impls.rs source code [crates/zerocopy-0.8.24/src/impls.rs]

1	// Copyright 2024 The Fuchsia Authors
2	//
3	// Licensed under the 2-Clause BSD License <LICENSE-BSD or
4	// https://opensource.org/license/bsd-2-clause>, Apache License, Version 2.0
5	// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
6	// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
7	// This file may not be copied, modified, or distributed except according to
8	// those terms.
9
10	use core::{
11	cell::{Cell, UnsafeCell},
12	mem::MaybeUninit as CoreMaybeUninit,
13	ptr::NonNull,
14	};
15
16	use super::*;
17
18	safety_comment! {
19	/// SAFETY:
20	/// Per the reference [1], "the unit tuple (`()`) ... is guaranteed as a
21	/// zero-sized type to have a size of 0 and an alignment of 1."
22	/// - `Immutable`: `()` self-evidently does not contain any `UnsafeCell`s.
23	/// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
24	/// only one possible sequence of 0 bytes, and `()` is inhabited.
25	/// - `IntoBytes`: Since `()` has size 0, it contains no padding bytes.
26	/// - `Unaligned`: `()` has alignment 1.
27	///
28	/// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#tuple-layout
29	unsafe_impl!((): Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
30	assert_unaligned!(());
31	}
32
33	safety_comment! {
34	/// SAFETY:
35	/// - `Immutable`: These types self-evidently do not contain any
36	/// `UnsafeCell`s.
37	/// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: all bit
38	/// patterns are valid for numeric types [1]
39	/// - `IntoBytes`: numeric types have no padding bytes [1]
40	/// - `Unaligned` (`u8` and `i8` only): The reference [2] specifies the size
41	/// of `u8` and `i8` as 1 byte. We also know that:
42	/// - Alignment is >= 1 [3]
43	/// - Size is an integer multiple of alignment [4]
44	/// - The only value >= 1 for which 1 is an integer multiple is 1
45	/// Therefore, the only possible alignment for `u8` and `i8` is 1.
46	///
47	/// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/numeric.html#bit-validity:
48	///
49	/// For every numeric type, `T`, the bit validity of `T` is equivalent to
50	/// the bit validity of `[u8; size_of::<T>()]`. An uninitialized byte is
51	/// not a valid `u8`.
52	///
53	/// [2] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-data-layout
54	///
55	/// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
56	///
57	/// Alignment is measured in bytes, and must be at least 1.
58	///
59	/// [4] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
60	///
61	/// The size of a value is always a multiple of its alignment.
62	///
63	/// TODO(#278): Once we've updated the trait docs to refer to `u8`s rather
64	/// than bits or bytes, update this comment, especially the reference to
65	/// [1].
66	unsafe_impl!(u8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
67	unsafe_impl!(i8: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
68	assert_unaligned!(u8, i8);
69	unsafe_impl!(u16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
70	unsafe_impl!(i16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
71	unsafe_impl!(u32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
72	unsafe_impl!(i32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
73	unsafe_impl!(u64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
74	unsafe_impl!(i64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
75	unsafe_impl!(u128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
76	unsafe_impl!(i128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
77	unsafe_impl!(usize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
78	unsafe_impl!(isize: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
79	unsafe_impl!(f32: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
80	unsafe_impl!(f64: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
81	#[cfg(feature = "float-nightly")]
82	unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f16: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
83	#[cfg(feature = "float-nightly")]
84	unsafe_impl!(#[cfg_attr(doc_cfg, doc(cfg(feature = "float-nightly")))] f128: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes);
85	}
86
87	safety_comment! {
88	/// SAFETY:
89	/// - `Immutable`: `bool` self-evidently does not contain any `UnsafeCell`s.
90	/// - `FromZeros`: Valid since "[t]he value false has the bit pattern 0x00"
91	/// [1].
92	/// - `IntoBytes`: Since "the boolean type has a size and alignment of 1
93	/// each" and "The value false has the bit pattern 0x00 and the value true
94	/// has the bit pattern 0x01" [1]. Thus, the only byte of the bool is
95	/// always initialized.
96	/// - `Unaligned`: Per the reference [1], "[a]n object with the boolean type
97	/// has a size and alignment of 1 each."
98	///
99	/// [1] https://doc.rust-lang.org/1.81.0/reference/types/boolean.html
100	unsafe_impl!(bool: Immutable, FromZeros, IntoBytes, Unaligned);
101	assert_unaligned!(bool);
102	/// SAFETY:
103	/// The impl must only return `true` for its argument if the original
104	/// `Maybe<bool>` refers to a valid `bool`. We only return true if the `u8`
105	/// value is 0 or 1, and both of these are valid values for `bool` [1].
106	///
107	/// [1] Per https://doc.rust-lang.org/1.81.0/reference/types/boolean.html:
108	///
109	/// The value false has the bit pattern 0x00 and the value true has the
110	/// bit pattern 0x01.
111	unsafe_impl!(=> TryFromBytes for bool; \|byte\| {
112	let byte = byte.transmute::<u8, invariant::Valid, _>();
113	*byte.unaligned_as_ref() < `2`
114	});
115	}
116
117	impl_size_eq!(bool, u8);
118
119	safety_comment! {
120	/// SAFETY:
121	/// - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
122	/// - `FromZeros`: Per reference [1], "[a] value of type char is a Unicode
123	/// scalar value (i.e. a code point that is not a surrogate), represented
124	/// as a 32-bit unsigned word in the 0x0000 to 0xD7FF or 0xE000 to
125	/// 0x10FFFF range" which contains 0x0000.
126	/// - `IntoBytes`: `char` is per reference [1] "represented as a 32-bit
127	/// unsigned word" (`u32`) which is `IntoBytes`. Note that unlike `u32`,
128	/// not all bit patterns are valid for `char`.
129	///
130	/// [1] https://doc.rust-lang.org/1.81.0/reference/types/textual.html
131	unsafe_impl!(char: Immutable, FromZeros, IntoBytes);
132	/// SAFETY:
133	/// The impl must only return `true` for its argument if the original
134	/// `Maybe<char>` refers to a valid `char`. `char::from_u32` guarantees that
135	/// it returns `None` if its input is not a valid `char` [1].
136	///
137	/// [1] Per https://doc.rust-lang.org/core/primitive.char.html#method.from_u32:
138	///
139	/// `from_u32()` will return `None` if the input is not a valid value for
140	/// a `char`.
141	unsafe_impl!(=> TryFromBytes for char; \|c\| {
142	let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
143	let c = c.read_unaligned().into_inner();
144	char::from_u32(c).is_some()
145	});
146	}
147
148	impl_size_eq!(char, Unalign<u32>);
149
150	safety_comment! {
151	/// SAFETY:
152	/// Per the Reference [1], `str` has the same layout as `[u8]`.
153	/// - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
154	/// - `FromZeros`, `IntoBytes`, `Unaligned`: `[u8]` is `FromZeros`,
155	/// `IntoBytes`, and `Unaligned`.
156	///
157	/// Note that we don't `assert_unaligned!(str)` because `assert_unaligned!`
158	/// uses `align_of`, which only works for `Sized` types.
159	///
160	/// TODO(#429):
161	/// - Add quotes from documentation.
162	/// - Improve safety proof for `FromZeros` and `IntoBytes`; having the same
163	/// layout as `[u8]` isn't sufficient.
164	///
165	/// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout
166	unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unaligned);
167	/// SAFETY:
168	/// The impl must only return `true` for its argument if the original
169	/// `Maybe<str>` refers to a valid `str`. `str::from_utf8` guarantees that
170	/// it returns `Err` if its input is not a valid `str` [1].
171	///
172	/// [2] Per https://doc.rust-lang.org/core/str/fn.from_utf8.html#errors:
173	///
174	/// Returns `Err` if the slice is not UTF-8.
175	unsafe_impl!(=> TryFromBytes for str; \|c\| {
176	let c = c.transmute::<[u8], invariant::Valid, _>();
177	let c = c.unaligned_as_ref();
178	core::str::from_utf8(c).is_ok()
179	});
180	}
181
182	// SAFETY: `str` and `[u8]` have the same layout [1].
183	//
184	// [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#str-layout:
185	//
186	// String slices are a UTF-8 representation of characters that have the same
187	// layout as slices of type `[u8]`.
188	unsafe impl pointer::SizeEq<str> for [u8] {
189	fn cast_from_raw(s: NonNull<str>) -> NonNull<[u8]> {
190	cast!(s)
191	}
192	}
193	// SAFETY: See previous safety comment.
194	unsafe impl pointer::SizeEq<[u8]> for str {
195	fn cast_from_raw(bytes: NonNull<[u8]>) -> NonNull<str> {
196	cast!(bytes)
197	}
198	}
199
200	macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
201	($($nonzero:ident[$prim:ty]),*) => {
202	$(
203	unsafe_impl!(=> TryFromBytes for $nonzero; \|n\| {
204	unsafe impl pointer::SizeEq<$nonzero> for Unalign<$prim> {
205	fn cast_from_raw(n: NonNull<$nonzero>) -> NonNull<Unalign<$prim>> {
206	cast!(n)
207	}
208	}
209	unsafe impl pointer::SizeEq<Unalign<$prim>> for $nonzero {
210	fn cast_from_raw(p: NonNull<Unalign<$prim>>) -> NonNull<$nonzero> {
211	cast!(p)
212	}
213	}
214
215	let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
216	$nonzero::new(n.read_unaligned().into_inner()).is_some()
217	});
218	)*
219	}
220	}
221
222	safety_comment! {
223	// `NonZeroXxx` is `IntoBytes`, but not `FromZeros` or `FromBytes`.
224	//
225	/// SAFETY:
226	/// - `IntoBytes`: `NonZeroXxx` has the same layout as its associated
227	/// primitive. Since it is the same size, this guarantees it has no
228	/// padding - integers have no padding, and there's no room for padding
229	/// if it can represent all of the same values except 0.
230	/// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
231	/// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
232	/// This is worded in a way that makes it unclear whether it's meant as a
233	/// guarantee, but given the purpose of those types, it's virtually
234	/// unthinkable that that would ever change. `Option` cannot be smaller
235	/// than its contained type, which implies that, and `NonZeroX8` are of
236	/// size 1 or 0. `NonZeroX8` can represent multiple states, so they cannot
237	/// be 0 bytes, which means that they must be 1 byte. The only valid
238	/// alignment for a 1-byte type is 1.
239	///
240	/// TODO(#429):
241	/// - Add quotes from documentation.
242	/// - Add safety comment for `Immutable`. How can we prove that `NonZeroXxx`
243	/// doesn't contain any `UnsafeCell`s? It's obviously true, but it's not
244	/// clear how we'd prove it short of adding text to the stdlib docs that
245	/// says so explicitly, which likely wouldn't be accepted.
246	///
247	/// [1] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroU8.html
248	///
249	/// `NonZeroU8` is guaranteed to have the same layout and bit validity as `u8` with
250	/// the exception that 0 is not a valid instance
251	///
252	/// [2] https://doc.rust-lang.org/1.81.0/std/num/type.NonZeroI8.html
253	/// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
254	/// that layout is the same as primitive layout.
