macro_util.rs source code [crates/zerocopy-0.8.24/src/util/macro_util.rs]

1	// Copyright 2022 The Fuchsia Authors
2	//
3	// Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0
4	// <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT
5	// license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option.
6	// This file may not be copied, modified, or distributed except according to
7	// those terms.
8
9	//! Utilities used by macros and by `zerocopy-derive`.
10	//!
11	//! These are defined here `zerocopy` rather than in code generated by macros or
12	//! by `zerocopy-derive` so that they can be compiled once rather than
13	//! recompiled for every invocation (e.g., if they were defined in generated
14	//! code, then deriving `IntoBytes` and `FromBytes` on three different types
15	//! would result in the code in question being emitted and compiled six
16	//! different times).
17
18	#![allow(missing_debug_implementations)]
19
20	use core::{
21	mem::{self, ManuallyDrop},
22	ptr::NonNull,
23	};
24
25	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove this
26	// `cfg` when `size_of_val_raw` is stabilized.
27	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
28	#[cfg(not(target_pointer_width = "16"))]
29	use core::ptr;
30
31	use crate::{
32	pointer::{
33	invariant::{self, BecauseExclusive, BecauseImmutable, Invariants},
34	TryTransmuteFromPtr,
35	},
36	FromBytes, Immutable, IntoBytes, Ptr, TryFromBytes, ValidityError,
37	};
38
39	/// Projects the type of the field at `Index` in `Self`.
40	///
41	/// The `Index` parameter is any sort of handle that identifies the field; its
42	/// definition is the obligation of the implementer.
43	///
44	/// # Safety
45	///
46	/// Unsafe code may assume that this accurately reflects the definition of
47	/// `Self`.
48	pub unsafe trait Field<Index> {
49	/// The type of the field at `Index`.
50	type Type: ?Sized;
51	}
52
53	#[cfg_attr(
54	zerocopy_diagnostic_on_unimplemented_1_78_0,
55	diagnostic::on_unimplemented(
56	message = "`{T}` has inter-field padding",
57	label = "types with padding cannot implement `IntoBytes`",
58	note = "consider using `zerocopy::Unalign` to lower the alignment of individual fields",
59	note = "consider adding explicit fields where padding would be",
60	note = "consider using `#[repr(packed)]` to remove inter-field padding"
61	)
62	)]
63	pub trait PaddingFree<T: ?Sized, const HAS_PADDING: bool> {}
64	impl<T: ?Sized> PaddingFree<T, `false`> for () {}
65
66	/// A type whose size is equal to `align_of::<T>()`.
67	#[repr(C)]
68	pub struct AlignOf<T> {
69	// This field ensures that:
70	// - The size is always at least 1 (the minimum possible alignment).
71	// - If the alignment is greater than 1, Rust has to round up to the next
72	// multiple of it in order to make sure that `Align`'s size is a multiple
73	// of that alignment. Without this field, its size could be 0, which is a
74	// valid multiple of any alignment.
75	_u: u8,
76	_a: [T; `0`],
77	}
78
79	impl<T> AlignOf<T> {
80	#[inline(never)] // Make `missing_inline_in_public_items` happy.
81	#[cfg_attr(
82	all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS),
83	coverage(off)
84	)]
85	pub fn into_t(self) -> T {
86	unreachable!()
87	}
88	}
89
90	/// A type whose size is equal to `max(align_of::<T>(), align_of::<U>())`.
91	#[repr(C)]
92	pub union MaxAlignsOf<T, U> {
93	_t: ManuallyDrop<AlignOf<T>>,
94	_u: ManuallyDrop<AlignOf<U>>,
95	}
96
97	impl<T, U> MaxAlignsOf<T, U> {
98	#[inline(never)] // Make `missing_inline_in_public_items` happy.
99	#[cfg_attr(
100	all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS),
101	coverage(off)
102	)]
103	pub fn new(_t: T, _u: U) -> MaxAlignsOf<T, U> {
104	unreachable!()
105	}
106	}
107
108	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
109	#[cfg(not(target_pointer_width = "16"))]
110	const _64K: usize = `1` << `16`;
111
112	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove this
113	// `cfg` when `size_of_val_raw` is stabilized.
114	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
115	#[cfg(not(target_pointer_width = "16"))]
116	#[repr(C, align(`65536`))]
117	struct Aligned64kAllocation([u8; _64K]);
118
119	/// A pointer to an aligned allocation of size 2^16.
120	///
121	/// # Safety
122	///
123	/// `ALIGNED_64K_ALLOCATION` is guaranteed to point to the entirety of an
124	/// allocation with size and alignment 2^16, and to have valid provenance.
125	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove this
126	// `cfg` when `size_of_val_raw` is stabilized.
127	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
128	#[cfg(not(target_pointer_width = "16"))]
129	pub const ALIGNED_64K_ALLOCATION: NonNull<[u8]> = {
130	const REF: &Aligned64kAllocation = &Aligned64kAllocation([`0`; _64K]);
131	let ptr: *const Aligned64kAllocation = REF;
132	let ptr: *const [u8] = ptr::slice_from_raw_parts(ptr.cast(), _64K);
133	// SAFETY:
134	// - `ptr` is derived from a Rust reference, which is guaranteed to be
135	// non-null.
136	// - `ptr` is derived from an `&Aligned64kAllocation`, which has size and
137	// alignment `_64K` as promised. Its length is initialized to `_64K`,
138	// which means that it refers to the entire allocation.
139	// - `ptr` is derived from a Rust reference, which is guaranteed to have
140	// valid provenance.
141	//
142	// TODO(#429): Once `NonNull::new_unchecked` docs document that it preserves
143	// provenance, cite those docs.
144	// TODO: Replace this `as` with `ptr.cast_mut()` once our MSRV >= 1.65
145	#[allow(clippy::as_conversions)]
146	unsafe {
147	NonNull::new_unchecked(ptr as *mut _)
148	}
149	};
150
151	/// Computes the offset of the base of the field `$trailing_field_name` within
152	/// the type `$ty`.
153	///
154	/// `trailing_field_offset!` produces code which is valid in a `const` context.
155	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove this
156	// `cfg` when `size_of_val_raw` is stabilized.
157	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
158	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
159	#[macro_export]
160	macro_rules! trailing_field_offset {
161	($ty:ty, $trailing_field_name:tt) => {{
162	let min_size = {
163	let zero_elems: *const [()] =
164	$crate::util::macro_util::core_reexport::ptr::slice_from_raw_parts(
165	// Work around https://github.com/rust-lang/rust-clippy/issues/12280
166	#[allow(clippy::incompatible_msrv)]
167	$crate::util::macro_util::core_reexport::ptr::NonNull::<()>::dangling()
168	.as_ptr()
169	.cast_const(),
170	`0`,
171	);
172	// SAFETY:
173	// - If `$ty` is `Sized`, `size_of_val_raw` is always safe to call.
