Initial commit of NoCell

Makes progress on #251

Author: joshlf

src/lib.rs

@@ -1057,6 +1057,30 @@ safety_comment! {
 #[cfg_attr(doc_cfg, doc(cfg(feature = "derive")))]
 pub use zerocopy_derive::FromZeroes;
 
+/// Types which do not contain any [`UnsafeCell`]s.
+///
+/// WARNING: Do not implement this trait yourself! Instead, use
+/// `#[derive(NoCell)]`.
+///
+/// # Safety
+///
+/// If a type implements `NoCell`, unsafe code may assume that that type does
+/// not contain any [`UnsafeCell`]s and does not contain any types which contain
+/// any [`UnsafeCell`]s transitively. If a type implements `NoCell` which
+/// violates this assumption, it may cause [undefined behavior].
+///
+/// [`UnsafeCell`]: core::cell::UnsafeCell
+/// [undefined behavior]: https://raphlinus.github.io/programming/rust/2018/08/17/undefined-behavior.html
+#[doc(hidden)]
+pub unsafe trait NoCell {
+    // The `Self: Sized` bound makes it so that `NoCell` is still object
+    // safe.
+    #[doc(hidden)]
+    fn only_derive_is_allowed_to_implement_this_trait()
+    where
+        Self: Sized;
+}
+
 /// Types whose validity can be checked at runtime, allowing them to be
 /// conditionally converted from byte slices.
 ///
@@ -2127,18 +2151,20 @@ safety_comment! {
     /// SAFETY:
     /// Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
     /// zero-sized type to have a size of 0 and an alignment of 1."
+    /// - `NoCell`: `()` self-evidently does not contain any `UnsafeCell`s.
     /// - `TryFromBytes` (with no validator), `FromZeroes`, `FromBytes`: There
     ///   is only one possible sequence of 0 bytes, and `()` is inhabited.
     /// - `AsBytes`: Since `()` has size 0, it contains no padding bytes.
     /// - `Unaligned`: `()` has alignment 1.
     ///
     /// [1] https://doc.rust-lang.org/reference/type-layout.html#tuple-layout
-    unsafe_impl!((): TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
+    unsafe_impl!((): NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
     assert_unaligned!(());
 }
 
 safety_comment! {
     /// SAFETY:
+    /// - `NoCell`: These types self-evidently do not contain any `UnsafeCell`s.
     /// - `TryFromBytes` (with no validator), `FromZeroes`, `FromBytes`: all bit
     ///   patterns are valid for numeric types [1]
     /// - `AsBytes`: numeric types have no padding bytes [1]
@@ -2171,25 +2197,26 @@ safety_comment! {
     /// TODO(#278): Once we've updated the trait docs to refer to `u8`s rather
     /// than bits or bytes, update this comment, especially the reference to
     /// [1].
-    unsafe_impl!(u8: TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
-    unsafe_impl!(i8: TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
+    unsafe_impl!(u8: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
+    unsafe_impl!(i8: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
     assert_unaligned!(u8, i8);
-    unsafe_impl!(u16: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(i16: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(u32: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(i32: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(u64: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(i64: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(u128: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(i128: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(usize: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(isize: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(f32: TryFromBytes, FromZeroes, FromBytes, AsBytes);
-    unsafe_impl!(f64: TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(u16: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(i16: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(u32: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(i32: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(u64: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(i64: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(u128: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(i128: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(usize: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(isize: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(f32: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
+    unsafe_impl!(f64: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes);
 }
 
