[WIP] TryFromBytes

Makes progress on #5

Author: joshlf

src/derive_util.rs

@@ -62,3 +62,34 @@ macro_rules! union_has_padding {
         false $(|| core::mem::size_of::<$t>() != core::mem::size_of::<$ts>())*
     };
 }
+
+#[doc(hidden)]
+pub use project::project as __project;
+
+#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
+#[macro_export]
+macro_rules! impl_try_from_bytes {
+    ($ty:ty { $($f:tt: $f_ty:ty),* } $(=> $validation_method:ident)?) => {
+        #[allow(unused_qualifications)]
+        unsafe impl zerocopy::TryFromBytes for $ty {
+            fn is_bit_valid(bytes: &zerocopy::MaybeValid<Self>) -> bool {
+                true $(&& {
+                    let f: &zerocopy::MaybeValid<$f_ty>
+                        = zerocopy::derive_util::__project!(&bytes.$f);
+                    zerocopy::TryFromBytes::is_bit_valid(f)
+                })*
+                $(&& {
+                    let bytes_ptr: *const zerocopy::MaybeValid<Self> = bytes;
+                    let slf = unsafe { &*bytes_ptr.cast::<Self>() };
+                    // TODO: What about interior mutability? One approach would
+                    // be to have the validation method operate on a
+                    // `#[repr(transparent)]` `Freeze` container that implements
+                    // `Projectable`. If we eventually get a `Freeze` or
+                    // `NoCell` trait, that container could implement `Deref`
+                    // for types which don't contain any cells.
+                    slf.$validation_method()
+                })?
+            }
+        }
+    }
+}

src/lib.rs

@@ -157,6 +157,8 @@ use core::{
     ptr, slice,
 };
 
+use project::Projectable;
+
 #[cfg(feature = "alloc")]
 extern crate alloc;
 #[cfg(feature = "alloc")]
@@ -174,6 +176,29 @@ mod zerocopy {
     pub(crate) use crate::*;
 }
 
+/// Documents multiple unsafe blocks with a single safety comment.
+///
+/// Invoked as:
+///
+/// ```rust,ignore
+/// safety_comment! {
+///     // Non-doc comments come first.
+///     /// SAFETY:
+///     /// Safety comment starts on its own line.
+///     macro_1!(args);
+///     macro_2! { args };
+/// }
+/// ```
+///
+/// The macro invocations are emitted, each decorated with the following
+/// attribute: `#[allow(clippy::undocumented_unsafe_blocks)]`.
+macro_rules! safety_comment {
+    (#[doc = r" SAFETY:"] $(#[doc = $_doc:literal])* $($macro:ident!$args:tt;)*) => {
+        #[allow(clippy::undocumented_unsafe_blocks)]
+        const _: () = { $($macro!$args;)* };
+    }
+}
+
 /// Types for which a sequence of bytes all set to zero represents a valid
 /// instance of the type.
 ///
@@ -499,6 +524,275 @@ pub unsafe trait FromBytes: FromZeroes {
     }
 }
 