174	// - Otherwise:
175	// - If `$ty` is not a slice DST, this pointer conversion will
176	// fail due to "mismatched vtable kinds", and compilation will
177	// fail.
178	// - If `$ty` is a slice DST, we have constructed `zero_elems` to
179	// have zero trailing slice elements. Per the `size_of_val_raw`
180	// docs, "For the special case where the dynamic tail length is
181	// 0, this function is safe to call." [1]
182	//
183	// [1] https://doc.rust-lang.org/nightly/std/mem/fn.size_of_val_raw.html
184	unsafe {
185	#[allow(clippy::as_conversions)]
186	$crate::util::macro_util::core_reexport::mem::size_of_val_raw(
187	zero_elems as *const $ty,
188	)
189	}
190	};
191
192	assert!(min_size <= _64K);
193
194	#[allow(clippy::as_conversions)]
195	let ptr = ALIGNED_64K_ALLOCATION.as_ptr() as *const $ty;
196
197	// SAFETY:
198	// - Thanks to the preceding `assert!`, we know that the value with zero
199	// elements fits in `_64K` bytes, and thus in the allocation addressed
200	// by `ALIGNED_64K_ALLOCATION`. The offset of the trailing field is
201	// guaranteed to be no larger than this size, so this field projection
202	// is guaranteed to remain in-bounds of its allocation.
203	// - Because the minimum size is no larger than `_64K` bytes, and
204	// because an object's size must always be a multiple of its alignment
205	// [1], we know that `$ty`'s alignment is no larger than `_64K`. The
206	// allocation addressed by `ALIGNED_64K_ALLOCATION` is guaranteed to
207	// be aligned to `_64K`, so `ptr` is guaranteed to satisfy `$ty`'s
208	// alignment.
209	// - As required by `addr_of!`, we do not write through `field`.
210	//
211	// Note that, as of [2], this requirement is technically unnecessary
212	// for Rust versions >= 1.75.0, but no harm in guaranteeing it anyway
213	// until we bump our MSRV.
214	//
215	// [1] Per https://doc.rust-lang.org/reference/type-layout.html:
216	//
217	// The size of a value is always a multiple of its alignment.
218	//
219	// [2] https://github.com/rust-lang/reference/pull/1387
220	let field = unsafe {
221	$crate::util::macro_util::core_reexport::ptr::addr_of!((*ptr).$trailing_field_name)
222	};
223	// SAFETY:
224	// - Both `ptr` and `field` are derived from the same allocated object.
225	// - By the preceding safety comment, `field` is in bounds of that
226	// allocated object.
227	// - The distance, in bytes, between `ptr` and `field` is required to be
228	// a multiple of the size of `u8`, which is trivially true because
229	// `u8`'s size is 1.
230	// - The distance, in bytes, cannot overflow `isize`. This is guaranteed
231	// because no allocated object can have a size larger than can fit in
232	// `isize`. [1]
233	// - The distance being in-bounds cannot rely on wrapping around the
234	// address space. This is guaranteed because the same is guaranteed of
235	// allocated objects. [1]
236	//
237	// [1] TODO(#429), TODO(https://github.com/rust-lang/rust/pull/116675):
238	// Once these are guaranteed in the Reference, cite it.
239	let offset = unsafe { field.cast::<u8>().offset_from(ptr.cast::<u8>()) };
240	// Guaranteed not to be lossy: `field` comes after `ptr`, so the offset
241	// from `ptr` to `field` is guaranteed to be positive.
242	assert!(offset >= `0`);
243	Some(
244	#[allow(clippy::as_conversions)]
245	{
246	offset as usize
247	},
248	)
249	}};
250	}
251
252	/// Computes alignment of `$ty: ?Sized`.
253	///
254	/// `align_of!` produces code which is valid in a `const` context.
255	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove this
256	// `cfg` when `size_of_val_raw` is stabilized.
257	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
258	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
259	#[macro_export]
260	macro_rules! align_of {
261	($ty:ty) => {{
262	// SAFETY: `OffsetOfTrailingIsAlignment` is `repr(C)`, and its layout is
263	// guaranteed [1] to begin with the single-byte layout for `_byte`,
264	// followed by the padding needed to align `_trailing`, then the layout
265	// for `_trailing`, and finally any trailing padding bytes needed to
266	// correctly-align the entire struct.
267	//
268	// This macro computes the alignment of `$ty` by counting the number of
269	// bytes preceeding `_trailing`. For instance, if the alignment of `$ty`
270	// is `1`, then no padding is required align `_trailing` and it will be
271	// located immediately after `_byte` at offset 1. If the alignment of
272	// `$ty` is 2, then a single padding byte is required before
273	// `_trailing`, and `_trailing` will be located at offset 2.
274
275	// This correspondence between offset and alignment holds for all valid
276	// Rust alignments, and we confirm this exhaustively (or, at least up to
277	// the maximum alignment supported by `trailing_field_offset!`) in
278	// `test_align_of_dst`.
279	//
280	// [1]: https://doc.rust-lang.org/nomicon/other-reprs.html#reprc
281
282	#[repr(C)]
283	struct OffsetOfTrailingIsAlignment {
284	_byte: u8,
285	_trailing: $ty,
286	}
287
288	trailing_field_offset!(OffsetOfTrailingIsAlignment, _trailing)
289	}};
290	}
291
292	mod size_to_tag {
293	pub trait SizeToTag<const SIZE: usize> {
294	type Tag;
295	}
296
297	impl SizeToTag<`1`> for () {
298	type Tag = u8;
299	}
300	impl SizeToTag<`2`> for () {
301	type Tag = u16;
302	}
303	impl SizeToTag<`4`> for () {
304	type Tag = u32;
305	}
306	impl SizeToTag<`8`> for () {
307	type Tag = u64;
308	}
309	impl SizeToTag<`16`> for () {
310	type Tag = u128;
311	}
312	}
313
314	/// An alias for the unsigned integer of the given size in bytes.
315	#[doc(hidden)]
316	pub type SizeToTag<const SIZE: usize> = <() as size_to_tag::SizeToTag<SIZE>>::Tag;
317
318	// We put `Sized` in its own module so it can have the same name as the standard
319	// library `Sized` without shadowing it in the parent module.
320	#[cfg(zerocopy_diagnostic_on_unimplemented_1_78_0)]
321	mod __size_of {
322	#[diagnostic::on_unimplemented(
323	message = "`{Self}` is unsized",
324	label = "`IntoBytes` needs all field types to be `Sized` in order to determine whether there is inter-field padding",
325	note = "consider using `#[repr(packed)]` to remove inter-field padding",
326	note = "`IntoBytes` does not require the fields of `#[repr(packed)]` types to be `Sized`"
327	)]
328	pub trait Sized: core::marker::Sized {}
329	impl<T: core::marker::Sized> Sized for T {}
330
331	#[inline(always)]
332	#[must_use]
333	#[allow(clippy::needless_maybe_sized)]
334	pub const fn size_of<T: Sized + ?core::marker::Sized>() -> usize {
335	core::mem::size_of::<T>()
336	}
337	}
338
339	#[cfg(zerocopy_diagnostic_on_unimplemented_1_78_0)]
340	pub use __size_of::size_of;
341	#[cfg(not(zerocopy_diagnostic_on_unimplemented_1_78_0))]
342	pub use core::mem::size_of;
343
344	/// Does the struct type `$t` have padding?
