Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Safe Transmute RFC #5

Merged
merged 61 commits into from
Aug 31, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
61 commits
Select commit Hold shift + click to select a range
8e0dc26
Create 0000-safe-transmute.md
jswrenn Aug 3, 2020
651e3bf
Apply suggestions from code review
jswrenn Aug 3, 2020
7a88370
Fix `derive` expansion.
jswrenn Aug 3, 2020
32bc4b9
reword motivation
jswrenn Aug 4, 2020
6ea3705
`Constrained` -> `NonEmptySlice`
jswrenn Aug 4, 2020
5eafe9f
missing word
jswrenn Aug 4, 2020
3a4e576
Apply suggestions from code review
jswrenn Aug 4, 2020
00167d6
add lifetime parameter to `NonEmptySlice`
jswrenn Aug 4, 2020
cf20426
`TransmuteFrom` connotes conversion
jswrenn Aug 4, 2020
a5122b2
extra explanatory comments on Summary example
jswrenn Aug 4, 2020
1a119b2
clarify why size expansion is dangerous, but leave the door open to it
jswrenn Aug 4, 2020
575eb97
missing word
jswrenn Aug 4, 2020
5297ad6
Fix botched types
jswrenn Aug 4, 2020
f85600d
platform stability clarification
jswrenn Aug 5, 2020
a47b885
neglect::Alignment -> NeglectAlignment
jswrenn Aug 5, 2020
bc1963f
neglect::Alignment -> NeglectAlignment
jswrenn Aug 5, 2020
ed172fe
`PromiseTransmutable` extension
jswrenn Aug 5, 2020
15fd0e9
clarify the purpose of "Dissecting Stability"
jswrenn Aug 5, 2020
4946585
rust -> Rust; rustc -> `rustc`
jswrenn Aug 5, 2020
528df3a
fix typo in slice casting extension
jswrenn Aug 10, 2020
216232e
fix dead links
jswrenn Aug 11, 2020
70f2d9c
slice casting revamp
jswrenn Aug 11, 2020
5424df4
packet parsing example
jswrenn Aug 11, 2020
cc01609
packet parsing tweaks
jswrenn Aug 12, 2020
4fe45b6
simplify minimal implementation
jswrenn Aug 14, 2020
b38d1df
fix broken link
jswrenn Aug 14, 2020
ea04744
nix needless `for<'a>`
jswrenn Aug 14, 2020
0fb4863
slice casting tweaks
jswrenn Aug 14, 2020
b7fef2d
packet parsing contributions from @joshlf
jswrenn Aug 15, 2020
41fa339
inline minimal implementation (with minor tweaks)
jswrenn Aug 15, 2020
3d3a3e3
link to packet_formats crate in parsing example
jswrenn Aug 15, 2020
b25348c
extension: trait gadgets for querying alignment & size
jswrenn Aug 25, 2020
b2baf68
extension: casting revamp
jswrenn Aug 25, 2020
781cf1f
rename: UnsafeTransmuteOptions -> TransmuteOptions
jswrenn Aug 25, 2020
a98df6e
dim of variation intro
jswrenn Aug 25, 2020
1df275e
typo
jswrenn Aug 25, 2020
a1362e9
possibility intros
jswrenn Aug 25, 2020
7eadf01
simplified formulation of constructability is a compiler stability ha…
jswrenn Aug 25, 2020
d86731c
typo
jswrenn Aug 25, 2020
618c8d5
fix: uninformative PromiseTransmutableInto::Archetype size trick
jswrenn Aug 25, 2020
98eb167
remove last dependency on const-generics!
jswrenn Aug 25, 2020
2f85008
nix extra sentence
jswrenn Aug 25, 2020
c4f5d60
factor out extensions
jswrenn Aug 27, 2020
1fb9949
rework motivation; cut case studies
jswrenn Aug 27, 2020
579a7a0
lingering Type -> Archetype
jswrenn Aug 28, 2020
8295f5b
abusing -> using
jswrenn Aug 28, 2020
2eaa505
update minimal impl
jswrenn Aug 28, 2020
9081e53
transmutation definition
jswrenn Aug 28, 2020
099896a
union repr
jswrenn Aug 28, 2020
7fe2146
REMOVE Dissecting Stability
jswrenn Aug 28, 2020
ed02a09
REMOVE Uncommon Use-Case: Weak Stability Guarantees
jswrenn Aug 28, 2020
c0063c4
syntax highlighting
jswrenn Aug 28, 2020
079324e
rework stability rationale
jswrenn Aug 28, 2020
19e629e
note on endianness
jswrenn Aug 28, 2020
aadfec7
undefined *or* unspecified behavior
jswrenn Aug 29, 2020
9ed6b6d
improve stability explanation
jswrenn Aug 31, 2020
93d8394
add explanatory note to error message
jswrenn Aug 31, 2020
b150c3f
prior art: haskell
jswrenn Aug 31, 2020
9fe396e
typo: TransmutableFromArchetype -> TransmutableIntoArchetype
jswrenn Aug 31, 2020
61448fb
change casting section heading
jswrenn Aug 31, 2020
3217d4a
Move one of `Archetype`'s bounds to `where`
jswrenn Aug 31, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 134 additions & 0 deletions rfcs/0000-ext-byte-transmutation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
- Feature Name: byte_transmutations
- Start Date: (fill me in with today's date, YYYY-MM-DD)
- RFC PR: [rust-lang/rfcs#0000](https://github.com/rust-lang/rfcs/pull/0000)
- Rust Issue: [rust-lang/rust#0000](https://github.com/rust-lang/rust/issues/0000)

