//! Checked versions of the casting functions exposed in crate root //! that support [`CheckedBitPattern`] types. use crate::{ internal::{self, something_went_wrong}, AnyBitPattern, NoUninit, }; /// A marker trait that allows types that have some invalid bit patterns to be /// used in places that otherwise require [`AnyBitPattern`] or [`Pod`] types by /// performing a runtime check on a perticular set of bits. This is particularly /// useful for types like fieldless ('C-style') enums, [`char`], bool, and /// structs containing them. /// /// To do this, we define a `Bits` type which is a type with equivalent layout /// to `Self` other than the invalid bit patterns which disallow `Self` from /// being [`AnyBitPattern`]. This `Bits` type must itself implement /// [`AnyBitPattern`]. Then, we implement a function that checks whether a /// certain instance of the `Bits` is also a valid bit pattern of `Self`. If /// this check passes, then we can allow casting from the `Bits` to `Self` (and /// therefore, any type which is able to be cast to `Bits` is also able to be /// cast to `Self`). /// /// [`AnyBitPattern`] is a subset of [`CheckedBitPattern`], meaning that any `T: /// AnyBitPattern` is also [`CheckedBitPattern`]. This means you can also use /// any [`AnyBitPattern`] type in the checked versions of casting functions in /// this module. If it's possible, prefer implementing [`AnyBitPattern`] for /// your type directly instead of [`CheckedBitPattern`] as it gives greater /// flexibility. /// /// # Derive /// /// A `#[derive(CheckedBitPattern)]` macro is provided under the `derive` /// feature flag which will automatically validate the requirements of this /// trait and implement the trait for you for both enums and structs. This is /// the recommended method for implementing the trait, however it's also /// possible to do manually. /// /// # Example /// /// If manually implementing the trait, we can do something like so: /// /// ```rust /// use bytemuck::{CheckedBitPattern, NoUninit}; /// /// #[repr(u32)] /// #[derive(Copy, Clone)] /// enum MyEnum { /// Variant0 = 0, /// Variant1 = 1, /// Variant2 = 2, /// } /// /// unsafe impl CheckedBitPattern for MyEnum { /// type Bits = u32; /// /// fn is_valid_bit_pattern(bits: &u32) -> bool { /// match *bits { /// 0 | 1 | 2 => true, /// _ => false, /// } /// } /// } /// /// // It is often useful to also implement `NoUninit` on our `CheckedBitPattern` types. /// // This will allow us to do casting of mutable references (and mutable slices). /// // It is not always possible to do so, but in this case we have no padding so it is. /// unsafe impl NoUninit for MyEnum {} /// ``` /// /// We can now use relevant casting functions. For example, /// /// ```rust /// # use bytemuck::{CheckedBitPattern, NoUninit}; /// # #[repr(u32)] /// # #[derive(Copy, Clone, PartialEq, Eq, Debug)] /// # enum MyEnum { /// # Variant0 = 0, /// # Variant1 = 1, /// # Variant2 = 2, /// # } /// # unsafe impl NoUninit for MyEnum {} /// # unsafe impl CheckedBitPattern for MyEnum { /// # type Bits = u32; /// # fn is_valid_bit_pattern(bits: &u32) -> bool { /// # match *bits { /// # 0 | 1 | 2 => true, /// # _ => false, /// # } /// # } /// # } /// use bytemuck::{bytes_of, bytes_of_mut}; /// use bytemuck::checked; /// /// let bytes = bytes_of(&2u32); /// let result = checked::try_from_bytes::(bytes); /// assert_eq!(result, Ok(&MyEnum::Variant2)); /// /// // Fails for invalid discriminant /// let bytes = bytes_of(&100u32); /// let result = checked::try_from_bytes::(bytes); /// assert!