255	unsafe_impl!(NonZeroU8: Immutable, IntoBytes, Unaligned);
256	unsafe_impl!(NonZeroI8: Immutable, IntoBytes, Unaligned);
257	assert_unaligned!(NonZeroU8, NonZeroI8);
258	unsafe_impl!(NonZeroU16: Immutable, IntoBytes);
259	unsafe_impl!(NonZeroI16: Immutable, IntoBytes);
260	unsafe_impl!(NonZeroU32: Immutable, IntoBytes);
261	unsafe_impl!(NonZeroI32: Immutable, IntoBytes);
262	unsafe_impl!(NonZeroU64: Immutable, IntoBytes);
263	unsafe_impl!(NonZeroI64: Immutable, IntoBytes);
264	unsafe_impl!(NonZeroU128: Immutable, IntoBytes);
265	unsafe_impl!(NonZeroI128: Immutable, IntoBytes);
266	unsafe_impl!(NonZeroUsize: Immutable, IntoBytes);
267	unsafe_impl!(NonZeroIsize: Immutable, IntoBytes);
268	unsafe_impl_try_from_bytes_for_nonzero!(
269	NonZeroU8[u8],
270	NonZeroI8[i8],
271	NonZeroU16[u16],
272	NonZeroI16[i16],
273	NonZeroU32[u32],
274	NonZeroI32[i32],
275	NonZeroU64[u64],
276	NonZeroI64[i64],
277	NonZeroU128[u128],
278	NonZeroI128[i128],
279	NonZeroUsize[usize],
280	NonZeroIsize[isize]
281	);
282	}
283	safety_comment! {
284	/// SAFETY:
285	/// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`,
286	/// `IntoBytes`: The Rust compiler reuses `0` value to represent `None`,
287	/// so `size_of::<Option<NonZeroXxx>>() == size_of::<xxx>()`; see
288	/// `NonZeroXxx` documentation.
289	/// - `Unaligned`: `NonZeroU8` and `NonZeroI8` document that
290	/// `Option<NonZeroU8>` and `Option<NonZeroI8>` both have size 1. [1] [2]
291	/// This is worded in a way that makes it unclear whether it's meant as a
292	/// guarantee, but given the purpose of those types, it's virtually
293	/// unthinkable that that would ever change. The only valid alignment for
294	/// a 1-byte type is 1.
295	///
296	/// TODO(#429): Add quotes from documentation.
297	///
298	/// [1] https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html
299	/// [2] https://doc.rust-lang.org/stable/std/num/struct.NonZeroI8.html
300	///
301	/// TODO(https://github.com/rust-lang/rust/pull/104082): Cite documentation
302	/// for layout guarantees.
303	unsafe_impl!(Option<NonZeroU8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
304	unsafe_impl!(Option<NonZeroI8>: TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
305	assert_unaligned!(Option<NonZeroU8>, Option<NonZeroI8>);
306	unsafe_impl!(Option<NonZeroU16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
307	unsafe_impl!(Option<NonZeroI16>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
308	unsafe_impl!(Option<NonZeroU32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
309	unsafe_impl!(Option<NonZeroI32>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
310	unsafe_impl!(Option<NonZeroU64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
311	unsafe_impl!(Option<NonZeroI64>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
312	unsafe_impl!(Option<NonZeroU128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
313	unsafe_impl!(Option<NonZeroI128>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
314	unsafe_impl!(Option<NonZeroUsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
315	unsafe_impl!(Option<NonZeroIsize>: TryFromBytes, FromZeros, FromBytes, IntoBytes);
316	}
317
318	safety_comment! {
319	/// SAFETY:
320	/// While it's not fully documented, the consensus is that `Box<T>` does not
321	/// contain any `UnsafeCell`s for `T: Sized` [1]. This is not a complete
322	/// proof, but we are accepting this as a known risk per #1358.
323	///
324	/// [1] https://github.com/rust-lang/unsafe-code-guidelines/issues/492
325	#[cfg(feature = "alloc")]
326	unsafe_impl!(
327	#[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
328	T: Sized => Immutable for Box<T>
329	);
330	}
331
332	safety_comment! {
333	/// SAFETY:
334	/// The following types can be transmuted from `[0u8; size_of::<T>()]`. [1]
335	///
336	/// [1] Per https://doc.rust-lang.org/nightly/core/option/index.html#representation:
337	///
338	/// Rust guarantees to optimize the following types `T` such that
339	/// [`Option<T>`] has the same size and alignment as `T`. In some of these
340	/// cases, Rust further guarantees that `transmute::<_, Option<T>>([0u8;
341	/// size_of::<T>()])` is sound and produces `Option::<T>::None`. These
342	/// cases are identified by the second column:
343	///
344	/// \| `T` \| `transmute::<_, Option<T>>([0u8; size_of::<T>()])` sound? \|
345	/// \|-----------------------\|-----------------------------------------------------------\|
346	/// \| [`Box<U>`] \| when `U: Sized` \|
347	/// \| `&U` \| when `U: Sized` \|
348	/// \| `&mut U` \| when `U: Sized` \|
349	/// \| [`ptr::NonNull<U>`] \| when `U: Sized` \|
350	/// \| `fn`, `extern "C" fn` \| always \|
351	///
352	/// TODO(#429), TODO(https://github.com/rust-lang/rust/pull/115333): Cite
353	/// the Stable docs once they're available.
354	#[cfg(feature = "alloc")]
355	unsafe_impl!(
356	#[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
357	T => TryFromBytes for Option<Box<T>>; \|c\| pointer::is_zeroed(c)
358	);
359	#[cfg(feature = "alloc")]
360	unsafe_impl!(
361	#[cfg_attr(doc_cfg, doc(cfg(feature = "alloc")))]
362	T => FromZeros for Option<Box<T>>
363	);
364	unsafe_impl!(
365	T => TryFromBytes for Option<&'_ T>; \|c\| pointer::is_zeroed(c)
366	);
367	unsafe_impl!(T => FromZeros for Option<&'_ T>);
368	unsafe_impl!(
369	T => TryFromBytes for Option<&'_ mut T>; \|c\| pointer::is_zeroed(c)
370	);
371	unsafe_impl!(T => FromZeros for Option<&'_ mut T>);
372	unsafe_impl!(
373	T => TryFromBytes for Option<NonNull<T>>; \|c\| pointer::is_zeroed(c)
374	);
375	unsafe_impl!(T => FromZeros for Option<NonNull<T>>);
376	unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_fn!(...));
377	unsafe_impl_for_power_set!(
378	A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_fn!(...);
379	\|c\| pointer::is_zeroed(c)
380	);
381	unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => FromZeros for opt_extern_c_fn!(...));
382	unsafe_impl_for_power_set!(
383	A, B, C, D, E, F, G, H, I, J, K, L -> M => TryFromBytes for opt_extern_c_fn!(...);
384	\|c\| pointer::is_zeroed(c)
385	);
386	}
387
388	safety_comment! {
389	/// SAFETY:
390	/// `fn()` and `extern "C" fn()` self-evidently do not contain
391	/// `UnsafeCell`s. This is not a proof, but we are accepting this as a known
392	/// risk per #1358.
393	unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_fn!(...));
394	unsafe_impl_for_power_set!(A, B, C, D, E, F, G, H, I, J, K, L -> M => Immutable for opt_extern_c_fn!(...));
395	}
396
397	#[cfg(all(
398	zerocopy_target_has_atomics_1_60_0,
399	any(
400	target_has_atomic = "8",
401	target_has_atomic = "16",
402	target_has_atomic = "32",
403	target_has_atomic = "64",
404	target_has_atomic = "ptr"
405	)
406	))]
407	#[cfg_attr(doc_cfg, doc(cfg(rust = "1.60.0")))]
408	mod atomics {
409	use super::*;
410
411	macro_rules! impl_traits_for_atomics {
412	($($atomics:ident [$primitives:ident]),* $(,)?) => {
413	$(
414	impl_known_layout!($atomics);
415	impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
416	impl_for_transmute_from!(=> FromZeros for $atomics [UnsafeCell<$primitives>]);
417	impl_for_transmute_from!(=> FromBytes for $atomics [UnsafeCell<$primitives>]);
418	impl_for_transmute_from!(=> IntoBytes for $atomics [UnsafeCell<$primitives>]);
419	)*
420	};
421	}
422
423	/// Implements `TransmuteFrom` for `$atomic`, `$prim`, and
424	/// `UnsafeCell<$prim>`.
425	///
426	/// # Safety
427	///
428	/// `$atomic` must have the same size and bit validity as `$prim`.
429	macro_rules! unsafe_impl_transmute_from_for_atomic {
430	($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {
431	const _: () = {
432	use core::{cell::UnsafeCell, ptr::NonNull};
433	use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
434
435	$(
436	#[allow(unused_unsafe)] // Force the caller to call this macro inside `safety_comment!`.
437	const _: () = unsafe {};
438
439	// SAFETY: The caller promised that `$atomic` and `$prim` have
440	// the same size and bit validity.
441	unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for $prim {}
442	// SAFETY: The caller promised that `$atomic` and `$prim` have
443	// the same size and bit validity.
444	unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
445
446	// SAFETY: THe caller promised that `$atomic` and `$prim`
447	// have the same size.
448	unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
449	fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<$prim> {
450	cast!(a)
451	}
452	}
453	// SAFETY: THe caller promised that `$atomic` and `$prim`
454	// have the same size.
455	unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
456	fn cast_from_raw(p: NonNull<$prim>) -> NonNull<$atomic> {
457	cast!(p)
458	}
459	}
460	// SAFETY: The caller promised that `$atomic` and `$prim`
461	// have the same size. `UnsafeCell<T>` has the same size as
462	// `T` [1].
463	//
464	// [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
465	//
466	// `UnsafeCell<T>` has the same in-memory representation as
467	// its inner type `T`. A consequence of this guarantee is that
468	// it is possible to convert between `T` and `UnsafeCell<T>`.
469	unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
470	fn cast_from_raw(a: NonNull<$atomic>) -> NonNull<UnsafeCell<$prim>> {
471	cast!(a)
472	}
473	}
474	// SAFETY: See previous safety comment.
475	unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
476	fn cast_from_raw(p: NonNull<UnsafeCell<$prim>>) -> NonNull<$atomic> {
477	cast!(p)
478	}
479	}
480
481	// SAFETY: The caller promised that `$atomic` and `$prim`
482	// have the same bit validity. `UnsafeCell<T>` has the same
483	// bit validity as `T` [1].
484	//
485	// [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
486	//
487	// `UnsafeCell<T>` has the same in-memory representation as
488	// its inner type `T`. A consequence of this guarantee is that
489	// it is possible to convert between `T` and `UnsafeCell<T>`.
490	unsafe impl<$($tyvar)?> TransmuteFrom<$atomic, Valid, Valid> for core::cell::UnsafeCell<$prim> {}
491	// SAFETY: See previous safety comment.
492	unsafe impl<$($tyvar)?> TransmuteFrom<core::cell::UnsafeCell<$prim>, Valid, Valid> for $atomic {}
493	)*
494	};
495	};
496	}
497
498	#[cfg(target_has_atomic = "8")]
499	#[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "8")))]
500	mod atomic_8 {
501	use core::sync::atomic::{AtomicBool, AtomicI8, AtomicU8};
502
503	use super::*;
504
505	impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
506
507	impl_known_layout!(AtomicBool);
508
509	impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
510	impl_for_transmute_from!(=> FromZeros for AtomicBool [UnsafeCell<bool>]);
511	impl_for_transmute_from!(=> IntoBytes for AtomicBool [UnsafeCell<bool>]);
512
513	safety_comment! {
514	/// SAFETY:
515	/// Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the same
516	/// size as `bool`, `u8`, and `i8` respectively. Since a type's
517	/// alignment cannot be smaller than 1 [2], and since its alignment
518	/// cannot be greater than its size [3], the only possible value for
519	/// the alignment is 1. Thus, it is sound to implement `Unaligned`.
