google
diff --git a/‎src/impls.rs‎
Lines changed: 78 additions & 60 deletions b/‎src/impls.rs‎
Lines changed: 78 additions & 60 deletions
diff --git a/‎src/lib.rs‎
Lines changed: 5 additions & 3 deletions b/‎src/lib.rs‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎src/macros.rs‎
Lines changed: 4 additions & 8 deletions b/‎src/macros.rs‎
Lines changed: 4 additions & 8 deletions
diff --git a/‎src/pointer/mod.rs‎
Lines changed: 13 additions & 2 deletions b/‎src/pointer/mod.rs‎
Lines changed: 13 additions & 2 deletions
@@ -108,11 +108,11 @@ assert_unaligned!(bool);
 //   pattern 0x01.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for bool; |byte| {
-        let byte = byte.transmute::<u8, invariant::Valid, _>();
+        let byte = byte.transmute::<u8, invariant::Valid, BecauseImmutable>();
         *byte.unaligned_as_ref() < 2
     })
 };
-impl_size_eq!(bool, u8);
+impl_size_eq!(=> bool, u8);
 
 // SAFETY:
 // - `Immutable`: `char` self-evidently does not contain any `UnsafeCell`s.
@@ -138,13 +138,13 @@ const _: () = unsafe { unsafe_impl!(char: Immutable, FromZeros, IntoBytes) };
 //   `char`.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for char; |c| {
-        let c = c.transmute::<Unalign<u32>, invariant::Valid, _>();
+        let c = c.transmute::<Unalign<u32>, invariant::Valid, BecauseImmutable>();
         let c = c.read_unaligned().into_inner();
         char::from_u32(c).is_some()
     });
 };
 
-impl_size_eq!(char, Unalign<u32>);
+impl_size_eq!(=> char, Unalign<u32>);
 
 // SAFETY: Per the Reference [1], `str` has the same layout as `[u8]`.
 // - `Immutable`: `[u8]` does not contain any `UnsafeCell`s.
@@ -173,21 +173,21 @@ const _: () = unsafe { unsafe_impl!(str: Immutable, FromZeros, IntoBytes, Unalig
 //   Returns `Err` if the slice is not UTF-8.
 const _: () = unsafe {
     unsafe_impl!(=> TryFromBytes for str; |c| {
-        let c = c.transmute::<[u8], invariant::Valid, _>();
+        let c = c.transmute::<[u8], invariant::Valid, BecauseImmutable>();
         let c = c.unaligned_as_ref();
         core::str::from_utf8(c).is_ok()
     })
 };
 
-impl_size_eq!(str, [u8]);
+impl_size_eq!(=> str, [u8]);
 
 macro_rules! unsafe_impl_try_from_bytes_for_nonzero {
     ($($nonzero:ident[$prim:ty]),*) => {
         $(
             unsafe_impl!(=> TryFromBytes for $nonzero; |n| {
-                impl_size_eq!($nonzero, Unalign<$prim>);
+                impl_size_eq!(=> $nonzero, Unalign<$prim>);
 
-                let n = n.transmute::<Unalign<$prim>, invariant::Valid, _>();
+                let n = n.transmute::<Unalign<$prim>, invariant::Valid, BecauseImmutable>();
                 $nonzero::new(n.read_unaligned().into_inner()).is_some()
             });
         )*
@@ -403,13 +403,23 @@ const _: () = unsafe {
 mod atomics {
     use super::*;
 
