Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add FromBytes::zero_and_get_bytes #2369

Draft
wants to merge 1 commit into
base: v0.8.x
Choose a base branch
from
+38 −0
Draft

Add FromBytes::zero_and_get_bytes #2369

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3453,6 +3453,44 @@ pub unsafe trait FromBytes: FromZeros {
where
Self: Sized;

/// Zeroes the bytes of `self` and returns them as a `&mut [u8]`.
///
/// This permits accessing the bytes of a type which may not implement
/// [`IntoBytes`] by first zeroing any padding bytes which would be unsound
/// to expose via [`IntoBytes::as_bytes`].
///
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's worth mentioning why this has to be on FromBytes and can't be on FromZeros? It's obvious to me but it could help solidify the concepts of the library to new users.

/// # Examples
///
/// TODO
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO

#[inline]
fn zero_and_get_bytes(&mut self) -> &mut [u8] {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Bikeshed name

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thoughts on the name:

  • zero_and_get_bytes is a good and clear name, though its length is right on that border of being verbose.
  • mut could be mentioned but is not necessary when the name zero implies mutation.
  • fn zero(&mut self) on FromZeros could yield &[u8] of all zeros, and that could be given the same name. I struggle to consider a situation where it's practically useful to have access to an all-zeros &[u8] with the same address as some &mut T, so 🤷🏻‍♀️

self.zero();

let len = mem::size_of_val(self);
let data: *mut Self = self;
let data = data.cast::<u8>();

// SAFETY:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps FromBytes::read_from_io could be refactored to use this in this PR, keeping the total number of unsafe the same and simplifying its implementation further. It still needs the one unsafe at the end.

// - `data` is non-null by invariant on `&mut self`.
// - `data` is valid for reads and writes of `len` bytes:
// - `data` refers to a block of `len` bytes within a single allocated
// object by invariant on `&mut self`
// - TODO: Others? https://doc.rust-lang.org/std/ptr/index.html#safety
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO

// - Thanks to the preceding `self.zero()`, it is guaranteed that `data`
// points to `len` bytes with the value `0u8`, which is a valid value
// for `u8`
// - Because `self: &mut Self`, `self` is guaranteed to be the only live
// reference to this data. Because `self` and the returned `&mut [u8]`
// have the same lifetime, `self` is guaranteed not to be live so long
// as the returned `&mut [u8]` is live, and thus it is the only
// reference which is permitted to access the referent bytes for the
// duration of its lifetime.
// - By invariant on `&mut self`, the referent is not larger than
// `isize::MAX` bytes, and the referent does not wrap around the
// address space
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: period consistency

unsafe { core::slice::from_raw_parts_mut(data, len) }
}

/// Interprets the given `source` as a `&Self`.
///
/// This method attempts to return a reference to `source` interpreted as a
Expand Down