Fix unsoundness in Metadata union API

Closes rkyv#586

This is a breaking change, but is necessary for soundness. I doubt
anyone is using this corner of the API in such a way that they can't fix
any breakages themselves.

Author: djkoloski

rkyv/src/de/pooling/mod.rs

@@ -51,25 +51,36 @@ impl<T: ?Sized> From<DynMetadata<T>> for Metadata {
     }
 }
 
+/// A type which can be extracted from `Metadata`.
+pub trait FromMetadata {
+    /// Extracts this type from [`Metadata`].
+    ///
+    /// # Safety
+    ///
+    /// The metadata must have been created by calling `Metadata::from` on a
+    /// value of this type.
+    unsafe fn from_metadata(metadata: Metadata) -> Self;
+}
+
 // These impls are sound because `Metadata` has the type-level invariant that
 // `From` will only be called on `Metadata` created from pointers with the
 // corresponding metadata.
 
-impl From<Metadata> for () {
-    fn from(value: Metadata) -> Self {
-        unsafe { value.unit }
+impl FromMetadata for () {
+    unsafe fn from_metadata(metadata: Metadata) -> Self {
+        unsafe { metadata.unit }
     }
 }
 
-impl From<Metadata> for usize {
-    fn from(value: Metadata) -> Self {
-        unsafe { value.usize }
+impl FromMetadata for usize {
+    unsafe fn from_metadata(metadata: Metadata) -> Self {
+        unsafe { metadata.usize }
     }
 }
 
-impl<T: ?Sized> From<Metadata> for DynMetadata<T> {
-    fn from(value: Metadata) -> Self {
-        unsafe { transmute::<DynMetadata<()>, DynMetadata<T>>(value.vtable) }
+impl<T: ?Sized> FromMetadata for DynMetadata<T> {
+    unsafe fn from_metadata(metadata: Metadata) -> Self {
+        unsafe { transmute::<DynMetadata<()>, DynMetadata<T>>(metadata.vtable) }
     }
 }
 
@@ -107,9 +118,11 @@ impl ErasedPtr {
     unsafe fn downcast_unchecked<T>(&self) -> *mut T
     where
         T: Pointee + ?Sized,
-        Metadata: Into<T::Metadata>,
+        T::Metadata: FromMetadata,
     {
-        from_raw_parts_mut(self.data_address.as_ptr(), self.metadata.into())
+        from_raw_parts_mut(self.data_address.as_ptr(), unsafe {
+            T::Metadata::from_metadata(self.metadata)
+        })
     }
 }
 
@@ -223,8 +236,7 @@ pub trait PoolingExt<E>: Pooling<E> {
     ) -> Result<*mut T, Self::Error>
     where
         T: ArchiveUnsized + Pointee + LayoutRaw + ?Sized,
-        T::Metadata: Into<Metadata>,
-        Metadata: Into<T::Metadata>,
+        T::Metadata: Into<Metadata> + FromMetadata,
         T::Archived: DeserializeUnsized<T, Self>,
         P: SharedPointer<T>,
         Self: Fallible<Error = E>,
@@ -233,7 +245,7 @@ pub trait PoolingExt<E>: Pooling<E> {
         unsafe fn drop_shared<T, P>(ptr: ErasedPtr)
         where
             T: Pointee + ?Sized,
-            Metadata: Into<T::Metadata>,
+            T::Metadata: FromMetadata,
             P: SharedPointer<T>,
         {
             unsafe { P::drop(ptr.downcast_unchecked::<T>()) }

rkyv/src/impls/alloc/rc/atomic.rs

@@ -5,7 +5,7 @@ use rancor::{Fallible, Source};
 