345	///
346	/// `$ts` is the list of the type of every field in `$t`. `$t` must be a
347	/// struct type, or else `struct_has_padding!`'s result may be meaningless.
348	///
349	/// Note that `struct_has_padding!`'s results are independent of `repcr` since
350	/// they only consider the size of the type and the sizes of the fields.
351	/// Whatever the repr, the size of the type already takes into account any
352	/// padding that the compiler has decided to add. Structs with well-defined
353	/// representations (such as `repr(C)`) can use this macro to check for padding.
354	/// Note that while this may yield some consistent value for some `repr(Rust)`
355	/// structs, it is not guaranteed across platforms or compilations.
356	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
357	#[macro_export]
358	macro_rules! struct_has_padding {
359	($t:ty, [$($ts:ty),*]) => {
360	$crate::util::macro_util::size_of::<$t>() > `0` $(+ $crate::util::macro_util::size_of::<$ts>())*
361	};
362	}
363
364	/// Does the union type `$t` have padding?
365	///
366	/// `$ts` is the list of the type of every field in `$t`. `$t` must be a
367	/// union type, or else `union_has_padding!`'s result may be meaningless.
368	///
369	/// Note that `union_has_padding!`'s results are independent of `repr` since
370	/// they only consider the size of the type and the sizes of the fields.
371	/// Whatever the repr, the size of the type already takes into account any
372	/// padding that the compiler has decided to add. Unions with well-defined
373	/// representations (such as `repr(C)`) can use this macro to check for padding.
374	/// Note that while this may yield some consistent value for some `repr(Rust)`
375	/// unions, it is not guaranteed across platforms or compilations.
376	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
377	#[macro_export]
378	macro_rules! union_has_padding {
379	($t:ty, [$($ts:ty),*]) => {
380	`false` $(\|\| $crate::util::macro_util::size_of::<$t>() != $crate::util::macro_util::size_of::<$ts>())*
381	};
382	}
383
384	/// Does the enum type `$t` have padding?
385	///
386	/// `$disc` is the type of the enum tag, and `$ts` is a list of fields in each
387	/// square-bracket-delimited variant. `$t` must be an enum, or else
388	/// `enum_has_padding!`'s result may be meaningless. An enum has padding if any
389	/// of its variant structs [1][2] contain padding, and so all of the variants of
390	/// an enum must be "full" in order for the enum to not have padding.
391	///
392	/// The results of `enum_has_padding!` require that the enum is not
393	/// `repr(Rust)`, as `repr(Rust)` enums may niche the enum's tag and reduce the
394	/// total number of bytes required to represent the enum as a result. As long as
395	/// the enum is `repr(C)`, `repr(int)`, or `repr(C, int)`, this will
396	/// consistently return whether the enum contains any padding bytes.
397	///
398	/// [1]: https://doc.rust-lang.org/1.81.0/reference/type-layout.html#reprc-enums-with-fields
399	/// [2]: https://doc.rust-lang.org/1.81.0/reference/type-layout.html#primitive-representation-of-enums-with-fields
400	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
401	#[macro_export]
402	macro_rules! enum_has_padding {
403	($t:ty, $disc:ty, $([$($ts:ty),]),) => {
404	`false` $(
405	\|\| $crate::util::macro_util::size_of::<$t>()
406	!= (
407	$crate::util::macro_util::size_of::<$disc>()
408	$(+ $crate::util::macro_util::size_of::<$ts>())*
409	)
410	)*
411	}
412	}
413
414	/// Does `t` have alignment greater than or equal to `u`? If not, this macro
415	/// produces a compile error. It must be invoked in a dead codepath. This is
416	/// used in `transmute_ref!` and `transmute_mut!`.
417	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
418	#[macro_export]
419	macro_rules! assert_align_gt_eq {
420	($t:ident, $u: ident) => {{
421	// The comments here should be read in the context of this macro's
422	// invocations in `transmute_ref!` and `transmute_mut!`.
423	if `false` {
424	// The type wildcard in this bound is inferred to be `T` because
425	// `align_of.into_t()` is assigned to `t` (which has type `T`).
426	let align_of: $crate::util::macro_util::AlignOf<_> = unreachable!();
427	$t = align_of.into_t();
428	// `max_aligns` is inferred to have type `MaxAlignsOf<T, U>` because
429	// of the inferred types of `t` and `u`.
430	let mut max_aligns = $crate::util::macro_util::MaxAlignsOf::new($t, $u);
431
432	// This transmute will only compile successfully if
433	// `align_of::<T>() == max(align_of::<T>(), align_of::<U>())` - in
434	// other words, if `align_of::<T>() >= align_of::<U>()`.
435	//
436	// SAFETY: This code is never run.
437	max_aligns = unsafe {
438	// Clippy: We can't annotate the types; this macro is designed
439	// to infer the types from the calling context.
440	#[allow(clippy::missing_transmute_annotations)]
441	$crate::util::macro_util::core_reexport::mem::transmute(align_of)
442	};
443	} else {
444	loop {}
445	}
446	}};
447	}
448
449	/// Do `t` and `u` have the same size? If not, this macro produces a compile
450	/// error. It must be invoked in a dead codepath. This is used in
451	/// `transmute_ref!` and `transmute_mut!`.
452	#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
453	#[macro_export]
454	macro_rules! assert_size_eq {
455	($t:ident, $u: ident) => {{
456	// The comments here should be read in the context of this macro's
457	// invocations in `transmute_ref!` and `transmute_mut!`.
458	if `false` {
459	// SAFETY: This code is never run.
460	$u = unsafe {
461	// Clippy:
462	// - It's okay to transmute a type to itself.
463	// - We can't annotate the types; this macro is designed to
464	// infer the types from the calling context.
465	#[allow(clippy::useless_transmute, clippy::missing_transmute_annotations)]
466	$crate::util::macro_util::core_reexport::mem::transmute($t)
467	};
468	} else {
469	loop {}
470	}
471	}};
472	}
473
474	/// Transmutes a reference of one type to a reference of another type.
