Introduce ReadOnly<T> which is unconditionally Immutable

[joshlf]

In order to make this sound, we change the safety invariant on
Immutable to narrowly ban interior mutation. In other words, the
presence of UnsafeCells is acceptable so long as no interior mutation
is performed in practice.

While we're here, remove the final remaining references to Immutable's
old name, NoCell.

Makes progress on #2336
Closes #1760

---

• 　 [derive] Allow TryFromBytes on non-Immutable unions #2876
• 　 [WIP] Use ReadOnly in is_bit_valid #2873
• 　 [WIP] Wrapped projections #2919
• 👉 Introduce ReadOnly<T> which is unconditionally Immutable #2866

Latest Update: v61 — Compare vs v60

📚 Full Patch History

Links show the diff between the row version and the column version.

Version	v60	v59	v58	v57	v56	v55	v54	v53	v52	v51	v50	v49	v48	v47	v46	v45	v44	v43	v42	v41	v40	v39	v38	v37	v36	v35	v34	v33	v32	v31	v30	v29	v28	v27	v26	v25	v24	v23	v22	v21	v20	v19	v18	v17	v16	v15	v14	v13	v12	v11	v10	v9	v8	v7	v6	v5	v4	v3	v2	v1	Base
v61	v60	v59	v58	v57	v56	v55	v54	v53	v52	v51	v50	v49	v48	v47	v46	v45	v44	v43	v42	v41	v40	v39	v38	v37	v36	v35	v34	v33	v32	v31	v30	v29	v28	v27	v26	v25	v24	v23	v22	v21	v20	v19	v18	v17	v16	v15	v14	v13	v12	v11	v10	v9	v8	v7	v6	v5	v4	v3	v2	v1	Base
v60		v59																																																											Base
v59			v58																																																										Base
v58				v57																																																									Base
v57					v56																																																								Base
v56						v55																																																							Base
v55							v54																																																						Base
v54								v53																																																					Base
v53									v52																																																				Base
v52										v51																																																			Base
v51											v50																																																		Base
v50												v49																																																	Base
v49													v48																																																Base
v48														v47																																															Base
v47															v46																																														Base
v46																v45																																													Base
v45																	v44																																												Base
v44																		v43																																											Base
v43																			v42																																										Base
v42																				v41																																									Base
v41																					v40																																								Base
v40																						v39																																							Base
v39																							v38																																						Base
v38																								v37																																					Base
v37																									v36																																				Base
v36																										v35																																			Base
v35																											v34																																		Base
v34																												v33																																	Base
v33																													v32																																Base
v32																														v31																															Base
v31																															v30																														Base
v30																																v29																													Base
v29																																	v28																												Base
v28																																		v27																											Base
v27																																			v26																										Base
v26																																				v25																									Base
v25																																					v24																								Base
v24																																						v23																							Base
v23																																							v22																						Base
v22																																								v21																					Base
v21																																									v20																				Base
v20																																										v19																			Base
v19																																											v18																		Base
v18																																												v17																	Base
v17																																													v16																Base
v16																																														v15															Base
v15																																															v14														Base
v14																																																v13													Base
v13																																																	v12												Base
v12																																																		v11											Base
v11																																																			v10										Base
v10																																																				v9									Base
v9																																																					v8								Base
v8																																																						v7							Base
v7																																																							v6						Base
v6																																																								v5					Base
v5																																																									v4				Base
v4																																																										v3			Base
v3																																																											v2		Base
v2																																																												v1	Base
v1																																																													Base

[gemini-code-assist]

Summary of Changes

Hello @joshlf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new ReadOnly<T> wrapper type designed to enforce read-only access to its inner value, integrating it deeply into the existing type system for low-level memory and pointer manipulation. It also lays the groundwork for handling projections through wrapped types by defining new Wrapped and HasWrappedField traits, which are then implemented for ReadOnly<T> as well as standard library types like MaybeUninit and Wrapping. This work is currently in progress, as indicated by the [WIP] title and numerous TODO comments, signifying that further documentation and safety considerations are pending.

Highlights

• Introduction of ReadOnly: A new #[repr(transparent)] struct ReadOnly<T> is added, intended to provide a read-only view of an underlying type T. This wrapper is designed to integrate seamlessly with the existing type system for low-level memory and pointer manipulation.
• New Pointer Casting Traits: The src/pointer/mod.rs file introduces new unsafe traits, Wrapped and HasWrappedField, which are crucial for facilitating advanced casting and projection operations involving wrapped types. These traits define how to 'unwrap' a type and how to project fields within wrapped structures.
• Integration with Existing Type System: ReadOnly<T> is extensively integrated with various existing traits, including KnownLayout, Unaligned, TryFromBytes, FromZeros, FromBytes, IntoBytes, Immutable, SizeEq, and TransmuteFrom. It also implements the newly introduced Wrapped and HasWrappedField traits, ensuring its compatibility and utility within the framework.
• Standard Library Type Support: The new Wrapped and HasWrappedField traits are implemented for standard library types such as MaybeUninit<T> and Wrapping<T>, demonstrating their general applicability and laying the groundwork for consistent handling of wrapped data structures.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new ReadOnly<T> wrapper type. While it's a work in progress, there are two critical issues with the current implementation that need to be addressed. First, ReadOnly<T> incorrectly implements DerefMut, which contradicts its purpose and allows mutation of the wrapped data. Second, it has an unsound unconditional unsafe impl of the Immutable trait, which can lead to undefined behavior by violating one of the core safety invariants of zerocopy. I've provided detailed comments and suggestions for both of these critical issues.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.55%. Comparing base (dce155c) to head (1d2095f).

Files with missing lines	Patch %	Lines
src/wrappers.rs	0.00%	23 Missing ⚠️
src/lib.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2866      +/-   ##
==========================================
- Coverage   91.90%   91.55%   -0.36%     
==========================================
  Files          20       20              
  Lines        5883     5906      +23     
==========================================
  Hits         5407     5407              
- Misses        476      499      +23     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joshlf]

/gemini review

[gemini-code-assist]

Code Review

This pull request refactors the Immutable trait's safety invariant to focus on preventing interior mutation rather than strictly banning UnsafeCells. This change is reflected in updated documentation and the introduction of a new ReadOnly<T> wrapper type. The ReadOnly<T> wrapper ensures that a &ReadOnly<T> is genuinely read-only, making it unconditionally Immutable regardless of whether the wrapped T is. The changes also include renaming derive_no_cell to derive_immutable for consistency.

[joshlf]

Also need to update this comment on TryTransmuteFromPtr in transmute.rs:

///   - `Src: Immutable` and `Dst: Immutable`, and so `UnsafeCell`s trivially
///     cover the same byte ranges in both types.