 safety_comment! {
     /// SAFETY:
+    /// - `NoCell`: `bool` self-evidently does not contain any `UnsafeCell`s.
     /// - `FromZeroes`: Valid since "[t]he value false has the bit pattern
     ///   0x00" [1].
     /// - `AsBytes`: Since "the boolean type has a size and alignment of 1 each"
@@ -2200,7 +2227,7 @@ safety_comment! {
     ///   has a size and alignment of 1 each."
     ///
     /// [1] https://doc.rust-lang.org/reference/types/boolean.html
-    unsafe_impl!(bool: FromZeroes, AsBytes, Unaligned);
+    unsafe_impl!(bool: NoCell, FromZeroes, AsBytes, Unaligned);
     assert_unaligned!(bool);
     /// SAFETY:
     /// - The safety requirements for `unsafe_impl!` with an `is_bit_valid`
@@ -2243,6 +2270,7 @@ safety_comment! {
 }
 safety_comment! {
     /// SAFETY:
+    /// - `NoCell`: `char` self-evidently does not contain any `UnsafeCell`s.
     /// - `FromZeroes`: Per reference [1], "[a] value of type char is a Unicode
     ///   scalar value (i.e. a code point that is not a surrogate), represented
     ///   as a 32-bit unsigned word in the 0x0000 to 0xD7FF or 0xE000 to
@@ -2252,7 +2280,7 @@ safety_comment! {
     ///   all bit patterns are valid for `char`.
     ///
     /// [1] https://doc.rust-lang.org/reference/types/textual.html
-    unsafe_impl!(char: FromZeroes, AsBytes);
+    unsafe_impl!(char: NoCell, FromZeroes, AsBytes);
     /// SAFETY:
     /// - The safety requirements for `unsafe_impl!` with an `is_bit_valid`
     ///   closure:
@@ -2289,14 +2317,18 @@ safety_comment! {
 }
 safety_comment! {
     /// SAFETY:
-    /// - `FromZeroes`, `AsBytes`, `Unaligned`: Per the reference [1], `str`
-    ///   has the same layout as `[u8]`, and `[u8]` is `FromZeroes`, `AsBytes`,
-    ///   and `Unaligned`.
+    /// Per the Reference [1], `str` has the same layout as `[u8]`.
+    /// - `NoCell`: `[u8]` does not contain any `UnsafeCell`s.
+    /// - `FromZeroes`, `AsBytes`, `Unaligned`: `[u8]` is `FromZeroes`,
+    ///   `AsBytes`, and `Unaligned`.
     ///
     /// Note that we don't `assert_unaligned!(str)` because `assert_unaligned!`
     /// uses `align_of`, which only works for `Sized` types.
     ///
-    /// TODO(#429): Add quotes from documentation.
+    /// TODO(#429):
+    /// - Add quotes from documentation.
+    /// - Improve safety proof for `FromZeroes` and `AsBytes`; having the same
+    ///   layout as `[u8]` isn't sufficient.
     ///
     /// [1] https://doc.rust-lang.org/reference/type-layout.html#str-layout
     unsafe_impl!(str: FromZeroes, AsBytes, Unaligned);
@@ -2333,6 +2365,7 @@ safety_comment! {
     // `NonZeroXxx` is `AsBytes`, but not `FromZeroes` or `FromBytes`.
     //
     /// SAFETY:
+    /// - `NoCell`: TODO
     /// - `AsBytes`: `NonZeroXxx` has the same layout as its associated
     ///    primitive. Since it is the same size, this guarantees it has no
     ///    padding - integers have no padding, and there's no room for padding
@@ -2353,19 +2386,19 @@ safety_comment! {
     /// [2] https://doc.rust-lang.org/stable/std/num/struct.NonZeroI8.html
     /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
     /// that layout is the same as primitive layout.
-    unsafe_impl!(NonZeroU8: AsBytes, Unaligned);
-    unsafe_impl!(NonZeroI8: AsBytes, Unaligned);
+    unsafe_impl!(NonZeroU8: NoCell, AsBytes, Unaligned);
+    unsafe_impl!(NonZeroI8: NoCell, AsBytes, Unaligned);
     assert_unaligned!(NonZeroU8, NonZeroI8);
-    unsafe_impl!(NonZeroU16: AsBytes);
-    unsafe_impl!(NonZeroI16: AsBytes);
-    unsafe_impl!(NonZeroU32: AsBytes);
-    unsafe_impl!(NonZeroI32: AsBytes);
-    unsafe_impl!(NonZeroU64: AsBytes);
-    unsafe_impl!(NonZeroI64: AsBytes);
-    unsafe_impl!(NonZeroU128: AsBytes);
-    unsafe_impl!(NonZeroI128: AsBytes);
-    unsafe_impl!(NonZeroUsize: AsBytes);
-    unsafe_impl!(NonZeroIsize: AsBytes);
+    unsafe_impl!(NonZeroU16: NoCell, AsBytes);
