Permit shrinking transmutes in transmute machinery

joshlf · joshlf · commit b995fc0facd4 · 2026-01-24T17:19:29.000Z
With this change, some `TryTransmuteFromPtr` impls become conditionally sound – specifically, they are sound for size-preserving casts, but not for size-shrinking casts. In order to ensure they remain sound, we make the cast a type parameter on `TryTransmuteFromPtr`, which allows us to add the appropriate bounds on these impls. This also prepares us for more complex transmutes such as "overwriting/tearing" transmutes, as we can require overwriting/tearing transmutability *only* for shrikning casts, but not for size-preserving casts. Makes progress on #2701, #1940, #1852 gherrit-pr-id: Gd9d1c0de851091ffe6161889d21ca2167845a591
diff --git a/src/pointer/ptr.rs b/src/pointer/ptr.rs
@@ -160,7 +160,7 @@ mod _external {
 /// Methods for converting to and from `Ptr` and Rust's safe reference types.
 mod _conversions {
     use super::*;
-    use crate::pointer::cast::{CastExact, CastSized, IdCast};
+    use crate::pointer::cast::{Cast, CastSized, IdCast};
 
     /// `&'a T` → `Ptr<'a, T>`
     impl<'a, T> Ptr<'a, T, (Shared, Aligned, Valid)>
@@ -392,12 +392,11 @@ mod _conversions {
         where
             V: Validity,
             U: TransmuteFromPtr<T, I::Aliasing, I::Validity, V, C, R> + ?Sized,
-            C: CastExact<T, U>,
+            C: Cast<T, U>,
         {
             // SAFETY:
-            // - By `C: CastExact`, `C` preserves referent address, and so we
-            //   don't need to consider projections in the following safety
-            //   arguments.
+            // - By `C: Cast`, `C` preserves referent address, and so we don't
+            //   need to consider projections in the following safety arguments.
             // - If aliasing is `Shared`, then by `U: TransmuteFromPtr<T>`, at
             //   least one of the following holds:
             //   - `T: Immutable` and `U: Immutable`, in which case it is
diff --git a/src/pointer/transmute.rs b/src/pointer/transmute.rs
@@ -14,7 +14,7 @@ use core::{
 
