[wip] Introduce InitializeIntoBytes

Supports viewing types with padding as `&impl IntoBytes` by first
zeroizing padding.

gherrit-pr-id: G156cc6c0b2e4340c970ae4e097c7f6afdb38158e

Author: jswrenn

src/byteorder.rs

@@ -505,6 +505,9 @@ example of how it can be used for parsing UDP packets.
             impl_or_verify!(O => Unaligned for $name<O>);
         };
 
+        #[cfg(not(any(feature = "derive", test)))]
+        impl_initialize_into_bytes!(O => $name<O>);
+
         impl<O> Default for $name<O> {
             #[inline(always)]
             fn default() -> $name<O> {

src/impls.rs

@@ -750,6 +750,13 @@ impl DstLayout {
     }
 }
 
+/*pub enum Fields {
+    Primitive,
+    Struct { fields: &'static [(usize, DstLayout)] },
+    Union { fields: &'static [(usize, DstLayout)] },
+    Enum,
+}*/
+
 pub(crate) use cast_from::CastFrom;
 mod cast_from {
     use crate::*;

src/layout.rs

@@ -5496,6 +5496,27 @@ fn mut_from_prefix_suffix<T: FromBytes + IntoBytes + KnownLayout + ?Sized>(
     Ok((slf.recall_validity::<_, (_, (_, _))>().as_mut(), prefix_suffix.as_mut()))
 }
 
+/// # Safety
+///
+/// TODO
+pub unsafe trait InitializeIntoBytes {
+    #[doc(hidden)]
+    fn only_derive_is_allowed_to_implement_this_trait()
+    where
+        Self: Sized;
+
+    #[doc(hidden)]
+    fn initialize_padding(
+        ptr: Ptr<'_, Self, (invariant::Exclusive, invariant::Unaligned, invariant::Valid)>,
+    );
+
+    /// Produce an [`IntoBytes`] reference to `Self` by initializing its
+    /// padding.
+    fn initialize_into_bytes(&mut self) -> &(impl IntoBytes + Immutable + ?Sized) {
+        &42
+    }
+}
+
 /// Analyzes whether a type is [`IntoBytes`].
 ///
 /// This derive analyzes, at compile time, whether the annotated type satisfies
@@ -5676,7 +5697,7 @@ pub use zerocopy_derive::IntoBytes;
     not(no_zerocopy_diagnostic_on_unimplemented_1_78_0),
     diagnostic::on_unimplemented(note = "Consider adding `#[derive(IntoBytes)]` to `{Self}`")
 )]
-pub unsafe trait IntoBytes {
+pub unsafe trait IntoBytes: InitializeIntoBytes {
     // The `Self: Sized` bound makes it so that this function doesn't prevent
     // `IntoBytes` from being object safe. Note that other `IntoBytes` methods
     // prevent object safety, but those provide a benefit in exchange for object

src/lib.rs

@@ -128,7 +128,18 @@ macro_rules! unsafe_impl {
             unsafe_impl!(@method $trait $(; |$candidate| $is_bit_valid)?);
         }
     }};
+    (@method InitializeIntoBytes ; |$slf:ident| $initialize_padding:expr) => {
+        #[allow(clippy::missing_inline_in_public_items, dead_code)]
+        #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
+        fn only_derive_is_allowed_to_implement_this_trait() {}
 