475	///
476	/// # Safety
477	///
478	/// The caller must guarantee that:
479	/// - `Src: IntoBytes + Immutable`
480	/// - `Dst: FromBytes + Immutable`
481	/// - `size_of::<Src>() == size_of::<Dst>()`
482	/// - `align_of::<Src>() >= align_of::<Dst>()`
483	#[inline(always)]
484	pub const unsafe fn transmute_ref<'dst, 'src: 'dst, Src: 'src, Dst: 'dst>(
485	src: &'src Src,
486	) -> &'dst Dst {
487	let src: *const Src = src;
488	let dst: *const Dst = src.cast::<Dst>();
489	// SAFETY:
490	// - We know that it is sound to view the target type of the input reference
491	// (`Src`) as the target type of the output reference (`Dst`) because the
492	// caller has guaranteed that `Src: IntoBytes`, `Dst: FromBytes`, and
493	// `size_of::<Src>() == size_of::<Dst>()`.
494	// - We know that there are no `UnsafeCell`s, and thus we don't have to
495	// worry about `UnsafeCell` overlap, because `Src: Immutable` and `Dst:
496	// Immutable`.
497	// - The caller has guaranteed that alignment is not increased.
498	// - We know that the returned lifetime will not outlive the input lifetime
499	// thanks to the lifetime bounds on this function.
500	//
501	// TODO(#67): Once our MSRV is 1.58, replace this `transmute` with `&dst`.*
502	#[allow(clippy::transmute_ptr_to_ref)]
503	unsafe {
504	mem::transmute(src:dst)
505	}
506	}
507
508	/// Transmutes a mutable reference of one type to a mutable reference of another
509	/// type.
510	///
511	/// # Safety
512	///
513	/// The caller must guarantee that:
514	/// - `Src: FromBytes + IntoBytes`
515	/// - `Dst: FromBytes + IntoBytes`
516	/// - `size_of::<Src>() == size_of::<Dst>()`
517	/// - `align_of::<Src>() >= align_of::<Dst>()`
518	// TODO(#686): Consider removing the `Immutable` requirement.
519	#[inline(always)]
520	pub unsafe fn transmute_mut<'dst, 'src: 'dst, Src: 'src, Dst: 'dst>(
521	src: &'src mut Src,
522	) -> &'dst mut Dst {
523	let src: *mut Src = src;
524	let dst: *mut Dst = src.cast::<Dst>();
525	// SAFETY:
526	// - We know that it is sound to view the target type of the input reference
527	// (`Src`) as the target type of the output reference (`Dst`) and
528	// vice-versa because the caller has guaranteed that `Src: FromBytes +
529	// IntoBytes`, `Dst: FromBytes + IntoBytes`, and `size_of::<Src>() ==
530	// size_of::<Dst>()`.
531	// - The caller has guaranteed that alignment is not increased.
532	// - We know that the returned lifetime will not outlive the input lifetime
533	// thanks to the lifetime bounds on this function.
534	unsafe { &mut *dst }
535	}
536
537	/// Is a given source a valid instance of `Dst`?
538	///
539	/// If so, returns `src` casted to a `Ptr<Dst, _>`. Otherwise returns `None`.
540	///
541	/// # Safety
542	///
543	/// Unsafe code may assume that, if `try_cast_or_pme(src)` returns `Ok`,
544	/// `src` is a bit-valid instance of `Dst`, and that the size of `Src` is*
545	/// greater than or equal to the size of `Dst`.
546	///
547	/// Unsafe code may assume that, if `try_cast_or_pme(src)` returns `Err`, the
548	/// encapsulated `Ptr` value is the original `src`. `try_cast_or_pme` cannot
549	/// guarantee that the referent has not been modified, as it calls user-defined
550	/// code (`TryFromBytes::is_bit_valid`).
551	///
552	/// # Panics
553	///
554	/// `try_cast_or_pme` may either produce a post-monomorphization error or a
555	/// panic if `Dst` not the same size as `Src`. Otherwise, `try_cast_or_pme`
556	/// panics under the same circumstances as [`is_bit_valid`].
557	///
558	/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
559	#[doc(hidden)]
560	#[inline]
561	fn try_cast_or_pme<Src, Dst, I, R, S>(
562	src: Ptr<'_, Src, I>,
563	) -> Result<
564	Ptr<'_, Dst, (I::Aliasing, invariant::Unaligned, invariant::Valid)>,
565	ValidityError<Ptr<'_, Src, I>, Dst>,
566	>
567	where
568	// TODO(#2226): There should be a `Src: FromBytes` bound here, but doing so
569	// requires deeper surgery.
570	Src: invariant::Read<I::Aliasing, R>,
571	Dst: TryFromBytes
572	+ invariant::Read<I::Aliasing, R>
573	+ TryTransmuteFromPtr<Dst, I::Aliasing, invariant::Initialized, invariant::Valid, S>,
574	I: Invariants<Validity = invariant::Initialized>,
575	I::Aliasing: invariant::Reference,
576	{
577	static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
578
579	// SAFETY: This is a pointer cast, satisfying the following properties:
580	// - `p as mut Dst` addresses a subset of the `bytes` addressed by `src`,*
581	// because we assert above that the size of `Dst` equal to the size of
582	// `Src`.
583	// - `p as mut Dst` is a provenance-preserving cast*
584	#[allow(clippy::as_conversions)]
585	let c_ptr = unsafe { src.cast_unsized(NonNull::cast::<Dst>) };
586
587	match c_ptr.try_into_valid() {
588	Ok(ptr) => Ok(ptr),
589	Err(err) => {
590	// Re-cast `Ptr<Dst>` to `Ptr<Src>`.
591	let ptr = err.into_src();
592	// SAFETY: This is a pointer cast, satisfying the following
593	// properties:
594	// - `p as mut Src` addresses a subset of the `bytes` addressed by*
595	// `ptr`, because we assert above that the size of `Dst` is equal
596	// to the size of `Src`.
597	// - `p as mut Src` is a provenance-preserving cast*
598	#[allow(clippy::as_conversions)]
599	let ptr = unsafe { ptr.cast_unsized(NonNull::cast::<Src>) };
600	// SAFETY: `ptr` is `src`, and has the same alignment invariant.
601	let ptr = unsafe { ptr.assume_alignment::<I::Alignment>() };
602	// SAFETY: `ptr` is `src` and has the same validity invariant.
603	let ptr = unsafe { ptr.assume_validity::<I::Validity>() };
604	Err(ValidityError::new(ptr.unify_invariants()))
605	}
606	}
607	}
608
609	/// Attempts to transmute `Src` into `Dst`.
610	///
611	/// A helper for `try_transmute!`.
612	///
613	/// # Panics
614	///
615	/// `try_transmute` may either produce a post-monomorphization error or a panic
616	/// if `Dst` is bigger than `Src`. Otherwise, `try_transmute` panics under the
617	/// same circumstances as [`is_bit_valid`].