(result.is_err()); /// /// // Since we implemented NoUninit, we can also cast mutably from an original type /// // that is `NoUninit + AnyBitPattern`: /// let mut my_u32 = 2u32; /// { /// let as_enum_mut = checked::cast_mut::<_, MyEnum>(&mut my_u32); /// assert_eq!(as_enum_mut, &mut MyEnum::Variant2); /// *as_enum_mut = MyEnum::Variant0; /// } /// assert_eq!(my_u32, 0u32); /// ``` /// /// # Safety /// /// * `Self` *must* have the same layout as the specified `Bits` except for /// the possible invalid bit patterns being checked during /// [`is_valid_bit_pattern`]. /// * This almost certainly means your type must be `#[repr(C)]` or a similar /// specified repr, but if you think you know better, you probably don't. If /// you still think you know better, be careful and have fun. And don't mess /// it up (I mean it). /// * If [`is_valid_bit_pattern`] returns true, then the bit pattern contained /// in `bits` must also be valid for an instance of `Self`. /// * Probably more, don't mess it up (I mean it 2.0) /// /// [`is_valid_bit_pattern`]: CheckedBitPattern::is_valid_bit_pattern /// [`Pod`]: crate::Pod pub unsafe trait CheckedBitPattern: Copy { /// `Self` *must* have the same layout as the specified `Bits` except for /// the possible invalid bit patterns being checked during /// [`is_valid_bit_pattern`]. /// /// [`is_valid_bit_pattern`]: CheckedBitPattern::is_valid_bit_pattern type Bits: AnyBitPattern; /// If this function returns true, then it must be valid to reinterpret `bits` /// as `&Self`. fn is_valid_bit_pattern(bits: &Self::Bits) -> bool; } unsafe impl CheckedBitPattern for T { type Bits = T; #[inline(always)] fn is_valid_bit_pattern(_bits: &T) -> bool { true } } unsafe impl CheckedBitPattern for char { type Bits = u32; #[inline] fn is_valid_bit_pattern(bits: &Self::Bits) -> bool { core::char::from_u32(*bits).is_some() } } unsafe impl CheckedBitPattern for bool { type Bits = u8; #[inline] fn is_valid_bit_pattern(bits: &Self::Bits) -> bool { match *bits { 0 | 1 => true, _ => false, } } } // Rust 1.70.0 documents that NonZero[int] has the same layout as [int]. macro_rules! impl_checked_for_nonzero { ($($nonzero:ty: $primitive:ty),* $(,)?) => { $( unsafe impl CheckedBitPattern for $nonzero { type Bits = $primitive; #[inline] fn is_valid_bit_pattern(bits: &Self::Bits) -> bool { *bits != 0 } } )* }; } impl_checked_for_nonzero! { core::num::NonZeroU8: u8, core::num::NonZeroI8: i8, core::num::NonZeroU16: u16, core::num::NonZeroI16: i16, core::num::NonZeroU32: u32, core::num::NonZeroI32: i32, core::num::NonZeroU64: u64, core::num::NonZeroI64: i64, core::num::NonZeroI128: i128, core::num::NonZeroU128: u128, core::num::NonZeroUsize: usize, core::num::NonZeroIsize: isize, } /// The things that can go wrong when casting between [`CheckedBitPattern`] data /// forms. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub enum CheckedCastError { /// An error occurred during a true-[`Pod`] cast /// /// [`Pod`]: crate::Pod PodCastError(crate::PodCastError), /// When casting to a [`CheckedBitPattern`] type, it is possible that the /// original data contains an invalid bit pattern. If so, the cast will /// fail and this error will be returned. Will never happen on casts /// between [`Pod`] types. /// /// [`Pod`]: crate::Pod InvalidBitPattern, } #[cfg(not(target_arch = "spirv"))] impl core::fmt::Display for CheckedCastError { fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result { write!(f, "{:?