Skip to content

Commit

Permalink
added prefix transmute
Browse files Browse the repository at this point in the history
  • Loading branch information
Aditya-PS-05 committed Nov 5, 2024
1 parent ace5bb0 commit 7c86112
Show file tree
Hide file tree
Showing 2 changed files with 274 additions and 27 deletions.
185 changes: 160 additions & 25 deletions src/macros.rs
Original file line number Diff line number Diff line change
Expand Up @@ -49,20 +49,58 @@
/// # Use in `const` contexts
///
/// This macro can be invoked in `const` contexts.
// #[macro_export]
// macro_rules! transmute {
// ($e:expr) => {{
// // NOTE: This must be a macro (rather than a function with trait bounds)
// // because there's no way, in a generic context, to enforce that two
// // types have the same size. `core::mem::transmute` uses compiler magic
// // to enforce this so long as the types are concrete.

// let e = $e;
// if false {
// // This branch, though never taken, ensures that the type of `e` is
// // `IntoBytes` and that the type of this macro invocation expression
// // is `FromBytes`.

// struct AssertIsIntoBytes<T: $crate::IntoBytes>(T);
// let _ = AssertIsIntoBytes(e);

// struct AssertIsFromBytes<U: $crate::FromBytes>(U);
// #[allow(unused, unreachable_code)]
// let u = AssertIsFromBytes(loop {});
// u.0
// } else {
// // SAFETY: `core::mem::transmute` ensures that the type of `e` and
// // the type of this macro invocation expression have the same size.
// // We know this transmute is safe thanks to the `IntoBytes` and
// // `FromBytes` bounds enforced by the `false` branch.
// //
// // We use this reexport of `core::mem::transmute` because we know it
// // will always be available for crates which are using the 2015
// // edition of Rust. By contrast, if we were to use
// // `std::mem::transmute`, this macro would not work for such crates
// // in `no_std` contexts, and if we were to use
// // `core::mem::transmute`, this macro would not work in `std`
// // contexts in which `core` was not manually imported. This is not a
// // problem for 2018 edition crates.
// let u = unsafe {
// // Clippy: We can't annotate the types; this macro is designed
// // to infer the types from the calling context.
// #[allow(clippy::missing_transmute_annotations)]
// $crate::util::macro_util::core_reexport::mem::transmute(e)
// };
// $crate::util::macro_util::must_use(u)
// }
// }}
// }

#[macro_export]
macro_rules! transmute {
// Original behavior
($e:expr) => {{
// NOTE: This must be a macro (rather than a function with trait bounds)
// because there's no way, in a generic context, to enforce that two
// types have the same size. `core::mem::transmute` uses compiler magic
// to enforce this so long as the types are concrete.

let e = $e;
if false {
// This branch, though never taken, ensures that the type of `e` is
// `IntoBytes` and that the type of this macro invocation expression
// is `FromBytes`.

struct AssertIsIntoBytes<T: $crate::IntoBytes>(T);
let _ = AssertIsIntoBytes(e);

Expand All @@ -71,30 +109,49 @@ macro_rules! transmute {
let u = AssertIsFromBytes(loop {});
u.0
} else {
// SAFETY: `core::mem::transmute` ensures that the type of `e` and
// the type of this macro invocation expression have the same size.
// We know this transmute is safe thanks to the `IntoBytes` and
// `FromBytes` bounds enforced by the `false` branch.
//
// We use this reexport of `core::mem::transmute` because we know it
// will always be available for crates which are using the 2015
// edition of Rust. By contrast, if we were to use
// `std::mem::transmute`, this macro would not work for such crates
// in `no_std` contexts, and if we were to use
// `core::mem::transmute`, this macro would not work in `std`
// contexts in which `core` was not manually imported. This is not a
// problem for 2018 edition crates.
let u = unsafe {
// Clippy: We can't annotate the types; this macro is designed
// to infer the types from the calling context.
#[allow(clippy::missing_transmute_annotations)]
$crate::util::macro_util::core_reexport::mem::transmute(e)
};
$crate::util::macro_util::must_use(u)
}
}}
}};

// New prefix transmute behavior
(@prefix $e:expr) => {{
let e = $e;
if false {
// Verify source type implements IntoBytes
struct AssertIsIntoBytes<T: $crate::IntoBytes>(T);
let _ = AssertIsIntoBytes(e);

// Verify destination type implements FromBytes
struct AssertIsFromBytes<U: $crate::FromBytes>(U);
#[allow(unused, unreachable_code)]
let u = AssertIsFromBytes(loop {});
u.0
} else {
// Create a union to verify size relationships at compile time
#[repr(C)]
union MaxSizesOf<T, U> {
source: T,
_dest: U,
}

let u = unsafe {
// First transmute to union to verify size relationships
let union_val = $crate::util::macro_util::core_reexport::mem::transmute::<_, MaxSizesOf<_, _>>(e);

