[pointer] Add generic Cast framework

Add `unsafe trait Cast`, which is implemented by any raw pointer cast.
Use this to unify `PtrInner` and `Ptr` casts and field projections and
`SizeEq` casts.

gherrit-pr-id: G57b42ad4ff767a765f9b4ac149aa1c19d3796711

Author: joshlf

src/impls.rs

@@ -426,7 +426,7 @@ mod atomics {
             crate::util::macros::__unsafe();
 
             use core::cell::UnsafeCell;
-            use crate::pointer::{PtrInner, SizeEq, TransmuteFrom, invariant::Valid};
+            use crate::pointer::{SizeEq, TransmuteFrom, invariant::Valid};
 
             $(
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
@@ -439,21 +439,11 @@ mod atomics {
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
                 // the same size.
                 unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
-                    #[inline]
-                    fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, $prim> {
-                        // SAFETY: The caller promised that `$atomic` and
-                        // `$prim` have the same size. Thus, this cast preserves
-                        // address, referent size, and provenance.
-                        unsafe { cast!(a) }
-                    }
+                    type CastFrom = $crate::pointer::cast::CastSized;
                 }
                 // SAFETY: See previous safety comment.
                 unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
-                    #[inline]
-                    fn cast_from_raw(p: PtrInner<'_, $prim>) -> PtrInner<'_, $atomic> {
-                        // SAFETY: See previous safety comment.
-                        unsafe { cast!(p) }
-                    }
+                    type CastFrom = $crate::pointer::cast::CastSized;
                 }
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
                 // the same size. `UnsafeCell<T>` has the same size as `T` [1].
@@ -464,19 +454,11 @@ mod atomics {
                 //   its inner type `T`. A consequence of this guarantee is that
                 //   it is possible to convert between `T` and `UnsafeCell<T>`.
                 unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
-                    #[inline]
-                    fn cast_from_raw(a: PtrInner<'_, $atomic>) -> PtrInner<'_, UnsafeCell<$prim>> {
-                        // SAFETY: See previous safety comment.
-                        unsafe { cast!(a) }
-                    }
+                    type CastFrom = $crate::pointer::cast::CastSized;
                 }
                 // SAFETY: See previous safety comment.
                 unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
-                    #[inline]
-                    fn cast_from_raw(p: PtrInner<'_, UnsafeCell<$prim>>) -> PtrInner<'_, $atomic> {
-                        // SAFETY: See previous safety comment.
-                        unsafe { cast!(p) }
-                    }
+                    type CastFrom = $crate::pointer::cast::CastSized;
                 }
 
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
@@ -818,7 +800,7 @@ const _: () = {
     // private field, and because it is the name it is referred to in the public
     // documentation of `ManuallyDrop::new`, `ManuallyDrop::into_inner`,
     // `ManuallyDrop::take` and `ManuallyDrop::drop`.
-    unsafe impl<T> HasField<value, 0, { crate::ident_id!(value) }> for ManuallyDrop<T> {
+    unsafe impl<T: ?Sized> HasField<value, 0, { crate::ident_id!(value) }> for ManuallyDrop<T> {
         type Type = T;
 
         #[inline]
@@ -829,15 +811,15 @@ const _: () = {
         }
 
         #[inline(always)]
-        fn project(slf: PtrInner<'_, Self>) -> PtrInner<'_, T> {
+        fn project(slf: *mut Self) -> *mut T {
             // SAFETY: `ManuallyDrop<T>` has the same layout and bit validity as
             // `T` [1].
             //
             // [1] Per https://doc.rust-lang.org/1.85.0/std/mem/struct.ManuallyDrop.html:
             //
             //   `ManuallyDrop<T>` is guaranteed to have the same layout and bit
             //   validity as `T`
-            unsafe { slf.cast() }
+            slf as *mut T
         }
     }
 };

src/layout.rs

@@ -738,10 +738,29 @@ impl DstLayout {
     }
 }
 
-pub(crate) use cast_from_raw::cast_from_raw;
+pub(crate) use cast_from_raw::CastFromRaw;
 mod cast_from_raw {
     use crate::{pointer::PtrInner, *};
 