618	///
619	/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
620	#[inline(always)]
621	pub fn try_transmute<Src, Dst>(src: Src) -> Result<Dst, ValidityError<Src, Dst>>
622	where
623	Src: IntoBytes,
624	Dst: TryFromBytes,
625	{
626	static_assert!(Src, Dst => mem::size_of::<Dst>() == mem::size_of::<Src>());
627
628	let mu_src = mem::MaybeUninit::new(src);
629	// SAFETY: By invariant on `&`, the following are satisfied:
630	// - `&mu_src` is valid for reads
631	// - `&mu_src` is properly aligned
632	// - `&mu_src`'s referent is bit-valid
633	let mu_src_copy = unsafe { core::ptr::read(&mu_src) };
634	// SAFETY: `MaybeUninit` has no validity constraints.
635	let mut mu_dst: mem::MaybeUninit<Dst> =
636	unsafe { crate::util::transmute_unchecked(mu_src_copy) };
637
638	let ptr = Ptr::from_mut(&mut mu_dst);
639
640	// SAFETY: Since `Src: IntoBytes`, and since `size_of::<Src>() ==
641	// size_of::<Dst>()` by the preceding assertion, all of `mu_dst`'s bytes are
642	// initialized.
643	let ptr = unsafe { ptr.assume_validity::<invariant::Initialized>() };
644
645	// SAFETY: `MaybeUninit<T>` and `T` have the same size [1], so this cast
646	// preserves the referent's size. This cast preserves provenance.
647	//
648	// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
649	//
650	// `MaybeUninit<T>` is guaranteed to have the same size, alignment, and
651	// ABI as `T`
652	let ptr: Ptr<'_, Dst, _> = unsafe { ptr.cast_unsized(NonNull::<mem::MaybeUninit<Dst>>::cast) };
653
654	if Dst::is_bit_valid(ptr.forget_aligned()) {
655	// SAFETY: Since `Dst::is_bit_valid`, we know that `ptr`'s referent is
656	// bit-valid for `Dst`. `ptr` points to `mu_dst`, and no intervening
657	// operations have mutated it, so it is a bit-valid `Dst`.
658	Ok(unsafe { mu_dst.assume_init() })
659	} else {
660	// SAFETY: `mu_src` was constructed from `src` and never modified, so it
661	// is still bit-valid.
662	Err(ValidityError::new(unsafe { mu_src.assume_init() }))
663	}
664	}
665
666	/// Attempts to transmute `&Src` into `&Dst`.
667	///
668	/// A helper for `try_transmute_ref!`.
669	///
670	/// # Panics
671	///
672	/// `try_transmute_ref` may either produce a post-monomorphization error or a
673	/// panic if `Dst` is bigger or has a stricter alignment requirement than `Src`.
674	/// Otherwise, `try_transmute_ref` panics under the same circumstances as
675	/// [`is_bit_valid`].
676	///
677	/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
678	#[inline(always)]
679	pub fn try_transmute_ref<Src, Dst>(src: &Src) -> Result<&Dst, ValidityError<&Src, Dst>>
680	where
681	Src: IntoBytes + Immutable,
682	Dst: TryFromBytes + Immutable,
683	{
684	let ptr = Ptr::from_ref(src);
685	let ptr = ptr.bikeshed_recall_initialized_immutable();
686	match try_cast_or_pme::<Src, Dst, _, BecauseImmutable, _>(ptr) {
687	Ok(ptr) => {
688	static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
689	// SAFETY: We have checked that `Dst` does not have a stricter
690	// alignment requirement than `Src`.
691	let ptr = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
692	Ok(ptr.as_ref())
693	}
694	Err(err) => Err(err.map_src(\|ptr\| {
695	// SAFETY: Because `Src: Immutable` and we create a `Ptr` via
696	// `Ptr::from_ref`, the resulting `Ptr` is a shared-and-`Immutable`
697	// `Ptr`, which does not permit mutation of its referent. Therefore,
698	// no mutation could have happened during the call to
699	// `try_cast_or_pme` (any such mutation would be unsound).
700	//
701	// `try_cast_or_pme` promises to return its original argument, and
702	// so we know that we are getting back the same `ptr` that we
703	// originally passed, and that `ptr` was a bit-valid `Src`.
704	let ptr = unsafe { ptr.assume_valid() };
705	ptr.as_ref()
706	})),
707	}
708	}
709
710	/// Attempts to transmute `&mut Src` into `&mut Dst`.
711	///
712	/// A helper for `try_transmute_mut!`.
713	///
714	/// # Panics
715	///
716	/// `try_transmute_mut` may either produce a post-monomorphization error or a
717	/// panic if `Dst` is bigger or has a stricter alignment requirement than `Src`.
718	/// Otherwise, `try_transmute_mut` panics under the same circumstances as
719	/// [`is_bit_valid`].
720	///
721	/// [`is_bit_valid`]: TryFromBytes::is_bit_valid
722	#[inline(always)]
723	pub fn try_transmute_mut<Src, Dst>(src: &mut Src) -> Result<&mut Dst, ValidityError<&mut Src, Dst>>
724	where
725	Src: FromBytes + IntoBytes,
726	Dst: TryFromBytes + IntoBytes,
727	{
728	let ptr: Ptr<'_, Src, (Exclusive, …)> = Ptr::from_mut(ptr:src);
729	let ptr: Ptr<'_, Src, (Exclusive, …)> = ptr.bikeshed_recall_initialized_from_bytes();
730	match try_cast_or_pme::<Src, Dst, _, BecauseExclusive, _>(src:ptr) {
731	Ok(ptr: Ptr<'_, Dst, (Exclusive, …)>) => {
732	static_assert!(Src, Dst => mem::align_of::<Dst>() <= mem::align_of::<Src>());
733	// SAFETY: We have checked that `Dst` does not have a stricter
734	// alignment requirement than `Src`.
735	let ptr: Ptr<'_, Dst, (Exclusive, …)> = unsafe { ptr.assume_alignment::<invariant::Aligned>() };
736	Ok(ptr.as_mut())
737	}
738	Err(err: ValidityError, …>) => Err(err.map_src(\|ptr: Ptr<'_, Src, (Exclusive, …)>\| ptr.recall_validity().as_mut())),
739	}
740	}
741
742	/// A function which emits a warning if its return value is not used.
743	#[must_use]
744	#[inline(always)]
745	pub const fn must_use<T>(t: T) -> T {
746	t
747	}
748
749	// NOTE: We can't change this to a `pub use core as core_reexport` until [1] is
750	// fixed or we update to a semver-breaking version (as of this writing, 0.8.0)
751	// on the `main` branch.
