[WIP] Break TransmuteFrom into Shrink vs Overwrite

Also, only implement TryTransmuteFromPtr once in terms of
MutationCompatible.

gherrit-pr-id: I1e15473bf871e5b53a6c093e6a79f48e6498aa04

Author: joshlf

src/impls.rs

@@ -105,7 +105,8 @@ assert_unaligned!(bool);
 //   pattern 0x01.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for bool; |byte| {
-        let byte = byte.transmute::<u8, invariant::Valid, _>();
+        let mut byte = byte;
+        let byte = byte.reborrow().into_shared().transmute::<u8, invariant::Valid, _>();
         *byte.unaligned_as_ref() < 2
     })
 };
@@ -135,7 +136,8 @@ const _: () = unsafe { unsafe_impl!(char: Immutable, FromZeros, IntoBytes) };
 //   `char`.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for char; |c| {
-        let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
+        let mut c = c;
+        let c = c.reborrow().into_shared().transmute::<Unalign<u32>, invariant::Valid, _>();
         let c = c.read_unaligned().into_inner();
         char::from_u32(c).is_some()
     });
@@ -168,7 +170,8 @@ const _: () = unsafe { unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unalig
 //   Returns `Err` if the slice is not UTF-8.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for str; |c| {
-        let c = c.transmute::<[u8], invariant::Valid, _>();
+        let mut c = c;
+        let c = c.reborrow().into_shared().transmute::<[u8], invariant::Valid, _>();
         let c = c.unaligned_as_ref();
         core::str::from_utf8(c).is_ok()
     })
@@ -181,7 +184,8 @@ macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
                 impl_size_compat!($nonzero, Unalign<$prim>);
-                let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
+                let mut n = n;
+                let n = n.reborrow().into_shared().transmute::<Unalign<$prim>, invariant::Valid, _>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
             });
         )*

src/lib.rs

@@ -384,7 +384,7 @@ use core::{
 #[cfg(feature = "std")]
 use std::io;
 
-use crate::pointer::invariant::{self, BecauseExclusive};
+use crate::pointer::{invariant, BecauseBidirectional};
 
