is soundly `FromZeros`, and

/// 2. its fields are soundly `FromZeros`.

///

/// The answer to the first question is always yes: padding bytes do not have

/// any validity constraints. A [discussion] of this question in the Unsafe Code

/// Guidelines Working Group concluded that it would be virtually unimaginable

/// for future versions of rustc to add validity constraints to padding bytes.

///

/// [discussion]: https://github.com/rust-lang/unsafe-code-guidelines/issues/174

///

/// Whether a struct is soundly `FromZeros` therefore solely depends on whether

/// its fields are `FromZeros`.

// TODO(#146): Document why we don't require an enum to have an explicit `repr`

// attribute.

#[cfg(any(feature = "derive", test))]

#[cfg_attr(doc_cfg, doc(cfg(feature = "derive")))]

pub use zerocopy_derive::FromZeros;

/// Analyzes whether a type is [`Immutable`].

///

/// This derive analyzes, at compile time, whether the annotated type satisfies

/// the [safety conditions] of `Immutable` and implements `Immutable` if it is

/// sound to do so. This derive can be applied to structs, enums, and unions;

/// e.g.:

///

/// ```

/// # use zerocopy_derive::Immutable;

/// #[derive(Immutable)]

/// struct MyStruct {

/// # /*

///     ...

/// # */

/// }

///

/// #[derive(Immutable)]

/// enum MyEnum {

/// #   Variant0,

/// # /*

///     ...