Skip to content

Commit

Permalink
document & impl the transmutation modeled by BikeshedIntrinsicFrom
Browse files Browse the repository at this point in the history
Documents that `BikeshedIntrinsicFrom` models transmute-via-union,
which is slightly more expressive than the transmute-via-cast
implemented by `transmute_copy`. Additionally, we provide an
implementation of transmute-via-union as a method on the
`BikeshedIntrinsicFrom` trait with additional documentation on
the boundary between trait invariants and caller obligations.

Whether or not transmute-via-union is the right kind of transmute
to model remains up for discussion [1]. Regardless, it seems wise
to document the present behavior.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20'kind'.20of.20transmute.20to.20model.3F/near/426331967
  • Loading branch information
jswrenn committed Aug 14, 2024
1 parent 91376f4 commit 1c0e7fa
Show file tree
Hide file tree
Showing 2 changed files with 156 additions and 14 deletions.
5 changes: 5 additions & 0 deletions compiler/rustc_ty_utils/src/instance.rs
Original file line number Diff line number Diff line change
Expand Up @@ -363,6 +363,11 @@ fn resolve_associated_item<'tcx>(
tcx.item_name(trait_item_id)
),
}
} else if tcx.is_lang_item(trait_ref.def_id, LangItem::TransmuteTrait) {
let name = tcx.item_name(trait_item_id);
assert_eq!(name, sym::transmute);
let args = tcx.erase_regions(rcvr_args);
Some(ty::Instance::new(trait_item_id, args))
} else {
Instance::try_resolve_item_for_coroutine(tcx, trait_item_id, trait_id, rcvr_args)
}
Expand Down
165 changes: 151 additions & 14 deletions library/core/src/mem/transmutability.rs
Original file line number Diff line number Diff line change
@@ -1,10 +1,79 @@
use crate::marker::{ConstParamTy_, UnsizedConstParamTy};

/// Are values of a type transmutable into values of another type?
/// Marks that `Src` is transmutable into `Self`.
///
/// This trait is implemented on-the-fly by the compiler for types `Src` and `Self` when the bits of
/// any value of type `Self` are safely transmutable into a value of type `Dst`, in a given `Context`,
/// notwithstanding whatever safety checks you have asked the compiler to [`Assume`] are satisfied.
/// # Implementation
///
/// This trait cannot be implemented explicitly. It is implemented on-the-fly by
/// the compiler for all types `Src` and `Self` such that, given a set of safety
/// obligations on the programmer (see [`Assume`]), the compiler has proved that
/// the bits of a value of type `Src` can be soundly reinterpreted as a `Self`.
///
/// Specifically, this trait models (and
/// [implements](BikeshedIntrinsicFrom::transmute)) the semantics of
/// transmute-via-union; i.e.:
///
/// ```rust
/// pub unsafe fn transmute_via_union<Src, Dst>(src: Src) -> Dst {
/// use core::mem::ManuallyDrop;
///
/// #[repr(C)]
/// union Transmute<Src, Dst> {
/// src: ManuallyDrop<Src>,
/// dst: ManuallyDrop<Dst>,
/// }
///
/// let transmute = Transmute {
/// src: ManuallyDrop::new(src),
/// };
///
/// let dst = transmute.dst;
///
/// ManuallyDrop::into_inner(dst)
/// }
/// ```
///
/// Note that this construction supports some transmutations forbidden by
/// [`mem::transmute_copy`](super::transmute_copy); namely, transmutations that
/// extend the bits of `Src` with trailing padding to fill trailing
/// uninitialized bytes of `Self`; e.g.:
///
/// ```
/// #![feature(transmutability)]
///
/// use core::mem::{Assume, BikeshedIntrinsicFrom};
///
/// let src = 42u8; // size = 1
///
/// #[repr(C, align(2))]
/// struct Dst(u8); // size = 2
//
/// let _ = unsafe {
/// <Dst as BikeshedIntrinsicFrom<u8, { Assume::SAFETY }>>::transmute(src)
/// };
/// ```
///
/// ## Portability
///
/// Implementations of this trait do not provide any guarantee of portability
/// across toolchains, targets or compilations. This trait may be implemented
/// for certain combinations of `Src`, `Self` and `ASSUME` on some toolchains,
/// targets or compilations, but not others. For example, if the layouts of
/// `Src` or `Self` are non-deterministic, the presence or absence of an
/// implementation of this trait may also be non-deterministic. Even if `Src`
/// and `Self` have deterministic layouts (e.g., they are `repr(C)` structs),
/// Rust does not specify the alignments of its primitive integer types, and
/// layouts that involve these types may vary across toolchains.
///
/// ## Stability
///
/// Implementations of this trait do not provide any guarantee of SemVer
/// stability across the crate versions that define the `Src` and `Self` types.
/// If SemVer stability is crucial to your application, you must consult the
/// documentation of `Src` and `Self`s' defining crates. Note that the presence
/// of `repr(C)`, alone, does not carry a safety invariant of SemVer stability.
/// Furthermore, stability does not imply portability. For example, the size of
/// `usize` is stable, but not portable.
#[unstable(feature = "transmutability", issue = "99571")]
#[lang = "transmute_trait"]
#[rustc_deny_explicit_impl(implement_via_object = false)]
Expand All @@ -13,28 +82,96 @@ pub unsafe trait BikeshedIntrinsicFrom<Src, const ASSUME: Assume = { Assume::NOT
where
Src: ?Sized,
{
/// Transmutes a `Src` value into a `Self`.
///
/// # Safety
///
/// The safety obligations of the caller depend on the value of `ASSUME`:
/// - If [`ASSUME.alignment`](Assume::alignment), the caller must guarantee
/// that the addresses of references in the returned `Self` satisfy the
/// alignment requirements of their referent types.
/// - If [`ASSUME.lifetimes`](Assume::lifetimes), the caller must guarantee
/// that references in the returned `Self` will not outlive their
/// referents.
/// - If [`ASSUME.safety`](Assume::safety), the returned value might not
/// satisfy the library safety invariants of `Self`, and the caller must
/// guarantee that undefined behavior does not arise from uses of the
/// returned value.
/// - If [`ASSUME.validity`](Assume::validity), the caller must guarantee
/// that `src` is a bit-valid instance of `Self`.
///
/// When satisfying the above obligations (if any), the caller must *not*
/// assume that this trait provides any inherent guarantee of layout
/// [portability](#portability) or [stability](#stability).
unsafe fn transmute(src: Src) -> Self
where
Src: Sized,
Self: Sized,
{
use super::ManuallyDrop;