[safer transmutation]: 0000-safe-transmute.md
[zerocopy]: https://crates.io/crates/zerocopy
[bytemuck]: https://crates.io/crates/bytemuck

# Summary
[summary]: #summary

This is a **library extension** to [safer transmutation] (i.e., it does not require additional compiler support) which introduces traits encoding common transmutation-conversions: *byte* transmutations:
- `FromZeros`, implemented if `Self` is initializable from an equivalently-sized array of zeroed bytes.
- `FromBytes`, implemented if `Self` is transmutable into an equivalently-sized array of initialized bytes.
- `IntoBytes`, implemented if `Self` is transmutable from an equivalently-sized array of initialized bytes.

# Motivation
[motivation]: #motivation
Transmutations of types to-and-from equivalently-sized buffers of bytes are perhaps the most common use-case of transmutation; e.g., `FromBytes` and `AsBytes` traits of [zerocopy] form the foundation of Fuchsia's Rust networking stack. These traits can be formulated soundly and completely via [safer transmutation], but the obvious formulations aren't viable; e.g.:
```rust
// `Dst` is `FromBytes` if it can be safely transmuted *from* an
// equivalently sized array of `u8`.
unsafe impl<Dst> FromBytes for Dst
where
Dst: TransmuteFrom<[u8; size_of::<Dst>()]>,
{}
```
At the time of writing, `size_of::<Dst>()` *cannot* appear in this context. Our proposal provides implementation of these traits that do not rely on speculative advancements in const generics.

Together, `IntoBytes` and `FromBytes` can form the basis of a [bytemuck]-like [`PlainOldData` trait](https://docs.rs/bytemuck/1.*/bytemuck/trait.Pod.html):
```rust
/// Implemented by types that are "plain old data":
pub unsafe trait PlainOldData<Neglect=()>
where
Neglect: TransmuteOptions
{}

unsafe impl<T, Neglect> PlainOldData for T
where
T: FromBytes<Neglect> + IntoBytes<Neglect>,
Neglect: TransmuteOptions
{}
```

# Reference-level explanation
[reference-level-explanation]: #reference-level-explanation

The implementations of these traits using [safer transmutation] follows:

## `FromZeros`
Indicates that a type may be transmuted from an appropriately-sized array of zeroed bytes. This trait provide a safe alternative to [`mem::zeroed()`](https://doc.rust-lang.org/core/mem/fn.zeroed.html).

```rust
pub unsafe trait FromZeros<Neglect = ()>
where
Neglect: TransmuteOptions
{
/// Safely initialize `Self` from zeroed bytes.
fn zeroed() -> Self
where
Neglect: SafeTransmuteOptions;

/// Unsafely initialize `Self` from zeroed bytes.
fn unsafe_zeroed() -> Self
where
Neglect: TransmuteOptions;
}

#[derive(Copy, Clone, PromiseTransmutableFrom, PromiseTransmutableInto)]
#[repr(u8)]
enum Zero {
Zero = 0u8
}

unsafe impl<Dst, Neglect> FromZeros<Neglect> for Dst
where
Dst: TransmuteFrom<[Zero; usize::MAX], Neglect>,
Neglect: TransmuteOptions
{
fn zeroed() -> Self
where
Neglect: SafeTransmuteOptions
{
[Zero; size_of::<Self>].transmute_into()
}

unsafe fn unsafe_zeroed() -> Self
where
Neglect: TransmuteOptions
{
[Zero; size_of::<Self>].unsafe_transmute_into()
}
}
```

## `FromBytes`
Indicates that a type may be transmuted from an appropriately-sized array of bytes.
```rust
pub unsafe trait FromBytes<Neglect = ()>
where
Neglect: TransmuteOptions
{}

unsafe impl<Dst, Neglect> FromBytes<Neglect> for Dst
where
Dst: TransmuteFrom<[u8; usize::MAX], Neglect>,
Neglect: TransmuteOptions
{}
```

## `IntoBytes`
Indicates that a type may be transmuted into an appropriately-sized array of bytes.
```rust
#[marker]
pub unsafe trait IntoBytes<Neglect = ()>
where
Neglect: TransmuteOptions
{}

// covers `size_of::<Src>() >= 1`
unsafe impl<Src, Neglect> IntoBytes<Options> for Src
where
[Src: usize::MAX]: TransmuteInto<[u8; usize::MAX], Neglect>,
Neglect: TransmuteOptions
{}

// covers `size_of::<Src>() == 0`
unsafe impl<Src, Neglect> IntoBytes for Src
where
Src: SizeEq<()>,
Neglect: TransmuteOptions
{}
```
Loading