+    unsafe_impl!(NonZeroI16: NoCell, AsBytes);
+    unsafe_impl!(NonZeroU32: NoCell, AsBytes);
+    unsafe_impl!(NonZeroI32: NoCell, AsBytes);
+    unsafe_impl!(NonZeroU64: NoCell, AsBytes);
+    unsafe_impl!(NonZeroI64: NoCell, AsBytes);
+    unsafe_impl!(NonZeroU128: NoCell, AsBytes);
+    unsafe_impl!(NonZeroI128: NoCell, AsBytes);
+    unsafe_impl!(NonZeroUsize: NoCell, AsBytes);
+    unsafe_impl!(NonZeroIsize: NoCell, AsBytes);
     /// SAFETY:
     /// - The safety requirements for `unsafe_impl!` with an `is_bit_valid`
     ///   closure:
@@ -2424,6 +2457,9 @@ safety_comment! {
     ///
     /// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
     /// for layout guarantees.
+    ///
+    /// TODO(#251): Implement `NoCell` (possibly by implementing it for
+    /// `Option<T>` where `T: NoCell`).
     unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
     unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeroes, FromBytes, AsBytes, Unaligned);
     assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>);
@@ -2507,6 +2543,8 @@ safety_comment! {
     /// that the `#[repr(transparent)]` attribute is "considered part of the
     /// public ABI".
     ///
+    /// - `NoCell`: `Wrapping<T>` has `UnsafeCell`s exactly when `T` does, so
+    ///   `T: NoCell` guarantees that `Wrapping<T>` has no `UnsafeCell`s.
     /// - `TryFromBytes`: The safety requirements for `unsafe_impl!` with an
     ///   `is_bit_valid` closure:
     ///   - Given `t: *mut Wrapping<T>` and `let r = *mut T`, `r` refers to an
@@ -2542,6 +2580,7 @@ safety_comment! {
     /// Reference this documentation once it's available on stable.
     ///
     /// [2] https://doc.rust-lang.org/nomicon/other-reprs.html#reprtransparent
+    unsafe_impl!(T: NoCell => NoCell for Wrapping<T>);
     unsafe_impl!(T: TryFromBytes => TryFromBytes for Wrapping<T>; |candidate: Ptr<T>| {
         // SAFETY:
         // - Since `T` and `Wrapping<T>` have the same layout and bit validity
@@ -2565,6 +2604,8 @@ safety_comment! {
     // since it may contain uninitialized bytes.
     //
     /// SAFETY:
+    /// - `NoCell`: `MaybeUninit<T>` has `UnsafeCell`s exactly when `T` does, so
+    ///   `T: NoCell` guarantees that `MaybeUninit<T>` has no `UnsafeCell`s.
     /// - `TryFromBytes` (with no validator), `FromZeroes`, `FromBytes`:
     ///   `MaybeUninit<T>` has no restrictions on its contents. Unfortunately,
     ///   in addition to bit validity, `TryFromBytes`, `FromZeroes` and
@@ -2581,6 +2622,7 @@ safety_comment! {
     /// `FromBytes` and `RefFromBytes`, or if we introduce a separate
     /// `NoCell`/`Freeze` trait, we can relax the trait bounds for `FromZeroes`
     /// and `FromBytes`.
+    unsafe_impl!(T: NoCell => NoCell for MaybeUninit<T>);
     unsafe_impl!(T: TryFromBytes => TryFromBytes for MaybeUninit<T>);
     unsafe_impl!(T: FromZeroes => FromZeroes for MaybeUninit<T>);
     unsafe_impl!(T: FromBytes => FromBytes for MaybeUninit<T>);
@@ -2593,6 +2635,8 @@ safety_comment! {
     /// accessing the inner value is safe (meaning that it's unsound to leave
     /// the inner value uninitialized while exposing the `ManuallyDrop` to safe
     /// code).
+    /// - `NoCell`: `ManuallyDrop<T>` has `UnsafeCell`s exactly when `T` does,
+    ///   so `T: NoCell` guarantees that `ManuallyDrop<T>` has no `UnsafeCell`s.
     /// - `FromZeroes`, `FromBytes`: Since it has the same layout as `T`, any
     ///   valid `T` is a valid `ManuallyDrop<T>`. If `T: FromZeroes`, a sequence
     ///   of zero bytes is a valid `T`, and thus a valid `ManuallyDrop<T>`. If
@@ -2616,6 +2660,7 @@ safety_comment! {
     /// - Once [1] (added in
     /// https://github.com/rust-lang/rust/pull/115522) is available on stable,
     /// quote the stable docs instead of the nightly docs.
+    unsafe_impl!(T: ?Sized + NoCell => NoCell for ManuallyDrop<T>);
     unsafe_impl!(T: ?Sized + FromZeroes => FromZeroes for ManuallyDrop<T>);