520	///
521	/// [1] Per (for example) https://doc.rust-lang.org/1.81.0/std/sync/atomic/struct.AtomicU8.html:
522	///
523	/// This type has the same size, alignment, and bit validity as
524	/// the underlying integer type
525	///
526	/// [2] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
527	///
528	/// Alignment is measured in bytes, and must be at least 1.
529	///
530	/// [3] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#size-and-alignment:
531	///
532	/// The size of a value is always a multiple of its alignment.
533	unsafe_impl!(AtomicBool: Unaligned);
534	unsafe_impl!(AtomicU8: Unaligned);
535	unsafe_impl!(AtomicI8: Unaligned);
536	assert_unaligned!(AtomicBool, AtomicU8, AtomicI8);
537
538	/// SAFETY:
539	/// `AtomicU8`, `AtomicI8`, and `AtomicBool` have the same size and
540	/// bit validity as `u8`, `i8`, and `bool` respectively [1][2][3].
541	///
542	/// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU8.html:
543	///
544	/// This type has the same size, alignment, and bit validity as
545	/// the underlying integer type, `u8`.
546	///
547	/// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI8.html:
548	///
549	/// This type has the same size, alignment, and bit validity as
550	/// the underlying integer type, `i8`.
551	///
552	/// [3] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicBool.html:
553	///
554	/// This type has the same size, alignment, and bit validity a
555	/// `bool`.
556	unsafe_impl_transmute_from_for_atomic!(
557	=> AtomicU8 [u8],
558	=> AtomicI8 [i8],
559	=> AtomicBool [bool]
560	);
561	}
562	}
563
564	#[cfg(target_has_atomic = "16")]
565	#[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "16")))]
566	mod atomic_16 {
567	use core::sync::atomic::{AtomicI16, AtomicU16};
568
569	use super::*;
570
571	impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
572
573	safety_comment! {
574	/// SAFETY:
575	/// `AtomicU16` and `AtomicI16` have the same size and bit validity
576	/// as `u16` and `i16` respectively [1][2].
577	///
578	/// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU16.html:
579	///
580	/// This type has the same size and bit validity as the underlying
581	/// integer type, `u16`.
582	///
583	/// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI16.html:
584	///
585	/// This type has the same size and bit validity as the underlying
586	/// integer type, `i16`.
587	unsafe_impl_transmute_from_for_atomic!(=> AtomicU16 [u16], => AtomicI16 [i16]);
588	}
589	}
590
591	#[cfg(target_has_atomic = "32")]
592	#[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "32")))]
593	mod atomic_32 {
594	use core::sync::atomic::{AtomicI32, AtomicU32};
595
596	use super::*;
597
598	impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
599
600	safety_comment! {
601	/// SAFETY:
602	/// `AtomicU32` and `AtomicI32` have the same size and bit validity
603	/// as `u32` and `i32` respectively [1][2].
604	///
605	/// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU32.html:
606	///
607	/// This type has the same size and bit validity as the underlying
608	/// integer type, `u32`.
609	///
610	/// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI32.html:
611	///
612	/// This type has the same size and bit validity as the underlying
613	/// integer type, `i32`.
614	unsafe_impl_transmute_from_for_atomic!(=> AtomicU32 [u32], => AtomicI32 [i32]);
615	}
616	}
617
618	#[cfg(target_has_atomic = "64")]
619	#[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "64")))]
620	mod atomic_64 {
621	use core::sync::atomic::{AtomicI64, AtomicU64};
622
623	use super::*;
624
625	impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
626
627	safety_comment! {
628	/// SAFETY:
629	/// `AtomicU64` and `AtomicI64` have the same size and bit validity
630	/// as `u64` and `i64` respectively [1][2].
631	///
632	/// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicU64.html:
633	///
634	/// This type has the same size and bit validity as the underlying
635	/// integer type, `u64`.
636	///
637	/// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicI64.html:
638	///
639	/// This type has the same size and bit validity as the underlying
640	/// integer type, `i64`.
641	unsafe_impl_transmute_from_for_atomic!(=> AtomicU64 [u64], => AtomicI64 [i64]);
642	}
643	}
644
645	#[cfg(target_has_atomic = "ptr")]
646	#[cfg_attr(doc_cfg, doc(cfg(target_has_atomic = "ptr")))]
647	mod atomic_ptr {
648	use core::sync::atomic::{AtomicIsize, AtomicPtr, AtomicUsize};
649
650	use super::*;
651
652	impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
653
654	impl_known_layout!(T => AtomicPtr<T>);
655
656	// TODO(#170): Implement `FromBytes` and `IntoBytes` once we implement
657	// those traits for `mut T`.*
658	impl_for_transmute_from!(T => TryFromBytes for AtomicPtr<T> [UnsafeCell<*mut T>]);
659	impl_for_transmute_from!(T => FromZeros for AtomicPtr<T> [UnsafeCell<*mut T>]);
660
661	safety_comment! {
662	/// SAFETY:
663	/// `AtomicUsize` and `AtomicIsize` have the same size and bit
664	/// validity as `usize` and `isize` respectively [1][2].
665	///
666	/// [1] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicUsize.html:
667	///
668	/// This type has the same size and bit validity as the underlying
669	/// integer type, `usize`.
670	///
671	/// [2] Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicIsize.html:
672	///
673	/// This type has the same size and bit validity as the underlying
674	/// integer type, `isize`.
675	unsafe_impl_transmute_from_for_atomic!(=> AtomicUsize [usize], => AtomicIsize [isize]);
676	/// SAFETY:
677	/// Per https://doc.rust-lang.org/1.85.0/std/sync/atomic/struct.AtomicPtr.html:
678	///
679	/// This type has the same size and bit validity as a `mut T`.*
680	unsafe_impl_transmute_from_for_atomic!(T => AtomicPtr<T> [*mut T]);
681	}
682	}
683	}
684
685	safety_comment! {
686	/// SAFETY:
687	/// Per reference [1]:
688	/// "For all T, the following are guaranteed:
689	/// size_of::<PhantomData<T>>() == 0
690	/// align_of::<PhantomData<T>>() == 1".
691	/// This gives:
692	/// - `Immutable`: `PhantomData` has no fields.
693	/// - `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`: There is
694	/// only one possible sequence of 0 bytes, and `PhantomData` is inhabited.
695	/// - `IntoBytes`: Since `PhantomData` has size 0, it contains no padding
696	/// bytes.
697	/// - `Unaligned`: Per the preceding reference, `PhantomData` has alignment
698	/// 1.
699	///
700	/// [1] https://doc.rust-lang.org/1.81.0/std/marker/struct.PhantomData.html#layout-1
701	unsafe_impl!(T: ?Sized => Immutable for PhantomData<T>);
702	unsafe_impl!(T: ?Sized => TryFromBytes for PhantomData<T>);
703	unsafe_impl!(T: ?Sized => FromZeros for PhantomData<T>);
704	unsafe_impl!(T: ?Sized => FromBytes for PhantomData<T>);
705	unsafe_impl!(T: ?Sized => IntoBytes for PhantomData<T>);
706	unsafe_impl!(T: ?Sized => Unaligned for PhantomData<T>);
707	assert_unaligned!(PhantomData<()>, PhantomData<u8>, PhantomData<u64>);
708	}
709
710	impl_for_transmute_from!(T: TryFromBytes => TryFromBytes for Wrapping<T>[<T>]);
711	impl_for_transmute_from!(T: FromZeros => FromZeros for Wrapping<T>[<T>]);
712	impl_for_transmute_from!(T: FromBytes => FromBytes for Wrapping<T>[<T>]);
713	impl_for_transmute_from!(T: IntoBytes => IntoBytes for Wrapping<T>[<T>]);
714	assert_unaligned!(Wrapping<()>, Wrapping<u8>);
715
716	safety_comment! {
717	/// SAFETY:
718	/// Per [1], `Wrapping<T>` has the same layout as `T`. Since its single
719	/// field (of type `T`) is public, it would be a breaking change to add or
720	/// remove fields. Thus, we know that `Wrapping<T>` contains a `T` (as
721	/// opposed to just having the same size and alignment as `T`) with no pre-
722	/// or post-padding. Thus, `Wrapping<T>` must have `UnsafeCell`s covering
723	/// the same byte ranges as `Inner = T`.
724	///
725	/// [1] Per https://doc.rust-lang.org/1.81.0/std/num/struct.Wrapping.html#layout-1:
726	///
727	/// `Wrapping<T>` is guaranteed to have the same layout and ABI as `T`
728	unsafe_impl!(T: Immutable => Immutable for Wrapping<T>);
729	/// SAFETY:
730	/// Per [1] in the preceding safety comment, `Wrapping<T>` has the same
731	/// alignment as `T`.
732	unsafe_impl!(T: Unaligned => Unaligned for Wrapping<T>);
733	}
734
735	safety_comment! {
736	/// SAFETY:
737	/// `TryFromBytes` (with no validator), `FromZeros`, `FromBytes`:
738	/// `MaybeUninit<T>` has no restrictions on its contents.
739	unsafe_impl!(T => TryFromBytes for CoreMaybeUninit<T>);
740	unsafe_impl!(T => FromZeros for CoreMaybeUninit<T>);
741	unsafe_impl!(T => FromBytes for CoreMaybeUninit<T>);
742	/// SAFETY:
743	/// `MaybeUninit<T>` has `UnsafeCell`s covering the same byte ranges as
744	/// `Inner = T`. This is not explicitly documented, but it can be inferred.
745	/// Per [1], `MaybeUninit<T>` has the same size as `T`. Further, note the
746	/// signature of `MaybeUninit::assume_init_ref` [2]:
747	///
748	/// pub unsafe fn assume_init_ref(&self) -> &T
749	///
750	/// If the argument `&MaybeUninit<T>` and the returned `&T` had
751	/// `UnsafeCell`s at different offsets, this would be unsound. Its existence
752	/// is proof that this is not the case.
753	///
754	/// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
755	///
756	/// `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI
757	/// as `T`.
758	///
759	/// [2] https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#method.assume_init_ref
760	unsafe_impl!(T: Immutable => Immutable for CoreMaybeUninit<T>);
761	/// SAFETY:
762	/// Per [1] in the preceding safety comment, `MaybeUninit<T>` has the same
763	/// alignment as `T`.
764	unsafe_impl!(T: Unaligned => Unaligned for CoreMaybeUninit<T>);
765	}
766	assert_unaligned!(CoreMaybeUninit<()>, CoreMaybeUninit<u8>);
767
768	safety_comment! {
769	/// SAFETY:
770	/// `ManuallyDrop<T>` has the same layout as `T` [1]. This strongly implies,
771	/// but does not guarantee, that it contains `UnsafeCell`s covering the same
772	/// byte ranges as in `T`. However, it also implements `Defer<Target = T>`
773	/// [2], which provides the ability to convert `&ManuallyDrop<T> -> &T`.
774	/// This, combined with having the same size as `T`, implies that
775	/// `ManuallyDrop<T>` exactly contains a `T` with the same fields and
776	/// `UnsafeCell`s covering the same byte ranges, or else the `Deref` impl
777	/// would permit safe code to obtain different shared references to the same
778	/// region of memory with different `UnsafeCell` coverage, which would in
779	/// turn permit interior mutation that would violate the invariants of a
780	/// shared reference.