752	//
753	// [1] https://github.com/obi1kenobi/cargo-semver-checks/issues/573
754	pub mod core_reexport {
755	pub use core::*;
756
757	pub mod mem {
758	pub use core::mem::*;
759	}
760	}
761
762	#[cfg(test)]
763	mod tests {
764	use super::*;
765	use crate::util::testutil::*;
766
767	#[test]
768	fn test_align_of() {
769	macro_rules! test {
770	($ty:ty) => {
771	assert_eq!(mem::size_of::<AlignOf<$ty>>(), mem::align_of::<$ty>());
772	};
773	}
774
775	test!(());
776	test!(u8);
777	test!(AU64);
778	test!([AU64; `2`]);
779	}
780
781	#[test]
782	fn test_max_aligns_of() {
783	macro_rules! test {
784	($t:ty, $u:ty) => {
785	assert_eq!(
786	mem::size_of::<MaxAlignsOf<$t, $u>>(),
787	core::cmp::max(mem::align_of::<$t>(), mem::align_of::<$u>())
788	);
789	};
790	}
791
792	test!(u8, u8);
793	test!(u8, AU64);
794	test!(AU64, u8);
795	}
796
797	#[test]
798	fn test_typed_align_check() {
799	// Test that the type-based alignment check used in
800	// `assert_align_gt_eq!` behaves as expected.
801
802	macro_rules! assert_t_align_gteq_u_align {
803	($t:ty, $u:ty, $gteq:expr) => {
804	assert_eq!(
805	mem::size_of::<MaxAlignsOf<$t, $u>>() == mem::size_of::<AlignOf<$t>>(),
806	$gteq
807	);
808	};
809	}
810
811	assert_t_align_gteq_u_align!(u8, u8, `true`);
812	assert_t_align_gteq_u_align!(AU64, AU64, `true`);
813	assert_t_align_gteq_u_align!(AU64, u8, `true`);
814	assert_t_align_gteq_u_align!(u8, AU64, `false`);
815	}
816
817	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove
818	// this `cfg` when `size_of_val_raw` is stabilized.
819	#[allow(clippy::decimal_literal_representation)]
820	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
821	#[test]
822	fn test_trailing_field_offset() {
823	assert_eq!(mem::align_of::<Aligned64kAllocation>(), _64K);
824
825	macro_rules! test {
826	(#[$cfg:meta] ($($ts:ty),* ; $trailing_field_ty:ty) => $expect:expr) => {{
827	#[$cfg]
828	struct Test($(#[allow(dead_code)] $ts,)* #[allow(dead_code)] $trailing_field_ty);
829	assert_eq!(test!(@offset $($ts),* ; $trailing_field_ty), $expect);
830	}};
831	(#[$cfg:meta] $(#[$cfgs:meta])* ($($ts:ty),* ; $trailing_field_ty:ty) => $expect:expr) => {
832	test!(#[$cfg] ($($ts),* ; $trailing_field_ty) => $expect);
833	test!($(#[$cfgs])* ($($ts),* ; $trailing_field_ty) => $expect);
834	};
835	(@offset ; $_trailing:ty) => { trailing_field_offset!(Test, `0`) };
836	(@offset $_t:ty ; $_trailing:ty) => { trailing_field_offset!(Test, `1`) };
837	}
838
839	test!(#[repr(C)] #[repr(transparent)] #[repr(packed)](; u8) => Some(`0`));
840	test!(#[repr(C)] #[repr(transparent)] #[repr(packed)](; [u8]) => Some(`0`));
841	test!(#[repr(C)] #[repr(C, packed)] (u8; u8) => Some(`1`));
842	test!(#[repr(C)] (; AU64) => Some(`0`));
843	test!(#[repr(C)] (; [AU64]) => Some(`0`));
844	test!(#[repr(C)] (u8; AU64) => Some(`8`));
845	test!(#[repr(C)] (u8; [AU64]) => Some(`8`));
846	test!(#[repr(C)] (; Nested<u8, AU64>) => Some(`0`));
847	test!(#[repr(C)] (; Nested<u8, [AU64]>) => Some(`0`));
848	test!(#[repr(C)] (u8; Nested<u8, AU64>) => Some(`8`));
849	test!(#[repr(C)] (u8; Nested<u8, [AU64]>) => Some(`8`));
850
851	// Test that `packed(N)` limits the offset of the trailing field.
852	test!(#[repr(C, packed( `1`))] (u8; elain::Align< `2`>) => Some( `1`));
853	test!(#[repr(C, packed( `2`))] (u8; elain::Align< `4`>) => Some( `2`));
854	test!(#[repr(C, packed( `4`))] (u8; elain::Align< `8`>) => Some( `4`));
855	test!(#[repr(C, packed( `8`))] (u8; elain::Align< `16`>) => Some( `8`));
856	test!(#[repr(C, packed( `16`))] (u8; elain::Align< `32`>) => Some( `16`));
857	test!(#[repr(C, packed( `32`))] (u8; elain::Align< `64`>) => Some( `32`));
858	test!(#[repr(C, packed( `64`))] (u8; elain::Align< `128`>) => Some( `64`));
859	test!(#[repr(C, packed( `128`))] (u8; elain::Align< `256`>) => Some( `128`));
860	test!(#[repr(C, packed( `256`))] (u8; elain::Align< `512`>) => Some( `256`));
861	test!(#[repr(C, packed( `512`))] (u8; elain::Align< `1024`>) => Some( `512`));
862	test!(#[repr(C, packed( `1024`))] (u8; elain::Align< `2048`>) => Some( `1024`));
863	test!(#[repr(C, packed( `2048`))] (u8; elain::Align< `4096`>) => Some( `2048`));
864	test!(#[repr(C, packed( `4096`))] (u8; elain::Align< `8192`>) => Some( `4096`));
865	test!(#[repr(C, packed( `8192`))] (u8; elain::Align< `16384`>) => Some( `8192`));
866	test!(#[repr(C, packed( `16384`))] (u8; elain::Align< `32768`>) => Some( `16384`));
867	test!(#[repr(C, packed( `32768`))] (u8; elain::Align< `65536`>) => Some( `32768`));
868	test!(#[repr(C, packed( `65536`))] (u8; elain::Align< `131072`>) => Some( `65536`));
869	/ Alignments above 65536 are not yet supported.*
870	test!(#[repr(C, packed( 131072))] (u8; elain::Align< 262144>) => Some( 131072));
871	test!(#[repr(C, packed( 262144))] (u8; elain::Align< 524288>) => Some( 262144));
872	test!(#[repr(C, packed( 524288))] (u8; elain::Align< 1048576>) => Some( 524288));
873	test!(#[repr(C, packed( 1048576))] (u8; elain::Align< 2097152>) => Some( 1048576));
874	test!(#[repr(C, packed( 2097152))] (u8; elain::Align< 4194304>) => Some( 2097152));
875	test!(#[repr(C, packed( 4194304))] (u8; elain::Align< 8388608>) => Some( 4194304));
876	test!(#[repr(C, packed( 8388608))] (u8; elain::Align< 16777216>) => Some( 8388608));
877	test!(#[repr(C, packed( 16777216))] (u8; elain::Align< 33554432>) => Some( 16777216));
878	test!(#[repr(C, packed( 33554432))] (u8; elain::Align< 67108864>) => Some( 33554432));
879	test!(#[repr(C, packed( 67108864))] (u8; elain::Align< 33554432>) => Some( 67108864));
880	test!(#[repr(C, packed( 33554432))] (u8; elain::Align<134217728>) => Some( 33554432));
881	test!(#[repr(C, packed(134217728))] (u8; elain::Align<268435456>) => Some(134217728));
882	test!(#[repr(C, packed(268435456))] (u8; elain::Align<268435456>) => Some(268435456));
883	*/
884
885	// Test that `align(N)` does not limit the offset of the trailing field.