+/// TODO
+///
+/// # Safety
+///
+/// `AsMaybeUninit` must only be implemented for types which are `Sized` or
+/// whose last field is a slice whose element type is `Sized` (this includes
+/// slice types themselves; in a slice type, the "last field" simply refers to
+/// the slice itself).
+pub unsafe trait AsMaybeUninit {
+    /// TODO
+    ///
+    /// # Safety
+    ///
+    /// For `T: AsMaybeUninit`, the following must hold:
+    /// - Given `m: T::MaybeUninit`, it is sound to write uninitialized bytes at
+    ///   every byte offset in `m` (this description avoids the "what lengths
+    ///   are valid" problem)
+    /// - `T` and `T::MaybeUninit` have the same alignment requirement (can't
+    ///   use `align_of` to describe this because it requires that its argument
+    ///   is sized)
+    /// - `T` and `T::MaybeUninit` are either both `Sized` or both `!Sized`
+    /// - If they are `Sized`, `size_of::<T>() == size_of::<T::MaybeUninit>()`
+    /// - If they are `!Sized`, then they are both DSTs with a trailing slice.
+    ///   Given `t: &T` and `m: &T::MaybeUninit` with the same number of
+    ///   elements in their trailing slices, `size_of_val(t) == size_of_val(m)`.
+    type MaybeUninit: ?Sized + FromBytes;
+}
+
+unsafe impl<T: Sized> AsMaybeUninit for T {
+    type MaybeUninit = MaybeUninit<T>;
+}
+
+unsafe impl<T: Sized> AsMaybeUninit for [T] {
+    type MaybeUninit = [MaybeUninit<T>];
+}
+
+unsafe impl AsMaybeUninit for str {
+    type MaybeUninit = <[u8] as AsMaybeUninit>::MaybeUninit;
+}
+
+/// A value which might or might not constitute a valid instance of `T`.
+///
+/// `MaybeValid<T>` has the same layout (size and alignment) and field offsets
+/// as `T`. However, it may contain any bit pattern with a few restrictions:
+/// Given `m: MaybeValid<T>` and a byte offset, `b` in the range `[0,
+/// size_of::<MaybeValid<T>>())`:
+/// - If, in all valid instances `t: T`, the byte at offset `b` in `t` is
+///   initialized, then the byte at offset `b` within `m` is guaranteed to be
+///   initialized.
+/// - Let `s` be the sequence of bytes of length `b` in the offset range `[0,
+///   b)` in `m`. Let `TT` be the subset of valid instances of `T` which contain
+///   this sequence in the offset range `[0, b)`. If, for all instances of `t:
+///   T` in `TT`, the byte at offset `b` in `t` is initialized, then the byte at
+///   offset `b` in `m` is guaranteed to be initialized.
+///
+///   Pragmatically, this means that if `m` is guaranteed to contain an enum
+///   type at a particular offset, and the enum discriminant stored in `m`
+///   corresponds to a valid variant of that enum type, then it is guaranteed
+///   that the appropriate bytes of `m` are initialized as defined by that
+///   variant's layout (although note that the variant's layout may contain
+///   another enum type, in which case the same rules apply depending on the
+///   state of its discriminant, and so on recursively).
+///
+/// # Safety
+///
+/// TODO (make sure to mention enum layout)
+#[derive(FromZeroes, FromBytes, AsBytes, Unaligned)]
+#[repr(transparent)]
+pub struct MaybeValid<T: AsMaybeUninit + ?Sized> {
+    inner: T::MaybeUninit,
+}
+
+impl<T> MaybeValid<T> {
+    /// TODO
+    pub const unsafe fn assume_valid(self) -> T {
+        unsafe { self.inner.assume_init() }
+    }
+}
+
+impl<T> MaybeValid<[T]> {
+    /// TODO
+    pub const fn as_slice_of_maybe_valids(&self) -> &[MaybeValid<T>] {
+        let inner: &[<T as AsMaybeUninit>::MaybeUninit] = &self.inner;
+        // SAFETY: Since `inner` is a `&[T::MaybeUninit]`, and `MaybeValid<T>`
+        // is a `repr(transparent)` struct around `T::MaybeUninit`, `inner` has
+        // the same layout as `&[MaybeValid<T>]`.
+        unsafe { mem::transmute(inner) }
+    }
+}
+
+impl<const N: usize, T> MaybeValid<[T; N]> {
+    /// TODO
+    pub const fn as_slice(&self) -> &MaybeValid<[T]> {
+        todo!()
+    }
+}
+
+unsafe impl<T, F> Projectable<F, MaybeValid<F>> for MaybeValid<T> {
+    type Inner = T;
+}
+
+impl<T> Debug for MaybeValid<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
+        f.pad(core::any::type_name::<Self>())
+    }
+}
+
+/// TODO
+pub unsafe trait TryFromBytes: AsMaybeUninit {
+    /// TODO
+    fn is_bit_valid(candidate: &MaybeValid<Self>) -> bool;
+
+    /// TODO
+    // Note that, in a future in which we distinguish between `FromBytes` and `RefFromBytes`,
+    // this requires `where Self: RefFromBytes` to disallow interior mutability.
+    fn try_from_ref(bytes: &[u8]) -> Option<&Self>
+    where
+        // TODO: Remove this bound.
+        Self: Sized,
+        // TODO: Why can't Rust infer this based on the blanket impl for `T:
+        // Sized`? It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+        <Self as AsMaybeUninit>::MaybeUninit: Sized,
+    {
+        // let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        // let aligned = Align::try_from_ref(byte_array)?;
+        let maybe_valid = Ref::<_, MaybeValid<Self>>::new(bytes)?.into_ref();
+
+        if Self::is_bit_valid(maybe_valid) {
+            Some(unsafe { &*bytes.as_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_from_mut(bytes: &mut [u8]) -> Option<&mut Self>
+    where
+        // TODO: Remove the `Sized` bound.
+        Self: AsBytes + Sized,
+        // TODO: Why can't Rust infer this based on the blanket impl for `T:
+        // Sized`? It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+        <Self as AsMaybeUninit>::MaybeUninit: Sized,
