Make SizeEq safe

joshlf · joshlf · commit 591b5562bd10 · 2026-01-22T20:38:45.000Z
Make `SizeEq` safe by moving its safety invariant to a new `CastExact` trait which now bounds the associated `SizeEq::CastFrom` type. This permits us to write safety proofs in fewer places, since there are certain `CastFrom` impls which we can re-use for many `SizeEq` impls. Makes progress on #2701, #1940, #1852 gherrit-pr-id: Gda7c06c9a8e54f5afd6aa5a093406a7b71259fd3
diff --git a/src/impls.rs b/src/impls.rs
@@ -436,29 +436,17 @@ mod atomics {
                 // the same size and bit validity.
                 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
 
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size.
-                unsafe impl<$($tyvar)?> SizeEq<$atomic> for $prim {
-                    type CastFrom = $crate::pointer::cast::CastSized;
+                impl<$($tyvar)?> SizeEq<$atomic> for $prim {
+                    type CastFrom = $crate::pointer::cast::CastSizedExact;
                 }
-                // SAFETY: See previous safety comment.
-                unsafe impl<$($tyvar)?> SizeEq<$prim> for $atomic {
-                    type CastFrom = $crate::pointer::cast::CastSized;
+                impl<$($tyvar)?> SizeEq<$prim> for $atomic {
+                    type CastFrom = $crate::pointer::cast::CastSizedExact;
                 }
-                // SAFETY: The caller promised that `$atomic` and `$prim` have
-                // the same size. `UnsafeCell<T>` has the same size as `T` [1].
-                //
-                // [1] Per https://doc.rust-lang.org/1.85.0/std/cell/struct.UnsafeCell.html#memory-layout:
-                //
-                //   `UnsafeCell<T>` has the same in-memory representation as
-                //   its inner type `T`. A consequence of this guarantee is that
-                //   it is possible to convert between `T` and `UnsafeCell<T>`.
-                unsafe impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
-                    type CastFrom = $crate::pointer::cast::CastSized;
+                impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
+                    type CastFrom = $crate::pointer::cast::CastSizedExact;
                 }
-                // SAFETY: See previous safety comment.
-                unsafe impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
-                    type CastFrom = $crate::pointer::cast::CastSized;
+                impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
+                    type CastFrom = $crate::pointer::cast::CastSizedExact;
                 }
 
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
diff --git a/src/layout.rs b/src/layout.rs
@@ -756,6 +756,15 @@ mod cast_from {
     {
     }
 
+    // SAFETY: The implementation of `Project::project` preserves the size of
+    // the referent (see inline comments for a more detailed proof of this).
+    unsafe impl<Src, Dst> crate::pointer::cast::CastExact<Src, Dst> for CastFrom<Dst>
+    where
+        Src: KnownLayout<PointerMetadata = usize> + ?Sized,
+        Dst: KnownLayout<PointerMetadata = usize> + ?Sized,
+    {
+    }
+
     // SAFETY: `project` produces a pointer which refers to the same referent
     // bytes as its input, or to a subset of them (see inline comments for a
     // more detailed proof of this). It does this using provenance-preserving
diff --git a/src/pointer/mod.rs b/src/pointer/mod.rs
@@ -78,6 +78,13 @@ pub mod cast {
     /// shrink the set of referent bytes, and it may change the referent's type.
     pub unsafe trait Cast<Src: ?Sized, Dst: ?Sized>: Project<Src, Dst> {}
 
+    /// A [`Cast`] which does not shrink the set of referent bytes.
+    ///
+    /// # Safety
+    ///
+    /// A `CastExact` projection must preserve the set of referent bytes.
+    pub unsafe trait CastExact<Src: ?Sized, Dst: ?Sized>: Cast<Src, Dst> {}
+
     /// A no-op pointer cast.
     #[derive(Default, Copy, Clone)]
     #[allow(missing_debug_implementations)]
@@ -96,6 +103,9 @@ pub mod cast {
     // SAFETY: The `Project::project` impl preserves referent address.
     unsafe impl<T: ?Sized> Cast<T, T> for IdCast {}
 