-    macro_rules! impl_traits_for_atomics {
-        ($($atomics:ident [$primitives:ident]),* $(,)?) => {
+    macro_rules! impl_layout_traits_for_atomics {
+        ($($($tyvar:ident)? => $atomics:ty [$primitives:ty]),* $(,)?) => {
+            $(
+                impl_known_layout!($($tyvar => )? $atomics);
+
+                impl_size_eq!($($tyvar)? => $atomics, $primitives);
+                impl_size_eq!($($tyvar)? => $atomics, UnsafeCell<$primitives>);
+            )*
+        };
+    }
+
+    macro_rules! impl_validity_traits_for_atomics {
+        ($($atomics:tt [$primitives:ty]),* $(,)?) => {
             $(
-                impl_known_layout!($atomics);
-                impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
                 impl_for_transmute_from!(=> FromZeros for $atomics [UnsafeCell<$primitives>]);
                 impl_for_transmute_from!(=> FromBytes for $atomics [UnsafeCell<$primitives>]);
+                impl_for_transmute_from!(=> TryFromBytes for $atomics [UnsafeCell<$primitives>]);
                 impl_for_transmute_from!(=> IntoBytes for $atomics [UnsafeCell<$primitives>]);
             )*
         };
@@ -425,8 +435,7 @@ mod atomics {
         ($($($tyvar:ident)? => $atomic:ty [$prim:ty]),*) => {{
             crate::util::macros::__unsafe();
 
-            use core::cell::UnsafeCell;
-            use crate::pointer::{SizeEq, TransmuteFrom, invariant::Valid};
+            use crate::pointer::{TransmuteFrom, invariant::Valid};
 
             $(
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
@@ -436,18 +445,18 @@ mod atomics {
                 // the same size and bit validity.
                 unsafe impl<$($tyvar)?> TransmuteFrom<$prim, Valid, Valid> for $atomic {}
 
-                impl<$($tyvar)?> SizeEq<$atomic> for $prim {
-                    type CastFrom = $crate::pointer::cast::CastSizedExact;
-                }
-                impl<$($tyvar)?> SizeEq<$prim> for $atomic {
-                    type CastFrom = $crate::pointer::cast::CastSizedExact;
-                }
-                impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
-                    type CastFrom = $crate::pointer::cast::CastSizedExact;
-                }
-                impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
-                    type CastFrom = $crate::pointer::cast::CastSizedExact;
-                }
+                // impl<$($tyvar)?> SizeEq<$atomic> for $prim {
+                //     type CastFrom = $crate::pointer::cast::CastSizedExact;
+                // }
+                // impl<$($tyvar)?> SizeEq<$prim> for $atomic {
+                //     type CastFrom = $crate::pointer::cast::CastSizedExact;
+                // }
+                // impl<$($tyvar)?> SizeEq<$atomic> for UnsafeCell<$prim> {
+                //     type CastFrom = $crate::pointer::cast::CastSizedExact;
+                // }
+                // impl<$($tyvar)?> SizeEq<UnsafeCell<$prim>> for $atomic {
+                //     type CastFrom = $crate::pointer::cast::CastSizedExact;
+                // }
 
                 // SAFETY: The caller promised that `$atomic` and `$prim` have
                 // the same bit validity. `UnsafeCell<T>` has the same bit
@@ -472,12 +481,11 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
-
-        impl_known_layout!(AtomicBool);
+        impl_layout_traits_for_atomics!(=> AtomicBool [bool], => AtomicU8[u8], => AtomicI8[i8]);
+        impl_validity_traits_for_atomics!(AtomicU8[u8], AtomicI8[i8]);
 
-        impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
         impl_for_transmute_from!(=> FromZeros for AtomicBool [UnsafeCell<bool>]);
+        impl_for_transmute_from!(=> TryFromBytes for AtomicBool [UnsafeCell<bool>]);
         impl_for_transmute_from!(=> IntoBytes for AtomicBool [UnsafeCell<bool>]);
 
         // SAFETY: Per [1], `AtomicBool`, `AtomicU8`, and `AtomicI8` have the
@@ -539,7 +547,8 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
+        impl_layout_traits_for_atomics!(=> AtomicU16[u16], => AtomicI16[i16]);
+        impl_validity_traits_for_atomics!(AtomicU16[u16], AtomicI16[i16]);
 
