bytemuck/
lib.rs

1#![no_std]
2#![warn(missing_docs)]
3#![allow(clippy::match_like_matches_macro)]
4#![allow(clippy::uninlined_format_args)]
5#![allow(clippy::result_unit_err)]
6#![allow(clippy::type_complexity)]
7#![cfg_attr(feature = "nightly_docs", feature(doc_cfg))]
8#![cfg_attr(feature = "nightly_portable_simd", feature(portable_simd))]
9#![cfg_attr(feature = "nightly_float", feature(f16, f128))]
10#![cfg_attr(
11  all(
12    feature = "nightly_stdsimd",
13    any(target_arch = "x86_64", target_arch = "x86")
14  ),
15  feature(stdarch_x86_avx512)
16)]
17
18//! This crate gives small utilities for casting between plain data types.
19//!
20//! ## Basics
21//!
22//! Data comes in five basic forms in Rust, so we have five basic casting
23//! functions:
24//!
25//! * `T` uses [`cast`]
26//! * `&T` uses [`cast_ref`]
27//! * `&mut T` uses [`cast_mut`]
28//! * `&[T]` uses [`cast_slice`]
29//! * `&mut [T]` uses [`cast_slice_mut`]
30//!
31//! Depending on the function, the [`NoUninit`] and/or [`AnyBitPattern`] traits
32//! are used to maintain memory safety.
33//!
34//! **Historical Note:** When the crate first started the [`Pod`] trait was used
35//! instead, and so you may hear people refer to that, but it has the strongest
36//! requirements and people eventually wanted the more fine-grained system, so
37//! here we are. All types that impl `Pod` have a blanket impl to also support
38//! `NoUninit` and `AnyBitPattern`. The traits unfortunately do not have a
39//! perfectly clean hierarchy for semver reasons.
40//!
41//! ## Failures
42//!
43//! Some casts will never fail, and other casts might fail.
44//!
45//! * `cast::<u32, f32>` always works (and [`f32::from_bits`]).
46//! * `cast_ref::<[u8; 4], u32>` might fail if the specific array reference
47//!   given at runtime doesn't have alignment 4.
48//!
49//! In addition to the "normal" forms of each function, which will panic on
50//! invalid input, there's also `try_` versions which will return a `Result`.
51//!
52//! If you would like to statically ensure that a cast will work at runtime you
53//! can use the `must_cast` crate feature and the `must_` casting functions. A
54//! "must cast" that can't be statically known to be valid will cause a
55//! compilation error (and sometimes a very hard to read compilation error).
56//!
57//! ## Using Your Own Types
58//!
59//! All the functions listed above are guarded by the [`Pod`] trait, which is a
60//! sub-trait of the [`Zeroable`] trait.
61//!
62//! If you enable the crate's `derive` feature then these traits can be derived
63//! on your own types. The derive macros will perform the necessary checks on
64//! your type declaration, and trigger an error if your type does not qualify.
65//!
66//! The derive macros might not cover all edge cases, and sometimes they will
67//! error when actually everything is fine. As a last resort you can impl these
68//! traits manually. However, these traits are `unsafe`, and you should
69//! carefully read the requirements before using a manual implementation.
70//!
71//! ## Cargo Features
72//!
73//! The crate supports Rust 1.34 when no features are enabled, and so there's
74//! cargo features for thing that you might consider "obvious".
75//!
76//! The cargo features **do not** promise any particular MSRV, and they may
77//! increase their MSRV in new versions.
78//!
79//! * `derive`: Provide derive macros for the various traits.
80//! * `extern_crate_alloc`: Provide utilities for `alloc` related types such as
81//!   Box and Vec.
82//! * `zeroable_maybe_uninit` and `zeroable_atomics`: Provide more [`Zeroable`]
83//!   impls.
84//! * `wasm_simd` and `aarch64_simd`: Support more SIMD types.
85//! * `min_const_generics`: Provides appropriate impls for arrays of all lengths
86//!   instead of just for a select list of array lengths.
87//! * `must_cast`: Provides the `must_` functions, which will compile error if
88//!   the requested cast can't be statically verified.
89//! * `const_zeroed`: Provides a const version of the `zeroed` function.