+    {
+        // let byte_array: &ByteArray<Self> = TryFrom::try_from(&*bytes).ok()?;
+        // let aligned = Align::try_from_ref(byte_array)?;
+        let maybe_valid = Ref::<_, MaybeValid<Self>>::new(&*bytes)?.into_ref();
+
+        if Self::is_bit_valid(maybe_valid) {
+            Some(unsafe { &mut *bytes.as_mut_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_read_from(bytes: &[u8]) -> Option<Self>
+    where
+        Self: Sized,
+        // TODO: Why can't Rust infer this based on the blanket impl for `T:
+        // Sized`? It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+        <Self as AsMaybeUninit>::MaybeUninit: Sized,
+    {
+        // let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        let maybe_valid = MaybeValid::<Self>::read_from(bytes)?;
+
+        if Self::is_bit_valid(&maybe_valid) {
+            Some(unsafe { maybe_valid.assume_valid() })
+        } else {
+            None
+        }
+    }
+}
+
+unsafe impl<T: FromBytes> TryFromBytes for T {
+    fn is_bit_valid(_candidate: &MaybeValid<T>) -> bool {
+        true
+    }
+}
+
+// TODO: This conflicts with the blanket impl for `T: TryFromBytes`.
+
+// unsafe impl<const N: usize, T: TryFromBytes + Sized> TryFromBytes for [T; N]
+// where
+//     // TODO: Why can't Rust infer this based on the blanket impl for `T: Sized`?
+//     // It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+//     <T as AsMaybeUninit>::MaybeUninit: Sized,
+// {
+//     fn is_bit_valid(candidate: &MaybeValid<[T; N]>) -> bool {
+//         candidate.as_slice().as_slice_of_maybe_valids().iter().all(|c| T::is_bit_valid(c))
+//     }
+// }
+
+unsafe impl<T: TryFromBytes + Sized> TryFromBytes for [T]
+where
+    // TODO: Why can't Rust infer this based on the blanket impl for `T: Sized`?
+    // It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+    <T as AsMaybeUninit>::MaybeUninit: Sized,
+{
+    fn is_bit_valid(candidate: &MaybeValid<[T]>) -> bool {
+        candidate.as_slice_of_maybe_valids().iter().all(|c| T::is_bit_valid(c))
+    }
+}
+
+/// # Safety
+///
+/// It must be sound to transmute `&MaybeValid<$ty>` into `&$repr`.
+macro_rules! unsafe_impl_try_from_bytes {
+    ($ty:ty, $repr:ty, |$candidate:ident| $is_bit_valid:expr) => {
+        unsafe impl TryFromBytes for $ty {
+            fn is_bit_valid(candidate: &MaybeValid<$ty>) -> bool {
+                let $candidate = unsafe { &*(candidate as *const MaybeValid<$ty> as *const $repr) };
+                $is_bit_valid
+            }
+        }
+    };
+}
+
+safety_comment! {
+    /// SAFETY:
+    /// All of the `NonZeroXxx` types have the same layout as `Xxx`. Also, every
+    /// byte of such a type is required to be initialized, so it is guaranteed
+    /// that every byte of a `MaybeValid<NonZeroXxx>` must also be initialized.
+    /// Thus, it is sound to transmute a `&MaybeValid<NonZeroXxx>` to a `&Xxx`.
+    ///
+    /// TODO: Why are these impls correct (ie, ensure valid NonZeroXxx types)?
+    unsafe_impl_try_from_bytes!(NonZeroU8, u8, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroU16, u16, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroU32, u32, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroU64, u64, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroU128, u128, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroUsize, usize, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroI8, i8, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroI16, i16, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroI32, i32, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroI64, i64, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroI128, i128, |n| *n != 0);
+    unsafe_impl_try_from_bytes!(NonZeroIsize, isize, |n| *n != 0);
+}
+
+unsafe_impl_try_from_bytes!(bool, u8, |byte| *byte < 2);
+
+unsafe_impl_try_from_bytes!(char, [u8; 4], |bytes| {
+    let c = u32::from_ne_bytes(*bytes);
+    char::from_u32(c).is_some()
+});
+
+unsafe_impl_try_from_bytes!(str, [u8], |bytes| core::str::from_utf8(bytes).is_ok());
+
+mod try_from_bytes_derive_example {
+    use super::*;
+
+    struct Foo {
+        a: u8,
+        b: u16,
+    }
+
+    impl_try_from_bytes!(Foo { a: u8, b: u16 });
+
+    struct Bar(Foo);
+
+    impl Bar {
+        fn is_valid(&self) -> bool {
+            u16::from(self.0.a) < self.0.b
+        }
+    }
+
+    impl_try_from_bytes!(Bar { 0: Foo } => is_valid);
+}
+
 /// Types which are safe to treat as an immutable byte slice.
 ///
 /// WARNING: Do not implement this trait yourself! Instead, use
@@ -696,29 +990,6 @@ pub unsafe trait Unaligned {
         Self: Sized;
 }
 
-/// Documents multiple unsafe blocks with a single safety comment.
-///
-/// Invoked as:
-///
-/// ```rust,ignore
-/// safety_comment! {
-///     // Non-doc comments come first.
-///     /// SAFETY:
-///     /// Safety comment starts on its own line.
-///     macro_1!(args);
-///     macro_2! { args };
-/// }
-/// ```
-///
-/// The macro invocations are emitted, each decorated with the following
-/// attribute: `#[allow(clippy::undocumented_unsafe_blocks)]`.
-macro_rules! safety_comment {
-    (#[doc = r" SAFETY:"] $(#[doc = $_doc:literal])* $($macro:ident!$args:tt;)*) => {
-        #[allow(clippy::undocumented_unsafe_blocks)]
-        const _: () = { $($macro!$args;)* };
-    }
-}
-
 /// Unsafely implements trait(s) for a type.
 macro_rules! unsafe_impl {
     // Implement `$trait` for `$ty` with no bounds.