vasi/
lib.rs

Help
1#![no_std]
2// https://github.com/rust-lang/rfcs/blob/master/text/2585-unsafe-block-in-unsafe-fn.md
3#![deny(unsafe_op_in_unsafe_fn)]
4
5// For use by code generated by vasi_macro::VirtualAddressSpaceIndependent;
6#[doc(hidden)]
7pub use static_assertions::assert_impl_all;
8pub use vasi_macro::VirtualAddressSpaceIndependent;
9/// A type implementing this trait guarantees that accessing instances
10/// of that type outside of their original virtual address space does not
11/// violate Rust's safety requirements.
12///
13/// This is mostly equivalent to them being *self-contained*: not referring to
14/// memory outside of the range `[&self, &self + std::mem::sizeof<T>()]`.
15/// However, they *may* reference memory outside of that range if they somehow
16/// ensure that they only do so from inside the virtual address space where it
17/// is valid to do so.
18///
19/// Types implementing this trait can definitely not contain references.  If
20/// they contain pointers, the type is responsible for ensuring those pointers
21/// aren't dereferenced outside a virtual address space where they are valid.
22///
23/// *Relative* pointers, e.g. as implemented in
24/// [rkyv](https://crates.io/crates/rkyv), are acceptable as long as they point
25/// within the boundaries of the enclosing type.
26///
27/// The type must also be FFI-safe; e.g. have a stable layout (e.g. `[repr(C)]`),
28/// to help ensure that different processes accessing data of a given type
29/// actually agree on its layout.  Note though that is necessary, but not
30/// sufficient, to ensure they agree on the layout; e.g. things can still go
31/// wrong if processes use different versions of the type.  (TODO: maybe split
32/// this property into a separate trait).
33///
34/// # Safety
35///
36/// The type must actually be self-contained, as above.
37pub unsafe trait VirtualAddressSpaceIndependent {
38    /// Used by the derive macro to validate that fields are Vasi.
39    const IGNORE: () = ();
40}
41
42// Types not containing any pointers are trivially VirtualAddressSpaceIndependent.
43unsafe impl VirtualAddressSpaceIndependent for i64 {}
44unsafe impl VirtualAddressSpaceIndependent for u64 {}
45unsafe impl VirtualAddressSpaceIndependent for i32 {}
46unsafe impl VirtualAddressSpaceIndependent for u32 {}
47unsafe impl VirtualAddressSpaceIndependent for i16 {}
48unsafe impl VirtualAddressSpaceIndependent for u16 {}
49unsafe impl VirtualAddressSpaceIndependent for i8 {}
50unsafe impl VirtualAddressSpaceIndependent for u8 {}
51unsafe impl VirtualAddressSpaceIndependent for usize {}
52unsafe impl VirtualAddressSpaceIndependent for isize {}
53unsafe impl VirtualAddressSpaceIndependent for bool {}
54
55// e.g. "This type has the same in-memory representation as the underlying integer type, u64"
56unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicU64 {}
57unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicI64 {}
58unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicU32 {}
59unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicI32 {}
60unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicU16 {}
61unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicI16 {}
62unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicU8 {}
63unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicI8 {}
64unsafe impl VirtualAddressSpaceIndependent for core::sync::atomic::AtomicBool {}
65
66// An array of T is [VirtualAddressSpaceIndependent] if its elements are.
67unsafe impl<T, const N: usize> VirtualAddressSpaceIndependent for [T; N] where
68    T: VirtualAddressSpaceIndependent
69{
70}
71
72// PhantomData is intrinsically VirtualAddressSpaceIndependent.
73//
74// Conservatively only implement when T is VirtualAddressSpaceIndependent,
75// but unclear whether this restriction is necessary.
76unsafe impl<T> VirtualAddressSpaceIndependent for core::marker::PhantomData<T> where
77    T: VirtualAddressSpaceIndependent
78{
79}
80
81// Cell is `repr(transparent)` around an `UnsafeCell<T>`.
82unsafe impl<T> VirtualAddressSpaceIndependent for core::cell::Cell<T> where
83    T: VirtualAddressSpaceIndependent
84{
85}
86
87// UnsafeCell is `repr(transparent)` around a `T`.
88unsafe impl<T> VirtualAddressSpaceIndependent for core::cell::UnsafeCell<T> where
89    T: VirtualAddressSpaceIndependent
90{
91}
92
93// ManuallyDrop is `repr(transparent)` around a `<T>`.
94unsafe impl<T> VirtualAddressSpaceIndependent for core::mem::ManuallyDrop<T> where
95    T: VirtualAddressSpaceIndependent
96{
97}
98
99// MaybeUninit is `repr(transparent)` around a union of `()` and `ManuallyDrop<T>`.
100unsafe impl<T> VirtualAddressSpaceIndependent for core::mem::MaybeUninit<T> where
101    T: VirtualAddressSpaceIndependent
102{
103}
104
105unsafe impl VirtualAddressSpaceIndependent for () {}
vasi/lib.rs

vasi/
lib.rs