+    // SAFETY: The `Project::project` impl preserves referent size.
+    unsafe impl<T: ?Sized> CastExact<T, T> for IdCast {}
+
     /// A pointer cast which preserves or shrinks the set of referent bytes of
     /// a statically-sized referent.
     ///
@@ -122,6 +132,37 @@ pub mod cast {
     // SAFETY: The `Project::project` impl preserves referent address.
     unsafe impl<Src, Dst> Cast<Src, Dst> for CastSized {}
 
+    /// A pointer cast which preserves the set of referent bytes of a
+    /// statically-sized referent.
+    ///
+    /// # Safety
+    ///
+    /// The implementation of [`Project`] uses a compile-time assertion to
+    /// guarantee that `Dst` has the same size as `Src`. Thus, `CastSizedExact`
+    /// has a sound implementation of [`Project`] for all `Src` and `Dst` &ndash; the
+    /// caller may pass any `Src` and `Dst` without being responsible for
+    /// soundness.
+    #[allow(missing_debug_implementations, missing_copy_implementations)]
+    pub enum CastSizedExact {}
+
+    // SAFETY: By the `static_assert!`, `Dst` has the same size as `Src`,
+    // and so all casts preserve the set of referent bytes. All operations
+    // preserve provenance.
+    unsafe impl<Src, Dst> Project<Src, Dst> for CastSizedExact {
+        #[inline(always)]
+        fn project(src: PtrInner<'_, Src>) -> *mut Dst {
+            static_assert!(Src, Dst => mem::size_of::<Src>() == mem::size_of::<Dst>());
+            src.as_ptr().cast::<Dst>()
+        }
+    }
+
+    // SAFETY: The `Project::project_raw` impl preserves referent address.
+    unsafe impl<Src, Dst> Cast<Src, Dst> for CastSizedExact {}
+
+    // SAFETY: By the `static_assert!`, `Project::project_raw` impl preserves
+    // referent size.
+    unsafe impl<Src, Dst> CastExact<Src, Dst> for CastSizedExact {}
+
     /// A pointer cast which preserves or shrinks the set of referent bytes of
     /// a dynamically-sized referent.
     ///
@@ -138,19 +179,19 @@ pub mod cast {
     // SAFETY: By the `static_assert!`, `Src` and `Dst` are either:
     // - Both sized and equal in size
     // - Both slice DSTs with the same trailing slice offset and element size
-    //   and with align_of::<Src>() >= align_of::<Dst>(). These ensure that any
-    //   given pointer metadata encodes the same size or more size for `Src`
-    //   than for `Dst` (note that the alignment is required as it affects the
-    //   amount of trailing padding). Thus, `project` preserves or shrinks the
-    //   set of referent bytes.
+    //   and with align_of::<Src>() == align_of::<Dst>(). These ensure that any
+    //   given pointer metadata encodes the same size for both `Src` and `Dst`
+    //   (note that the alignment is required as it affects the amount of
+    //   trailing padding). Thus, `project` preserves the set of referent bytes.
     unsafe impl<Src, Dst> Project<Src, Dst> for CastUnsized
     where
         Src: ?Sized + KnownLayout,
         Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>,
     {
         #[inline(always)]
         fn project(src: PtrInner<'_, Src>) -> *mut Dst {
-            // FIXME: Do we want this to support shrinking casts as well?
+            // FIXME: Do we want this to support shrinking casts as well? If so,
+            // we'll need to remove the `CastExact` impl.
             static_assert!(Src: ?Sized + KnownLayout, Dst: ?Sized + KnownLayout => {
                 let src = <Src as KnownLayout>::LAYOUT;
                 let dst = <Dst as KnownLayout>::LAYOUT;
@@ -159,7 +200,7 @@ pub mod cast {
                     (
                         SizeInfo::SliceDst(TrailingSliceLayout { offset: src_offset, elem_size: src_elem_size }),
                         SizeInfo::SliceDst(TrailingSliceLayout { offset: dst_offset, elem_size: dst_elem_size })
-                    ) => src.align.get() >= dst.align.get() && src_offset == dst_offset && src_elem_size == dst_elem_size,
+                    ) => src.align.get() == dst.align.get() && src_offset == dst_offset && src_elem_size == dst_elem_size,
                     _ => false,
                 }
             });
@@ -177,6 +218,20 @@ pub mod cast {
     {
     }
 