         // SAFETY: `AtomicU16` and `AtomicI16` have the same size and bit
         // validity as `u16` and `i16` respectively [1][2].
@@ -566,7 +575,8 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
+        impl_layout_traits_for_atomics!(=> AtomicU32[u32], => AtomicI32[i32]);
+        impl_validity_traits_for_atomics!(AtomicU32[u32], AtomicI32[i32]);
 
         // SAFETY: `AtomicU32` and `AtomicI32` have the same size and bit
         // validity as `u32` and `i32` respectively [1][2].
@@ -593,7 +603,8 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
+        impl_layout_traits_for_atomics!(=> AtomicU64[u64], => AtomicI64[i64]);
+        impl_validity_traits_for_atomics!(AtomicU64[u64], AtomicI64[i64]);
 
         // SAFETY: `AtomicU64` and `AtomicI64` have the same size and bit
         // validity as `u64` and `i64` respectively [1][2].
@@ -620,9 +631,8 @@ mod atomics {
 
         use super::*;
 
-        impl_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
-
-        impl_known_layout!(T => AtomicPtr<T>);
+        impl_layout_traits_for_atomics!(T => AtomicPtr<T> [*mut T], => AtomicUsize[usize], => AtomicIsize[isize]);
+        impl_validity_traits_for_atomics!(AtomicUsize[usize], AtomicIsize[isize]);
 
         // FIXME(#170): Implement `FromBytes` and `IntoBytes` once we implement
         // those traits for `*mut T`.
@@ -851,29 +861,30 @@ unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
     }
 
     #[inline]
-    fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool {
-        // The only way to implement this function is using an exclusive-aliased
-        // pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
-        // (other than by using `unsafe` code, which we can't use since we can't
-        // guarantee how our users are accessing or modifying the `UnsafeCell`).
-        //
-        // `is_bit_valid` is documented as panicking or failing to monomorphize
-        // if called with a shared-aliased pointer on a type containing an
-        // `UnsafeCell`. In practice, it will always be a monomorphization error.
-        // Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
-        // from this crate, we only need to worry about our own code incorrectly
-        // calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
-        // makes it easier to test that this is truly the case, and also means
-        // that if we make a mistake, it will cause downstream code to fail to
-        // compile, which will immediately surface the mistake and give us a
-        // chance to fix it quickly.
-        let c = candidate.into_exclusive_or_pme();
-
-        // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
-        // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
-        // is. Thus, this is a sound implementation of
-        // `UnsafeCell::is_bit_valid`.
-        T::is_bit_valid(c.get_mut())
+    fn is_bit_valid(candidate: Maybe<'_, Self>) -> bool {
+        T::is_bit_valid(candidate.transmute::<_, _, BecauseImmutable>())
+        // // The only way to implement this function is using an exclusive-aliased
+        // // pointer. `UnsafeCell`s cannot be read via shared-aliased pointers
+        // // (other than by using `unsafe` code, which we can't use since we can't
+        // // guarantee how our users are accessing or modifying the `UnsafeCell`).
+        // //
+        // // `is_bit_valid` is documented as panicking or failing to monomorphize
+        // // if called with a shared-aliased pointer on a type containing an
+        // // `UnsafeCell`. In practice, it will always be a monomorphization error.
+        // // Since `is_bit_valid` is `#[doc(hidden)]` and only called directly
+        // // from this crate, we only need to worry about our own code incorrectly
+        // // calling `UnsafeCell::is_bit_valid`. The post-monomorphization error
+        // // makes it easier to test that this is truly the case, and also means
+        // // that if we make a mistake, it will cause downstream code to fail to
+        // // compile, which will immediately surface the mistake and give us a
+        // // chance to fix it quickly.
+        // let c = candidate.into_exclusive_or_pme();
+
+        // // SAFETY: Since `UnsafeCell<T>` and `T` have the same layout and bit
+        // // validity, `UnsafeCell<T>` is bit-valid exactly when its wrapped `T`
+        // // is. Thus, this is a sound implementation of
+        // // `UnsafeCell::is_bit_valid`.
+        // T::is_bit_valid(c.get_mut())
     }
 }
 