781	///
782	/// [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
783	///
784	/// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
785	/// validity as `T`
786	///
787	/// [2] https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html#impl-Deref-for-ManuallyDrop%3CT%3E
788	unsafe_impl!(T: ?Sized + Immutable => Immutable for ManuallyDrop<T>);
789	}
790
791	impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for ManuallyDrop<T>[<T>]);
792	impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for ManuallyDrop<T>[<T>]);
793	impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for ManuallyDrop<T>[<T>]);
794	impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for ManuallyDrop<T>[<T>]);
795	safety_comment! {
796	/// SAFETY:
797	/// `ManuallyDrop<T>` has the same layout as `T` [1], and thus has the same
798	/// alignment as `T`.
799	///
800	/// [1] Per https://doc.rust-lang.org/nightly/core/mem/struct.ManuallyDrop.html:
801	///
802	/// `ManuallyDrop<T>` is guaranteed to have the same layout and bit
803	/// validity as `T`
804	unsafe_impl!(T: ?Sized + Unaligned => Unaligned for ManuallyDrop<T>);
805	}
806	assert_unaligned!(ManuallyDrop<()>, ManuallyDrop<u8>);
807
808	impl_for_transmute_from!(T: ?Sized + TryFromBytes => TryFromBytes for Cell<T>[UnsafeCell<T>]);
809	impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for Cell<T>[UnsafeCell<T>]);
810	impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for Cell<T>[UnsafeCell<T>]);
811	impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for Cell<T>[UnsafeCell<T>]);
812	safety_comment! {
813	/// SAFETY:
814	/// `Cell<T>` has the same in-memory representation as `T` [1], and thus has
815	/// the same alignment as `T`.
816	///
817	/// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.Cell.html#memory-layout:
818	///
819	/// `Cell<T>` has the same in-memory representation as its inner type `T`.
820	unsafe_impl!(T: ?Sized + Unaligned => Unaligned for Cell<T>);
821	}
822
823	impl_for_transmute_from!(T: ?Sized + FromZeros => FromZeros for UnsafeCell<T>[<T>]);
824	impl_for_transmute_from!(T: ?Sized + FromBytes => FromBytes for UnsafeCell<T>[<T>]);
825	impl_for_transmute_from!(T: ?Sized + IntoBytes => IntoBytes for UnsafeCell<T>[<T>]);
826	safety_comment! {
827	/// SAFETY:
828	/// `UnsafeCell<T>` has the same in-memory representation as `T` [1], and
829	/// thus has the same alignment as `T`.
830	///
831	/// [1] Per https://doc.rust-lang.org/1.81.0/core/cell/struct.UnsafeCell.html#memory-layout:
832	///
833	/// `UnsafeCell<T>` has the same in-memory representation as its inner
834	/// type `T`.
835	unsafe_impl!(T: ?Sized + Unaligned => Unaligned for UnsafeCell<T>);
836	}
837	assert_unaligned!(UnsafeCell<()>, UnsafeCell<u8>);
838
839	// SAFETY: See safety comment in `is_bit_valid` impl.
840	unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
841	#[allow(clippy::missing_inline_in_public_items)]
842	fn only_derive_is_allowed_to_implement_this_trait()
843	where
844	Self: Sized,
845	{
846	}
847
848	#[inline]
849	fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
850	// The only way to implement this function is using an exclusive-aliased
851	// pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
852	// (other than by using `unsafe` code, which we can't use since we can't
853	// guarantee how our users are accessing or modifying the `UnsafeCell`).
854	//
855	// `is_bit_valid` is documented as panicking or failing to monomorphize
856	// if called with a shared-aliased pointer on a type containing an
857	// `UnsafeCell`. In practice, it will always be a monorphization error.
858	// Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
859	// from this crate, we only need to worry about our own code incorrectly
860	// calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
861	// makes it easier to test that this is truly the case, and also means
862	// that if we make a mistake, it will cause downstream code to fail to
863	// compile, which will immediately surface the mistake and give us a
864	// chance to fix it quickly.
865	let c = candidate.into_exclusive_or_pme();
866
867	// SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
868	// validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
869	// is. Thus, this is a sound implementation of
870	// `UnsafeCell::is_bit_valid`.
871	T::is_bit_valid(c.get_mut())
872	}
873	}
874
875	safety_comment! {
876	/// SAFETY:
877	/// Per the reference [1]:
878	///
879	/// An array of `[T; N]` has a size of `size_of::<T>() N` and the same*
880	/// alignment of `T`. Arrays are laid out so that the zero-based `nth`
881	/// element of the array is offset from the start of the array by `n *
882	/// size_of::<T>()` bytes.
883	///
884	/// ...
885	///
886	/// Slices have the same layout as the section of the array they slice.
887	///
888	/// In other words, the layout of a `[T]` or `[T; N]` is a sequence of `T`s
889	/// laid out back-to-back with no bytes in between. Therefore, `[T]` or `[T;
890	/// N]` are `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, and
891	/// `IntoBytes` if `T` is (respectively). Furthermore, since an array/slice
892	/// has "the same alignment of `T`", `[T]` and `[T; N]` are `Unaligned` if
893	/// `T` is.
894	///
895	/// Note that we don't `assert_unaligned!` for slice types because
896	/// `assert_unaligned!` uses `align_of`, which only works for `Sized` types.
897	///
898	/// [1] https://doc.rust-lang.org/1.81.0/reference/type-layout.html#array-layout
899	unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]);
900	unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; \|c\| {
901	// Note that this call may panic, but it would still be sound even if it
902	// did. `is_bit_valid` does not promise that it will not panic (in fact,
903	// it explicitly warns that it's a possibility), and we have not
904	// violated any safety invariants that we must fix before returning.
905	<[T] as TryFromBytes>::is_bit_valid(c.as_slice())
906	});
907	unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]);
908	unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
909	unsafe_impl!(const N: usize, T: IntoBytes => IntoBytes for [T; N]);
910	unsafe_impl!(const N: usize, T: Unaligned => Unaligned for [T; N]);
911	assert_unaligned!([(); `0`], [(); `1`], [u8; `0`], [u8; `1`]);
912	unsafe_impl!(T: Immutable => Immutable for [T]);
913	unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; \|c\| {
914	// SAFETY: Per the reference [1]:
915	//
916	// An array of `[T; N]` has a size of `size_of::<T>() N` and the*
917	// same alignment of `T`. Arrays are laid out so that the zero-based
918	// `nth` element of the array is offset from the start of the array by
919	// `n size_of::<T>()` bytes.*
920	//
921	// ...
922	//
923	// Slices have the same layout as the section of the array they slice.
924	//
925	// In other words, the layout of a `[T] is a sequence of `T`s laid out
926	// back-to-back with no bytes in between. If all elements in `candidate`
927	// are `is_bit_valid`, so too is `candidate`.
928	//
929	// Note that any of the below calls may panic, but it would still be
930	// sound even if it did. `is_bit_valid` does not promise that it will
931	// not panic (in fact, it explicitly warns that it's a possibility), and
932	// we have not violated any safety invariants that we must fix before
933	// returning.
934	c.iter().all(<T as TryFromBytes>::is_bit_valid)
935	});
936	unsafe_impl!(T: FromZeros => FromZeros for [T]);
937	unsafe_impl!(T: FromBytes => FromBytes for [T]);
938	unsafe_impl!(T: IntoBytes => IntoBytes for [T]);
939	unsafe_impl!(T: Unaligned => Unaligned for [T]);
940	}
941	safety_comment! {
942	/// SAFETY:
943	/// - `Immutable`: Raw pointers do not contain any `UnsafeCell`s.
944	/// - `FromZeros`: For thin pointers (note that `T: Sized`), the zero
945	/// pointer is considered "null". [1] No operations which require
946	/// provenance are legal on null pointers, so this is not a footgun.
947	/// - `TryFromBytes`: By the same reasoning as for `FromZeroes`, we can
948	/// implement `TryFromBytes` for thin pointers provided that
949	/// [`TryFromByte::is_bit_valid`] only produces `true` for zeroed bytes.
950	///
951	/// NOTE(#170): Implementing `FromBytes` and `IntoBytes` for raw pointers
952	/// would be sound, but carries provenance footguns. We want to support
953	/// `FromBytes` and `IntoBytes` for raw pointers eventually, but we are
954	/// holding off until we can figure out how to address those footguns.
955	///
956	/// [1] TODO(https://github.com/rust-lang/rust/pull/116988): Cite the
957	/// documentation once this PR lands.
958	unsafe_impl!(T: ?Sized => Immutable for *const T);
959	unsafe_impl!(T: ?Sized => Immutable for *mut T);
960	unsafe_impl!(T => TryFromBytes for *const T; \|c\| pointer::is_zeroed(c));
961	unsafe_impl!(T => FromZeros for *const T);
962	unsafe_impl!(T => TryFromBytes for *mut T; \|c\| pointer::is_zeroed(c));
963	unsafe_impl!(T => FromZeros for *mut T);
964	}
965
966	safety_comment! {
967	/// SAFETY:
968	/// `NonNull<T>` self-evidently does not contain `UnsafeCell`s. This is not
969	/// a proof, but we are accepting this as a known risk per #1358.
970	unsafe_impl!(T: ?Sized => Immutable for NonNull<T>);
971	}
972
973	safety_comment! {
974	/// SAFETY:
975	/// Reference types do not contain any `UnsafeCell`s.
976	unsafe_impl!(T: ?Sized => Immutable for &'_ T);
977	unsafe_impl!(T: ?Sized => Immutable for &'_ mut T);
978	}
979
980	safety_comment! {
981	/// SAFETY:
982	/// `Option` is not `#[non_exhaustive]` [1], which means that the types in
983	/// its variants cannot change, and no new variants can be added.
984	/// `Option<T>` does not contain any `UnsafeCell`s outside of `T`. [1]
985	///
986	/// [1] https://doc.rust-lang.org/core/option/enum.Option.html
987	unsafe_impl!(T: Immutable => Immutable for Option<T>);
988	}
989
990	// SIMD support
991	//
992	// Per the Unsafe Code Guidelines Reference [1]:
993	//
994	// Packed SIMD vector types are `repr(simd)` homogeneous tuple-structs
995	// containing `N` elements of type `T` where `N` is a power-of-two and the
996	// size and alignment requirements of `T` are equal:
997	//
998	// ```rust
999	// #[repr(simd)]
1000	// struct Vector<T, N>(T_0, ..., T_(N - 1));
1001	// ```
1002	//
1003	// ...
1004	//
1005	// The size of `Vector` is `N size_of::<T>()` and its alignment is an*
1006	// implementation-defined function of `T` and `N` greater than or equal to
1007	// `align_of::<T>()`.
1008	//
1009	// ...
1010	//
1011	// Vector elements are laid out in source field order, enabling random access
1012	// to vector elements by reinterpreting the vector as an array:
1013	//
1014	// ```rust
1015	// union U {
1016	// vec: Vector<T, N>,
1017	// arr: [T; N]
1018	// }
1019	//
1020	// assert_eq!(size_of::<Vector<T, N>>(), size_of::<[T; N]>());
1021	// assert!(align_of::<Vector<T, N>>() >= align_of::<[T; N]>());
1022	//
1023	// unsafe {
1024	// let u = U { vec: Vector<T, N>(t_0, ..., t_(N - 1)) };
1025	//
1026	// assert_eq!(u.vec.0, u.arr[0]);
1027	// // ...