90
91#[cfg(all(target_arch = "aarch64", feature = "aarch64_simd"))]
92use core::arch::aarch64;
93#[cfg(all(target_arch = "wasm32", feature = "wasm_simd"))]
94use core::arch::wasm32;
95#[cfg(target_arch = "x86")]
96use core::arch::x86;
97#[cfg(target_arch = "x86_64")]
98use core::arch::x86_64;
99//
100use core::{
101  marker::*,
102  mem::{align_of, size_of},
103  num::*,
104  ptr::*,
105};
106
107// Used from macros to ensure we aren't using some locally defined name and
108// actually are referencing libcore. This also would allow pre-2018 edition
109// crates to use our macros, but I'm not sure how important that is.
110#[doc(hidden)]
111pub use ::core as __core;
112
113#[cfg(not(feature = "min_const_generics"))]
114macro_rules! impl_unsafe_marker_for_array {
115  ( $marker:ident , $( $n:expr ),* ) => {
116    $(unsafe impl<T> $marker for [T; $n] where T: $marker {})*
117  }
118}
119
120/// A macro to transmute between two types without requiring knowing size
121/// statically.
122macro_rules! transmute {
123  ($val:expr) => {
124    ::core::mem::transmute_copy(&::core::mem::ManuallyDrop::new($val))
125  };
126  // This arm is for use in const contexts, where the borrow required to use
127  // transmute_copy poses an issue since the compiler hedges that the type
128  // being borrowed could have interior mutability.
129  ($srcty:ty; $dstty:ty; $val:expr) => {{
130    #[repr(C)]
131    union Transmute<A, B> {
132      src: ::core::mem::ManuallyDrop<A>,
133      dst: ::core::mem::ManuallyDrop<B>,
134    }
135    ::core::mem::ManuallyDrop::into_inner(
136      Transmute::<$srcty, $dstty> { src: ::core::mem::ManuallyDrop::new($val) }
137        .dst,
138    )
139  }};
140}
141
142/// A macro to implement marker traits for various simd types.
143/// #[allow(unused)] because the impls are only compiled on relevant platforms
144/// with relevant cargo features enabled.
145#[allow(unused)]
146macro_rules! impl_unsafe_marker_for_simd {
147  ($(#[cfg($cfg_predicate:meta)])? unsafe impl $trait:ident for $platform:ident :: {}) => {};
148  ($(#[cfg($cfg_predicate:meta)])? unsafe impl $trait:ident for $platform:ident :: { $first_type:ident $(, $types:ident)* $(,)? }) => {
149    $( #[cfg($cfg_predicate)] )?
150    $( #[cfg_attr(feature = "nightly_docs", doc(cfg($cfg_predicate)))] )?
151    unsafe impl $trait for $platform::$first_type {}
152    $( #[cfg($cfg_predicate)] )? // To prevent recursion errors if nothing is going to be expanded anyway.
153    impl_unsafe_marker_for_simd!($( #[cfg($cfg_predicate)] )? unsafe impl $trait for $platform::{ $( $types ),* });
154  };
155}
156
157#[cfg(feature = "extern_crate_std")]
158extern crate std;
159
160#[cfg(feature = "extern_crate_alloc")]
161extern crate alloc;
162#[cfg(feature = "extern_crate_alloc")]
163#[cfg_attr(feature = "nightly_docs", doc(cfg(feature = "extern_crate_alloc")))]
164pub mod allocation;
165#[cfg(feature = "extern_crate_alloc")]
166pub use allocation::*;
167
168mod anybitpattern;
169pub use anybitpattern::*;
170
171pub mod checked;
172pub use checked::CheckedBitPattern;
173
174mod internal;
175
176mod zeroable;
177pub use zeroable::*;
178mod zeroable_in_option;
179pub use zeroable_in_option::*;
180
181mod pod;
182pub use pod::*;
183mod pod_in_option;
184pub use pod_in_option::*;
185
186#[cfg(feature = "must_cast")]
187mod must;
188#[cfg(feature = "must_cast")]
189#[cfg_attr(feature = "nightly_docs", doc(cfg(feature = "must_cast")))]
190pub use must::*;
191
192mod no_uninit;
193pub use no_uninit::*;
194
195mod contiguous;
196pub use contiguous::*;
197
198mod offset_of;
199// ^ no import, the module only has a macro_rules, which are cursed and don't
200// follow normal import/export rules.