886	test!(#[repr(C, align( `1`))] (u8; elain::Align< `2`>) => Some( `2`));
887	test!(#[repr(C, align( `2`))] (u8; elain::Align< `4`>) => Some( `4`));
888	test!(#[repr(C, align( `4`))] (u8; elain::Align< `8`>) => Some( `8`));
889	test!(#[repr(C, align( `8`))] (u8; elain::Align< `16`>) => Some( `16`));
890	test!(#[repr(C, align( `16`))] (u8; elain::Align< `32`>) => Some( `32`));
891	test!(#[repr(C, align( `32`))] (u8; elain::Align< `64`>) => Some( `64`));
892	test!(#[repr(C, align( `64`))] (u8; elain::Align< `128`>) => Some( `128`));
893	test!(#[repr(C, align( `128`))] (u8; elain::Align< `256`>) => Some( `256`));
894	test!(#[repr(C, align( `256`))] (u8; elain::Align< `512`>) => Some( `512`));
895	test!(#[repr(C, align( `512`))] (u8; elain::Align< `1024`>) => Some( `1024`));
896	test!(#[repr(C, align( `1024`))] (u8; elain::Align< `2048`>) => Some( `2048`));
897	test!(#[repr(C, align( `2048`))] (u8; elain::Align< `4096`>) => Some( `4096`));
898	test!(#[repr(C, align( `4096`))] (u8; elain::Align< `8192`>) => Some( `8192`));
899	test!(#[repr(C, align( `8192`))] (u8; elain::Align< `16384`>) => Some( `16384`));
900	test!(#[repr(C, align( `16384`))] (u8; elain::Align< `32768`>) => Some( `32768`));
901	test!(#[repr(C, align( `32768`))] (u8; elain::Align< `65536`>) => Some( `65536`));
902	/ Alignments above 65536 are not yet supported.*
903	test!(#[repr(C, align( 65536))] (u8; elain::Align< 131072>) => Some( 131072));
904	test!(#[repr(C, align( 131072))] (u8; elain::Align< 262144>) => Some( 262144));
905	test!(#[repr(C, align( 262144))] (u8; elain::Align< 524288>) => Some( 524288));
906	test!(#[repr(C, align( 524288))] (u8; elain::Align< 1048576>) => Some( 1048576));
907	test!(#[repr(C, align( 1048576))] (u8; elain::Align< 2097152>) => Some( 2097152));
908	test!(#[repr(C, align( 2097152))] (u8; elain::Align< 4194304>) => Some( 4194304));
909	test!(#[repr(C, align( 4194304))] (u8; elain::Align< 8388608>) => Some( 8388608));
910	test!(#[repr(C, align( 8388608))] (u8; elain::Align< 16777216>) => Some( 16777216));
911	test!(#[repr(C, align( 16777216))] (u8; elain::Align< 33554432>) => Some( 33554432));
912	test!(#[repr(C, align( 33554432))] (u8; elain::Align< 67108864>) => Some( 67108864));
913	test!(#[repr(C, align( 67108864))] (u8; elain::Align< 33554432>) => Some( 33554432));
914	test!(#[repr(C, align( 33554432))] (u8; elain::Align<134217728>) => Some(134217728));
915	test!(#[repr(C, align(134217728))] (u8; elain::Align<268435456>) => Some(268435456));
916	*/
917	}
918
919	// TODO(#29), TODO(https://github.com/rust-lang/rust/issues/69835): Remove
920	// this `cfg` when `size_of_val_raw` is stabilized.
921	#[allow(clippy::decimal_literal_representation)]
922	#[cfg(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS)]
923	#[test]
924	fn test_align_of_dst() {
925	// Test that `align_of!` correctly computes the alignment of DSTs.
926	assert_eq!(align_of!([elain::Align<`1`>]), Some(`1`));
927	assert_eq!(align_of!([elain::Align<`2`>]), Some(`2`));
928	assert_eq!(align_of!([elain::Align<`4`>]), Some(`4`));
929	assert_eq!(align_of!([elain::Align<`8`>]), Some(`8`));
930	assert_eq!(align_of!([elain::Align<`16`>]), Some(`16`));
931	assert_eq!(align_of!([elain::Align<`32`>]), Some(`32`));
932	assert_eq!(align_of!([elain::Align<`64`>]), Some(`64`));
933	assert_eq!(align_of!([elain::Align<`128`>]), Some(`128`));
934	assert_eq!(align_of!([elain::Align<`256`>]), Some(`256`));
935	assert_eq!(align_of!([elain::Align<`512`>]), Some(`512`));
936	assert_eq!(align_of!([elain::Align<`1024`>]), Some(`1024`));
937	assert_eq!(align_of!([elain::Align<`2048`>]), Some(`2048`));
938	assert_eq!(align_of!([elain::Align<`4096`>]), Some(`4096`));
939	assert_eq!(align_of!([elain::Align<`8192`>]), Some(`8192`));
940	assert_eq!(align_of!([elain::Align<`16384`>]), Some(`16384`));
941	assert_eq!(align_of!([elain::Align<`32768`>]), Some(`32768`));
942	assert_eq!(align_of!([elain::Align<`65536`>]), Some(`65536`));
943	/ Alignments above 65536 are not yet supported.*
944	assert_eq!(align_of!([elain::Align<131072>]), Some(131072));
945	assert_eq!(align_of!([elain::Align<262144>]), Some(262144));
946	assert_eq!(align_of!([elain::Align<524288>]), Some(524288));
947	assert_eq!(align_of!([elain::Align<1048576>]), Some(1048576));
948	assert_eq!(align_of!([elain::Align<2097152>]), Some(2097152));
949	assert_eq!(align_of!([elain::Align<4194304>]), Some(4194304));
950	assert_eq!(align_of!([elain::Align<8388608>]), Some(8388608));
951	assert_eq!(align_of!([elain::Align<16777216>]), Some(16777216));
952	assert_eq!(align_of!([elain::Align<33554432>]), Some(33554432));
953	assert_eq!(align_of!([elain::Align<67108864>]), Some(67108864));
954	assert_eq!(align_of!([elain::Align<33554432>]), Some(33554432));
955	assert_eq!(align_of!([elain::Align<134217728>]), Some(134217728));
956	assert_eq!(align_of!([elain::Align<268435456>]), Some(268435456));
957	*/
958	}
959
960	#[test]
961	fn test_enum_casts() {
962	// Test that casting the variants of enums with signed integer reprs to
963	// unsigned integers obeys expected signed -> unsigned casting rules.