1028	// assert_eq!(u.vec.(N - 1), u.arr[N - 1]);
1029	// }
1030	// ```
1031	//
1032	// Given this background, we can observe that:
1033	// - The size and bit pattern requirements of a SIMD type are equivalent to the
1034	// equivalent array type. Thus, for any SIMD type whose primitive `T` is
1035	// `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes`, that
1036	// SIMD type is also `Immutable`, `TryFromBytes`, `FromZeros`, `FromBytes`, or
1037	// `IntoBytes` respectively.
1038	// - Since no upper bound is placed on the alignment, no SIMD type can be
1039	// guaranteed to be `Unaligned`.
1040	//
1041	// Also per [1]:
1042	//
1043	// This chapter represents the consensus from issue #38. The statements in
1044	// here are not (yet) "guaranteed" not to change until an RFC ratifies them.
1045	//
1046	// See issue #38 [2]. While this behavior is not technically guaranteed, the
1047	// likelihood that the behavior will change such that SIMD types are no longer
1048	// `TryFromBytes`, `FromZeros`, `FromBytes`, or `IntoBytes` is next to zero, as
1049	// that would defeat the entire purpose of SIMD types. Nonetheless, we put this
1050	// behavior behind the `simd` Cargo feature, which requires consumers to opt
1051	// into this stability hazard.
1052	//
1053	// [1] https://rust-lang.github.io/unsafe-code-guidelines/layout/packed-simd-vectors.html
1054	// [2] https://github.com/rust-lang/unsafe-code-guidelines/issues/38
1055	#[cfg(feature = "simd")]
1056	#[cfg_attr(doc_cfg, doc(cfg(feature = "simd")))]
1057	mod simd {
1058	/// Defines a module which implements `TryFromBytes`, `FromZeros`,
1059	/// `FromBytes`, and `IntoBytes` for a set of types from a module in
1060	/// `core::arch`.
1061	///
1062	/// `$arch` is both the name of the defined module and the name of the
1063	/// module in `core::arch`, and `$typ` is the list of items from that module
1064	/// to implement `FromZeros`, `FromBytes`, and `IntoBytes` for.
1065	#[allow(unused_macros)] // `allow(unused_macros)` is needed because some
1066	// target/feature combinations don't emit any impls
1067	// and thus don't use this macro.
1068	macro_rules! simd_arch_mod {
1069	(#[cfg $cfg:tt] $arch:ident, $mod:ident, $($typ:ident),*) => {
1070	#[cfg $cfg]
1071	#[cfg_attr(doc_cfg, doc(cfg $cfg))]
1072	mod $mod {
1073	use core::arch::$arch::{$($typ),*};
1074
1075	use crate::*;
1076	impl_known_layout!($($typ),*);
1077	safety_comment! {
1078	/// SAFETY:
1079	/// See comment on module definition for justification.
1080	$( unsafe_impl!($typ: Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes); )*
1081	}
1082	}
1083	};
1084	}
1085
1086	#[rustfmt::skip]
1087	const _: () = {
1088	simd_arch_mod!(
1089	#[cfg(target_arch = "x86")]
1090	x86, x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1091	);
1092	simd_arch_mod!(
1093	#[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
1094	x86, x86_nightly, __m512bh, __m512, __m512d, __m512i
1095	);
1096	simd_arch_mod!(
1097	#[cfg(target_arch = "x86_64")]
1098	x86_64, x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i
1099	);
1100	simd_arch_mod!(
1101	#[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
1102	x86_64, x86_64_nightly, __m512bh, __m512, __m512d, __m512i
1103	);
1104	simd_arch_mod!(
1105	#[cfg(target_arch = "wasm32")]
1106	wasm32, wasm32, v128
1107	);
1108	simd_arch_mod!(
1109	#[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
1110	powerpc, powerpc, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1111	);
1112	simd_arch_mod!(
1113	#[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
1114	powerpc64, powerpc64, vector_bool_long, vector_double, vector_signed_long, vector_unsigned_long
1115	);
1116	#[cfg(zerocopy_aarch64_simd_1_59_0)]
1117	#[cfg_attr(doc_cfg, doc(cfg(rust = "1.59.0")))]
1118	simd_arch_mod!(
1119	// NOTE(https://github.com/rust-lang/stdarch/issues/1484): NEON intrinsics are currently
1120	// broken on big-endian platforms.
1121	#[cfg(all(target_arch = "aarch64", target_endian = "little"))]
1122	aarch64, aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
1123	int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
1124	int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
1125	poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
1126	poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
1127	uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
1128	uint64x1_t, uint64x2_t
1129	);
1130	};
1131	}
1132
1133	#[cfg(test)]
1134	mod tests {
1135	use super::*;
1136	use crate::pointer::invariant;
1137
1138	#[test]
1139	fn test_impls() {
1140	// A type that can supply test cases for testing
1141	// `TryFromBytes::is_bit_valid`. All types passed to `assert_impls!`
1142	// must implement this trait; that macro uses it to generate runtime
1143	// tests for `TryFromBytes` impls.
1144	//
1145	// All `T: FromBytes` types are provided with a blanket impl. Other
1146	// types must implement `TryFromBytesTestable` directly (ie using
1147	// `impl_try_from_bytes_testable!`).
1148	trait TryFromBytesTestable {
1149	fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F);
1150	fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F);
1151	}
1152
1153	impl<T: FromBytes> TryFromBytesTestable for T {
1154	fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1155	// Test with a zeroed value.
1156	f(Self::new_box_zeroed().unwrap());
1157
1158	let ffs = {
1159	let mut t = Self::new_zeroed();
1160	let ptr: *mut T = &mut t;
1161	// SAFETY: `T: FromBytes`
1162	unsafe { ptr::write_bytes(ptr.cast::<u8>(), `0xFF`, mem::size_of::<T>()) };
1163	t
1164	};
1165
1166	// Test with a value initialized with 0xFF.
1167	f(Box::new(ffs));
1168	}
1169
1170	fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {}
1171	}
1172
1173	macro_rules! impl_try_from_bytes_testable_for_null_pointer_optimization {
1174	($($tys:ty),*) => {
1175	$(
1176	impl TryFromBytesTestable for Option<$tys> {
1177	fn with_passing_test_cases<F: Fn(Box<Self>)>(f: F) {
1178	// Test with a zeroed value.
1179	f(Box::new(None));
1180	}
1181
1182	fn with_failing_test_cases<F: Fn(&mut [u8])>(f: F) {
1183	for pos in `0`..mem::size_of::<Self>() {
1184	let mut bytes = [`0u8`; mem::size_of::<Self>()];
1185	bytes[pos] = `0x01`;
1186	f(&mut bytes[..]);
1187	}
1188	}
1189	}
1190	)*
1191	};
1192	}
1193
1194	// Implements `TryFromBytesTestable`.
1195	macro_rules! impl_try_from_bytes_testable {
1196	// Base case for recursion (when the list of types has run out).
1197	(=> @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {};
1198	// Implements for type(s) with no type parameters.
1199	($ty:ty $(,$tys:ty)* => @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1200	impl TryFromBytesTestable for $ty {
1201	impl_try_from_bytes_testable!(
1202	@methods @success $($success_case),*
1203	$(, @failure $($failure_case),*)?
1204	);
1205	}
1206	impl_try_from_bytes_testable!($($tys),* => @success $($success_case),* $(, @failure $($failure_case),*)?);
1207	};
1208	// Implements for multiple types with no type parameters.
1209	($($($ty:ty),* => @success $($success_case:expr), * $(, @failure $($failure_case:expr),)?;)) => {
1210	$(
1211	impl_try_from_bytes_testable!($($ty),* => @success $($success_case),* $(, @failure $($failure_case),));
1212	)*
1213	};
1214	// Implements only the methods; caller must invoke this from inside
1215	// an impl block.
1216	(@methods @success $($success_case:expr),* $(, @failure $($failure_case:expr),*)?) => {
1217	fn with_passing_test_cases<F: Fn(Box<Self>)>(_f: F) {
1218	$(
1219	_f(Box::<Self>::from($success_case));
1220	)*
1221	}
1222
1223	fn with_failing_test_cases<F: Fn(&mut [u8])>(_f: F) {
1224	$($(
1225	let mut case = $failure_case;
1226	_f(case.as_mut_bytes());
1227	)*)?
1228	}
1229	};
1230	}
1231
1232	impl_try_from_bytes_testable_for_null_pointer_optimization!(
1233	Box<UnsafeCell<NotZerocopy>>,
1234	&'static UnsafeCell<NotZerocopy>,
1235	&'static mut UnsafeCell<NotZerocopy>,
1236	NonNull<UnsafeCell<NotZerocopy>>,
1237	fn(),
1238	FnManyArgs,
1239	extern "C" fn(),
1240	ECFnManyArgs
1241	);
1242
1243	macro_rules! bx {
1244	($e:expr) => {
1245	Box::new($e)
1246	};
1247	}
1248
1249	// Note that these impls are only for types which are not `FromBytes`.
1250	// `FromBytes` types are covered by a preceding blanket impl.
1251	impl_try_from_bytes_testable!(
1252	bool => @success `true`, `false`,
1253	@failure `2u8`, `3u8`, `0xFFu8`;
1254	char => @success '`\u{0}`', '`\u{D7FF}`', '`\u{E000}`', '`\u{10FFFF}`',
1255	@failure `0xD800u32`, `0xDFFFu32`, `0x110000u32`;
1256	str => @success "", "hello", "❤️🧡💛💚💙💜",
1257	@failure [`0`, `159`, `146`, `150`];
1258	[u8] => @success vec![].into_boxed_slice(), vec![`0`, `1`, `2`].into_boxed_slice();
1259	NonZeroU8, NonZeroI8, NonZeroU16, NonZeroI16, NonZeroU32,
1260	NonZeroI32, NonZeroU64, NonZeroI64, NonZeroU128, NonZeroI128,
1261	NonZeroUsize, NonZeroIsize
1262	=> @success Self::new(`1`).unwrap(),
1263	// Doing this instead of `0` ensures that we always satisfy
1264	// the size and alignment requirements of `Self` (whereas `0`
1265	// may be any integer type with a different size or alignment
1266	// than some `NonZeroXxx` types).