+        #[allow(unused_mut)]
+        #[inline(always)]
+        fn initialize_padding($slf: Ptr<'_, Self, (invariant::Exclusive, invariant::Unaligned, invariant::Valid)>)
+        {
+            $initialize_padding
+        }
+    };
     (@method TryFromBytes ; |$candidate:ident| $is_bit_valid:expr) => {
         #[allow(clippy::missing_inline_in_public_items, dead_code)]
         #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
@@ -174,6 +185,7 @@ macro_rules! impl_for_transmute_from {
         $(#[$attr:meta])*
         $($tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?)?
         => $trait:ident for $ty:ty [$repr:ty]
+        $(|$slf:ident| $b:block)*
     ) => {
         const _: () = {
             $(#[$attr])*
@@ -214,12 +226,20 @@ macro_rules! impl_for_transmute_from {
                     $(<$tyvar $(: $(? $optbound +)* $($bound +)*)?>)?
                     $trait for $ty [$repr]
                 );
+
+                impl_for_transmute_from!(
+                    @initialize_into_bytes
+                    $(<$tyvar $(: $(? $optbound +)* $($bound +)*)?>)?
+                    $trait for $ty [$repr]
+                    $(|$slf| $b)*
+                );
             }
         };
     };
     (@assert_is_supported_trait TryFromBytes) => {};
     (@assert_is_supported_trait FromZeros) => {};
     (@assert_is_supported_trait FromBytes) => {};
+    (@assert_is_supported_trait InitializeIntoBytes) => {};
     (@assert_is_supported_trait IntoBytes) => {};
     (
         @is_bit_valid
@@ -242,7 +262,29 @@ macro_rules! impl_for_transmute_from {
         $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
         $trait:ident for $ty:ty [$repr:ty]
     ) => {
-        // Trait other than `TryFromBytes`; no `is_bit_valid` impl.
+        // Other trait; no additional items.
+    };
+    (
+        @initialize_into_bytes
+        $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
+        InitializeIntoBytes for $ty:ty [$repr:ty]
+    ) => {
+        #[inline(always)]
+        fn initialize_padding(ptr: Ptr<'_, Self, (invariant::Exclusive, invariant::Unaligned, invariant::Valid)>)
+        {
+            let ptr = ptr.transmute::<$repr, _, (_, (_, _))>();
+            // SAFETY: This macro ensures that `$repr` and `Self` have the same
+            // size and bit validity. Thus, a bit-valid instance of `$repr` is
+            // also a bit-valid instance of `Self`.
+            <$repr as InitializeIntoBytes>::initialize_padding(ptr)
+        }
+    };
+    (
+        @initialize_into_bytes
+        $(<$tyvar:ident $(: $(? $optbound:ident $(+)?)* $($bound:ident $(+)?)* )?>)?
+        $trait:ident for $ty:ty [$repr:ty] $(|$slf:ident| $b:block)*
+    ) => {
+        // Other trait; no additional items.
     };
 }
 
@@ -525,6 +567,36 @@ macro_rules! unsafe_impl_known_layout {
     }};
 }
 
+macro_rules! impl_initialize_into_bytes {
+    ($(const $constvar:ident : $constty:ty, $tyvar:ident $(: ?$optbound:ident)? => $ty:ty),* $(,)?) => {
+        $(impl_initialize_into_bytes!(@inner const $constvar: $constty, $tyvar $(: ?$optbound)? => $ty);)*
+    };
+    ($($tyvar:ident $(: ?$optbound:ident)? => $ty:ty),* $(,)?) => {
+        $(impl_initialize_into_bytes!(@inner , $tyvar $(: ?$optbound)? => $ty);)*
+    };
+    ($($(#[$attrs:meta])* $ty:ty),*) => { $(impl_initialize_into_bytes!(@inner , => $(#[$attrs])* $ty);)* };
+    (@inner $(const $constvar:ident : $constty:ty)? , $($tyvar:ident $(: ?$optbound:ident)?)? => $(#[$attrs:meta])* $ty:ty) => {
+        const _: () = {
+            #[allow(non_local_definitions)]
+            $(#[$attrs])*
+            // SAFETY: TODO
+            unsafe impl<$($tyvar $(: ?$optbound)?)? $(, const $constvar : $constty)?> InitializeIntoBytes for $ty
+            where
+                Self: IntoBytes
+            {
+                #[allow(clippy::missing_inline_in_public_items)]
+                #[cfg_attr(all(coverage_nightly, __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS), coverage(off))]
+                fn only_derive_is_allowed_to_implement_this_trait() where Self: Sized {}
+
+                #[inline(always)]
+                fn initialize_padding(_: Ptr<'_, Self, (invariant::Exclusive, invariant::Unaligned, invariant::Valid)>) {
+                    // By invariant on `Self: IntoBytes`, values of type `Self` never contain padding.
+                }
+            }
+        };
+    };
+}
+
 /// Uses `align_of` to confirm that a type or set of types have alignment 1.
 ///
 /// Note that `align_of<T>` requires `T: Sized`, so this macro doesn't work for

src/util/macros.rs

@@ -656,6 +656,26 @@ mod len_of {
 
 pub(crate) use len_of::MetadataOf;
 
