[WIP] TryFromBytes

TODO: How to support `project!` when `Projectable` is implemented
multiple times for `ByteArray`, `Align`, and `AlignedByteArray`?
If we only emit an impl for `AlignedByteArray`, everything is fine,
but once we emit the other two, type inference fails.

Makes progress on #5

Author: joshlf

src/derive_util.rs

@@ -62,3 +62,29 @@ macro_rules! union_has_padding {
         false $(|| core::mem::size_of::<$t>() != core::mem::size_of::<$ts>())*
     };
 }
+
+#[doc(hidden)]
+pub use project::project as __project;
+
+#[doc(hidden)] // `#[macro_export]` bypasses this module's `#[doc(hidden)]`.
+#[macro_export]
+macro_rules! impl_try_from_bytes {
+    ($ty:ty { $($f:tt: $f_ty:ty),* } $(=> $validation_method:ident)?) => {
+        #[allow(unused_qualifications)]
+        unsafe impl zerocopy::TryFromBytes for $ty {
+            fn is_bit_valid(bytes: &zerocopy::MaybeValid<Self>) -> bool {
+                true $(&& {
+                    let f: &zerocopy::MaybeValid<$f_ty>
+                        = zerocopy::derive_util::__project!(&bytes.$f);
+                    zerocopy::TryFromBytes::is_bit_valid(f)
+                })*
+                $(&& {
+                    let bytes_ptr: *const zerocopy::MaybeValid<Self> = bytes;
+                    let slf = unsafe { &*bytes_ptr.cast::<Self>() };
+                    // TODO: What about interior mutability?
+                    slf.$validation_method()
+                })?
+            }
+        }
+    }
+}