1267	@failure Option::<Self>::None;
1268	[bool; `0`] => @success [];
1269	[bool; `1`]
1270	=> @success [`true`], [`false`],
1271	@failure [`2u8`], [`3u8`], [`0xFFu8`];
1272	[bool]
1273	=> @success vec![`true`, `false`].into_boxed_slice(), vec![`false`, `true`].into_boxed_slice(),
1274	@failure [`2u8`], [`3u8`], [`0xFFu8`], [`0u8`, `1u8`, `2u8`];
1275	Unalign<bool>
1276	=> @success Unalign::new(`false`), Unalign::new(`true`),
1277	@failure `2u8`, `0xFFu8`;
1278	ManuallyDrop<bool>
1279	=> @success ManuallyDrop::new(`false`), ManuallyDrop::new(`true`),
1280	@failure `2u8`, `0xFFu8`;
1281	ManuallyDrop<[u8]>
1282	=> @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([`0u8`])), bx!(ManuallyDrop::new([`0u8`, `1u8`]));
1283	ManuallyDrop<[bool]>
1284	=> @success bx!(ManuallyDrop::new([])), bx!(ManuallyDrop::new([`false`])), bx!(ManuallyDrop::new([`false`, `true`])),
1285	@failure [`2u8`], [`3u8`], [`0xFFu8`], [`0u8`, `1u8`, `2u8`];
1286	ManuallyDrop<[UnsafeCell<u8>]>
1287	=> @success bx!(ManuallyDrop::new([UnsafeCell::new(`0`)])), bx!(ManuallyDrop::new([UnsafeCell::new(`0`), UnsafeCell::new(`1`)]));
1288	ManuallyDrop<[UnsafeCell<bool>]>
1289	=> @success bx!(ManuallyDrop::new([UnsafeCell::new(`false`)])), bx!(ManuallyDrop::new([UnsafeCell::new(`false`), UnsafeCell::new(`true`)])),
1290	@failure [`2u8`], [`3u8`], [`0xFFu8`], [`0u8`, `1u8`, `2u8`];
1291	Wrapping<bool>
1292	=> @success Wrapping(`false`), Wrapping(`true`),
1293	@failure `2u8`, `0xFFu8`;
1294	*const NotZerocopy
1295	=> @success ptr::null::<NotZerocopy>(),
1296	@failure [`0x01`; mem::size_of::<*const NotZerocopy>()];
1297	*mut NotZerocopy
1298	=> @success ptr::null_mut::<NotZerocopy>(),
1299	@failure [`0x01`; mem::size_of::<*mut NotZerocopy>()];
1300	);
1301
1302	// Use the trick described in [1] to allow us to call methods
1303	// conditional on certain trait bounds.
1304	//
1305	// In all of these cases, methods return `Option<R>`, where `R` is the
1306	// return type of the method we're conditionally calling. The "real"
1307	// implementations (the ones defined in traits using `&self`) return
1308	// `Some`, and the default implementations (the ones defined as inherent
1309	// methods using `&mut self`) return `None`.
1310	//
1311	// [1] https://github.com/dtolnay/case-studies/blob/master/autoref-specialization/README.md
1312	mod autoref_trick {
1313	use super::*;
1314
1315	pub(super) struct AutorefWrapper<T: ?Sized>(pub(super) PhantomData<T>);
1316
1317	pub(super) trait TestIsBitValidShared<T: ?Sized> {
1318	#[allow(clippy::needless_lifetimes)]
1319	fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1320	&self,
1321	candidate: Maybe<'ptr, T, A>,
1322	) -> Option<bool>;
1323	}
1324
1325	impl<T: TryFromBytes + Immutable + ?Sized> TestIsBitValidShared<T> for AutorefWrapper<T> {
1326	#[allow(clippy::needless_lifetimes)]
1327	fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1328	&self,
1329	candidate: Maybe<'ptr, T, A>,
1330	) -> Option<bool> {
1331	Some(T::is_bit_valid(candidate))
1332	}
1333	}
1334
1335	pub(super) trait TestTryFromRef<T: ?Sized> {
1336	#[allow(clippy::needless_lifetimes)]
1337	fn test_try_from_ref<'bytes>(
1338	&self,
1339	bytes: &'bytes [u8],
1340	) -> Option<Option<&'bytes T>>;
1341	}
1342
1343	impl<T: TryFromBytes + Immutable + KnownLayout + ?Sized> TestTryFromRef<T> for AutorefWrapper<T> {
1344	#[allow(clippy::needless_lifetimes)]
1345	fn test_try_from_ref<'bytes>(
1346	&self,
1347	bytes: &'bytes [u8],
1348	) -> Option<Option<&'bytes T>> {
1349	Some(T::try_ref_from_bytes(bytes).ok())
1350	}
1351	}
1352
1353	pub(super) trait TestTryFromMut<T: ?Sized> {
1354	#[allow(clippy::needless_lifetimes)]
1355	fn test_try_from_mut<'bytes>(
1356	&self,
1357	bytes: &'bytes mut [u8],
1358	) -> Option<Option<&'bytes mut T>>;
1359	}
1360
1361	impl<T: TryFromBytes + IntoBytes + KnownLayout + ?Sized> TestTryFromMut<T> for AutorefWrapper<T> {
1362	#[allow(clippy::needless_lifetimes)]
1363	fn test_try_from_mut<'bytes>(
1364	&self,
1365	bytes: &'bytes mut [u8],
1366	) -> Option<Option<&'bytes mut T>> {
1367	Some(T::try_mut_from_bytes(bytes).ok())
1368	}
1369	}
1370
1371	pub(super) trait TestTryReadFrom<T> {
1372	fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>>;
1373	}
1374
1375	impl<T: TryFromBytes> TestTryReadFrom<T> for AutorefWrapper<T> {
1376	fn test_try_read_from(&self, bytes: &[u8]) -> Option<Option<T>> {
1377	Some(T::try_read_from_bytes(bytes).ok())
1378	}
1379	}
1380
1381	pub(super) trait TestAsBytes<T: ?Sized> {
1382	#[allow(clippy::needless_lifetimes)]
1383	fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]>;
1384	}
1385
1386	impl<T: IntoBytes + Immutable + ?Sized> TestAsBytes<T> for AutorefWrapper<T> {
1387	#[allow(clippy::needless_lifetimes)]
1388	fn test_as_bytes<'slf, 't>(&'slf self, t: &'t T) -> Option<&'t [u8]> {
1389	Some(t.as_bytes())
1390	}
1391	}
1392	}
1393
1394	use autoref_trick::*;
1395
1396	// Asserts that `$ty` is one of a list of types which are allowed to not
1397	// provide a "real" implementation for `$fn_name`. Since the
1398	// `autoref_trick` machinery fails silently, this allows us to ensure
1399	// that the "default" impls are only being used for types which we
1400	// expect.
1401	//
1402	// Note that, since this is a runtime test, it is possible to have an
1403	// allowlist which is too restrictive if the function in question is
1404	// never called for a particular type. For example, if `as_bytes` is not
1405	// supported for a particular type, and so `test_as_bytes` returns
1406	// `None`, methods such as `test_try_from_ref` may never be called for
1407	// that type. As a result, it's possible that, for example, adding
1408	// `as_bytes` support for a type would cause other allowlist assertions
1409	// to fail. This means that allowlist assertion failures should not
1410	// automatically be taken as a sign of a bug.
1411	macro_rules! assert_on_allowlist {
1412	($fn_name:ident($ty:ty) $(: $($tys:ty),*)?) => {{
1413	use core::any::TypeId;
1414
1415	let allowlist: &[TypeId] = &[ $($(TypeId::of::<$tys>()),*)? ];
1416	let allowlist_names: &[&str] = &[ $($(stringify!($tys)),*)? ];
1417
1418	let id = TypeId::of::<$ty>();
1419	assert!(allowlist.contains(&id), "{} is not on allowlist for {}: {:?}", stringify!($ty), stringify!($fn_name), allowlist_names);
1420	}};
1421	}
1422
1423	// Asserts that `$ty` implements any `$trait` and doesn't implement any
1424	// `!$trait`. Note that all `$trait`s must come before any `!$trait`s.
1425	//
1426	// For `T: TryFromBytes`, uses `TryFromBytesTestable` to test success
1427	// and failure cases.
1428	macro_rules! assert_impls {
1429	($ty:ty: TryFromBytes) => {
1430	// "Default" implementations that match the "real"
1431	// implementations defined in the `autoref_trick` module above.
1432	#[allow(unused, non_local_definitions)]
1433	impl AutorefWrapper<$ty> {
1434	#[allow(clippy::needless_lifetimes)]
1435	fn test_is_bit_valid_shared<'ptr, A: invariant::Reference>(
1436	&mut self,
1437	candidate: Maybe<'ptr, $ty, A>,
1438	) -> Option<bool> {
1439	assert_on_allowlist!(
1440	test_is_bit_valid_shared($ty):
1441	ManuallyDrop<UnsafeCell<()>>,
1442	ManuallyDrop<[UnsafeCell<u8>]>,
1443	ManuallyDrop<[UnsafeCell<bool>]>,
1444	CoreMaybeUninit<NotZerocopy>,
1445	CoreMaybeUninit<UnsafeCell<()>>,
1446	Wrapping<UnsafeCell<()>>
1447	);
1448
1449	None
1450	}
1451
1452	#[allow(clippy::needless_lifetimes)]
1453	fn test_try_from_ref<'bytes>(&mut self, _bytes: &'bytes [u8]) -> Option<Option<&'bytes $ty>> {
1454	assert_on_allowlist!(
1455	test_try_from_ref($ty):
1456	ManuallyDrop<[UnsafeCell<bool>]>
1457	);
1458
1459	None
1460	}
1461
1462	#[allow(clippy::needless_lifetimes)]
1463	fn test_try_from_mut<'bytes>(&mut self, _bytes: &'bytes mut [u8]) -> Option<Option<&'bytes mut $ty>> {
1464	assert_on_allowlist!(
1465	test_try_from_mut($ty):
1466	Option<Box<UnsafeCell<NotZerocopy>>>,
1467	Option<&'static UnsafeCell<NotZerocopy>>,
1468	Option<&'static mut UnsafeCell<NotZerocopy>>,
1469	Option<NonNull<UnsafeCell<NotZerocopy>>>,
1470	Option<fn()>,
1471	Option<FnManyArgs>,
1472	Option<extern "C" fn()>,
1473	Option<ECFnManyArgs>,
1474	*const NotZerocopy,
1475	*mut NotZerocopy
1476	);
1477
1478	None
1479	}
1480
1481	fn test_try_read_from(&mut self, _bytes: &[u8]) -> Option<Option<&$ty>> {
1482	assert_on_allowlist!(
1483	test_try_read_from($ty):
1484	str,
1485	ManuallyDrop<[u8]>,
1486	ManuallyDrop<[bool]>,
1487	ManuallyDrop<[UnsafeCell<bool>]>,
1488	[u8],
1489	[bool]
1490	);
1491
1492	None
1493	}
1494
1495	fn test_as_bytes(&mut self, _t: &$ty) -> Option<&[u8]> {
1496	assert_on_allowlist!(
1497	test_as_bytes($ty):
1498	Option<&'static UnsafeCell<NotZerocopy>>,
1499	Option<&'static mut UnsafeCell<NotZerocopy>>,
1500	Option<NonNull<UnsafeCell<NotZerocopy>>>,
1501	Option<Box<UnsafeCell<NotZerocopy>>>,
1502	Option<fn()>,
1503	Option<FnManyArgs>,
1504	Option<extern "C" fn()>,
1505	Option<ECFnManyArgs>,
1506	CoreMaybeUninit<u8>,
1507	CoreMaybeUninit<NotZerocopy>,
1508	CoreMaybeUninit<UnsafeCell<()>>,
1509	ManuallyDrop<UnsafeCell<()>>,
1510	ManuallyDrop<[UnsafeCell<u8>]>,
1511	ManuallyDrop<[UnsafeCell<bool>]>,
1512	Wrapping<UnsafeCell<()>>,
1513	*const NotZerocopy,
1514	*mut NotZerocopy
1515	);
1516
1517	None
1518	}
1519	}
1520
1521	<$ty as TryFromBytesTestable>::with_passing_test_cases(\|mut val\| {
1522	// TODO(#494): These tests only get exercised for types
1523	// which are `IntoBytes`. Once we implement #494, we should
1524	// be able to support non-`IntoBytes` types by zeroing
1525	// padding.