 #[cfg(any(feature = "alloc", test, kani))]
 extern crate alloc;
@@ -1843,7 +1843,7 @@ pub unsafe trait TryFromBytes {
         Self: KnownLayout + IntoBytes,
     {
         static_assert_dst_is_not_zst!(Self);
-        match Ptr::from_mut(bytes).try_cast_into_no_leftover::<Self, BecauseExclusive>(None) {
+        match Ptr::from_mut(bytes).try_cast_into_no_leftover(None) {
             Ok(source) => {
                 // This call may panic. If that happens, it doesn't cause any soundness
                 // issues, as we have not generated any invalid state which we need to
@@ -1855,9 +1855,7 @@ pub unsafe trait TryFromBytes {
                 // condition will not happen.
                 match source.try_into_valid() {
                     Ok(source) => Ok(source.as_mut()),
-                    Err(e) => {
-                        Err(e.map_src(|src| src.as_bytes::<BecauseExclusive>().as_mut()).into())
-                    }
+                    Err(e) => Err(e.map_src(|src| src.as_bytes().as_mut()).into()),
                 }
             }
             Err(e) => Err(e.map_src(Ptr::as_mut).into()),
@@ -2424,8 +2422,7 @@ pub unsafe trait TryFromBytes {
     where
         Self: KnownLayout<PointerMetadata = usize> + IntoBytes,
     {
-        match Ptr::from_mut(source).try_cast_into_no_leftover::<Self, BecauseExclusive>(Some(count))
-        {
+        match Ptr::from_mut(source).try_cast_into_no_leftover(Some(count)) {
             Ok(source) => {
                 // This call may panic. If that happens, it doesn't cause any soundness
                 // issues, as we have not generated any invalid state which we need to
@@ -2437,9 +2434,7 @@ pub unsafe trait TryFromBytes {
                 // condition will not happen.
                 match source.try_into_valid() {
                     Ok(source) => Ok(source.as_mut()),
-                    Err(e) => {
-                        Err(e.map_src(|src| src.as_bytes::<BecauseExclusive>().as_mut()).into())
-                    }
+                    Err(e) => Err(e.map_src(|src| src.as_bytes().as_mut()).into()),
                 }
             }
             Err(e) => Err(e.map_src(Ptr::as_mut).into()),
@@ -2847,7 +2842,7 @@ fn try_mut_from_prefix_suffix<T: IntoBytes + TryFromBytes + KnownLayout + ?Sized
     cast_type: CastType,
     meta: Option<T::PointerMetadata>,
 ) -> Result<(&mut T, &mut [u8]), TryCastError<&mut [u8], T>> {
-    match Ptr::from_mut(candidate).try_cast_into::<T, BecauseExclusive>(cast_type, meta) {
+    match Ptr::from_mut(candidate).try_cast_into(cast_type, meta) {
         Ok((candidate, prefix_suffix)) => {
             // This call may panic. If that happens, it doesn't cause any soundness
             // issues, as we have not generated any invalid state which we need to
@@ -2859,7 +2854,7 @@ fn try_mut_from_prefix_suffix<T: IntoBytes + TryFromBytes + KnownLayout + ?Sized
             // condition will not happen.
             match candidate.try_into_valid() {
                 Ok(valid) => Ok((valid.as_mut(), prefix_suffix.as_mut())),
-                Err(e) => Err(e.map_src(|src| src.as_bytes::<BecauseExclusive>().as_mut()).into()),
+                Err(e) => Err(e.map_src(|src| src.as_bytes().as_mut()).into()),
             }
         }
         Err(e) => Err(e.map_src(Ptr::as_mut).into()),
@@ -3838,8 +3833,8 @@ pub unsafe trait FromBytes: FromZeros {
         Self: IntoBytes + KnownLayout,
     {
         static_assert_dst_is_not_zst!(Self);
-        match Ptr::from_mut(source).try_cast_into_no_leftover::<_, BecauseExclusive>(None) {
-            Ok(ptr) => Ok(ptr.recall_validity::<_, (_, (_, _))>().as_mut()),
+        match Ptr::from_mut(source).try_cast_into_no_leftover(None) {
+            Ok(ptr) => Ok(ptr.recall_validity::<_, BecauseBidirectional>().as_mut()),
             Err(err) => Err(err.map_src(|src| src.as_mut())),
         }
     }
@@ -4307,11 +4302,9 @@ pub unsafe trait FromBytes: FromZeros {
         Self: IntoBytes + KnownLayout<PointerMetadata = usize> + Immutable,
     {
         let source = Ptr::from_mut(source);
-        let maybe_slf = source.try_cast_into_no_leftover::<_, BecauseImmutable>(Some(count));
+        let maybe_slf = source.try_cast_into_no_leftover(Some(count));
         match maybe_slf {
-            Ok(slf) => Ok(slf
-                .recall_validity::<_, (_, (_, (BecauseExclusive, BecauseExclusive)))>()
-                .as_mut()),
+            Ok(slf) => Ok(slf.recall_validity::<_, BecauseBidirectional>().as_mut()),
             Err(err) => Err(err.map_src(|s| s.as_mut())),
         }
     }
@@ -4668,7 +4661,7 @@ pub unsafe trait FromBytes: FromZeros {
         // cannot be violated even though `buf` may have more permissive bit
         // validity than `ptr`.
         let ptr = unsafe { ptr.assume_validity::<invariant::Initialized>() };
-        let ptr = ptr.as_bytes::<BecauseExclusive>();
+        let ptr = ptr.as_bytes();
         src.read_exact(ptr.as_mut())?;
         // SAFETY: `buf` entirely consists of initialized bytes, and `Self` is
         // `FromBytes`.
@@ -4787,9 +4780,9 @@ fn mut_from_prefix_suffix<T: FromBytes + IntoBytes + KnownLayout + ?Sized>(
     cast_type: CastType,
 ) -> Result<(&mut T, &mut [u8]), CastError<&mut [u8], T>> {
     let (slf, prefix_suffix) = Ptr::from_mut(source)
-        .try_cast_into::<_, BecauseExclusive>(cast_type, meta)
+        .try_cast_into(cast_type, meta)
         .map_err(|err| err.map_src(|s| s.as_mut()))?;
-    Ok((slf.recall_validity::<_, (_, (_, _))>().as_mut(), prefix_suffix.as_mut()))
+    Ok((slf.recall_validity::<_, BecauseBidirectional>().as_mut(), prefix_suffix.as_mut()))
 }
 
 /// Analyzes whether a type is [`IntoBytes`].

src/pointer/mod.rs

@@ -18,7 +18,7 @@ mod transmute;
 pub use {inner::PtrInner, transmute::*};
 #[doc(hidden)]
 pub use {
-    invariant::{BecauseExclusive, BecauseImmutable, Read},
+    invariant::{BecauseExclusive, Read},
     ptr::Ptr,
 };
 
@@ -30,11 +30,11 @@ pub type Maybe<'a, T, Aliasing = invariant::Shared, Alignment = invariant::Unali
     Ptr<'a, T, (Aliasing, Alignment, invariant::Initialized)>;
 