#[repr(C)]
union Transmute<Src, Dst> {
src: ManuallyDrop<Src>,
dst: ManuallyDrop<Dst>,
}

let transmute = Transmute { src: ManuallyDrop::new(src) };

// SAFETY: It is safe to reinterpret the bits of `src` as a value of
// type `Self`, because, by combination of invariant on this trait and
// contract on the caller, `src` has been proven to satisfy both the
// language and library invariants of `Self`. For all invariants not
// `ASSUME`'d by the caller, the safety obligation is supplied by the
// compiler. Conversely, for all invariants `ASSUME`'d by the caller,
// the safety obligation is supplied by contract on the caller.
let dst = unsafe { transmute.dst };

ManuallyDrop::into_inner(dst)
}
}

/// What transmutation safety conditions shall the compiler assume that *you* are checking?
/// Configurable proof assumptions of [`BikeshedIntrinsicFrom`].
///
/// When `false`, the respective proof obligation belongs to the compiler. When
/// `true`, the onus of the safety proof belongs to the programmer.
/// [`BikeshedIntrinsicFrom`].
#[unstable(feature = "transmutability", issue = "99571")]
#[lang = "transmute_opts"]
#[derive(PartialEq, Eq, Clone, Copy, Debug)]
pub struct Assume {
/// When `true`, the compiler assumes that *you* are ensuring (either dynamically or statically) that
/// destination referents do not have stricter alignment requirements than source referents.
/// When `false`, [`BikeshedIntrinsicFrom`] is not implemented for
/// transmutations that might violate the the alignment requirements of
/// references.
///
/// When `true`, [`BikeshedIntrinsicFrom`] assumes that *you* have ensured
/// that that references in the transmuted value satisfy the alignment
/// requirements of their referent types.
pub alignment: bool,

/// When `true`, the compiler assume that *you* are ensuring that lifetimes are not extended in a manner
/// that violates Rust's memory model.
/// When `false`, [`BikeshedIntrinsicFrom`] is not implemented for
/// transmutations that extend the lifetimes of references.
///
/// When `true`, [`BikeshedIntrinsicFrom`] assumes that *you* have ensured
/// that that references in the transmuted value do not outlive their
/// referents.
pub lifetimes: bool,

/// When `true`, the compiler assumes that *you* have ensured that no
/// unsoundness will arise from violating the safety invariants of the
/// destination type (and sometimes of the source type, too).
/// When `false`, [`BikeshedIntrinsicFrom`] is not implemented for
/// transmutations that might violate the library safety invariants of the
/// return type.
///
/// When `true`, [`BikeshedIntrinsicFrom`] assumes that *you* have ensured
/// that undefined behavior does not arise from using the returned value.
pub safety: bool,

/// When `true`, the compiler assumes that *you* are ensuring that the source type is actually a valid
/// instance of the destination type.
/// When `false`, [`BikeshedIntrinsicFrom`] is not implemented for
/// transmutations that might violate the language-level bit-validity
/// invariant of the return type.
///
/// When `true`, [`BikeshedIntrinsicFrom`] assumes that *you* have ensured
/// that the value being transmuted is a bit-valid instance of the return
/// type.
pub validity: bool,
}

Expand Down

0 comments on commit 1c0e7fa

Please sign in to comment.