+    // SAFETY: By the `static_assert!` in `Project::project`, `Src` and `Dst`
+    // are either:
+    // - Both sized and equal in size
+    // - Both slice DSTs with the same alignment, trailing slice offset, and
+    //   element size. These ensure that any given pointer metadata encodes the
+    //   same size for both `Src` and `Dst` (note that the alignment is required
+    //   as it affects the amount of trailing padding).
+    unsafe impl<Src, Dst> CastExact<Src, Dst> for CastUnsized
+    where
+        Src: ?Sized + KnownLayout,
+        Dst: ?Sized + KnownLayout<PointerMetadata = Src::PointerMetadata>,
+    {
+    }
+
     /// A field projection
     ///
     /// A `Projection` is a [`Project`] which implements projection by
@@ -246,6 +301,19 @@ pub mod cast {
     {
     }
 
+    // SAFETY: Since the `Project::project` impl delegates to `TU::project` and
+    // `UV::project`, and since `TU` and `UV` are `CastExact`, the `Project::project`
+    // impl preserves the set of referent bytes.
+    unsafe impl<T, U, V, TU, UV> CastExact<T, V> for TransitiveProject<U, TU, UV>
+    where
+        T: ?Sized,
+        U: ?Sized,
+        V: ?Sized,
+        TU: CastExact<T, U>,
+        UV: CastExact<U, V>,
+    {
+    }
+
     /// A cast from `T` to `[u8]`.
     pub(crate) struct AsBytesCast;
 
@@ -275,4 +343,7 @@ pub mod cast {
 
     // SAFETY: The `Project::project` impl preserves referent address.
     unsafe impl<T: ?Sized + KnownLayout> Cast<T, [u8]> for AsBytesCast {}
+
+    // SAFETY: The `Project::project` impl preserves the set of referent bytes.
+    unsafe impl<T: ?Sized + KnownLayout> CastExact<T, [u8]> for AsBytesCast {}
 }
diff --git a/src/pointer/transmute.rs b/src/pointer/transmute.rs
@@ -73,8 +73,8 @@ use crate::{
 /// any of `src`'s invariants, and that it satisfies all invariants of the
 /// destination `Ptr` type.
 ///
-/// First, by invariant on `SizeEq`, `src`'s address is unchanged, so it still
-/// satisfies its alignment. Since `dst`'s alignment is `Unaligned`, it
+/// First, by `SizeEq::CastFrom: CastExact`, `src`'s address is unchanged, so it
+/// still satisfies its alignment. Since `dst`'s alignment is `Unaligned`, it
 /// trivially satisfies its alignment.
 ///
 /// Second, aliasing is either `Exclusive` or `Shared`:
@@ -112,6 +112,15 @@ pub unsafe trait TryTransmuteFromPtr<Src: ?Sized, A: Aliasing, SV: Validity, DV:
 #[allow(missing_copy_implementations, missing_debug_implementations)]
 pub enum BecauseMutationCompatible {}
 
+// TODO: Update this comment to not rely on `SizeEq` implying size equality
+// (but instead rely on *runtime execution* of `SizeEq::CastFrom_inner`
+// guaranteeing size compatibility) and not to rely on size equality (as opposed
+// to size compatibility). Notably, the following lines assume size equality:
+//
+//   - Reverse transmutation: `Src: TransmuteFrom<Dst, DV, SV>`. Since `Dst:
+//     SizeEq<Src>`, this guarantees that the set of `DV`-valid `Dst`s is a
+//     subset of the set of `SV`-valid `Src`s.
+
 // SAFETY:
 // - Forwards transmutation: By `Dst: MutationCompatible<Src, A, SV, DV, _>`, we
 //   know that at least one of the following holds:
@@ -288,17 +297,17 @@ pub unsafe trait TransmuteFrom<Src: ?Sized, SV, DV> {}
 ///
 /// # Safety
 ///
-/// The associated [`CastFrom`] must preserve referent size.
+/// `SizeEq` on its own conveys no safety guarantee. Any safety guarantees come
+/// from the safety invariants on the associated [`CastFrom`] type, specifically
+/// the [`CastExact`] bound.
 ///
 /// [`CastFrom`]: SizeEq::CastFrom
-pub unsafe trait SizeEq<Src: ?Sized> {
-    type CastFrom: cast::Cast<Src, Self>;
+/// [`CastExact`]: cast::CastExact
+pub trait SizeEq<Src: ?Sized> {
+    type CastFrom: cast::CastExact<Src, Self>;
 }
 