}", self) } } #[cfg(feature = "extern_crate_std")] #[cfg_attr(feature = "nightly_docs", doc(cfg(feature = "extern_crate_std")))] impl std::error::Error for CheckedCastError {} impl From for CheckedCastError { fn from(err: crate::PodCastError) -> CheckedCastError { CheckedCastError::PodCastError(err) } } /// Re-interprets `&[u8]` as `&T`. /// /// ## Failure /// /// * If the slice isn't aligned for the new type /// * If the slice's length isn’t exactly the size of the new type /// * If the slice contains an invalid bit pattern for `T` #[inline] pub fn try_from_bytes( s: &[u8], ) -> Result<&T, CheckedCastError> { let pod = crate::try_from_bytes(s)?; if ::is_valid_bit_pattern(pod) { Ok(unsafe { &*(pod as *const ::Bits as *const T) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Re-interprets `&mut [u8]` as `&mut T`. /// /// ## Failure /// /// * If the slice isn't aligned for the new type /// * If the slice's length isn’t exactly the size of the new type /// * If the slice contains an invalid bit pattern for `T` #[inline] pub fn try_from_bytes_mut( s: &mut [u8], ) -> Result<&mut T, CheckedCastError> { let pod = unsafe { internal::try_from_bytes_mut(s) }?; if ::is_valid_bit_pattern(pod) { Ok(unsafe { &mut *(pod as *mut ::Bits as *mut T) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Reads from the bytes as if they were a `T`. /// /// ## Failure /// * If the `bytes` length is not equal to `size_of::()`. /// * If the slice contains an invalid bit pattern for `T` #[inline] pub fn try_pod_read_unaligned( bytes: &[u8], ) -> Result { let pod = crate::try_pod_read_unaligned(bytes)?; if ::is_valid_bit_pattern(&pod) { Ok(unsafe { transmute!(pod) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Try to cast `T` into `U`. /// /// Note that for this particular type of cast, alignment isn't a factor. The /// input value is semantically copied into the function and then returned to a /// new memory location which will have whatever the required alignment of the /// output type is. /// /// ## Failure /// /// * If the types don't have the same size this fails. /// * If `a` contains an invalid bit pattern for `B` this fails. #[inline] pub fn try_cast( a: A, ) -> Result { let pod = crate::try_cast(a)?; if ::is_valid_bit_pattern(&pod) { Ok(unsafe { transmute!(pod) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Try to convert a `&T` into `&U`. /// /// ## Failure /// /// * If the reference isn't aligned in the new type /// * If the source type and target type aren't the same size. /// * If `a` contains an invalid bit pattern for `B` this fails. #[inline] pub fn try_cast_ref( a: &A, ) -> Result<&B, CheckedCastError> { let pod = crate::try_cast_ref(a)?; if ::is_valid_bit_pattern(pod) { Ok(unsafe { &*(pod as *const ::Bits as *const B) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Try to convert a `&mut T` into `&mut U`. /// /// As [`try_cast_ref`], but `mut`. #[inline] pub fn try_cast_mut< A: NoUninit + AnyBitPattern, B: CheckedBitPattern + NoUninit, >( a: &mut A, ) -> Result<&mut B, CheckedCastError> { let pod = unsafe { internal::try_cast_mut(a) }?; if ::is_valid_bit_pattern(pod) { Ok(unsafe { &mut *(pod as *mut ::Bits as *mut B) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Try to convert `&[A]` into `&[B]` (possibly with a change in length). /// /// * `input.as_ptr() as usize == output.as_ptr() as usize` /// * `input.len() * size_of::() == output.len() * size_of::()` /// /// ## Failure /// /// * If the target type has a greater alignment requirement and the input slice /// isn't aligned. /// * If the