src/lib.rs

@@ -502,6 +502,196 @@ pub unsafe trait FromBytes: FromZeroes {
     }
 }
 
+/// TODO
+///
+/// # Safety
+///
+/// `AsMaybeUninit` must only be implemented for types which are `Sized` or
+/// whose last field is a slice whose element type is `Sized` (this includes
+/// slice types themselves; in a slice type, the "last field" simply refers to
+/// the slice itself).
+pub unsafe trait AsMaybeUninit {
+    /// TODO
+    ///
+    /// # Safety
+    ///
+    /// For `T: AsMaybeUninit`, the following must hold:
+    /// - Given `m: T::MaybeUninit`, it is sound to write uninitialized bytes at
+    ///   every byte offset in `m` (this description avoids the "what lengths
+    ///   are valid" problem)
+    /// - `T` and `T::MaybeUninit` have the same alignment requirement (can't
+    ///   use `align_of` to describe this because it requires that its argument
+    ///   is sized)
+    /// - `T` and `T::MaybeUninit` are either both `Sized` or both `!Sized`
+    /// - If they are `Sized`, `size_of::<T>() == size_of::<T::MaybeUninit>()`
+    /// - If they are `!Sized`, then they are both DSTs with a trailing slice.
+    ///   Given `t: &T` and `m: &T::MaybeUninit` with the same number of
+    ///   elements in their trailing slices, `size_of_val(t) == size_of_val(m)`.
+    type MaybeUninit: ?Sized;
+}
+
+unsafe impl<T: Sized> AsMaybeUninit for T {
+    type MaybeUninit = MaybeUninit<T>;
+}
+
+unsafe impl<T: Sized> AsMaybeUninit for [T] {
+    type MaybeUninit = [MaybeUninit<T>];
+}
+
+/// A value which might or might not constitute a valid instance of `T`.
+///
+/// `MaybeValid<T>` has the same layout (size and alignment) and field offsets
+/// as `T`. However, it may contain any bit pattern with a few restrictions:
+/// Given `m: MaybeValid<T>` and a byte offset, `b` in the range `[0,
+/// size_of::<MaybeValid<T>>())`:
+/// - If, in all valid instances `t: T`, the byte at offset `b` in `t` is
+///   initialized, then the byte at offset `b` within `m` is guaranteed to be
+///   initialized.
+/// - Let `s` be the sequence of bytes of length `b` in the offset range `[0,
+///   b)` in `m`. Let `TT` be the subset of valid instances of `T` which contain
+///   this sequence in the offset range `[0, b)`. If, for all instances of `t:
+///   T` in `TT`, the byte at offset `b` in `t` is initialized, then the byte at
+///   offset `b` in `m` is guaranteed to be initialized.
+///
+///   Pragmatically, this means that if `m` is guaranteed to contain an enum
+///   type at a particular offset, and the enum discriminant stored in `m`
+///   corresponds to a valid variant of that enum type, then it is guaranteed
+///   that the appropriate bytes of `m` are initialized as defined by that
+///   variant's layout (although note that the variant's layout may contain
+///   another enum type, in which case the same rules apply depending on the
+///   state of its discriminant, and so on recursively).
+///
+/// # Safety
+///
+/// TODO (make sure to mention enum layout)
+#[repr(transparent)]
+pub struct MaybeValid<T: AsMaybeUninit + ?Sized> {
+    inner: T::MaybeUninit,
+}
+
+impl<T> MaybeValid<T> {
+    /// TODO
+    pub const unsafe fn assume_valid(self) -> T {
+        unsafe { self.inner.assume_init() }
+    }
+}
+
+unsafe impl<T, F> Projectable<F, MaybeValid<F>> for MaybeValid<T> {
+    type Inner = T;
+}
+
+impl<T> From<ByteArray<T>> for MaybeValid<T> {
+    fn from(bytes: ByteArray<T>) -> MaybeValid<T> {
+        todo!()
+    }
+}
+
+impl<'a, T> From<&'a Align<ByteArray<T>, T>> for &'a MaybeValid<T> {
+    fn from(bytes: &'a Align<ByteArray<T>, T>) -> &'a MaybeValid<T> {
+        todo!()
+    }
+}
+
+impl<'a, T> From<&'a mut Align<ByteArray<T>, T>> for &'a mut MaybeValid<T> {
+    fn from(bytes: &'a mut Align<ByteArray<T>, T>) -> &'a mut MaybeValid<T> {
+        todo!()
+    }
+}
+
+impl<T> Debug for MaybeValid<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
+        f.pad(core::any::type_name::<Self>())
+    }
+}
+
+/// TODO
+pub unsafe trait TryFromBytes: AsMaybeUninit {
+    /// TODO
+    fn is_bit_valid(candidate: &MaybeValid<Self>) -> bool;
+
+    /// TODO
+    // Note that, in a future in which we distinguish between `FromBytes` and `RefFromBytes`,
+    // this requires `where Self: RefFromBytes` to disallow interior mutability.
+    fn try_from_ref(bytes: &[u8]) -> Option<&Self>
+    where
+        // TODO: Remove this bound.
+        Self: Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        let aligned = Align::try_from_ref(byte_array)?;
+
+        if Self::is_bit_valid(aligned.into()) {
+            Some(unsafe { &*bytes.as_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_from_mut(bytes: &mut [u8]) -> Option<&mut Self>
+    where
+        // TODO: Remove the `Sized` bound.
+        Self: AsBytes + Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(&*bytes).ok()?;
+        let aligned = Align::try_from_ref(byte_array)?;
+
+        if Self::is_bit_valid(aligned.into()) {
+            Some(unsafe { &mut *bytes.as_mut_ptr().cast::<Self>() })
+        } else {
+            None
+        }
+    }
+
+    /// TODO
+    fn try_read_from(bytes: &[u8]) -> Option<Self>
+    where
+        Self: Sized,
+        // TODO: Why can't Rust infer this based on the blanket impl for `T:
+        // Sized`? It sets `MaybeUninit = MaybeUninit<T>`, which is `Sized`.
+        <Self as AsMaybeUninit>::MaybeUninit: Sized,
+    {
+        let byte_array: &ByteArray<Self> = TryFrom::try_from(bytes).ok()?;
+        let maybe_valid = MaybeValid::from(byte_array.clone());
+
+        if Self::is_bit_valid(&maybe_valid) {
+            Some(unsafe { maybe_valid.assume_valid() })
+        } else {
+            None
+        }
+    }
+}
+
+unsafe impl<T: FromBytes> TryFromBytes for T {
+    fn is_bit_valid(_candidate: &MaybeValid<Self>) -> bool
+    where
+        Self: Sized,
+    {
+        true
+    }
+}
+
+mod try_from_bytes_derive_example {
+    use super::*;
+
+    struct Foo {
+        a: u8,
+        b: u16,
+    }
+
+    impl_try_from_bytes!(Foo { a: u8, b: u16 });
+
+    struct Bar(Foo);
+
+    impl Bar {
+        fn is_valid(&self) -> bool {
+            u16::from(self.0.a) < self.0.b
+        }
+    }
+
+    impl_try_from_bytes!(Bar { 0: Foo } => is_valid);
+}
+
 /// Types which are safe to treat as an immutable byte slice.
 ///
 /// WARNING: Do not implement this trait yourself! Instead, use
@@ -1543,21 +1733,9 @@ impl<T: Display + ?Sized, A> Display for Align<T, A> {
     }
 }
 
-unsafe impl<T: ?Sized, A> Projectable for Align<T, A> {
-    type Inner = T;
-    // SAFETY: We know that `U` can't be more aligned than `T` or else it
-    // couldn't be a field in `T`. Thus, any `U` within `Align<T, A>` is already
-    // aligned to `max(align_of::<U>(), align_of::<A>())`.
-    type Wrapped<U> = Align<U, A>;
-
-    fn foo(&self) -> *const T {
-        self as *const Self as *const T
-    }
-
-    fn foo_mut(&mut self) -> *mut T {
-        self as *mut Self as *mut T
-    }
-}
+// unsafe impl<T: ?Sized, F: ?Sized, A> Projectable<F, Align<F, A>> for Align<T, A> {
+//     type Inner = T;
+// }
 
 /// A type with no alignment requirement.
 ///
@@ -2171,18 +2349,9 @@ impl<T> Ord for ByteArray<T> {
     }
 }
 
-unsafe impl<T> Projectable for ByteArray<T> {
-    type Inner = T;
-    type Wrapped<U> = ByteArray<U>;
-
-    fn foo(&self) -> *const T {
-        self as *const Self as *const T
-    }
-
-    fn foo_mut(&mut self) -> *mut T {
-        self as *mut Self as *mut T
-    }
-}
+// unsafe impl<T, F> Projectable<F, ByteArray<F>> for ByteArray<T> {
+//     type Inner = T;
+// }
 
 // Used in `transmute!` below.
 #[doc(hidden)]