 use crate::{
     pointer::{
-        cast::{self, CastExact, CastSizedExact},
+        cast::{self, Cast, CastExact, CastSizedExact},
         invariant::*,
     },
     FromBytes, Immutable, IntoBytes, Unalign,
@@ -36,9 +36,9 @@ use crate::{
 /// Given `Dst: TryTransmuteFromPtr<Src, A, SV, DV, C, _>`, callers may assume
 /// the following:
 ///
-/// Given `src: Ptr<'a, Src, (A, _, SV)>`, if the referent of `src` is
-/// `DV`-valid for `Dst`, then it is sound to transmute `src` into `dst: Ptr<'a,
-/// Dst, (A, Unaligned, DV)>` using `C`.
+/// Given `src: Ptr<'a, Src, (A, _, SV)>`, let `dst` be the result of casting
+/// from `src` using `C`. If `dst`'s referent is `DV`-valid for `Dst`, then it
+/// is sound to treat it as a `Ptr<'a, Dst, (A, Unaligned, DV)>`.
 ///
 /// ## Pre-conditions
 ///
@@ -49,42 +49,50 @@ use crate::{
 ///   - So long as `dst` is active, no mutation of `dst`'s referent is allowed
 ///     except via `dst` itself
 ///   - The set of `DV`-valid referents of `dst` is a superset of the set of
-///     `SV`-valid referents of `src` (NOTE: this condition effectively bans
-///     shrinking or overwriting transmutes, which cannot satisfy this
-///     condition)
+///     (the prefixes of) `SV`-valid referents of `src`. The "prefix" caveat is
+///     necessary since this may be a shrinking transmute – ie, `dst` addresses
+///     a smaller referent than `src`.
 /// - Reverse transmutation: Either of the following hold:
 ///   - `dst` does not permit mutation of its referent
-///   - The set of `DV`-valid referents of `dst` is a subset of the set of
-///     `SV`-valid referents of `src` (NOTE: this condition effectively bans
-///     shrinking or overwriting transmutes, which cannot satisfy this
-///     condition)
+///   - `C: CastExact`, and the set of `DV`-valid referents of `dst` is a
+///     subset of the set of `SV`-valid referents of `src`
 /// - No safe code, given access to `src` and `dst`, can cause undefined
 ///   behavior: Any of the following hold:
-///   - `A` is `Exclusive`
+///   - `A` is `Exclusive`*
 ///   - `Src: Immutable` and `Dst: Immutable`
 ///   - It is sound for shared code to operate on a `&Src` and `&Dst` which
 ///     reference the same byte range at the same time
 ///
+/// * TODO: This assumes that `dst` shadows *all* of `src` (ie, `src` isn't
+///   split into `dst` and some other pointer/reference). Should we just restrict
+///   this trait's invariant to require that, if `A` is `Exclusive`, then `src`
+///   is inaccessible so long as `dst` is alive?
+///
 /// ## Proof
 ///
 /// Given:
 /// - `src: Ptr<'a, Src, (A, _, SV)>`
-/// - `src`'s referent is `DV`-valid for `Dst`
+/// - `dst` is constructed by casting from `src` using `C`
+/// - `dst`'s referent is `DV`-valid for `Dst`
+///
+/// We are trying to prove that it is sound to perform this cast from `src` to
+/// `dst` using `C` and treat `dst` as having invariants `(A, Unaligned, DV)`.
+/// We need to prove that such a cast does not violate any of `src`'s
+/// invariants, and that it satisfies all invariants of the destination `Ptr`
+/// type (`Ptr<'a, Dst, (A, Unaligned, DV)>`).
 ///
-/// We are trying to prove that it is sound to perform a cast from `src` to a
-/// `dst: Ptr<'a, Dst, (A, Unaligned, DV)>` using `C`. We need to prove that
-/// such a cast does not violate any of `src`'s invariants, and that it
-/// satisfies all invariants of the destination `Ptr` type.
+/// TODO: What does this first sentence even mean?
 ///
-/// First, by `C: CastExact`, `src`'s address is unchanged, so it still satisfies
-/// its alignment. Since `dst`'s alignment is `Unaligned`, it trivially satisfies
-/// its alignment.
+/// First, by `C: Cast`, `src`'s address is unchanged, so it still satisfies its
+/// alignment. Since `dst`'s alignment is `Unaligned`, it trivially satisfies its
+/// alignment.
 ///
 /// Second, aliasing is either `Exclusive` or `Shared`:
 /// - If it is `Exclusive`, then both `src` and `dst` satisfy `Exclusive`
 ///   aliasing trivially: since `src` and `dst` have the same lifetime, `src` is
 ///   inaccessible so long as `dst` is alive, and no other live `Ptr`s or
-///   references may reference the same referent.
+///   references may reference the same referent. (TODO: Add the following?)
+///   This holds even if `dst` addresses a subset of `src`'s referent.
 /// - If it is `Shared`, then either:
 ///   - `Src: Immutable` and `Dst: Immutable`, and so `UnsafeCell`s trivially
 ///     cover the same byte ranges in both types.
@@ -95,8 +103,9 @@ use crate::{
 /// as an `SV`-valid `Src`. It is guaranteed to remain so, as either of the
 /// following hold:
 /// - `dst` does not permit mutation of its referent.
-/// - The set of `DV`-valid referents of `dst` is a subset of the set of
-///   `SV`-valid referents of `src`. Thus, any value written via `dst` is
+/// - `C: CastExact`, and the set of `DV`-valid referents of `dst` is a subset
+///   of the set of `SV`-valid referents of `src`. By `CastExact`, `src` and
+///   `dst` address the same referent. Thus, any value written via `dst` is
 ///   guaranteed to be an `SV`-valid referent of `src`.
 ///
 /// Fourth, `dst`'s validity is satisfied. It is a given of this proof that the
@@ -105,14 +114,15 @@ use crate::{
 /// - So long as `dst` is active, no mutation of the referent is allowed except
 ///   via `dst` itself.
 /// - The set of `DV`-valid referents of `dst` is a superset of the set of
-///   `SV`-valid referents of `src`. Thus, any value written via `src` is
-///   guaranteed to be a `DV`-valid referent of `dst`.
+///   (the prefixes of) `SV`-valid referents of `src`. Thus, (the prefix of) any
+///   value written via `src` is guaranteed to be a `DV`-valid referent of
+///   `dst`.
 pub unsafe trait TryTransmuteFromPtr<
     Src: ?Sized,
     A: Aliasing,
     SV: Validity,
     DV: Validity,
-    C: CastExact<Src, Self>,
+    C: Cast<Src, Self>,
     R,
 >
 {
@@ -130,14 +140,13 @@ pub enum BecauseMutationCompatible {}
 //       exists, no mutation is permitted except via that `Ptr`
 //     - Aliasing is `Shared`, `Src: Immutable`, and `Dst: Immutable`, in which
 //       case no mutation is possible via either `Ptr`
-//   - Since the underlying cast is size-preserving, `dst` addresses the same
-//     referent as `src`. By `Dst: TransmuteFrom<Src, SV, DV>`, the set of
-//     `DV`-valid referents of `dst` is a superset of the set of `SV`-valid
-//     referents of `src`.
-// - Reverse transmutation: Since the underlying cast is size-preserving, `dst`
-//   addresses the same referent as `src`. By `Src: TransmuteFrom<Dst, DV, SV>`,
-//   the set of `DV`-valid referents of `src` is a subset of the set of
-//   `SV`-valid referents of `dst`.
+//   - By `Dst: TransmuteFrom<Src, SV, DV>`, the set of `DV`-valid referents of
+//     `dst` is a supserset of the set of (the prefixes of) `SV`-valid referents
+//     of `src`.
+// - Reverse transmutation: Since `C: CastExact`, `dst` addresses the same
+//   referent as `src`. By `Src: TransmuteFrom<Dst, DV, SV>`, the set of
+//   `DV`-valid referents of `dst` is a subset of the set of `SV`-valid referents
+//   of `src`.
 // - No safe code, given access to `src` and `dst`, can cause undefined
 //   behavior: By `Dst: MutationCompatible<Src, A, SV, DV, _>`, at least one of
 //   the following holds:
@@ -171,7 +180,7 @@ where
     DV: Validity,
     Src: Immutable + ?Sized,
     Dst: Immutable + ?Sized,
-    C: CastExact<Src, Dst>,
+    C: Cast<Src, Dst>,
 {
 }
 