+    pub(crate) struct CastFromRaw<Dst: ?Sized>(PhantomData<Dst>);
+
+    impl<Dst: ?Sized> Default for CastFromRaw<Dst> {
+        fn default() -> Self {
+            Self(PhantomData)
+        }
+    }
+
+    unsafe impl<Src, Dst> crate::pointer::cast::Cast<Src, Dst> for CastFromRaw<Dst>
+    where
+        Src: KnownLayout<PointerMetadata = usize> + ?Sized,
+        Dst: KnownLayout<PointerMetadata = usize> + ?Sized,
+    {
+        unsafe fn cast(self, src: *mut Src) -> *mut Dst {
+            let src = unsafe { PtrInner::new(NonNull::new_unchecked(src)) };
+            cast_from_raw(src).as_non_null().as_ptr()
+        }
+    }
+
     /// Implements [`<Dst as SizeEq<Src>>::cast_from_raw`][cast_from_raw].
     ///
     /// # PME

src/lib.rs

@@ -1113,7 +1113,7 @@ pub unsafe trait HasField<Field, const VARIANT_ID: u128, const FIELD_ID: u128> {
     type Type: ?Sized;
 
     /// Projects from `slf` to the field.
-    fn project(slf: PtrInner<'_, Self>) -> PtrInner<'_, Self::Type>;
+    fn project(slf: *mut Self) -> *mut Self::Type;
 }
 
 /// Analyzes whether a type is [`FromZeros`].

src/pointer/inner.rs

@@ -6,14 +6,15 @@
 // This file may not be copied, modified, or distributed except according to
 // those terms.
 
-use core::{marker::PhantomData, mem, ops::Range, ptr::NonNull};
+use core::{marker::PhantomData, ops::Range, ptr::NonNull};
 
 pub use _def::PtrInner;
 
 #[allow(unused_imports)]
 use crate::util::polyfills::NumExt as _;
 use crate::{
     layout::{CastType, MetadataCastError},
+    pointer::cast,
     util::AsAddress,
     AlignmentError, CastError, HasField, KnownLayout, MetadataOf, SizeError, SplitAt,
 };
@@ -170,31 +171,7 @@ impl<'a, T: ?Sized> PtrInner<'a, T> {
     where
         T: Sized,
     {
-        static_assert!(T, U => mem::size_of::<T>() >= mem::size_of::<U>());
-        // SAFETY: By the preceding assert, `U` is no larger than `T`, which is
-        // the size of `self`'s referent.
-        unsafe { self.cast() }
-    }
-
-    /// # Safety
-    ///
-    /// `U` must not be larger than the size of `self`'s referent.
-    #[must_use]
-    #[inline(always)]
-    pub unsafe fn cast<U>(self) -> PtrInner<'a, U> {
-        let ptr = self.as_non_null().cast::<U>();
-
-        // SAFETY: The caller promises that `U` is no larger than `self`'s
-        // referent. Thus, `ptr` addresses a subset of the bytes addressed by
-        // `self`.
-        //
-        // 0. By invariant on `self`, if `self`'s referent is not zero sized,
-        //    then `self` has valid provenance for its referent, which is
-        //    entirely contained in some Rust allocation, `A`. Thus, the same
-        //    holds of `ptr`.
-        // 1. By invariant on `self`, if `self`'s referent is not zero sized,
-        //    then `A` is guaranteed to live for at least `'a`.
-        unsafe { PtrInner::new(ptr) }
+        self.cast(cast::CastSized)
     }
 