201
202mod transparent;
203pub use transparent::*;
204
205#[cfg(feature = "derive")]
206#[cfg_attr(feature = "nightly_docs", doc(cfg(feature = "derive")))]
207pub use bytemuck_derive::{
208  AnyBitPattern, ByteEq, ByteHash, CheckedBitPattern, Contiguous, NoUninit,
209  Pod, TransparentWrapper, Zeroable,
210};
211
212/// The things that can go wrong when casting between [`Pod`] data forms.
213#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
214pub enum PodCastError {
215  /// You tried to cast a reference into a reference to a type with a higher
216  /// alignment requirement but the input reference wasn't aligned.
217  TargetAlignmentGreaterAndInputNotAligned,
218  /// If the element size of a slice changes, then the output slice changes
219  /// length accordingly. If the output slice wouldn't be a whole number of
220  /// elements, then the conversion fails.
221  OutputSliceWouldHaveSlop,
222  /// When casting an individual `T`, `&T`, or `&mut T` value the
223  /// source size and destination size must be an exact match.
224  SizeMismatch,
225  /// For this type of cast the alignments must be exactly the same and they
226  /// were not so now you're sad.
227  ///
228  /// This error is generated **only** by operations that cast allocated types
229  /// (such as `Box` and `Vec`), because in that case the alignment must stay
230  /// exact.
231  AlignmentMismatch,
232}
233#[cfg(not(target_arch = "spirv"))]
234impl core::fmt::Display for PodCastError {
235  fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
236    write!(f, "{:?}", self)
237  }
238}
239#[cfg(feature = "extern_crate_std")]
240#[cfg_attr(feature = "nightly_docs", doc(cfg(feature = "extern_crate_std")))]
241impl std::error::Error for PodCastError {}
242
243/// Re-interprets `&T` as `&[u8]`.
244///
245/// Any ZST becomes an empty slice, and in that case the pointer value of that
246/// empty slice might not match the pointer value of the input reference.
247#[inline]
248pub fn bytes_of<T: NoUninit>(t: &T) -> &[u8] {
249  unsafe { internal::bytes_of(t) }
250}
251
252/// Re-interprets `&mut T` as `&mut [u8]`.
253///
254/// Any ZST becomes an empty slice, and in that case the pointer value of that
255/// empty slice might not match the pointer value of the input reference.
256#[inline]
257pub fn bytes_of_mut<T: NoUninit + AnyBitPattern>(t: &mut T) -> &mut [u8] {
258  unsafe { internal::bytes_of_mut(t) }
259}
260
261/// Re-interprets `&[u8]` as `&T`.
262///
263/// ## Panics
264///
265/// This is like [`try_from_bytes`] but will panic on error.
266#[inline]
267#[cfg_attr(feature = "track_caller", track_caller)]
268pub fn from_bytes<T: AnyBitPattern>(s: &[u8]) -> &T {
269  unsafe { internal::from_bytes(s) }
270}
271
272/// Re-interprets `&mut [u8]` as `&mut T`.
273///
274/// ## Panics
275///
276/// This is like [`try_from_bytes_mut`] but will panic on error.
277#[inline]
278#[cfg_attr(feature = "track_caller", track_caller)]
279pub fn from_bytes_mut<T: NoUninit + AnyBitPattern>(s: &mut [u8]) -> &mut T {
280  unsafe { internal::from_bytes_mut(s) }
281}
282
283/// Reads from the bytes as if they were a `T`.
284///
285/// Unlike [`from_bytes`], the slice doesn't need to respect alignment of `T`,
286/// only sizes must match.
287///
288/// ## Failure
289/// * If the `bytes` length is not equal to `size_of::<T>()`.
290#[inline]
291pub fn try_pod_read_unaligned<T: AnyBitPattern>(
292  bytes: &[u8],
293) -> Result<T, PodCastError> {
294  unsafe { internal::try_pod_read_unaligned(bytes) }
295}
296
297/// Reads the slice into a `T` value.
298///
299/// Unlike [`from_bytes`], the slice doesn't need to respect alignment of `T`,
300/// only sizes must match.
301///
302/// ## Panics
303/// * This is like `try_pod_read_unaligned` but will panic on failure.
304#[inline]
305#[cfg_attr(feature = "track_caller", track_caller)]
306pub fn pod_read_unaligned<T: AnyBitPattern>(bytes: &[u8]) -> T {
307  unsafe { internal::pod_read_unaligned(bytes) }
308}
309
310/// Re-interprets `&[u8]` as `&T`.