 /// Checks if the referent is zeroed.
-pub(crate) fn is_zeroed<T, I>(ptr: Ptr<'_, T, I>) -> bool
+pub(crate) fn is_zeroed<T, I>(mut ptr: Ptr<'_, T, I>) -> bool
 where
     T: crate::Immutable + crate::KnownLayout,
     I: invariant::Invariants<Validity = invariant::Initialized>,
     I::Aliasing: invariant::Reference,
 {
-    ptr.as_bytes::<BecauseImmutable>().as_ref().iter().all(|&byte| byte == 0)
+    ptr.reborrow().into_shared().as_bytes().as_ref().iter().all(|&byte| byte == 0)
 }

src/pointer/ptr.rs

@@ -269,9 +269,8 @@ mod _conversions {
     {
         /// Reborrows `self`, producing another `Ptr`.
         ///
-        /// Since `self` is borrowed immutably, this prevents any mutable
-        /// methods from being called on `self` as long as the returned `Ptr`
-        /// exists.
+        /// Since `self` is borrowed mutably, this prevents `self` from being
+        /// used as long as the returned `Ptr` exists.
         #[doc(hidden)]
         #[inline]
         #[allow(clippy::needless_lifetimes)] // Allows us to name the lifetime in the safety comment below.
@@ -312,6 +311,23 @@ mod _conversions {
             //   memory may be live.
             unsafe { Ptr::from_inner(self.as_inner()) }
         }
+
+        /// Converts `self` to a shared `Ptr`.
+        #[doc(hidden)]
+        #[inline]
+        #[allow(clippy::needless_lifetimes)] // Allows us to name the lifetime in the safety comment below.
+        pub fn into_shared(self) -> Ptr<'a, T, (Shared, I::Alignment, I::Validity)> {
+            // SAFETY: Since `I::Aliasing: Reference`, there are two cases for
+            // `I::Aliasing`:
+            // - For `invariant::Shared`, the returned `Ptr` is identical, so no
+            //   new proof obligations are introduced.
+            // - For `invariant::Exclusive`: Since `self` has `Exclusive`
+            //   aliasing, it is guaranteed that no other `Ptr`s or references
+            //   permit concurrent access to the referent. Thus, the returned
+            //   `Ptr` is the only reference to the referent which may read or
+            //   write the referent during `'a`.
+            unsafe { self.assume_aliasing() }
+        }
     }
 
     /// `Ptr<'a, T>` → `&'a mut T`
@@ -920,8 +936,10 @@ mod _casts {
             cast: F,
         ) -> Ptr<'a, U, (I::Aliasing, Unaligned, I::Validity)>
         where
-            T: MutationCompatible<U, I::Aliasing, I::Validity, I::Validity, R>,
-            U: 'a + ?Sized + CastableFrom<T, I::Validity, I::Validity>,
+            U: 'a
+                + MutationCompatible<T, I::Aliasing, I::Validity, I::Validity, R>
+                + CastableFrom<T, I::Validity, I::Validity>
+                + ?Sized,
             F: FnOnce(PtrInner<'_, T>) -> PtrInner<'_, U>,
         {
             // SAFETY: Because `T: MutationCompatible<U, I::Aliasing, R>`, one
@@ -947,7 +965,7 @@ mod _casts {
         #[allow(clippy::wrong_self_convention)]
         pub(crate) fn as_bytes<R>(self) -> Ptr<'a, [u8], (I::Aliasing, Aligned, Valid)>
         where
-            T: Read<I::Aliasing, R>,
+            [u8]: MutationCompatible<T, I::Aliasing, I::Validity, I::Validity, R>,
             I::Aliasing: Reference,
         {
             let bytes = match T::size_of_val_raw(self.as_inner().as_non_null()) {
@@ -981,7 +999,7 @@ mod _casts {
             };
 
             let ptr = ptr.bikeshed_recall_aligned();
-            ptr.recall_validity::<_, (_, (_, _))>()
+            ptr.recall_validity::<Valid, _>()
         }
     }
 
@@ -1066,7 +1084,8 @@ mod _casts {
         >
         where
             I::Aliasing: Reference,
-            U: 'a + ?Sized + KnownLayout + Read<I::Aliasing, R>,
+            U: 'a + ?Sized + KnownLayout,
+            [u8]: MutationCompatible<U, I::Aliasing, Initialized, Initialized, R>,
         {
             let (inner, remainder) =
                 self.as_inner().try_cast_into(cast_type, meta).map_err(|err| {
@@ -1129,7 +1148,8 @@ mod _casts {
         ) -> Result<Ptr<'a, U, (I::Aliasing, Aligned, Initialized)>, CastError<Self, U>>
         where
             I::Aliasing: Reference,
-            U: 'a + ?Sized + KnownLayout + Read<I::Aliasing, R>,
+            U: 'a + ?Sized + KnownLayout,
+            [u8]: MutationCompatible<U, I::Aliasing, Initialized, Initialized, R>,
         {
             // FIXME(#67): Remove this allow. See NonNulSlicelExt for more
             // details.
@@ -1261,7 +1281,7 @@ mod tests {
     use super::*;
     #[allow(unused)] // Needed on our MSRV, but considered unused on later toolchains.
     use crate::util::AsAddress;
-    use crate::{pointer::BecauseImmutable, util::testutil::AU64, FromBytes, Immutable};
+    use crate::{pointer::invariant::BecauseImmutable, util::testutil::AU64, FromBytes, Immutable};
 
     mod test_ptr_try_cast_into_soundness {
         use super::*;