     /// Projects a field.
@@ -204,7 +181,46 @@ impl<'a, T: ?Sized> PtrInner<'a, T> {
     where
         T: HasField<F, VARIANT_ID, FIELD_ID>,
     {
-        <T as HasField<F, VARIANT_ID, FIELD_ID>>::project(self)
+        let cast = unsafe {
+            crate::pointer::cast::FnCast::new(<T as HasField<F, VARIANT_ID, FIELD_ID>>::project)
+        };
+        self.cast(cast)
+    }
+
+    #[must_use]
+    #[inline(always)]
+    pub fn cast<U: ?Sized, C: cast::Cast<T, U>>(self, cast: C) -> PtrInner<'a, U> {
+        let non_null = self.as_non_null();
+        let raw = non_null.as_ptr();
+
+        // SAFETY: By invariant on `self`, `raw`'s referent is zero-sized or
+        // lives in a single allocation.
+        let projected_raw = unsafe { cast.cast(raw) };
+
+        // SAFETY: `self`'s referent lives at a `NonNull` address, and is either
+        // zero-sized or lives in an allocation. In either case, it does not
+        // wrap around the address space [1], and so none of the addresses
+        // contained in it or one-past-the-end of it are null.
+        //
+        // By invariant on `C: Cast`, `C::cast` is a provenance-preserving cast
+        // which preserves or shrinks the set of referent bytes, so
+        // `projected_raw` references a subset of `self`'s referent, and so it
+        // cannot be null.
+        //
+        // [1] https://doc.rust-lang.org/1.92.0/std/ptr/index.html#allocation
+        let projected_non_null = unsafe { NonNull::new_unchecked(projected_raw) };
+
+        // SAFETY: As described in the preceding safety comment, `projected_raw`,
+        // and thus `projected_non_null`, addresses a subset of `self`'s
+        // referent. Thus, `projected_non_null` either:
+        // - Addresses zero bytes or,
+        // - Addresses a subset of the referent of `self`. In this case, `self`
+        //   has provenance for its referent, which lives in an allocation.
+        //   Since `projected_non_null` was constructed using a sequence of
+        //   provenance-preserving operations, it also has provenance for its
+        //   referent and that referent lives in an allocation. By invariant on
+        //   `self`, that allocation lives for `'a`.
+        unsafe { PtrInner::new(projected_non_null) }
     }
 }
 
@@ -262,37 +278,6 @@ where
         //    zero sized, then `A` is guaranteed to live for at least `'a`.
         unsafe { PtrInner::new(raw) }
     }
-
-    pub(crate) fn as_bytes(self) -> PtrInner<'a, [u8]> {
-        let ptr = self.as_non_null();
-        let bytes = match T::size_of_val_raw(ptr) {
-            Some(bytes) => bytes,
-            // SAFETY: `KnownLayout::size_of_val_raw` promises to always
-            // return `Some` so long as the resulting size fits in a
-            // `usize`. By invariant on `PtrInner`, `self` refers to a range
-            // of bytes whose size fits in an `isize`, which implies that it
-            // also fits in a `usize`.
-            None => unsafe { core::hint::unreachable_unchecked() },
-        };
-
-        let ptr = core::ptr::slice_from_raw_parts_mut(ptr.cast::<u8>().as_ptr(), bytes);
-
-        // SAFETY: `ptr` has the same address as `ptr = self.as_non_null()`,
-        // which is non-null by construction.
-        let ptr = unsafe { NonNull::new_unchecked(ptr) };
-
-        // SAFETY: `ptr` points to `bytes` `u8`s starting at the same address as
-        // `self`'s referent. Since `bytes` is the length of `self`'s referent,
-        // `ptr` addresses the same byte range as `self`. Thus, by invariant on
-        // `self` (as a `PtrInner`):
-        //
-        // 0. If `ptr`'s referent is not zero sized, then `ptr` has valid
-        //    provenance for its referent, which is entirely contained in some
-        //    Rust allocation, `A`.
-        // 1. If `ptr`'s referent is not zero sized, `A` is guaranteed to live
-        //    for at least `'a`.
-        unsafe { PtrInner::new(ptr) }
-    }
 }
 
 #[allow(clippy::needless_lifetimes)]