311///
312/// ## Failure
313///
314/// * If the slice isn't aligned for the new type
315/// * If the slice's length isn’t exactly the size of the new type
316#[inline]
317pub fn try_from_bytes<T: AnyBitPattern>(s: &[u8]) -> Result<&T, PodCastError> {
318  unsafe { internal::try_from_bytes(s) }
319}
320
321/// Re-interprets `&mut [u8]` as `&mut T`.
322///
323/// ## Failure
324///
325/// * If the slice isn't aligned for the new type
326/// * If the slice's length isn’t exactly the size of the new type
327#[inline]
328pub fn try_from_bytes_mut<T: NoUninit + AnyBitPattern>(
329  s: &mut [u8],
330) -> Result<&mut T, PodCastError> {
331  unsafe { internal::try_from_bytes_mut(s) }
332}
333
334/// Cast `A` into `B`
335///
336/// ## Panics
337///
338/// * This is like [`try_cast`], but will panic on a size mismatch.
339#[inline]
340#[cfg_attr(feature = "track_caller", track_caller)]
341pub fn cast<A: NoUninit, B: AnyBitPattern>(a: A) -> B {
342  unsafe { internal::cast(a) }
343}
344
345/// Cast `&mut A` into `&mut B`.
346///
347/// ## Panics
348///
349/// This is [`try_cast_mut`] but will panic on error.
350#[inline]
351#[cfg_attr(feature = "track_caller", track_caller)]
352pub fn cast_mut<A: NoUninit + AnyBitPattern, B: NoUninit + AnyBitPattern>(
353  a: &mut A,
354) -> &mut B {
355  unsafe { internal::cast_mut(a) }
356}
357
358/// Cast `&A` into `&B`.
359///
360/// ## Panics
361///
362/// This is [`try_cast_ref`] but will panic on error.
363#[inline]
364#[cfg_attr(feature = "track_caller", track_caller)]
365pub fn cast_ref<A: NoUninit, B: AnyBitPattern>(a: &A) -> &B {
366  unsafe { internal::cast_ref(a) }
367}
368
369/// Cast `&[A]` into `&[B]`.
370///
371/// ## Panics
372///
373/// This is [`try_cast_slice`] but will panic on error.
374#[inline]
375#[cfg_attr(feature = "track_caller", track_caller)]
376pub fn cast_slice<A: NoUninit, B: AnyBitPattern>(a: &[A]) -> &[B] {
377  unsafe { internal::cast_slice(a) }
378}
379
380/// Cast `&mut [A]` into `&mut [B]`.
381///
382/// ## Panics
383///
384/// This is [`try_cast_slice_mut`] but will panic on error.
385#[inline]
386#[cfg_attr(feature = "track_caller", track_caller)]
387pub fn cast_slice_mut<
388  A: NoUninit + AnyBitPattern,
389  B: NoUninit + AnyBitPattern,
390>(
391  a: &mut [A],
392) -> &mut [B] {
393  unsafe { internal::cast_slice_mut(a) }
394}
395
396/// As [`align_to`](https://doc.rust-lang.org/std/primitive.slice.html#method.align_to),
397/// but safe because of the [`Pod`] bound.
398#[inline]
399pub fn pod_align_to<T: NoUninit, U: AnyBitPattern>(
400  vals: &[T],
401) -> (&[T], &[U], &[T]) {
402  unsafe { vals.align_to::<U>() }
403}
404
405/// As [`align_to_mut`](https://doc.rust-lang.org/std/primitive.slice.html#method.align_to_mut),
406/// but safe because of the [`Pod`] bound.
407#[inline]
408pub fn pod_align_to_mut<
409  T: NoUninit + AnyBitPattern,
410  U: NoUninit + AnyBitPattern,
411>(
412  vals: &mut [T],
413) -> (&mut [T], &mut [U], &mut [T]) {
414  unsafe { vals.align_to_mut::<U>() }
415}
416
417/// Try to cast `A` into `B`.
418///
419/// Note that for this particular type of cast, alignment isn't a factor. The
420/// input value is semantically copied into the function and then returned to a
421/// new memory location which will have whatever the required alignment of the
422/// output type is.
423///
424/// ## Failure
425///
426/// * If the types don't have the same size this fails.
427#[inline]
428pub fn try_cast<A: NoUninit, B: AnyBitPattern>(
429  a: A,
430) -> Result<B, PodCastError> {
431  unsafe { internal::try_cast(a) }
432}
433
434/// Try to convert a `&A` into `&B`.
