Teach transmute_{ref,mut}! to handle slice DSTs #2428
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Mar 7, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
6 times, most recently
from
829b199 to
a7c40db
Compare
joshlf
force-pushed
the
I70d5aa5ace6bd2e39e679eac7f00a66d4b843d57
branch
from
4d09d7c to
f2ec335
Compare
Base automatically changed from
I70d5aa5ace6bd2e39e679eac7f00a66d4b843d57
to
main
March 8, 2025 19:16
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
3 times, most recently
from
98bbab7 to
5196fac
Compare
joshlf
commented
Mar 9, 2025
| /// constructed using the address of `src` and using `dst_meta` as its | ||
| /// pointer metadata, then `dst` will address the same bytes as `src`. | ||
| /// | ||
| /// TODO: Mention that post-padding may not be preserved. |
| // | ||
| // (15) `dst_len = src_len` | ||
| // | ||
| // [1] TODO |
| // | ||
| // [1] TODO | ||
| // | ||
| // TODO: Clarify that this algorithm is agnostic to post-padding, and |
| #[allow(clippy::arithmetic_side_effects)] | ||
| let elem_multiple = slf.elem_size / other.elem_size; | ||
|
|
||
| // INVARIANTS: TODO |
| $crate::util::macro_util::must_use(u) | ||
| use $crate::util::macro_util::TransmuteRefDst; | ||
| let t = $crate::util::macro_util::Wrap(e); | ||
| // SAFETY: todo |
| // SAFETY: TODO | ||
| unsafe_impl_for_transparent_wrapper!(T: ?Sized => $dst<T>); | ||
|
|
||
| // SAFETY: TODO |
| // SAFETY: TODO | ||
| unsafe impl<T: ?Sized> InvariantsEq<$src<T>> for T {} | ||
|
|
||
| // SAFETY: TODO |
| // SAFETY: TODO | ||
| unsafe impl<T: ?Sized> InvariantsEq<$dst<T>> for T {} | ||
|
|
||
| // SAFETY: TODO |
| impl_for_transmute_from!(U: ?Sized + FromZeros => FromZeros for $dst<U>[<U>]); | ||
| impl_for_transmute_from!(U: ?Sized + IntoBytes => IntoBytes for $dst<U>[<U>]); | ||
|
|
||
| // SAFETY: TODO |
| // SAFETY: TODO | ||
| unsafe_impl!(T: ?Sized + Immutable => Immutable for $src<T>); | ||
|
|
||
| // SAFETY: TODO |
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
398966d to
976b234
Compare
joshlf
changed the base branch from
main
to
I691b42ce8c0c3c6e5990e7684fc66f8f5dd73d85
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
3 times, most recently
from
8634aa4 to
bd3b50a
Compare
TODO: - Convince ourselves that it's acceptable to drop the `TransmuteFrom: SizeCompatible` super-trait bound. - Write Kani tests for layout computations - Print useful error message when `try_compute_cast_params` fails during static assertion - Test when post padding doesn't match between types - Do we need to prevent the padded size from increasing? While it's not a problem on today's Rust, it would become a problem if unsized locals are ever introduced, as you could then do `*dst = ...`, which would have the effect of writing padding past the end of `*src` Makes progress on #1817 Co-authored-by: Jack Wrenn <[email protected]> gherrit-pr-id: Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
from
bd3b50a to
e972a2c
Compare
joshlf
commented
Mar 9, 2025
Comment on lines
+284
to
+295
| /// For all [valid sizes] of `Src`, `ssize`, the following must hold: | ||
| /// | ||
| /// Let `dsize` be the smallest valid size of `Dst` such that `dsize >= | ||
| /// ssize`.\* For all `DV`-valid values of `Dst` with size `dsize`, `dst`, and | ||
| /// for all `SV`-valid values of `Src` with size `ssize`, `src`, let `dst'` be | ||
| /// constructed by concatenating `src` with the trailing `dsize - ssize` bytes | ||
| /// of `dst`. It must be the case that `dst'` is a `DV`-valid `Dst`. | ||
| /// | ||
| /// Now, instead let `dsize` be the largest valid size of `Dst` such that `dsize | ||
| /// <= ssize`.\* For all `SV`-valid values of `Src` with size `ssize`, `src`, it | ||
| /// must be the case that the leading `dsize` bytes of `src` constitute a | ||
| /// `DV`-valid `Dst`. |
There was a problem hiding this comment.
The motivation behind this invariant is case analysis:
- When going from
&Srcto&Dst, we require thatssize >= dsize, or else we'd produce a&Dstthat addresses bytes past the end of the original referent. So long as we always implement such transmutes by choosing the largestdsizesuch thatdsize <= ssize, then the second condition ensures that this is sound. - If we have already gone from
&mut Dstto&mut Src(or&with interior mutation), then we need it to be the case that writing asrcto this reference will not invalidate the originalDst. Again, so long as we always implement reference transmutes by choosing the largest possible valid size for the produced reference, then the first condition ensures that it is sound for the resulting&mut Srcto be modified, overwriting the prefix ofDst.
My intention is that this should handle by-reference transmutations for all four combinations of sized or unsized Src to sized or unsized Dst:
- Unsized to unsized is the fully general case described by this prose.
- Sized to unsized means that there's exactly one value of
ssize, but the subsequent condition still needs to hold (regarding the largest and smallest values ofdsizeon either size ofssize). - Unsized to sized means that there's exactly one value of
dsizeto consider in the analysis- For all values of
ssizesuch thatdsize <= ssize, we consider truncating transmutes - For all values of
ssizesuch thatdsize >= ssize, we consider tearing transmutes
- For all values of
- Sized to sized is trivial, since there are no "foralls" or "there exists" involved. There are again two sub-cases:
- If
dsize <= ssize, we must consider truncating transmutes - If
dsize >= ssize, we must consider tearing transmutes
- If
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TODO:
TransmuteFrom: SizeCompatiblesuper-trait bound.try_compute_cast_paramsfails duringstatic assertion
a problem on today's Rust, it would become a problem if unsized locals
are ever introduced, as you could then do
*dst = ..., which wouldhave the effect of writing padding past the end of
*srcMakes progress on #1817
Co-authored-by: Jack Wrenn [email protected]
This PR is on branch cell-traits.