+#[doc(hidden)]
+#[inline(always)]
+pub const fn sort_fields<const N: usize>(mut arr: [(usize, usize); N]) -> [(usize, usize); N] {
+    let mut i = 0;
+    while i < N {
+        let mut j = 0;
+        while j + 1 < N - i {
+            if arr[j].0 > arr[j + 1].0 {
+                let temp = arr[j];
+                arr[j] = arr[j + 1];
+                arr[j + 1] = temp;
+            }
+            j += 1;
+        }
+        i += 1;
+    }
+
+    arr
+}
+
 /// Since we support multiple versions of Rust, there are often features which
 /// have been stabilized in the most recent stable release which do not yet
 /// exist (stably) on our MSRV. This module provides polyfills for those

src/util/mod.rs

@@ -153,6 +153,14 @@ const _: () = unsafe {
     );
     impl_or_verify!(T: FromZeros => FromZeros for Unalign<T>);
     impl_or_verify!(T: FromBytes => FromBytes for Unalign<T>);
+    impl_or_verify!(
+        T: InitializeIntoBytes => InitializeIntoBytes for Unalign<T>;
+        |c| {
+            let _ = c;
+            // TODO
+            //T::initialize_padding(c.transmute::<T, pointer::invariant::Valid, (pointer::BecauseMutationCompatible, _)>()
+        }
+    );
     impl_or_verify!(T: IntoBytes => IntoBytes for Unalign<T>);
 };
 
@@ -636,6 +644,14 @@ mod read_only_def {
     }
 
     impl<T: ?Sized> ReadOnly<T> {
+        /// TODO
+        #[inline(always)]
+        pub fn from_mut(t: &mut T) -> &mut ReadOnly<T> {
+            let ptr = crate::Ptr::from_mut(t).transmute::<Self, _, _>();
+            let ptr = unsafe { ptr.assume_alignment() };
+            ptr.as_mut()
+        }
+
         #[inline(always)]
         pub(crate) fn as_mut(r: &mut ReadOnly<T>) -> &mut T {
             // SAFETY: `r: &mut ReadOnly`, so this doesn't violate the invariant
@@ -675,6 +691,10 @@ const _: () = unsafe {
     );
     unsafe_impl!(T: ?Sized + FromZeros => FromZeros for ReadOnly<T>);
     unsafe_impl!(T: ?Sized + FromBytes => FromBytes for ReadOnly<T>);
+    unsafe_impl!(T: ?Sized + InitializeIntoBytes => InitializeIntoBytes for ReadOnly<T>; |slf| {
+        // TODO: Fix alignment.
+        T::initialize_padding(slf.transmute());
+    });
     unsafe_impl!(T: ?Sized + IntoBytes => IntoBytes for ReadOnly<T>);
 };
 