435///
436/// ## Failure
437///
438/// * If the reference isn't aligned in the new type
439/// * If the source type and target type aren't the same size.
440#[inline]
441pub fn try_cast_ref<A: NoUninit, B: AnyBitPattern>(
442  a: &A,
443) -> Result<&B, PodCastError> {
444  unsafe { internal::try_cast_ref(a) }
445}
446
447/// Try to convert a `&mut A` into `&mut B`.
448///
449/// As [`try_cast_ref`], but `mut`.
450#[inline]
451pub fn try_cast_mut<
452  A: NoUninit + AnyBitPattern,
453  B: NoUninit + AnyBitPattern,
454>(
455  a: &mut A,
456) -> Result<&mut B, PodCastError> {
457  unsafe { internal::try_cast_mut(a) }
458}
459
460/// Try to convert `&[A]` into `&[B]` (possibly with a change in length).
461///
462/// * `input.as_ptr() as usize == output.as_ptr() as usize`
463/// * `input.len() * size_of::<A>() == output.len() * size_of::<B>()`
464///
465/// ## Failure
466///
467/// * If the target type has a greater alignment requirement and the input slice
468///   isn't aligned.
469/// * If the target element type is a different size from the current element
470///   type, and the output slice wouldn't be a whole number of elements when
471///   accounting for the size change (eg: 3 `u16` values is 1.5 `u32` values, so
472///   that's a failure).
473/// * Similarly, you can't convert between a [ZST](https://doc.rust-lang.org/nomicon/exotic-sizes.html#zero-sized-types-zsts)
474///   and a non-ZST.
475#[inline]
476pub fn try_cast_slice<A: NoUninit, B: AnyBitPattern>(
477  a: &[A],
478) -> Result<&[B], PodCastError> {
479  unsafe { internal::try_cast_slice(a) }
480}
481
482/// Try to convert `&mut [A]` into `&mut [B]` (possibly with a change in
483/// length).
484///
485/// As [`try_cast_slice`], but `&mut`.
486#[inline]
487pub fn try_cast_slice_mut<
488  A: NoUninit + AnyBitPattern,
489  B: NoUninit + AnyBitPattern,
490>(
491  a: &mut [A],
492) -> Result<&mut [B], PodCastError> {
493  unsafe { internal::try_cast_slice_mut(a) }
494}
495
496/// Fill all bytes of `target` with zeroes (see [`Zeroable`]).
497///
498/// This is similar to `*target = Zeroable::zeroed()`, but guarantees that any
499/// padding bytes in `target` are zeroed as well.
500///
501/// See also [`fill_zeroes`], if you have a slice rather than a single value.
502#[inline]
503pub fn write_zeroes<T: Zeroable>(target: &mut T) {
504  struct EnsureZeroWrite<T>(*mut T);
505  impl<T> Drop for EnsureZeroWrite<T> {
506    #[inline(always)]
507    fn drop(&mut self) {
508      unsafe {
509        core::ptr::write_bytes(self.0, 0u8, 1);
510      }
511    }
512  }
513  unsafe {
514    let guard = EnsureZeroWrite(target);
515    core::ptr::drop_in_place(guard.0);
516    drop(guard);
517  }
518}
519
520/// Fill all bytes of `slice` with zeroes (see [`Zeroable`]).
521///
522/// This is similar to `slice.fill(Zeroable::zeroed())`, but guarantees that any
523/// padding bytes in `slice` are zeroed as well.
524///
525/// See also [`write_zeroes`], which zeroes all bytes of a single value rather
526/// than a slice.
527#[inline]
528pub fn fill_zeroes<T: Zeroable>(slice: &mut [T]) {
529  if core::mem::needs_drop::<T>() {
530    // If `T` needs to be dropped then we have to do this one item at a time, in
531    // case one of the intermediate drops does a panic.
532    slice.iter_mut().for_each(write_zeroes);
533  } else {
534    // Otherwise we can be really fast and just fill everthing with zeros.
535    let len = slice.len();
536    unsafe { core::ptr::write_bytes(slice.as_mut_ptr(), 0u8, len) }
537  }
538}
539
540/// Same as [`Zeroable::zeroed`], but as a `const fn` const.
541#[cfg(feature = "const_zeroed")]
542#[inline]
543#[must_use]
544pub const fn zeroed<T: Zeroable>() -> T {
545  unsafe { core::mem::zeroed() }
546}