target element type is a different size from the current element /// type, and the output slice wouldn't be a whole number of elements when /// accounting for the size change (eg: 3 `u16` values is 1.5 `u32` values, so /// that's a failure). /// * Similarly, you can't convert between a [ZST](https://doc.rust-lang.org/nomicon/exotic-sizes.html#zero-sized-types-zsts) /// and a non-ZST. /// * If any element of the converted slice would contain an invalid bit pattern /// for `B` this fails. #[inline] pub fn try_cast_slice( a: &[A], ) -> Result<&[B], CheckedCastError> { let pod = crate::try_cast_slice(a)?; if pod.iter().all(|pod| ::is_valid_bit_pattern(pod)) { Ok(unsafe { core::slice::from_raw_parts(pod.as_ptr() as *const B, pod.len()) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Try to convert `&mut [A]` into `&mut [B]` (possibly with a change in /// length). /// /// As [`try_cast_slice`], but `&mut`. #[inline] pub fn try_cast_slice_mut< A: NoUninit + AnyBitPattern, B: CheckedBitPattern + NoUninit, >( a: &mut [A], ) -> Result<&mut [B], CheckedCastError> { let pod = unsafe { internal::try_cast_slice_mut(a) }?; if pod.iter().all(|pod| ::is_valid_bit_pattern(pod)) { Ok(unsafe { core::slice::from_raw_parts_mut(pod.as_mut_ptr() as *mut B, pod.len()) }) } else { Err(CheckedCastError::InvalidBitPattern) } } /// Re-interprets `&[u8]` as `&T`. /// /// ## Panics /// /// This is [`try_from_bytes`] but will panic on error. #[inline] pub fn from_bytes(s: &[u8]) -> &T { match try_from_bytes(s) { Ok(t) => t, Err(e) => something_went_wrong("from_bytes", e), } } /// Re-interprets `&mut [u8]` as `&mut T`. /// /// ## Panics /// /// This is [`try_from_bytes_mut`] but will panic on error. #[inline] pub fn from_bytes_mut(s: &mut [u8]) -> &mut T { match try_from_bytes_mut(s) { Ok(t) => t, Err(e) => something_went_wrong("from_bytes_mut", e), } } /// Reads the slice into a `T` value. /// /// ## Panics /// * This is like `try_pod_read_unaligned` but will panic on failure. #[inline] pub fn pod_read_unaligned(bytes: &[u8]) -> T { match try_pod_read_unaligned(bytes) { Ok(t) => t, Err(e) => something_went_wrong("pod_read_unaligned", e), } } /// Cast `T` into `U` /// /// ## Panics /// /// * This is like [`try_cast`](try_cast), but will panic on a size mismatch. #[inline] pub fn cast(a: A) -> B { match try_cast(a) { Ok(t) => t, Err(e) => something_went_wrong("cast", e), } } /// Cast `&mut T` into `&mut U`. /// /// ## Panics /// /// This is [`try_cast_mut`] but will panic on error. #[inline] pub fn cast_mut< A: NoUninit + AnyBitPattern, B: NoUninit + CheckedBitPattern, >( a: &mut A, ) -> &mut B { match try_cast_mut(a) { Ok(t) => t, Err(e) => something_went_wrong("cast_mut", e), } } /// Cast `&T` into `&U`. /// /// ## Panics /// /// This is [`try_cast_ref`] but will panic on error. #[inline] pub fn cast_ref(a: &A) -> &B { match try_cast_ref(a) { Ok(t) => t, Err(e) => something_went_wrong("cast_ref", e), } } /// Cast `&[A]` into `&[B]`. /// /// ## Panics /// /// This is [`try_cast_slice`] but will panic on error. #[inline] pub fn cast_slice(a: &[A]) -> &[B] { match try_cast_slice(a) { Ok(t) => t, Err(e) => something_went_wrong("cast_slice", e), } } /// Cast `&mut [T]` into `&mut [U]`. /// /// ## Panics /// /// This is [`try_cast_slice_mut`] but will panic on error. #[inline] pub fn cast_slice_mut< A: NoUninit + AnyBitPattern, B: NoUninit + CheckedBitPattern, >( a: &mut [A], ) -> &mut [B] { match try_cast_slice_mut(a) { Ok(t) => t, Err(e) => something_went_wrong("cast_slice_mut", e), } }