// Then transmute to final type, which is guaranteed to be prefix-compatible
$crate::util::macro_util::core_reexport::mem::transmute_copy(&union_val.source)
};
$crate::util::macro_util::must_use(u)
}
}};
}

// Helper trait to validate size relationships at compile time

/// Safely transmutes a mutable or immutable reference of one type to an
/// immutable reference of another type of the same size and compatible
/// alignment.
Expand Down Expand Up @@ -462,6 +519,66 @@ macro_rules! try_transmute {
}}
}

/// Conditionally transmutes a value of one type to a prefix-compatible value of
/// another type, allowing the destination type to be smaller than the source type.
///
/// This macro provides prefix transmutation functionality, where the destination
/// type's size can be smaller than or equal to the source type's size. The types
/// `Src` and `Dst` must be explicitly specified in the macro invocation, allowing
/// it to verify that the prefix of `Src` is compatible with `Dst`.
///
/// # Syntax
/// ```ignore
/// try_transmute_prefix!(SrcType, DstType, value_expr)
/// ```
///
/// # Parameters
/// - `SrcType`: The source type of the transmute. Must implement `IntoBytes`.
/// - `DstType`: The destination type for the transmute. Must implement `FromBytes`.
/// - `value_expr`: The expression producing the `SrcType` value to be transmuted.
///
/// In this prefix transmutation, the `SrcType` value will not be dropped.
/// Instead, its bits will be copied into a new value of type `DstType`,
/// allowing for compatibility when `size_of::<SrcType>() >= size_of::<DstType>()`.
///
/// # Safety
/// This macro performs an unsafe operation, using a union to verify size
/// relationships. It will only compile if `size_of::<SrcType>() >= size_of::<DstType>()`,
/// ensuring safe prefix compatibility.
///
/// # Examples
///
/// ```
/// # use zerocopy::*;
/// let large_array: [u8; 5] = [0, 1, 2, 3, 4];
/// let result: Result<[u8; 2], _> = try_transmute_prefix!([u8; 5], [u8; 2], large_array);
/// assert!(result.is_ok());
/// assert_eq!(result.unwrap(), [0, 1]);
///
/// let large_num: u64 = 0x0102030405060708;
/// let result: Result<u32, _> = try_transmute_prefix!(u64, u32, large_num);
/// assert!(result.is_ok());
/// assert_eq!(result.unwrap(), 0x05060708);
/// ```
///
#[macro_export]
macro_rules! try_transmute_prefix {
($src_type:ty, $dest_type:ty, $e:expr) => {{
let e: $src_type = $e;
if false {
// Check that the source size is greater than or equal to destination size

// SAFETY: This code is never executed.
Ok(unsafe {
let union_val = $crate::util::macro_util::core_reexport::mem::transmute::<$src_type, $crate::util::macro_util::MaxSizesOf<$src_type, $dest_type>>(e);
$crate::util::macro_util::core_reexport::mem::transmute_copy(&union_val.source)
})
} else {
$crate::util::macro_util::try_transmute_prefix::<$src_type, $dest_type>(e)
}
}};
}

/// Conditionally transmutes a mutable or immutable reference of one type to an
/// immutable reference of another type of the same size and compatible
/// alignment.
Expand Down Expand Up @@ -776,6 +893,24 @@ mod tests {
assert_eq!(x.into_inner(), 1);
}

#[test]
fn test_prefix_transmute() {
// Test prefix transmutation with arrays
let large_array = [0u8, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11];
let expected_small_arrays = [[0, 1], [2, 3], [4, 5], [6, 7]];

let result: Result<[[u8; 2]; 4], _> =
try_transmute_prefix!([u8; 12], [[u8; 2]; 4], large_array);
assert!(result.is_ok());
assert_eq!(result.unwrap(), expected_small_arrays);

// Test with different sized integers
let large_num: u64 = 0x0102030405060708;
let result: Result<u32, _> = try_transmute_prefix!(u64, u32, large_num);
assert!(result.is_ok());
assert_eq!(result.unwrap(), 0x05060708);
}

#[test]
fn test_transmute_ref() {
// Test that memory is transmuted as expected.
Expand Down
116 changes: 114 additions & 2 deletions src/util/macro_util.rs
Original file line number Diff line number Diff line change
Expand Up @@ -440,6 +440,12 @@ macro_rules! assert_size_eq {
}};
}

#[repr(C)]
pub union MaxSizesOf<T, U> {
pub source: ManuallyDrop<T>,
pub _dest: ManuallyDrop<U>,
}

/// Transmutes a reference of one type to a reference of another type.
///
/// # Safety
Expand Down Expand Up @@ -599,6 +605,112 @@ where
}
}