-// SAFETY: `T` trivially has the same size and vtable kind as `T`, and since
-// pointer `*mut T -> *mut T` pointer casts are no-ops, this cast trivially
-// preserves referent size (when `T: ?Sized`).
-unsafe impl<T: ?Sized> SizeEq<T> for T {
+impl<T: ?Sized> SizeEq<T> for T {
     type CastFrom = cast::IdCast;
 }
 
@@ -452,19 +461,12 @@ impl_transitive_transmute_from!(T: ?Sized => UnsafeCell<T> => T => Cell<T>);
 // https://doc.rust-lang.org/1.85.0/core/mem/union.MaybeUninit.html
 unsafe impl<T> TransmuteFrom<T, Uninit, Valid> for MaybeUninit<T> {}
 
-// SAFETY: `MaybeUninit<T>` has the same size as `T` [1].
-//
-// [1] Per https://doc.rust-lang.org/1.81.0/std/mem/union.MaybeUninit.html#layout-1:
-//
-//   `MaybeUninit<T>` is guaranteed to have the same size, alignment, and ABI as
-//   `T`
-unsafe impl<T> SizeEq<T> for MaybeUninit<T> {
-    type CastFrom = cast::CastSized;
+impl<T> SizeEq<T> for MaybeUninit<T> {
+    type CastFrom = cast::CastSizedExact;
 }
 
-// SAFETY: See previous safety comment.
-unsafe impl<T> SizeEq<MaybeUninit<T>> for T {
-    type CastFrom = cast::CastSized;
+impl<T> SizeEq<MaybeUninit<T>> for T {
+    type CastFrom = cast::CastSizedExact;
 }
 
 #[cfg(test)]
diff --git a/src/util/macros.rs b/src/util/macros.rs
@@ -732,27 +732,36 @@ macro_rules! define_cast {
 /// # Safety
 ///
 /// `T` and `$wrapper<T>` must have the same bit validity, and must have the
-/// same size in the sense of `SizeEq`.
+/// same size in the sense of `CastExact` (specifically, both a
+/// `T`-to-`$wrapper<T>` cast and a `$wrapper<T>`-to-`T` cast must be
+/// size-preserving).
 macro_rules! unsafe_impl_for_transparent_wrapper {
     ($vis:vis T $(: ?$optbound:ident)? => $wrapper:ident<T>) => {{
         crate::util::macros::__unsafe();
 
-        use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
+        use crate::pointer::{cast::CastExact, TransmuteFrom, SizeEq, invariant::Valid};
 