1526
1527	// We define `w` and `ww` since, in the case of the inherent
1528	// methods, Rust thinks they're both borrowed mutably at the
1529	// same time (given how we use them below). If we just
1530	// defined a single `w` and used it for multiple operations,
1531	// this would conflict.
1532	//
1533	// We `#[allow(unused_mut]` for the cases where the "real"
1534	// impls are used, which take `&self`.
1535	#[allow(unused_mut)]
1536	let (mut w, mut ww) = (AutorefWrapper::<$ty>(PhantomData), AutorefWrapper::<$ty>(PhantomData));
1537
1538	let c = Ptr::from_ref(&*val);
1539	let c = c.forget_aligned();
1540	// SAFETY: TODO(#899): This is unsound. `$ty` is not
1541	// necessarily `IntoBytes`, but that's the corner we've
1542	// backed ourselves into by using `Ptr::from_ref`.
1543	let c = unsafe { c.assume_initialized() };
1544	let res = w.test_is_bit_valid_shared(c);
1545	if let Some(res) = res {
1546	assert!(res, "{}::is_bit_valid({:?}) (shared `Ptr`): got false, expected true", stringify!($ty), val);
1547	}
1548
1549	let c = Ptr::from_mut(&mut *val);
1550	let c = c.forget_aligned();
1551	// SAFETY: TODO(#899): This is unsound. `$ty` is not
1552	// necessarily `IntoBytes`, but that's the corner we've
1553	// backed ourselves into by using `Ptr::from_ref`.
1554	let c = unsafe { c.assume_initialized() };
1555	let res = <$ty as TryFromBytes>::is_bit_valid(c);
1556	assert!(res, "{}::is_bit_valid({:?}) (exclusive `Ptr`): got false, expected true", stringify!($ty), val);
1557
1558	// `bytes` is `Some(val.as_bytes())` if `$ty: IntoBytes +
1559	// Immutable` and `None` otherwise.
1560	let bytes = w.test_as_bytes(&*val);
1561
1562	// The inner closure returns
1563	// `Some($ty::try_ref_from_bytes(bytes))` if `$ty:
1564	// Immutable` and `None` otherwise.
1565	let res = bytes.and_then(\|bytes\| ww.test_try_from_ref(bytes));
1566	if let Some(res) = res {
1567	assert!(res.is_some(), "{}::try_ref_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1568	}
1569
1570	if let Some(bytes) = bytes {
1571	// We need to get a mutable byte slice, and so we clone
1572	// into a `Vec`. However, we also need these bytes to
1573	// satisfy `$ty`'s alignment requirement, which isn't
1574	// guaranteed for `Vec<u8>`. In order to get around
1575	// this, we create a `Vec` which is twice as long as we
1576	// need. There is guaranteed to be an aligned byte range
1577	// of size `size_of_val(val)` within that range.
1578	let val = &*val;
1579	let size = mem::size_of_val(val);
1580	let align = mem::align_of_val(val);
1581
1582	let mut vec = bytes.to_vec();
1583	vec.extend(bytes);
1584	let slc = vec.as_slice();
1585	let offset = slc.as_ptr().align_offset(align);
1586	let bytes_mut = &mut vec.as_mut_slice()[offset..offset+size];
1587	bytes_mut.copy_from_slice(bytes);
1588
1589	let res = ww.test_try_from_mut(bytes_mut);
1590	if let Some(res) = res {
1591	assert!(res.is_some(), "{}::try_mut_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1592	}
1593	}
1594
1595	let res = bytes.and_then(\|bytes\| ww.test_try_read_from(bytes));
1596	if let Some(res) = res {
1597	assert!(res.is_some(), "{}::try_read_from_bytes({:?}): got `None`, expected `Some`", stringify!($ty), val);
1598	}
1599	});
1600	#[allow(clippy::as_conversions)]
1601	<$ty as TryFromBytesTestable>::with_failing_test_cases(\|c\| {
1602	#[allow(unused_mut)] // For cases where the "real" impls are used, which take `&self`.
1603	let mut w = AutorefWrapper::<$ty>(PhantomData);
1604
1605	// This is `Some($ty::try_ref_from_bytes(c))` if `$ty:
1606	// Immutable` and `None` otherwise.
1607	let res = w.test_try_from_ref(c);
1608	if let Some(res) = res {
1609	assert!(res.is_none(), "{}::try_ref_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1610	}
1611
1612	let res = w.test_try_from_mut(c);
1613	if let Some(res) = res {
1614	assert!(res.is_none(), "{}::try_mut_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1615	}
1616
1617
1618	let res = w.test_try_read_from(c);
1619	if let Some(res) = res {
1620	assert!(res.is_none(), "{}::try_read_from_bytes({:?}): got Some, expected None", stringify!($ty), c);
1621	}
1622	});
1623
1624	#[allow(dead_code)]
1625	const _: () = { static_assertions::assert_impl_all!($ty: TryFromBytes); };
1626	};
1627	($ty:ty: $trait:ident) => {
1628	#[allow(dead_code)]
1629	const _: () = { static_assertions::assert_impl_all!($ty: $trait); };
1630	};
1631	($ty:ty: !$trait:ident) => {
1632	#[allow(dead_code)]
1633	const _: () = { static_assertions::assert_not_impl_any!($ty: $trait); };
1634	};
1635	($ty:ty: $($trait:ident),* $(,)? $(!$negative_trait:ident),*) => {
1636	$(
1637	assert_impls!($ty: $trait);
1638	)*
1639
1640	$(
1641	assert_impls!($ty: !$negative_trait);
1642	)*
1643	};
1644	}
1645
1646	// NOTE: The negative impl assertions here are not necessarily
1647	// prescriptive. They merely serve as change detectors to make sure
1648	// we're aware of what trait impls are getting added with a given
1649	// change. Of course, some impls would be invalid (e.g., `bool:
1650	// FromBytes`), and so this change detection is very important.
1651
1652	assert_impls!(
1653	(): KnownLayout,
1654	Immutable,
1655	TryFromBytes,
1656	FromZeros,
1657	FromBytes,
1658	IntoBytes,
1659	Unaligned
1660	);
1661	assert_impls!(
1662	u8: KnownLayout,
1663	Immutable,
1664	TryFromBytes,
1665	FromZeros,
1666	FromBytes,
1667	IntoBytes,
1668	Unaligned
1669	);
1670	assert_impls!(
1671	i8: KnownLayout,
1672	Immutable,
1673	TryFromBytes,
1674	FromZeros,
1675	FromBytes,
1676	IntoBytes,
1677	Unaligned
1678	);
1679	assert_impls!(
1680	u16: KnownLayout,
1681	Immutable,
1682	TryFromBytes,
1683	FromZeros,
1684	FromBytes,
1685	IntoBytes,
1686	!Unaligned
1687	);
1688	assert_impls!(
1689	i16: KnownLayout,
1690	Immutable,
1691	TryFromBytes,
1692	FromZeros,
1693	FromBytes,
1694	IntoBytes,
1695	!Unaligned
1696	);
1697	assert_impls!(
1698	u32: KnownLayout,
1699	Immutable,
1700	TryFromBytes,
1701	FromZeros,
1702	FromBytes,
1703	IntoBytes,
1704	!Unaligned
1705	);
1706	assert_impls!(
1707	i32: KnownLayout,
1708	Immutable,
1709	TryFromBytes,
1710	FromZeros,
1711	FromBytes,
1712	IntoBytes,
1713	!Unaligned
1714	);
1715	assert_impls!(
1716	u64: KnownLayout,
1717	Immutable,
1718	TryFromBytes,
1719	FromZeros,
1720	FromBytes,
1721	IntoBytes,
1722	!Unaligned
1723	);
1724	assert_impls!(
1725	i64: KnownLayout,
1726	Immutable,
1727	TryFromBytes,
1728	FromZeros,
1729	FromBytes,
1730	IntoBytes,
1731	!Unaligned
1732	);
1733	assert_impls!(
1734	u128: KnownLayout,
1735	Immutable,
1736	TryFromBytes,
1737	FromZeros,
1738	FromBytes,
1739	IntoBytes,
1740	!Unaligned
1741	);
1742	assert_impls!(
1743	i128: KnownLayout,
1744	Immutable,
1745	TryFromBytes,
1746	FromZeros,
1747	FromBytes,
1748	IntoBytes,
1749	!Unaligned
1750	);
1751	assert_impls!(
1752	usize: KnownLayout,
1753	Immutable,
1754	TryFromBytes,
1755	FromZeros,
1756	FromBytes,
1757	IntoBytes,
1758	!Unaligned
1759	);
1760	assert_impls!(
1761	isize: KnownLayout,
1762	Immutable,
1763	TryFromBytes,
1764	FromZeros,
1765	FromBytes,
1766	IntoBytes,
1767	!Unaligned
1768	);
1769	#[cfg(feature = "float-nightly")]
1770	assert_impls!(
1771	f16: KnownLayout,
1772	Immutable,
1773	TryFromBytes,
1774	FromZeros,
1775	FromBytes,
1776	IntoBytes,
1777	!Unaligned
1778	);
1779	assert_impls!(
1780	f32: KnownLayout,
1781	Immutable,
1782	TryFromBytes,
1783	FromZeros,
1784	FromBytes,
1785	IntoBytes,
1786	!Unaligned
1787	);
1788	assert_impls!(
1789	f64: KnownLayout,
1790	Immutable,
1791	TryFromBytes,
1792	FromZeros,
1793	FromBytes,
1794	IntoBytes,
1795	!Unaligned
1796	);
1797	#[cfg(feature = "float-nightly")]
1798	assert_impls!(
1799	f128: KnownLayout,
1800	Immutable,
1801	TryFromBytes,
1802	FromZeros,
1803	FromBytes,
1804	IntoBytes,
1805	!Unaligned
1806	);
1807	assert_impls!(
1808	bool: KnownLayout,
1809	Immutable,
1810	TryFromBytes,
1811	FromZeros,
1812	IntoBytes,
1813	Unaligned,
1814	!FromBytes
1815	);
1816	assert_impls!(
1817	char: KnownLayout,
1818	Immutable,
1819	TryFromBytes,
1820	FromZeros,
1821	IntoBytes,
1822	!FromBytes,
1823	!Unaligned
1824	);
1825	assert_impls!(
1826	str: KnownLayout,
1827	Immutable,
1828	TryFromBytes,
1829	FromZeros,
1830	IntoBytes,
1831	Unaligned,
1832	!FromBytes
1833	);
1834
1835	assert_impls!(
1836	NonZeroU8: KnownLayout,
1837	Immutable,
1838	TryFromBytes,
1839	IntoBytes,
1840	Unaligned,
1841	!FromZeros,
1842	!FromBytes
1843	);
1844	assert_impls!(
1845	NonZeroI8: KnownLayout,
1846	Immutable,
1847	TryFromBytes,
1848	IntoBytes,
1849	Unaligned,
1850	!FromZeros,
1851	!FromBytes
1852	);
1853	assert_impls!(
1854	NonZeroU16: KnownLayout,
1855	Immutable,
1856	TryFromBytes,
1857	IntoBytes,
1858	!FromBytes,
1859	!Unaligned
1860	);
1861	assert_impls!(
1862	NonZeroI16: KnownLayout,
1863	Immutable,
1864	TryFromBytes,
1865	IntoBytes,
1866	!FromBytes,
1867	!Unaligned
1868	);
1869	assert_impls!(
1870	NonZeroU32: KnownLayout,
1871	Immutable,
1872	TryFromBytes,
1873	IntoBytes,
1874	!FromBytes,
1875	!Unaligned
1876	);
1877	assert_impls!(
1878	NonZeroI32: KnownLayout,
1879	Immutable,
1880	TryFromBytes,
1881	IntoBytes,
1882	!FromBytes,
1883	!Unaligned
1884	);
1885	assert_impls!(
1886	NonZeroU64: KnownLayout,
1887	Immutable,
1888	TryFromBytes,
1889	IntoBytes,
1890	!FromBytes,
1891	!Unaligned
1892	);
1893	assert_impls!(
1894	NonZeroI64: KnownLayout,
1895	Immutable,
1896	TryFromBytes,
1897	IntoBytes,
1898	!FromBytes,
1899	!Unaligned
1900	);
1901	assert_impls!(
1902	NonZeroU128: KnownLayout,
1903	Immutable,
1904	TryFromBytes,
1905	IntoBytes,
1906	!FromBytes,
1907	!Unaligned
1908	);
1909	assert_impls!(
1910	NonZeroI128: KnownLayout,
1911	Immutable,
1912	TryFromBytes,
1913	IntoBytes,
1914	!FromBytes,
1915	!Unaligned
1916	);
1917	assert_impls!(
1918	NonZeroUsize: KnownLayout,
1919	Immutable,
1920	TryFromBytes,
1921	IntoBytes,
1922	!FromBytes,
1923	!Unaligned
1924	);
1925	assert_impls!(
1926	NonZeroIsize: KnownLayout,
1927	Immutable,
1928	TryFromBytes,
1929	IntoBytes,
1930	!FromBytes,
1931	!Unaligned
1932	);
1933
1934	assert_impls!(Option<NonZeroU8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1935	assert_impls!(Option<NonZeroI8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1936	assert_impls!(Option<NonZeroU16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1937	assert_impls!(Option<NonZeroI16>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1938	assert_impls!(Option<NonZeroU32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1939	assert_impls!(Option<NonZeroI32>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1940	assert_impls!(Option<NonZeroU64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1941	assert_impls!(Option<NonZeroI64>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1942	assert_impls!(Option<NonZeroU128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1943	assert_impls!(Option<NonZeroI128>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1944	assert_impls!(Option<NonZeroUsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1945	assert_impls!(Option<NonZeroIsize>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned);
1946
1947	// Implements none of the ZC traits.
