[WIP] TryFromBytes

TODO: How to support `project!` when `Projectable` is implemented
multiple times for `ByteArray`, `Align`, and `AlignedByteArray`?
If we only emit an impl for `AlignedByteArray`, everything is fine,
but once we emit the other two, type inference fails.

Makes progress on #5

Author: joshlf

src/derive_util.rs

@@ -62,3 +62,29 @@ macro_rules! union_has_padding {
         false $(|| core::mem::size_of::<$t>() != core::mem::size_of::<$ts>())*
     };
 }
+
+#[doc(hidden)]
+pub use project::project as __project;
+
+#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
+#[macro_export]
+macro_rules! impl_try_from_bytes {
+    ($ty:ty { $($f:tt: $f_ty:ty),* } $(=> $validation_method:ident)?) => {
+        #[allow(unused_qualifications)]
+        unsafe impl zerocopy::TryFromBytes for $ty {
+            fn is_bit_valid(bytes: &zerocopy::AlignedByteArray<Self>) -> bool {
+                true $(&& {
+                    let f: &zerocopy::AlignedByteArray<$f_ty>
+                        = zerocopy::derive_util::__project!(&bytes.$f);
+                    zerocopy::TryFromBytes::is_bit_valid(f)
+                })*
+                $(&& {
+                    let bytes_ptr: *const zerocopy::AlignedByteArray<Self> = bytes;
+                    let slf = unsafe { &*bytes_ptr.cast::<Self>() };
+                    // TODO: What about interior mutability?
+                    slf.$validation_method()
+                })?
+            }
+        }
+    }
+}

src/lib.rs

@@ -502,6 +502,98 @@ pub unsafe trait FromBytes: FromZeroes {
     }
 }
 
+/// TODO
+pub type AlignedByteArray<T> = Align<ByteArray<T>, T>;
+
+unsafe impl<T, F> Projectable<F, AlignedByteArray<F>> for AlignedByteArray<T> {
+    type Inner = T;
+}
+
+/// TODO
+pub unsafe trait TryFromBytes {
+    /// TODO
+    fn is_bit_valid(bytes: &AlignedByteArray<Self>) -> bool
+    where
+        Self: Sized;
+
+    /// TODO
+    // Note that, in a future in which we distinguish between `FromBytes` and `RefFromBytes`,
+    // this requires `where Self: RefFromBytes` to disallow interior mutability.
+    fn try_from_ref(bytes: &[u8]) -> Option<&Self>
+    where
+        Self: Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        let aligned = Align::try_from_ref(byte_array)?;
+
+        if Self::is_bit_valid(aligned) {
+            Some(unsafe { &*bytes.as_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_from_mut(bytes: &mut [u8]) -> Option<&mut Self>
+    where
+        Self: AsBytes + Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(&*bytes).ok()?;
+        let aligned = Align::try_from_ref(byte_array)?;
+
+        if Self::is_bit_valid(aligned) {
+            Some(unsafe { &mut *bytes.as_mut_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_read_from(bytes: &[u8]) -> Option<Self>
+    where
+        Self: Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        let aligned = Align::new(byte_array.clone());
+
+        if Self::is_bit_valid(&aligned) {
+            Some(unsafe { transmute_size_unchecked(aligned) })
+        } else {
+            None
+        }
+    }
+}
+
+unsafe impl<T: FromBytes> TryFromBytes for T {
+    fn is_bit_valid(_bytes: &AlignedByteArray<Self>) -> bool
+    where
+        Self: Sized,
+    {
+        true
+    }
+}
+
+mod try_from_bytes_derive_example {
+    use super::*;
+
+    struct Foo {
+        a: u8,
+        b: u16,
+    }
+
+    impl_try_from_bytes!(Foo { a: u8, b: u16 });
+
+    struct Bar(Foo);
+
+    impl Bar {
+        fn is_valid(&self) -> bool {
+            u16::from(self.0.a) < self.0.b
+        }
+    }
+
+    impl_try_from_bytes!(Bar { 0: Foo } => is_valid);
+}
+
 /// Types which are safe to treat as an immutable byte slice.
 ///
 /// WARNING: Do not implement this trait yourself! Instead, use
@@ -1543,21 +1635,9 @@ impl<T: Display + ?Sized, A> Display for Align<T, A> {
     }
 }
 
-unsafe impl<T: ?Sized, A> Projectable for Align<T, A> {
-    type Inner = T;
-    // SAFETY: We know that `U` can't be more aligned than `T` or else it
-    // couldn't be a field in `T`. Thus, any `U` within `Align<T, A>` is already
-    // aligned to `max(align_of::<U>(), align_of::<A>())`.
-    type Wrapped<U> = Align<U, A>;
-
-    fn foo(&self) -> *const T {
-        self as *const Self as *const T
-    }
-
-    fn foo_mut(&mut self) -> *mut T {
-        self as *mut Self as *mut T
-    }
-}
+// unsafe impl<T: ?Sized, F: ?Sized, A> Projectable<F, Align<F, A>> for Align<T, A> {
+//     type Inner = T;
+// }
 
 /// A type with no alignment requirement.
 ///
@@ -2171,18 +2251,9 @@ impl<T> Ord for ByteArray<T> {
     }
 }
 
-unsafe impl<T> Projectable for ByteArray<T> {
-    type Inner = T;
-    type Wrapped<U> = ByteArray<U>;
-
-    fn foo(&self) -> *const T {
-        self as *const Self as *const T
-    }
-
-    fn foo_mut(&mut self) -> *mut T {
-        self as *mut Self as *mut T
-    }
-}
+// unsafe impl<T, F> Projectable<F, ByteArray<F>> for ByteArray<T> {
+//     type Inner = T;
+// }
 
 // Used in `transmute!` below.
 #[doc(hidden)]
@@ -3668,6 +3739,21 @@ mod alloc_support {
 #[doc(inline)]
 pub use alloc_support::*;
 
+/// Transmutes a `T` into a `U`.
+///
+/// # Safety
+///
+/// Safety requirements are the same as for `core::mem::transmute`, except that
+/// the caller must also ensure that `size_of::<T>() == size_of::<U>()`.
+unsafe fn transmute_size_unchecked<T, U>(t: T) -> U {
+    union Transmute<T, U> {
+        t: ManuallyDrop<T>,
+        u: ManuallyDrop<U>,
+    }
+
+    unsafe { ManuallyDrop::into_inner(Transmute { t: ManuallyDrop::new(t) }.u) }
+}
+
 #[cfg(test)]
 mod tests {
     #![allow(clippy::unreadable_literal)]