 use crate::{
     alloc::{alloc::alloc, boxed::Box, sync},
-    de::{Metadata, Pooling, PoolingExt as _, SharedPointer},
+    de::{FromMetadata, Metadata, Pooling, PoolingExt as _, SharedPointer},
     rc::{ArcFlavor, ArchivedRc, ArchivedRcWeak, RcResolver, RcWeakResolver},
     ser::{Sharing, Writer},
     traits::{ArchivePointee, LayoutRaw},
@@ -67,8 +67,7 @@ impl<T, D> Deserialize<sync::Arc<T>, D> for ArchivedRc<T::Archived, ArcFlavor>
 where
     T: ArchiveUnsized + LayoutRaw + Pointee + ?Sized + 'static,
     T::Archived: DeserializeUnsized<T, D>,
-    T::Metadata: Into<Metadata>,
-    Metadata: Into<T::Metadata>,
+    T::Metadata: Into<Metadata> + FromMetadata,
     D: Fallible + Pooling + ?Sized,
     D::Error: Source,
 {
@@ -139,8 +138,7 @@ where
         + Pointee // + ?Sized
         + 'static,
     T::Archived: DeserializeUnsized<T, D>,
-    T::Metadata: Into<Metadata>,
-    Metadata: Into<T::Metadata>,
+    T::Metadata: Into<Metadata> + FromMetadata,
     D: Fallible + Pooling + ?Sized,
     D::Error: Source,
 {

rkyv/src/impls/alloc/rc/mod.rs

@@ -8,7 +8,7 @@ use rancor::{Fallible, Source};
 
 use crate::{
     alloc::{alloc::alloc, boxed::Box, rc},
-    de::{Metadata, Pooling, PoolingExt as _, SharedPointer},
+    de::{FromMetadata, Metadata, Pooling, PoolingExt as _, SharedPointer},
     rc::{ArchivedRc, ArchivedRcWeak, RcFlavor, RcResolver, RcWeakResolver},
     ser::{Sharing, Writer},
     traits::{ArchivePointee, LayoutRaw},
@@ -70,8 +70,7 @@ impl<T, D> Deserialize<rc::Rc<T>, D> for ArchivedRc<T::Archived, RcFlavor>
 where
     T: ArchiveUnsized + LayoutRaw + Pointee + ?Sized + 'static,
     T::Archived: DeserializeUnsized<T, D>,
-    T::Metadata: Into<Metadata>,
-    Metadata: Into<T::Metadata>,
+    T::Metadata: Into<Metadata> + FromMetadata,
     D: Fallible + Pooling + ?Sized,
     D::Error: Source,
 {
@@ -136,8 +135,7 @@ where
         + Pointee // + ?Sized
         + 'static,
     T::Archived: DeserializeUnsized<T, D>,
-    T::Metadata: Into<Metadata>,
-    Metadata: Into<T::Metadata>,
+    T::Metadata: Into<Metadata> + FromMetadata,
     D: Fallible + Pooling + ?Sized,
     D::Error: Source,
 {

rkyv/src/impls/ext/triomphe_0_1.rs

@@ -8,7 +8,7 @@ use rancor::{Fallible, Source};
 use triomphe_0_1::Arc;
 
 use crate::{
-    de::{Metadata, Pooling, PoolingExt, SharedPointer},
+    de::{FromMetadata, Metadata, Pooling, PoolingExt, SharedPointer},
     rc::{ArchivedRc, Flavor, RcResolver},
     ser::{Sharing, Writer},
     Archive, ArchiveUnsized, Deserialize, DeserializeUnsized, Place, Serialize,
@@ -66,8 +66,7 @@ where
 impl<T, D> Deserialize<Arc<T>, D> for ArchivedRc<T::Archived, TriompheArcFlavor>
 where
     T: ArchiveUnsized + 'static,
-    T::Metadata: Into<Metadata>,
-    Metadata: Into<T::Metadata>,
+    T::Metadata: Into<Metadata> + FromMetadata,
     T::Archived: DeserializeUnsized<T, D>,
     D: Pooling + Fallible + ?Sized,
     D::Error: Source,