src/pointer/mod.rs

@@ -38,3 +38,141 @@ where
 {
     ptr.as_bytes::<BecauseImmutable>().as_ref().iter().all(|&byte| byte == 0)
 }
+
+#[doc(hidden)]
+pub mod cast {
+    use core::{marker::PhantomData, mem, ptr::NonNull};
+
+    use crate::{
+        layout::{SizeInfo, TrailingSliceLayout},
+        KnownLayout,
+    };
+
+    /// # Safety
+    ///
+    /// `cast` must be a provenance-preserving cast which preserves or shrinks the
+    /// set of referent bytes.
+    pub unsafe trait Cast<Src: ?Sized, Dst: ?Sized> {
+        /// # Safety
+        ///
+        /// `src` must have provenance for its entire referent, which must be
+        /// zero-sized or live in a single allocation.
+        unsafe fn cast(self, src: *mut Src) -> *mut Dst;
+    }
+
+    #[derive(Default, Copy, Clone)]
+    #[allow(missing_debug_implementations)]
+    pub struct IdCast;
+
+    unsafe impl<T: ?Sized> Cast<T, T> for IdCast {
+        unsafe fn cast(self, src: *mut T) -> *mut T {
+            src
+        }
+    }
+
+    #[allow(missing_debug_implementations)]
+    pub struct FnCast<F>(F);
+
+    impl<F> FnCast<F> {
+        pub const unsafe fn new(f: F) -> Self {
+            Self(f)
+        }
+    }
+
+    unsafe impl<F, Src: ?Sized, Dst: ?Sized> Cast<Src, Dst> for FnCast<F>
+    where
+        F: Fn(*mut Src) -> *mut Dst,
+    {
+        unsafe fn cast(self, src: *mut Src) -> *mut Dst {
+            (self.0)(src)
+        }
+    }
+
+    #[derive(Default)]
+    #[allow(missing_debug_implementations)]
+    pub struct CastSized;
+
+    #[derive(Default)]
+    #[allow(missing_debug_implementations)]
+    pub struct CastUnsized;
+
+    unsafe impl<Src, Dst> Cast<Src, Dst> for CastUnsized
+    where
+        Src: ?Sized + KnownLayout,
+        Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>,
+    {
+        unsafe fn cast(self, src: *mut Src) -> *mut Dst {
+            static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => {
+                let t = <Src as KnownLayout>::LAYOUT;
+                let u = <Dst as KnownLayout>::LAYOUT;
+                t.align.get() >= u.align.get() && match (t.size_info, u.size_info) {
+                    (SizeInfo::Sized { size: t }, SizeInfo::Sized { size: u }) => t == u,
+                    (
+                        SizeInfo::SliceDst(TrailingSliceLayout { offset: t_offset, elem_size: t_elem_size }),
+                        SizeInfo::SliceDst(TrailingSliceLayout { offset: u_offset, elem_size: u_elem_size })
+                    ) => t_offset == u_offset && t_elem_size == u_elem_size,
+                    _ => false,
+                }
+            });
+
+            let metadata = Src::pointer_to_metadata(src);
+            // TODO: Need a non-null guarantee in order for this to be sound.
+            let src = unsafe { NonNull::new_unchecked(src) };
+            Dst::raw_from_ptr_len(src.cast::<u8>(), metadata).as_ptr()
+        }
+    }
+
+    // SAFETY: By the `static_assert!`, `Dst` is no larger than `Src`,
+    // and `<*mut Src>::cast` is a provenance-preserving cast.
+    unsafe impl<Src, Dst> Cast<Src, Dst> for CastSized {
+        unsafe fn cast(self, src: *mut Src) -> *mut Dst {
+            static_assert!(Src, Dst => mem::size_of::<Src>() >= mem::size_of::<Dst>());
+            src.cast::<Dst>()
+        }
+    }
+
+    #[allow(missing_debug_implementations)]
+    pub struct TransitiveCast<U: ?Sized, TU, UV> {
+        tu: TU,
+        uv: UV,
+        _u: PhantomData<U>,
+    }
+
+    impl<U: ?Sized, TU: Default, UV: Default> Default for TransitiveCast<U, TU, UV> {
+        fn default() -> Self {
+            Self { tu: Default::default(), uv: Default::default(), _u: PhantomData }
+        }
+    }
+
+    unsafe impl<T, U, V, TU, UV> Cast<T, V> for TransitiveCast<U, TU, UV>
+    where
+        T: ?Sized,
+        U: ?Sized,
+        V: ?Sized,
+        TU: Cast<T, U>,
+        UV: Cast<U, V>,
+    {
+        unsafe fn cast(self, t: *mut T) -> *mut V {
+            let u = unsafe { self.tu.cast(t) };
+            unsafe { self.uv.cast(u) }
+        }
+    }
+
+    pub(crate) struct AsBytesCast;
+
+    unsafe impl<T: ?Sized + KnownLayout> Cast<T, [u8]> for AsBytesCast {
+        unsafe fn cast(self, src: *mut T) -> *mut [u8] {
+            let bytes = match T::size_of_val_raw(src) {
+                Some(bytes) => bytes,
+                // SAFETY: `KnownLayout::size_of_val_raw` promises to always
+                // return `Some` so long as the resulting size fits in a
+                // `usize`. By invariant on `PtrInner`, `self` refers to a range
+                // of bytes whose size fits in an `isize`, which implies that it
+                // also fits in a `usize`.
+                None => unsafe { core::hint::unreachable_unchecked() },
+            };
+
+            core::ptr::slice_from_raw_parts_mut(src.cast::<u8>(), bytes)
+        }
+    }
+}