@@ -268,28 +277,27 @@ pub unsafe trait TransmuteFromPtr<
     A: Aliasing,
     SV: Validity,
     DV: Validity,
-    C: CastExact<Src, Self>,
+    C: Cast<Src, Self>,
     R,
 >: TryTransmuteFromPtr<Src, A, SV, DV, C, R> + TransmuteFrom<Src, SV, DV>
 {
 }
 
 // SAFETY: The `where` bounds are equivalent to the safety invariant on
 // `TransmuteFromPtr`.
-unsafe impl<
-        Src: ?Sized,
-        Dst: ?Sized,
-        A: Aliasing,
-        SV: Validity,
-        DV: Validity,
-        C: CastExact<Src, Dst>,
-        R,
-    > TransmuteFromPtr<Src, A, SV, DV, C, R> for Dst
+unsafe impl<Src: ?Sized, Dst: ?Sized, A: Aliasing, SV: Validity, DV: Validity, C: Cast<Src, Dst>, R>
+    TransmuteFromPtr<Src, A, SV, DV, C, R> for Dst
 where
     Dst: TransmuteFrom<Src, SV, DV> + TryTransmuteFromPtr<Src, A, SV, DV, C, R>,
 {
 }
 
+// TODO: We need to update the invariant of `TransmuteFrom` in order to make the
+// "reverse transmutation" impl of `TryTransmuteFromPtr` sound – currently, it
+// says that `Dst: TransmuteFrom<Src>` guarantees transmutation *even in the
+// case of a shrinking transmute*, but that's not currently guaranteed by
+// `TransmuteFrom`'s safety invariant.
+
 /// Denotes that any `SV`-valid `Src` may soundly be transmuted into a
 /// `DV`-valid `Self`.
 ///
@@ -315,12 +323,12 @@ pub unsafe trait TransmuteFrom<Src: ?Sized, SV, DV> {}
 ///
 /// `SizeEq` on its own conveys no safety guarantee. Any safety guarantees come
 /// from the safety invariants on the associated [`CastFrom`] type, specifically
-/// the [`CastExact`] bound.
+/// the [`Cast`] bound.
 ///
 /// [`CastFrom`]: SizeEq::CastFrom
-/// [`CastExact`]: CastExact
+/// [`Cast`]: cast::Cast
 pub trait SizeEq<Src: ?Sized> {
-    type CastFrom: CastExact<Src, Self>;
+    type CastFrom: cast::Cast<Src, Self>;
 }
 
 impl<T: ?Sized> SizeEq<T> for T {