#[doc(hidden)]
#[inline]
fn try_cast_prefix_or_pme<Src, Dst, I, R>(
src: Ptr<'_, Src, I>,
) -> Result<
Ptr<'_, Dst, (I::Aliasing, invariant::Unknown, invariant::Valid)>,
ValidityError<Ptr<'_, Src, I>, Dst>,
>
where
Src: IntoBytes + invariant::Read<I::Aliasing, R>,
Dst: TryFromBytes + invariant::Read<I::Aliasing, R>,
I: Invariants<Validity = invariant::Valid>,
I::Aliasing: invariant::Reference,
{
// Assert that source size is greater than or equal to destination size
static_assert!(Src, Dst => mem::size_of::<Src>() >= mem::size_of::<Dst>());

// // Verify alignment requirements for the destination type
// let src_addr = src.as_ref().as_ptr() as usize;
// if src_addr % mem::align_of::<Dst>() != 0 {
// // If alignment requirements aren't met, return error
// return Err(ValidityError::new(src.unify_invariants()));
// }

// SAFETY: This is a pointer cast, satisfying the following properties:
// - `p as *mut Dst` addresses a prefix of the bytes addressed by `src`,
// because we assert above that the size of `Dst` is less than or equal
// to the size of `Src`.
// - `p as *mut Dst` is a provenance-preserving cast
// - Alignment has been verified above
#[allow(clippy::as_conversions)]
let c_ptr = unsafe { src.cast_unsized(|p| p as *mut Dst) };

// SAFETY: `c_ptr` is derived from `src` which is `IntoBytes`. By
// invariant on `IntoBytes`, `c_ptr`'s referent consists entirely of
// initialized bytes. We only read the prefix of these bytes.
let c_ptr = unsafe { c_ptr.assume_initialized() };

match c_ptr.try_into_valid() {
Ok(ptr) => Ok(ptr),
Err(err) => {
// Re-cast `Ptr<Dst>` to `Ptr<Src>`
let ptr = err.into_src();

// SAFETY: This is a pointer cast, satisfying the following properties:
// - `p as *mut Src` addresses the full range of bytes addressed by `ptr`
// - `p as *mut Src` is a provenance-preserving cast
#[allow(clippy::as_conversions)]
let ptr = unsafe { ptr.cast_unsized(|p| p as *mut Src) };

// SAFETY: `ptr` is `src`, and has the same alignment invariant
let ptr = unsafe { ptr.assume_alignment::<I::Alignment>() };

// SAFETY: `ptr` is `src` and has the same validity invariant
let ptr = unsafe { ptr.assume_validity::<I::Validity>() };

Err(ValidityError::new(ptr.unify_invariants()))
}
}
}

// Helper trait for static assertions
#[allow(dead_code)]
trait StaticAssert {
fn assert() -> bool;
}

// Implementation to verify size relationships
impl<Src, Dst> StaticAssert for (Src, Dst)
where
Src: Sized,
Dst: Sized,
{
fn assert() -> bool {
mem::size_of::<Src>() >= mem::size_of::<Dst>()
}
}

// Macro for static assertions

pub fn try_transmute_prefix<Src, Dst>(src: Src) -> Result<Dst, ValidityError<Src, Dst>>
where
Src: IntoBytes,
Dst: TryFromBytes,
{
// Ensure source size is greater than or equal to destination size
if mem::size_of::<Src>() < mem::size_of::<Dst>() {
return Err(ValidityError::new(src));
}

let mut src = ManuallyDrop::new(src);
let ptr = Ptr::from_mut(&mut src);

// Similar to try_transmute, but we handle partial reads
match try_cast_prefix_or_pme::<_, ManuallyDrop<Unalign<Dst>>, _, BecauseExclusive>(ptr) {
Ok(ptr) => {
let dst = ptr.bikeshed_recall_aligned().as_mut();
// SAFETY: By shadowing `dst`, we ensure that `dst` is not re-used
// after taking its inner value.
let dst = unsafe { ManuallyDrop::take(dst) };
Ok(dst.into_inner())
}
Err(_) => Err(ValidityError::new(ManuallyDrop::into_inner(src))),
}
}

/// Attempts to transmute `&Src` into `&Dst`.
///
/// A helper for `try_transmute_ref!`.
Expand All @@ -619,7 +731,7 @@ where
{
match try_cast_or_pme::<Src, Dst, _, BecauseImmutable>(Ptr::from_ref(src)) {
Ok(ptr) => {
static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
assert!(mem::align_of::<Dst>() <= mem::align_of::<Src>());
// SAFETY: We have checked that `Dst` does not have a stricter
// alignment requirement than `Src`.
let ptr = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
Expand Down Expand Up @@ -649,7 +761,7 @@ where
{
match try_cast_or_pme::<Src, Dst, _, BecauseExclusive>(Ptr::from_mut(src)) {
Ok(ptr) => {
static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
debug_assert!(mem::align_of::<Dst>() <= mem::align_of::<Src>());
// SAFETY: We have checked that `Dst` does not have a stricter
// alignment requirement than `Src`.
let ptr = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
Expand Down

0 comments on commit 7c86112

Please sign in to comment.