Teach transmute_{ref,mut}! to handle slice DSTs#2428
Merged
Conversation
This was referenced Mar 7, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
6 times, most recently
from
829b199 to
a7c40db
Compare
joshlf
force-pushed
the
I70d5aa5ace6bd2e39e679eac7f00a66d4b843d57
branch
from
4d09d7c to
f2ec335
Compare
Base automatically changed from
I70d5aa5ace6bd2e39e679eac7f00a66d4b843d57
to
main
March 8, 2025 19:16
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
3 times, most recently
from
98bbab7 to
5196fac
Compare
joshlf
commented
Mar 9, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
398966d to
976b234
Compare
joshlf
changed the base branch from
main
to
I691b42ce8c0c3c6e5990e7684fc66f8f5dd73d85
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
4 times, most recently
from
bd3b50a to
e972a2c
Compare
joshlf
commented
Mar 9, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
e2b7f7d to
459de15
Compare
Base automatically changed from
I691b42ce8c0c3c6e5990e7684fc66f8f5dd73d85
to
main
March 11, 2025 19:21
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
from
459de15 to
424ddb4
Compare
joshlf
changed the base branch from
main
to
Icdb256acfdb274f34312cf5b216a02ca426338a1
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
7 times, most recently
from
ac7fd3f to
85cbc73
Compare
jswrenn
reviewed
Mar 25, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
5ebdc1a to
7d27689
Compare
jswrenn
requested changes
Mar 25, 2025
11 tasks
jswrenn
reviewed
Mar 25, 2025
Comment on lines
+323
to
+325
| /// Implementations of `cast_from_raw` must satisfy that method's safety | ||
| /// post-condition. | ||
| pub unsafe trait SizeCompat<Src: ?Sized> { |
Collaborator
There was a problem hiding this comment.
We don't need to do this now, but it'd be more idiomatic to name this CastFrom, after its method (and source of safety conditions). That name also conveys directionality, unlike SizeCompat.
jswrenn
reviewed
Mar 25, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
c5ae106 to
2d585bc
Compare
jswrenn
previously approved these changes
Mar 25, 2025
joshlf
force-pushed
the
Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
branch
2 times, most recently
from
8a04b30 to
3931fcf
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2428 +/- ##
==========================================
- Coverage 89.25% 88.85% -0.40%
==========================================
Files 19 20 +1
Lines 5126 5312 +186
==========================================
+ Hits 4575 4720 +145
- Misses 551 592 +41 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
joshlf
commented
Mar 25, 2025
| } | ||
| } | ||
|
|
||
| // TODO: Update all `TransmuteFrom` safety proofs. |
This was referenced Mar 28, 2025
jswrenn
reviewed
Jun 3, 2025
jswrenn
reviewed
Jun 3, 2025
| // so permits interior mutation exactly when `T` does. | ||
| unsafe_impl!(T: ?Sized + Immutable => Immutable for $dst<T>); | ||
|
|
||
| $blk |
Collaborator
There was a problem hiding this comment.
Wonder if the outer unsafe required to currently call this macro leaks into cover $blk.
Member
Author
There was a problem hiding this comment.
Tried offline; turned out to be very difficult, so we're going to punt for now.
jswrenn
reviewed
Jun 3, 2025
Comment on lines
+888
to
+899
| if 1 == 0 { | ||
| let ptr = <$t as KnownLayout>::raw_dangling(); | ||
| #[allow(unused_unsafe)] | ||
| // SAFETY: This call is never executed. | ||
| let ptr = unsafe { crate::pointer::PtrInner::new(ptr) }; | ||
| #[allow(unused_unsafe)] | ||
| // SAFETY: This call is never executed. | ||
| let ptr = unsafe { cast!(ptr) }; | ||
| let _ = <$dst<$u> as SizeEq<$src<$t>>>::cast_from_raw(ptr); | ||
| } |
Collaborator
There was a problem hiding this comment.