964
965	#[repr(i8)]
966	enum ReprI8 {
967	MinusOne = `-1`,
968	Zero = `0`,
969	Min = i8::MIN,
970	Max = i8::MAX,
971	}
972
973	#[allow(clippy::as_conversions)]
974	let x = ReprI8::MinusOne as u8;
975	assert_eq!(x, u8::MAX);
976
977	#[allow(clippy::as_conversions)]
978	let x = ReprI8::Zero as u8;
979	assert_eq!(x, `0`);
980
981	#[allow(clippy::as_conversions)]
982	let x = ReprI8::Min as u8;
983	assert_eq!(x, `128`);
984
985	#[allow(clippy::as_conversions)]
986	let x = ReprI8::Max as u8;
987	assert_eq!(x, `127`);
988	}
989
990	#[test]
991	fn test_struct_has_padding() {
992	// Test that, for each provided repr, `struct_has_padding!` reports the
993	// expected value.
994	macro_rules! test {
995	(#[$cfg:meta] ($($ts:ty),*) => $expect:expr) => {{
996	#[$cfg]
997	struct Test($(#[allow(dead_code)] $ts),*);
998	assert_eq!(struct_has_padding!(Test, [$($ts),*]), $expect);
999	}};
1000	(#[$cfg:meta] $(#[$cfgs:meta])* ($($ts:ty),*) => $expect:expr) => {
1001	test!(#[$cfg] ($($ts),*) => $expect);
1002	test!($(#[$cfgs])* ($($ts),*) => $expect);
1003	};
1004	}
1005
1006	test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] () => `false`);
1007	test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] (u8) => `false`);
1008	test!(#[repr(C)] #[repr(transparent)] #[repr(packed)] (u8, ()) => `false`);
1009	test!(#[repr(C)] #[repr(packed)] (u8, u8) => `false`);
1010
1011	test!(#[repr(C)] (u8, AU64) => `true`);
1012	// Rust won't let you put `#[repr(packed)]` on a type which contains a
1013	// `#[repr(align(n > 1))]` type (`AU64`), so we have to use `u64` here.
1014	// It's not ideal, but it definitely has align > 1 on /some/ of our CI
1015	// targets, and this isn't a particularly complex macro we're testing
1016	// anyway.
1017	test!(#[repr(packed)] (u8, u64) => `false`);
1018	}
1019
1020	#[test]
1021	fn test_union_has_padding() {
1022	// Test that, for each provided repr, `union_has_padding!` reports the
1023	// expected value.
1024	macro_rules! test {
1025	(#[$cfg:meta] {$($fs:ident: $ts:ty),*} => $expect:expr) => {{
1026	#[$cfg]
1027	#[allow(unused)] // fields are never read
1028	union Test{ $($fs: $ts),* }
1029	assert_eq!(union_has_padding!(Test, [$($ts),*]), $expect);
1030	}};
1031	(#[$cfg:meta] $(#[$cfgs:meta])* {$($fs:ident: $ts:ty),*} => $expect:expr) => {
1032	test!(#[$cfg] {$($fs: $ts),*} => $expect);
1033	test!($(#[$cfgs])* {$($fs: $ts),*} => $expect);
1034	};
1035	}
1036
1037	test!(#[repr(C)] #[repr(packed)] {a: u8} => `false`);
1038	test!(#[repr(C)] #[repr(packed)] {a: u8, b: u8} => `false`);
1039
1040	// Rust won't let you put `#[repr(packed)]` on a type which contains a
1041	// `#[repr(align(n > 1))]` type (`AU64`), so we have to use `u64` here.
1042	// It's not ideal, but it definitely has align > 1 on /some/ of our CI
1043	// targets, and this isn't a particularly complex macro we're testing
1044	// anyway.
1045	test!(#[repr(C)] #[repr(packed)] {a: u8, b: u64} => `true`);
1046	}
1047
1048	#[test]
1049	fn test_enum_has_padding() {
1050	// Test that, for each provided repr, `enum_has_padding!` reports the
1051	// expected value.
1052	macro_rules! test {
1053	(#[repr($disc:ident $(, $c:ident)?)] { $($vs:ident ($($ts:ty),),) } => $expect:expr) => {
1054	test!(@case #[repr($disc $(, $c)?)] { $($vs ($($ts),),) } => $expect);
1055	};
1056	(#[repr($disc:ident $(, $c:ident)?)] #[$cfg:meta] $(#[$cfgs:meta])* { $($vs:ident ($($ts:ty),),) } => $expect:expr) => {
1057	test!(@case #[repr($disc $(, $c)?)] #[$cfg] { $($vs ($($ts),),) } => $expect);
1058	test!(#[repr($disc $(, $c)?)] $(#[$cfgs])* { $($vs ($($ts),),) } => $expect);
1059	};
1060	(@case #[repr($disc:ident $(, $c:ident)?)] $(#[$cfg:meta])? { $($vs:ident ($($ts:ty),),) } => $expect:expr) => {{
1061	#[repr($disc $(, $c)?)]
1062	$(#[$cfg])?
1063	#[allow(unused)] // variants and fields are never used
1064	enum Test {
1065	$($vs ($($ts),),)
1066	}
1067	assert_eq!(
1068	enum_has_padding!(Test, $disc, $([$($ts),]),),
1069	$expect
1070	);
1071	}};
1072	}
1073
1074	#[allow(unused)]
1075	#[repr(align(`2`))]
1076	struct U16(u16);
1077
1078	#[allow(unused)]
1079	#[repr(align(`4`))]
1080	struct U32(u32);
1081
1082	test!(#[repr(u8)] #[repr(C)] {
1083	A(u8),
1084	} => `false`);
1085	test!(#[repr(u16)] #[repr(C)] {
1086	A(u8, u8),
1087	B(U16),
1088	} => `false`);
1089	test!(#[repr(u32)] #[repr(C)] {
1090	A(u8, u8, u8, u8),
1091	B(U16, u8, u8),
1092	C(u8, u8, U16),
1093	D(U16, U16),
1094	E(U32),
1095	} => `false`);
1096
1097	// `repr(int)` can pack the discriminant more efficiently
1098	test!(#[repr(u8)] {
1099	A(u8, U16),
1100	} => `false`);
1101	test!(#[repr(u8)] {
1102	A(u8, U16, U32),
1103	} => `false`);
1104
1105	// `repr(C)` cannot
1106	test!(#[repr(u8, C)] {
1107	A(u8, U16),
1108	} => `true`);
1109	test!(#[repr(u8, C)] {
1110	A(u8, u8, u8, U32),
1111	} => `true`);
1112
1113	// And field ordering can always cause problems
1114	test!(#[repr(u8)] #[repr(C)] {
1115	A(U16, u8),
1116	} => `true`);
1117	test!(#[repr(u8)] #[repr(C)] {
1118	A(U32, u8, u8, u8),
1119	} => `true`);
1120	}
1121	}
1122