     unsafe_impl!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>);
     unsafe_impl!(T: ?Sized + AsBytes => AsBytes for ManuallyDrop<T>);
@@ -2635,28 +2680,32 @@ safety_comment! {
     ///
     ///   Slices have the same layout as the section of the array they slice.
     ///
-    /// In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s
-    /// laid out back-to-back with no bytes in between. Therefore, `[T]` or `[T;
-    /// N]` are `FromZeroes`, `FromBytes`, and `AsBytes` if `T` is
-    /// (respectively). Furthermore, since an array/slice has "the same
-    /// alignment of `T`", `[T]` and `[T; N]` are `Unaligned` if `T` is.
+    /// In other words, the layout and bit validity of a `[T]` or `[T; N]` is
+    /// that of a sequence of `T`s laid out back-to-back with no bytes in
+    /// between. Therefore, `[T]` or `[T; N]` are `NoCell`, `FromZeroes`,
+    /// `FromBytes`, and `AsBytes` if `T` is (respectively). Furthermore, since
+    /// an array/slice has "the same alignment of `T`", `[T]` and `[T; N]` are
+    /// `Unaligned` if `T` is.
     ///
     /// Note that we don't `assert_unaligned!` for slice types because
     /// `assert_unaligned!` uses `align_of`, which only works for `Sized` types.
     ///
     /// [1] https://doc.rust-lang.org/reference/type-layout.html#array-layout
+    unsafe_impl!(const N: usize, T: NoCell => NoCell for [T; N]);
     unsafe_impl!(const N: usize, T: FromZeroes => FromZeroes for [T; N]);
     unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
     unsafe_impl!(const N: usize, T: AsBytes => AsBytes for [T; N]);
     unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]);
     assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]);
+    unsafe_impl!(T: NoCell => NoCell for [T]);
     unsafe_impl!(T: FromZeroes => FromZeroes for [T]);
     unsafe_impl!(T: FromBytes => FromBytes for [T]);
     unsafe_impl!(T: AsBytes => AsBytes for [T]);
     unsafe_impl!(T: Unaligned => Unaligned for [T]);
 }
 safety_comment! {
     /// SAFETY:
+    /// - `NoCell`: Raw pointers do not contain any `UnsafeCell`s.
     /// - `FromZeroes`: For thin pointers (note that `T: Sized`), the zero
     ///   pointer is considered "null". [1] No operations which require
     ///   provenance are legal on null pointers, so this is not a footgun.
@@ -2668,9 +2717,17 @@ safety_comment! {
     ///
     /// [1] TODO(https://github.com/rust-lang/rust/pull/116988): Cite the
     /// documentation once this PR lands.
+    unsafe_impl!(T => NoCell for *const T);
+    unsafe_impl!(T => NoCell for *mut T);
     unsafe_impl!(T => FromZeroes for *const T);
     unsafe_impl!(T => FromZeroes for *mut T);
 }
+safety_comment! {
+    /// SAFETY:
+    /// Reference types do not contain any `UnsafeCell`s.
+    unsafe_impl!(T: ?Sized => NoCell for &'_ T);
+    unsafe_impl!(T: ?Sized => NoCell for &'_ mut T);
+}
 
 // SIMD support
 //
@@ -2721,6 +2778,7 @@ safety_comment! {
 //   also `TryFromBytes`, `FromZeroes`, `FromBytes`, or `AsBytes` respectively.
 // - Since no upper bound is placed on the alignment, no SIMD type can be
 //   guaranteed to be `Unaligned`.
+// - `NoCell`: TODO
 //
 // Also per [1]:
 //
@@ -2761,7 +2819,7 @@ mod simd {
                 safety_comment! {
                     /// SAFETY:
                     /// See comment on module definition for justification.
-                    $( unsafe_impl!($typ: TryFromBytes, FromZeroes, FromBytes, AsBytes); )*
+                    $( unsafe_impl!($typ: NoCell, TryFromBytes, FromZeroes, FromBytes, AsBytes); )*
                 }
             }
         };
@@ -5344,6 +5402,7 @@ mod tests {
 
     #[test]
     fn test_object_safety() {
+        fn _takes_no_cell(_: &dyn NoCell) {}
         fn _takes_from_zeroes(_: &dyn FromZeroes) {}
         fn _takes_from_bytes(_: &dyn FromBytes) {}
         fn _takes_unaligned(_: &dyn Unaligned) {}