We should drop a comment as to why this block exists.
Collaborator
There was a problem hiding this comment.
Is this okay? Can we rely on this PME occuring despite this code being dead?
Member
Author
There was a problem hiding this comment.
Comment: Done.
Can we rely on the PME: Maybe not, but the follow-up PR will ensure that it's sound since SizeEq will no longer convey a safety post-condition that can be consumed by unsafe code - the only way to use it will be via SizeEq::cast_from_raw, which will guarantee that the PME is triggered.
We generalize our existing support in `util::macro_util`, now relying on PMEs to detect when transmutes cannot be supported. In order to continue to support sized reference transmutation in a `const` context, we use the autoref specialization trick to fall back to our old (`const`-safe) implementation when both the source and destination type are `Sized`. The main challenge in generalizing this support is making a trait implementation available conditional on a PME. We do this using the `unsafe_with_size_eq!` helper macro, which introduces `#[repr(transparent)]` wrapper types, `Src` and `Dst`. Internal to this macro, we implement `SizeEq<Src<T>> for Dst<U>`, with the implementation of `SizeEq::cast_from_raw` containing the PME logic for size equality. The macro's caller must promise to only use the `Src` and `Dst` types to wrap the `T` and `U` types for which this PME logic has been applied (or else the `SizeEq` impl could "leak" to types for which it is unsound). In addition, we generalize our prior support for transmuting between unsized types. In particular, we previously used the `SizeEq` trait to denote that two types have equal sizes in the face of a cast operation (in particular, that `*const T as *const U` preserves referent size). In this commit, we add support for metadata fix-up, which means that we support casts for which `*const T as *const U` does *not* preserve referent size. Instead, we compute an affine function at compile time and apply it at runtime - computing the destination type's metadata as a function of the source metadata, `dst_meta = A + src_meta * B`. `A` and `B` are computed at compile time. We generalize `SizeEq` to permit its `cast_from_raw` method to perform a runtime metadata fix-up operation. Makes progress on #1817 Co-authored-by: Jack Wrenn <jswrenn@amazon.com> gherrit-pr-id: Ib4bc62202e0b3b09d155333b525087f7aa8f02c2
jswrenn
approved these changes
Jun 3, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We generalize our existing support in
util::macro_util, now relying onPMEs to detect when transmutes cannot be supported. In order to continue
to support sized reference transmutation in a
constcontext, we usethe autoref specialization trick to fall back to our old (
const-safe)implementation when both the source and destination type are
Sized.The main challenge in generalizing this support is making a trait
implementation available conditional on a PME. We do this using the
unsafe_with_size_eq!helper macro, which introduces#[repr(transparent)]wrapper types,SrcandDst. Internal to thismacro, we implement
SizeEq<Src<T>> for Dst<U>, with the implementationof
SizeEq::cast_from_rawcontaining the PME logic for size equality.The macro's caller must promise to only use the
SrcandDsttypesto wrap the
TandUtypes for which this PME logic has been applied(or else the
SizeEqimpl could "leak" to types for which it isunsound).
In addition, we generalize our prior support for transmuting between
unsized types. In particular, we previously used the
SizeEqtrait todenote that two types have equal sizes in the face of a cast operation
(in particular, that
*const T as *const Upreserves referent size). Inthis commit, we add support for metadata fix-up, which means that we
support casts for which
*const T as *const Udoes not preservereferent size. Instead, we compute an affine function at compile time
and apply it at runtime - computing the destination type's metadata as a
function of the source metadata,
dst_meta = A + src_meta * B.AandBare computed at compile time.We generalize
SizeEqto permit itscast_from_rawmethod to perform aruntime metadata fix-up operation.
Makes progress on #1817
Co-authored-by: Jack Wrenn jswrenn@amazon.com
This PR is on branch transmute-ref-dst.
TransmuteFromsafety proofs #2469