1948	struct NotZerocopy;
1949
1950	#[rustfmt::skip]
1951	type FnManyArgs = fn(
1952	NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1953	) -> (NotZerocopy, NotZerocopy);
1954
1955	// Allowed, because we're not actually using this type for FFI.
1956	#[allow(improper_ctypes_definitions)]
1957	#[rustfmt::skip]
1958	type ECFnManyArgs = extern "C" fn(
1959	NotZerocopy, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8,
1960	) -> (NotZerocopy, NotZerocopy);
1961
1962	#[cfg(feature = "alloc")]
1963	assert_impls!(Option<Box<UnsafeCell<NotZerocopy>>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1964	assert_impls!(Option<Box<[UnsafeCell<NotZerocopy>]>>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1965	assert_impls!(Option<&'static UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1966	assert_impls!(Option<&'static [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1967	assert_impls!(Option<&'static mut UnsafeCell<NotZerocopy>>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1968	assert_impls!(Option<&'static mut [UnsafeCell<NotZerocopy>]>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1969	assert_impls!(Option<NonNull<UnsafeCell<NotZerocopy>>>: KnownLayout, TryFromBytes, FromZeros, Immutable, !FromBytes, !IntoBytes, !Unaligned);
1970	assert_impls!(Option<NonNull<[UnsafeCell<NotZerocopy>]>>: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1971	assert_impls!(Option<fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1972	assert_impls!(Option<FnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1973	assert_impls!(Option<extern "C" fn()>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1974	assert_impls!(Option<ECFnManyArgs>: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1975
1976	assert_impls!(PhantomData<NotZerocopy>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1977	assert_impls!(PhantomData<UnsafeCell<()>>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1978	assert_impls!(PhantomData<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1979
1980	assert_impls!(ManuallyDrop<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1981	// This test is important because it allows us to test our hand-rolled
1982	// implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1983	assert_impls!(ManuallyDrop<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1984	assert_impls!(ManuallyDrop<[u8]>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1985	// This test is important because it allows us to test our hand-rolled
1986	// implementation of `<ManuallyDrop<T> as TryFromBytes>::is_bit_valid`.
1987	assert_impls!(ManuallyDrop<[bool]>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
1988	assert_impls!(ManuallyDrop<NotZerocopy>: !Immutable, !TryFromBytes, !KnownLayout, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1989	assert_impls!(ManuallyDrop<[NotZerocopy]>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
1990	assert_impls!(ManuallyDrop<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1991	assert_impls!(ManuallyDrop<[UnsafeCell<u8>]>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
1992	assert_impls!(ManuallyDrop<[UnsafeCell<bool>]>: KnownLayout, TryFromBytes, FromZeros, IntoBytes, Unaligned, !Immutable, !FromBytes);
1993
1994	assert_impls!(CoreMaybeUninit<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, Unaligned, !IntoBytes);
1995	assert_impls!(CoreMaybeUninit<NotZerocopy>: KnownLayout, TryFromBytes, FromZeros, FromBytes, !Immutable, !IntoBytes, !Unaligned);
1996	assert_impls!(CoreMaybeUninit<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, Unaligned, !Immutable, !IntoBytes);
1997
1998	assert_impls!(Wrapping<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
1999	// This test is important because it allows us to test our hand-rolled
2000	// implementation of `<Wrapping<T> as TryFromBytes>::is_bit_valid`.
2001	assert_impls!(Wrapping<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2002	assert_impls!(Wrapping<NotZerocopy>: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2003	assert_impls!(Wrapping<UnsafeCell<()>>: KnownLayout, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned, !Immutable);
2004
2005	assert_impls!(Unalign<u8>: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, Unaligned);
2006	// This test is important because it allows us to test our hand-rolled
2007	// implementation of `<Unalign<T> as TryFromBytes>::is_bit_valid`.
2008	assert_impls!(Unalign<bool>: KnownLayout, Immutable, TryFromBytes, FromZeros, IntoBytes, Unaligned, !FromBytes);
2009	assert_impls!(Unalign<NotZerocopy>: KnownLayout, Unaligned, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes);
2010
2011	assert_impls!(
2012	[u8]: KnownLayout,
2013	Immutable,
2014	TryFromBytes,
2015	FromZeros,
2016	FromBytes,
2017	IntoBytes,
2018	Unaligned
2019	);
2020	assert_impls!(
2021	[bool]: KnownLayout,
2022	Immutable,
2023	TryFromBytes,
2024	FromZeros,
2025	IntoBytes,
2026	Unaligned,
2027	!FromBytes
2028	);
2029	assert_impls!([NotZerocopy]: KnownLayout, !Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2030	assert_impls!(
2031	[u8; `0`]: KnownLayout,
2032	Immutable,
2033	TryFromBytes,
2034	FromZeros,
2035	FromBytes,
2036	IntoBytes,
2037	Unaligned,
2038	);
2039	assert_impls!(
2040	[NotZerocopy; `0`]: KnownLayout,
2041	!Immutable,
2042	!TryFromBytes,
2043	!FromZeros,
2044	!FromBytes,
2045	!IntoBytes,
2046	!Unaligned
2047	);
2048	assert_impls!(
2049	[u8; `1`]: KnownLayout,
2050	Immutable,
2051	TryFromBytes,
2052	FromZeros,
2053	FromBytes,
2054	IntoBytes,
2055	Unaligned,
2056	);
2057	assert_impls!(
2058	[NotZerocopy; `1`]: KnownLayout,
2059	!Immutable,
2060	!TryFromBytes,
2061	!FromZeros,
2062	!FromBytes,
2063	!IntoBytes,
2064	!Unaligned
2065	);
2066
2067	assert_impls!(*const NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2068	assert_impls!(*mut NotZerocopy: KnownLayout, Immutable, TryFromBytes, FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2069	assert_impls!(*const [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2070	assert_impls!(*mut [NotZerocopy]: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2071	assert_impls!(*const dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2072	assert_impls!(*mut dyn Debug: KnownLayout, Immutable, !TryFromBytes, !FromZeros, !FromBytes, !IntoBytes, !Unaligned);
2073
2074	#[cfg(feature = "simd")]
2075	{
2076	#[allow(unused_macros)]
2077	macro_rules! test_simd_arch_mod {
2078	($arch:ident, $($typ:ident),*) => {
2079	{
2080	use core::arch::$arch::{$($typ),*};
2081	use crate::*;
2082	$( assert_impls!($typ: KnownLayout, Immutable, TryFromBytes, FromZeros, FromBytes, IntoBytes, !Unaligned); )*
2083	}
2084	};
2085	}
2086	#[cfg(target_arch = "x86")]
2087	test_simd_arch_mod!(x86, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2088
2089	#[cfg(all(feature = "simd-nightly", target_arch = "x86"))]
2090	test_simd_arch_mod!(x86, __m512bh, __m512, __m512d, __m512i);
2091
2092	#[cfg(target_arch = "x86_64")]
2093	test_simd_arch_mod!(x86_64, __m128, __m128d, __m128i, __m256, __m256d, __m256i);
2094
2095	#[cfg(all(feature = "simd-nightly", target_arch = "x86_64"))]
2096	test_simd_arch_mod!(x86_64, __m512bh, __m512, __m512d, __m512i);
2097
2098	#[cfg(target_arch = "wasm32")]
2099	test_simd_arch_mod!(wasm32, v128);
2100
2101	#[cfg(all(feature = "simd-nightly", target_arch = "powerpc"))]
2102	test_simd_arch_mod!(
2103	powerpc,
2104	vector_bool_long,
2105	vector_double,
2106	vector_signed_long,
2107	vector_unsigned_long
2108	);
2109
2110	#[cfg(all(feature = "simd-nightly", target_arch = "powerpc64"))]
2111	test_simd_arch_mod!(
2112	powerpc64,
2113	vector_bool_long,
2114	vector_double,
2115	vector_signed_long,
2116	vector_unsigned_long
2117	);
2118	#[cfg(all(target_arch = "aarch64", zerocopy_aarch64_simd_1_59_0))]
2119	#[rustfmt::skip]
2120	test_simd_arch_mod!(
2121	aarch64, float32x2_t, float32x4_t, float64x1_t, float64x2_t, int8x8_t, int8x8x2_t,
2122	int8x8x3_t, int8x8x4_t, int8x16_t, int8x16x2_t, int8x16x3_t, int8x16x4_t, int16x4_t,
2123	int16x8_t, int32x2_t, int32x4_t, int64x1_t, int64x2_t, poly8x8_t, poly8x8x2_t, poly8x8x3_t,
2124	poly8x8x4_t, poly8x16_t, poly8x16x2_t, poly8x16x3_t, poly8x16x4_t, poly16x4_t, poly16x8_t,
2125	poly64x1_t, poly64x2_t, uint8x8_t, uint8x8x2_t, uint8x8x3_t, uint8x8x4_t, uint8x16_t,
2126	uint8x16x2_t, uint8x16x3_t, uint8x16x4_t, uint16x4_t, uint16x8_t, uint32x2_t, uint32x4_t,
2127	uint64x1_t, uint64x2_t
2128	);
2129	}
2130	}
2131	}
2132