         // SAFETY: The caller promises that `T` and `$wrapper<T>` have the same
         // bit validity.
         unsafe impl<T $(: ?$optbound)?> TransmuteFrom<T, Valid, Valid> for $wrapper<T> {}
         // SAFETY: See previous safety comment.
         unsafe impl<T $(: ?$optbound)?> TransmuteFrom<$wrapper<T>, Valid, Valid> for T {}
+        // SAFETY: The caller promises that a `T` to `$wrapper<T>` cast is
+        // size-preserving.
         define_cast!(unsafe { $vis CastA<T $(: ?$optbound)? > = T => $wrapper<T> });
-        // SAFETY: The caller promises that `T` and `$wrapper<T>` satisfy
-        // `SizeEq`.
-        unsafe impl<T $(: ?$optbound)?> SizeEq<T> for $wrapper<T> {
+        // SAFETY: The caller promises that a `T` to `$wrapper<T>` cast is
+        // size-preserving.
+        unsafe impl<T $(: ?$optbound)?> CastExact<T, $wrapper<T>> for CastA {}
+        impl<T $(: ?$optbound)?> SizeEq<T> for $wrapper<T> {
             type CastFrom = CastA;
         }
+        // SAFETY: The caller promises that a `$wrapper<T>` to `T` cast is
+        // size-preserving.
         define_cast!(unsafe { $vis CastB<T $(: ?$optbound)? > = $wrapper<T> => T });
-        // SAFETY: See previous safety comment.
-        unsafe impl<T $(: ?$optbound)?> SizeEq<$wrapper<T>> for T {
+        // SAFETY: The caller promises that a `$wrapper<T>` to `T` cast is
+        // size-preserving.
+        unsafe impl<T $(: ?$optbound)?> CastExact<$wrapper<T>, T> for CastB {}
+        impl<T $(: ?$optbound)?> SizeEq<$wrapper<T>> for T {
             type CastFrom = CastB;
         }
     }};
@@ -763,9 +772,7 @@ macro_rules! impl_transitive_transmute_from {
         const _: () = {
             use crate::pointer::{TransmuteFrom, SizeEq, invariant::Valid};
 
-            // SAFETY: Since `$u: SizeEq<$t>` and `$v: SizeEq<U>`, this impl is
-            // transitively sound.
-            unsafe impl<$($tyvar $(: ?$optbound)?)?> SizeEq<$t> for $v
+            impl<$($tyvar $(: ?$optbound)?)?> SizeEq<$t> for $v
             where
                 $u: SizeEq<$t>,
                 $v: SizeEq<$u>,
@@ -796,12 +803,10 @@ macro_rules! impl_size_eq {
         const _: () = {
             use $crate::{pointer::{cast::CastUnsized, SizeEq}};
 
-            // SAFETY: See inline.
-            unsafe impl SizeEq<$t> for $u {
+            impl SizeEq<$t> for $u {
                 type CastFrom = CastUnsized;
             }
-            // SAFETY: See previous safety comment.
-            unsafe impl SizeEq<$u> for $t {
+            impl SizeEq<$u> for $t {
                 type CastFrom = CastUnsized;
             }
         };
@@ -847,8 +852,18 @@ macro_rules! unsafe_with_size_eq {
         // no added semantics.
         unsafe impl<T: ?Sized> InvariantsEq<$dst<T>> for T {}
 
+        // SAFETY: `$src<T>` is a `#[repr(transparent)]` wrapper around `T`, and
+        // so this cast exactly preserves the set of referent bytes.
         define_cast!(unsafe { SrcCast<T: ?Sized> = $src<T> => T });
+        // SAFETY: See previous safety comment.
+        unsafe impl<T: ?Sized> crate::pointer::cast::CastExact<$src<T>, T> for SrcCast {}
+        // SAFETY: `$dst<U>` is a `#[repr(transparent)]` wrapper around `U`, and
+        // so this cast exactly preserves the set of referent bytes.
         define_cast!(unsafe { DstCast<U: ?Sized> = U => $dst<U> });
+        // SAFETY: See previous safety comment.
+        unsafe impl<U: ?Sized> crate::pointer::cast::CastExact<U, $dst<U>> for DstCast {}
+
+        // TODO: Remove this safety comment?
 
         // SAFETY: See inline for the soundness of this impl when
         // `CastFrom::project` is actually instantiated (otherwise, PMEs may not
@@ -857,7 +872,7 @@ macro_rules! unsafe_with_size_eq {
         // We manually instantiate `CastFrom::project` below to ensure that this
         // PME can be triggered, and the caller promises not to use `$src` and
         // `$dst` with any wrapped types other than `$t` and `$u` respectively.
-        unsafe impl<T: ?Sized, U: ?Sized> SizeEq<$src<T>> for $dst<U>
+        impl<T: ?Sized, U: ?Sized> SizeEq<$src<T>> for $dst<U>
         where
             T: KnownLayout<PointerMetadata = usize>,
             U: KnownLayout<PointerMetadata = usize>,