@@ -902,11 +913,15 @@ unsafe impl<T: TryFromBytes + ?Sized> TryFromBytes for UnsafeCell<T> {
 const _: () = unsafe {
     unsafe_impl!(const N: usize, T: Immutable => Immutable for [T; N]);
     unsafe_impl!(const N: usize, T: TryFromBytes => TryFromBytes for [T; N]; |c| {
+        let c: Ptr<'_, [ReadOnly<T>; N], _> = c.cast::<_, crate::pointer::cast::CastSized, _>();
+        let c: Ptr<'_, [ReadOnly<T>], _> = c.as_slice();
+        let c: Ptr<'_, ReadOnly<[T]>, _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>();
+
         // Note that this call may panic, but it would still be sound even if it
         // did. `is_bit_valid` does not promise that it will not panic (in fact,
         // it explicitly warns that it's a possibility), and we have not
         // violated any safety invariants that we must fix before returning.
-        <[T] as TryFromBytes>::is_bit_valid(c.as_slice())
+        <[T] as TryFromBytes>::is_bit_valid(c)
     });
     unsafe_impl!(const N: usize, T: FromZeros => FromZeros for [T; N]);
     unsafe_impl!(const N: usize, T: FromBytes => FromBytes for [T; N]);
@@ -915,6 +930,8 @@ const _: () = unsafe {
     assert_unaligned!([(); 0], [(); 1], [u8; 0], [u8; 1]);
     unsafe_impl!(T: Immutable => Immutable for [T]);
     unsafe_impl!(T: TryFromBytes => TryFromBytes for [T]; |c| {
+        let c: Ptr<'_, [ReadOnly<T>], _> = c.cast::<_, crate::pointer::cast::CastUnsized, _>();
+
         // SAFETY: Per the reference [1]:
         //
         //   An array of `[T; N]` has a size of `size_of::<T>() * N` and the
@@ -1146,6 +1163,7 @@ mod tests {
     use super::*;
     use crate::pointer::invariant;
 
+    #[cfg(never)]
     #[test]
     fn test_impls() {
         // A type that can supply test cases for testing
 
@@ -1103,6 +1103,8 @@ const _: () = unsafe {
 pub const STRUCT_VARIANT_ID: i128 = -1;
 #[doc(hidden)]
 pub const UNION_VARIANT_ID: i128 = -2;
+#[doc(hidden)]
+pub const REPR_C_UNION_VARIANT_ID: i128 = -3;
 
 /// Projects a given field from `Self`.
 ///
@@ -1566,7 +1568,7 @@ pub unsafe trait TryFromBytes {
     /// [`UnsafeCell`]: core::cell::UnsafeCell
     /// [`Shared`]: invariant::Shared
     #[doc(hidden)]
-    fn is_bit_valid<A: invariant::Reference>(candidate: Maybe<'_, Self, A>) -> bool;
+    fn is_bit_valid(candidate: Maybe<'_, Self>) -> bool;
 
     /// Attempts to interpret the given `source` as a `&Self`.
     ///
@@ -2974,7 +2976,7 @@ unsafe fn try_read_from<S, T: TryFromBytes>(
     // via `c_ptr` so long as it is live, so we don't need to worry about the
     // fact that `c_ptr` may have more restricted validity than `candidate`.
     let c_ptr = unsafe { c_ptr.assume_validity::<invariant::Initialized>() };
-    let c_ptr = c_ptr.transmute();
+    let mut c_ptr = c_ptr.cast::<_, crate::pointer::cast::CastSized, _>();
 