src/wrappers.rs

@@ -0,0 +1,150 @@
+use proc_macro2::{Span, TokenStream};
+use quote::quote;
+use syn::{Data, DataEnum, DataStruct, DataUnion, Error, Type};
+
+use crate::{
+    repr::{EnumRepr, StructUnionRepr},
+    util::{
+        generate_tag_enum, Ctx, DataExt, FieldBounds, ImplBlockBuilder, PaddingCheck, Trait,
+        TraitBound,
+    },
+    SelfBounds,
+};
+
+pub(crate) fn derive_initialize_into_bytes(
+    ctx: &Ctx,
+    top_level: Trait,
+) -> Result<TokenStream, Error> {
+    try_gen_trivial_initialize_into_bytes(ctx, top_level).map(Ok).unwrap_or_else(|| {
+        match &ctx.ast.data {
+            Data::Struct(strct) => derive_initialize_into_bytes_struct(ctx, strct),
+            Data::Enum(enm) => derive_initialize_into_bytes_enum(ctx, enm),
+            Data::Union(unn) => derive_initialize_into_bytes_union(ctx, unn),
+        }
+    })
+}
+
+fn try_gen_trivial_initialize_into_bytes(
+    ctx: &Ctx,
+    top_level: Trait,
+) -> Option<proc_macro2::TokenStream> {
+    // If the top-level trait is `IntoBytes`, `IntoBytes` derive will fail
+    // compilation if `Self` is not actually soundly `IntoBytes`, and so we can
+    // rely on that for our `zeroize` impl. It's plausible that we could
+    // make changes - or Rust could make changes (such as the "trivial bounds"
+    // language feature) - that make this no longer true. To hedge against
+    // these, we include an explicit `Self: IntoBytes` check in the generated
+    // `is_bit_valid`, which is bulletproof.
+    //
+    // If `ctx.skip_on_error` is true, we can't rely on the `IntoBytes` derive
+    // to fail compilation if `Self` is not actually soundly `IntoBytes`.
+    if matches!(top_level, Trait::IntoBytes)
+        && ctx.ast.generics.params.is_empty()
+        && !ctx.skip_on_error
+    {
+        let zerocopy_crate = &ctx.zerocopy_crate;
+        let core = ctx.core_path();
+
+        Some(
+            ImplBlockBuilder::new(
+                ctx,
+                &ctx.ast.data,
+                Trait::InitializeIntoBytes,
+                FieldBounds::ALL_SELF,
+            )
+            .self_type_trait_bounds(SelfBounds::All(&[Trait::IntoBytes]))
+            .inner_extras(quote!(
+                // SAFETY: See inline.
+                #[inline(always)]
+                fn initialize_padding(ptr: #zerocopy_crate::Ptr<'_, Self, (
+                    #zerocopy_crate::invariant::Exclusive,
+                    #zerocopy_crate::invariant::Unaligned,
+                    #zerocopy_crate::invariant::Valid)>
+                ) {
+                    if false {
+                        fn assert_is_into_bytes<T>()
+                        where
+                            T: #zerocopy_crate::IntoBytes,
+                            T: ?#core::marker::Sized,
+                        {
+                        }
+
+                        assert_is_into_bytes::<Self>();
+                    }
+                }
+            ))
+            .build(),
+        )
+    } else {
+        None
+    }
+}
+
+fn derive_initialize_into_bytes_struct(
+    ctx: &Ctx,
+    strct: &DataStruct,
+) -> Result<TokenStream, Error> {
+    let zerocopy_crate = &ctx.zerocopy_crate;
+    let core: TokenStream = ctx.core_path();
+
+    // TODO: This is just the default-repr sized case. We also need a
+
+    let field_offsets_and_layouts = ctx.ast.data.fields().into_iter().map(
+        |(_, name, ty)| quote!((#core::mem::offset_of!(Self, #name), #core::mem::size_of::<#ty>())),
+    );
+
+    let subfield_zeroizations = ctx.ast.data.fields().into_iter().map(|(_, name, ty)| {
+        quote! {{
+            // TODO: Need to also emit `AsInitialized`/`Valid` projection impls
+            // either here or in `TryFromBytes`.
+            let field = #zerocopy_crate::into_inner!(ptr.reborrow().project::<
+                _,
+                { #zerocopy_crate::STRUCT_VARIANT_ID },
+                { #zerocopy_crate::ident_id!(#name) }
+            >());
+            <#ty as #zerocopy_crate::InitializeIntoBytes>::initialize_padding(field);
+        }}
+    });
+
+    Ok(ImplBlockBuilder::new(ctx, &ctx.ast.data, Trait::InitializeIntoBytes, FieldBounds::ALL_SELF)
+        .self_type_trait_bounds(SelfBounds::All(&[Trait::Sized, Trait::TryFromBytes]))
+        .inner_extras(quote!(
+            // SAFETY: See inline. TODO
+            #[inline(always)]
+            fn initialize_padding(ptr: #zerocopy_crate::Ptr<'_, Self, (
+                #zerocopy_crate::invariant::Exclusive,
+                #zerocopy_crate::invariant::Unaligned,
+                #zerocopy_crate::invariant::Valid)>
+            ) {
+                let fields = &#zerocopy_crate::util::sort_fields([
+                    #(#field_offsets_and_layouts,)*
+                ])[..];
+
+                let mut start = 0;
+                while let [(offset, size), rest @ ..] = fields {
+                    fields = rest;
+
+                    // Zero-out any padding between `start` and the field.
+                    {
+                        let ptr = self as *mut _ as *mut u8;
+                        let ptr = unsafe { ptr.add(start) };
+                        unsafe { #core::ptr::write_bytes(ptr, 0, *offset) };
+                    }
+
+                    // Advance `start`.
+                    start += size;
+                }
+
+                #(#subfield_zeroizations)*
+            }
+        ))
+        .build())
+}
+
+fn derive_initialize_into_bytes_enum(ctx: &Ctx, enm: &DataEnum) -> Result<TokenStream, Error> {
+    todo!()
+}
+
+fn derive_initialize_into_bytes_union(ctx: &Ctx, unn: &DataUnion) -> Result<TokenStream, Error> {
+    todo!()
+}