Implement TryFromBytes for unsized UnsafeCell

joshlf · joshlf · commit e78e8f668044 · 2024-09-07T22:57:59.000-04:00
Makes progress on #251
diff --git a/src/impls.rs b/src/impls.rs
@@ -651,9 +651,7 @@ impl_for_transparent_wrapper!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<
 assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
 
 // SAFETY: See safety comment in `is_bit_valid` impl.
-//
-// TODO(#5): Try to add `T: ?Sized` bound.
-unsafe impl<T: TryFromBytes> TryFromBytes for UnsafeCell<T> {
+unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
     #[allow(clippy::missing_inline_in_public_items)]
     fn only_derive_is_allowed_to_implement_this_trait()
     where
@@ -682,56 +680,11 @@ unsafe impl<T: TryFromBytes> TryFromBytes for UnsafeCell<T> {
         // chance to fix it quickly.
         let c = candidate.into_exclusive_or_post_monomorphization_error();
 
-        // We wrap in `Unalign` here so that we can get a vanilla Rust reference
-        // below, which in turn allows us to call `UnsafeCell::get_mut`.
-        //
-        // SAFETY:
-        // - `.cast` preserves address. `Unalign` and `MaybeUninit` both have
-        //   the same size as the types they wrap [1]. Thus, this cast will
-        //   preserve the size of the pointer. As a result, the cast will
-        //   address the same bytes as `c`.
-        // - `.cast` preserves provenance.
-        // - Since both the source and destination types are wrapped in
-        //   `UnsafeCell`, all bytes of both types are inside of `UnsafeCell`s,
-        //   and so the byte ranges covered by `UnsafeCell`s are identical in
-        //   both types. Since the pointers refer to the same byte ranges,
-        //   the same is true of the pointers' referents as well.
-        //
-        // [1] Per https://doc.rust-lang.org/stable/core/mem/union.MaybeUninit.html#layout-1:
-        //
-        //   MaybeUninit<T> is guaranteed to have the same size, alignment, and
-        //   ABI as T.
-        let c = unsafe {
-            c.cast_unsized(|c: *mut UnsafeCell<T>| c.cast::<UnsafeCell<Unalign<MaybeUninit<T>>>>())
-        };
-        // SAFETY: `MaybeUninit` has no validity requirements.
-        let c = unsafe { c.assume_valid() };
-        let c = c.bikeshed_recall_aligned();
-        // This is the crucial step at which we use `UnsafeCell::get_mut` to go
-        // from `UnsafeCell<U>` to `U` (where `U = Unalign<MaybeUninit<T>>`).
-        // Now that we've gotten rid of the `UnsafeCell`, we can delegate to
-        // `T::is_bit_valid`.
-        let c: &mut Unalign<MaybeUninit<T>> = c.as_mut().get_mut();
-        // This converts from an aligned `Unalign<MaybeUninit<T>>` pointer to an
-        // unaligned `MaybeUninit<T>` pointer.
-        let c: Ptr<'_, MaybeUninit<T>, _> = Ptr::from_mut(c).transparent_wrapper_into_inner();
-        let c: Ptr<'_, T, _> = c.transparent_wrapper_into_inner();
-
-        // SAFETY: The original `candidate` argument has `Initialized` validity.
-        // None of the subsequent operations modify the memory itself, and so
-        // that guarantee is still upheld.
-        let c = unsafe { c.assume_initialized() };
-        // Confirm that `Maybe` is a type alias for `Ptr` with the validity
-        // invariant `Initialized`. Our safety proof depends upon this
-        // invariant, and it might change at some point. If that happens, we
-        // want this function to stop compiling.
-        let _: Ptr<'_, UnsafeCell<T>, (_, _, invariant::Initialized)> = candidate;
-
         // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
         // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
         // is. Thus, this is a sound implementation of
         // `UnsafeCell::is_bit_valid`.
-        T::is_bit_valid(c.forget_exclusive())
+        T::is_bit_valid(c.get_mut())
     }
 }
 
diff --git a/src/pointer/ptr.rs b/src/pointer/ptr.rs
@@ -724,6 +724,16 @@ mod _transitions {
             unsafe { Ptr::new(self.as_non_null()) }
         }
 
+        /// Helps the type system unify two distinct invariant types which are
+        /// actually the same.
+        pub(super) fn unify_invariants<
+            H: Invariants<Aliasing = I::Aliasing, Alignment = I::Alignment, Validity = I::Validity>,
+        >(
+            self,
+        ) -> Ptr<'a, T, H> {
+            unsafe { self.assume_invariants::<H>() }
+        }
+
         /// Assumes that `self` satisfies the aliasing requirement of `A`.
         ///
         /// # Safety
@@ -1304,6 +1314,54 @@ mod _casts {
             }
         }
     }
+
+    impl<'a, T, I> Ptr<'a, core::cell::UnsafeCell<T>, I>
+    where
+        T: 'a + ?Sized,
+        I: Invariants<Aliasing = Exclusive>,
+    {
+        /// Converts this `Ptr` into a pointer to the underlying data.
+        ///
+        /// This call borrows the `UnsafeCell` mutably (at compile-time) which
+        /// guarantees that we possess the only reference.
+        ///
+        /// This is like [`UnsafeCell::get_mut`], but for `Ptr`.
+        #[inline(always)]
+        pub fn get_mut(self) -> Ptr<'a, T, I> {
+            // SAFETY:
+            // - The closure uses an `as` cast, which preserves address range
+            //   and provenance.
+            // - We require `I: Invariants<Aliasing = Exclusive>`, so we are not
+            //   required to uphold `UnsafeCell` equality.
+            let ptr = unsafe { self.cast_unsized(|p| p as *mut T) };
+
+            // SAFETY: `UnsafeCell<T>` has the same alignment as `T` [1],
+            // and so if `self` is guaranteed to be aligned, then so is the
+            // returned `Ptr`.
+            //
+            // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
+            //
+            //   `UnsafeCell<T>` has the same in-memory representation as
+            //   its inner type `T`. A consequence of this guarantee is that
+            //   it is possible to convert between `T` and `UnsafeCell<T>`.
+            let ptr = unsafe { ptr.assume_alignment::<I::Alignment>() };
+
+            // SAFETY: `UnsafeCell<T>` has the same bit validity as `T` [1], and
+            // so if `self` has a particular validity invariant, then the same
+            // holds of the returned `Ptr`. Technically the term
+            // "representation" doesn't guarantee this, but the subsequent
+            // sentence in the documentation makes it clear that this is the
+            // intention.
+            //
+            // [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
+            //
+            //   `UnsafeCell<T>` has the same in-memory representation as its
+            //   inner type `T`. A consequence of this guarantee is that it is
+            //   possible to convert between `T` and `UnsafeCell<T>`.
+            let ptr = unsafe { ptr.assume_validity::<I::Validity>() };
+            ptr.unify_invariants()
+        }
+    }
 }
 
 /// Projections through the referent.
diff --git a/src/util.rs b/src/util.rs
@@ -261,7 +261,7 @@ unsafe impl<T, I: Invariants> TransparentWrapper<I> for Wrapping<T> {
 // - Per [1], `UnsafeCell<T>` has the same size as `T`.
 // - See inline comments for other safety justifications.
 //
-// [1] Per https://doc.rust-lang.org/core/cell/struct.UnsafeCell.html#memory-layout:
+// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
 //
 //   `UnsafeCell<T>` has the same in-memory representation as its inner type
 //   `T`.