     // Since we don't have `T: KnownLayout`, we hack around that by using
     // `Wrapping<T>`, which implements `KnownLayout` even if `T` doesn't.
@@ -2987,7 +2989,7 @@ unsafe fn try_read_from<S, T: TryFromBytes>(
     // `try_into_valid` (and thus `is_bit_valid`) with a shared pointer when
     // `Self: !Immutable`. Since `Self: Immutable`, this panic condition will
     // not happen.
-    if !Wrapping::<T>::is_bit_valid(c_ptr.forget_aligned()) {
+    if !Wrapping::<T>::is_bit_valid(c_ptr.reborrow_shared().forget_aligned()) {
         return Err(ValidityError::new(source).into());
     }
 
 
@@ -895,10 +895,8 @@ macro_rules! cryptocorrosion_derive_traits {
                 $($field_ty: $crate::FromBytes,)*
             )?
         {
-            fn is_bit_valid<A>(_c: $crate::Maybe<'_, Self, A>) -> bool
-            where
-                A: $crate::pointer::invariant::Reference
-            {
+            #[inline]
+            fn is_bit_valid(_c: $crate::Maybe<'_, Self>) -> bool {
                 // SAFETY: This macro only accepts `#[repr(C)]` and
                 // `#[repr(transparent)]` structs, and this `impl` block
                 // requires all field types to be `FromBytes`. Thus, all
@@ -1038,10 +1036,8 @@ macro_rules! cryptocorrosion_derive_traits {
                 $field_ty: $crate::FromBytes,
             )*
         {
-            fn is_bit_valid<A>(_c: $crate::Maybe<'_, Self, A>) -> bool
-            where
-                A: $crate::pointer::invariant::Reference
-            {
+            #[inline]
+            fn is_bit_valid(_c: $crate::Maybe<'_, Self>) -> bool {
                 // SAFETY: This macro only accepts `#[repr(C)]` unions, and this
                 // `impl` block requires all field types to be `FromBytes`.
                 // Thus, all initialized byte sequences constitutes valid
 
@@ -22,12 +22,14 @@ pub use {
     ptr::Ptr,
 };
 
+use crate::wrappers::ReadOnly;
+
 /// A shorthand for a maybe-valid, maybe-aligned reference. Used as the argument
 /// to [`TryFromBytes::is_bit_valid`].
 ///
 /// [`TryFromBytes::is_bit_valid`]: crate::TryFromBytes::is_bit_valid
 pub type Maybe<'a, T, Aliasing = invariant::Shared, Alignment = invariant::Unaligned> =
-    Ptr<'a, T, (Aliasing, Alignment, invariant::Initialized)>;
+    Ptr<'a, ReadOnly<T>, (Aliasing, Alignment, invariant::Initialized)>;
 
 /// Checks if the referent is zeroed.
 pub(crate) fn is_zeroed<T, I>(ptr: Ptr<'_, T, I>) -> bool
@@ -49,7 +51,7 @@ pub mod cast {
 
     use crate::{
         layout::{SizeInfo, TrailingSliceLayout},
-        HasField, KnownLayout, PtrInner,
+        HasField, KnownLayout, PtrInner, REPR_C_UNION_VARIANT_ID,
     };
 
     /// A pointer cast or projection.
@@ -313,6 +315,15 @@ pub mod cast {
         }
     }
 
+    // SAFETY: TODO
+    unsafe impl<W: ?Sized, F, const FIELD_ID: i128>
+        Cast<W, W::WrappedField> for WrappedProjection<W, F, { REPR_C_UNION_VARIANT_ID }, FIELD_ID>
+    where
+        W: Wrapped
+            + HasWrappedField<<<W as Wrapped>::Unwrapped as HasField<F, { REPR_C_UNION_VARIANT_ID }, FIELD_ID>>::Type>,
+        W::Unwrapped: HasField<F, { REPR_C_UNION_VARIANT_ID }, FIELD_ID>,
+    {}
+
     #[allow(missing_debug_implementations, missing_copy_implementations)]
     pub struct TransposeProjection<W: ?Sized, V: ?Sized> {
         _never: core::convert::Infallible,