[pointer] Match variance of references

joshlf · joshlf · commit 3ab2c004b1d8 · 2024-10-12T15:35:41.000-07:00
When the aliasing mode is `Any`, `Ptr<'a, T>` is invariant in `'a` and `T`. When the aliasing mode is `Shared` or `Exclusive`, `Ptr` has the same variance as `&'a T` and `&'a mut T` respectively. Makes progress on #1839
diff --git a/src/pointer/ptr.rs b/src/pointer/ptr.rs
@@ -56,6 +56,7 @@ mod def {
         ///    [`I::Validity`](invariant::Validity).
         // SAFETY: `PtrInner<'a, T>` is covariant over `'a` and `T`.
         ptr: PtrInner<'a, T>,
+        _variance: PhantomData<<I::Aliasing as Aliasing>::Variance<'a, T>>,
         _invariants: PhantomData<I>,
     }
 
@@ -93,7 +94,7 @@ mod def {
             let ptr = unsafe { PtrInner::new(ptr) };
             // SAFETY: The caller has promised (in 6 - 8) to satisfy all safety
             // invariants of `Ptr`.
-            Self { ptr, _invariants: PhantomData }
+            Self { ptr, _variance: PhantomData, _invariants: PhantomData }
         }
 
         /// Constructs a new `Ptr` from a [`PtrInner`].
@@ -111,7 +112,7 @@ mod def {
         pub(super) const unsafe fn from_inner(ptr: PtrInner<'a, T>) -> Ptr<'a, T, I> {
             // SAFETY: The caller has promised to satisfy all safety invariants
             // of `Ptr`.
-            Self { ptr, _invariants: PhantomData }
+            Self { ptr, _variance: PhantomData, _invariants: PhantomData }
         }
 
         /// Converts this `Ptr<T>` to a [`PtrInner<T>`].
@@ -152,6 +153,12 @@ pub mod invariant {
         /// Is `Self` [`Exclusive`]?
         #[doc(hidden)]
         const IS_EXCLUSIVE: bool;
+
+        /// A type which has the correct variance over `'a` and `T` for this
+        /// aliasing invariant. `Ptr` stores a `<I::Aliasing as
+        /// Aliasing>::Variance<'a, T>` to inherit this variance.
+        #[doc(hidden)]
+        type Variance<'a, T: 'a + ?Sized>;
     }
 
     /// The alignment invariant of a [`Ptr`][super::Ptr].
@@ -172,6 +179,16 @@ pub mod invariant {
     pub enum Any {}
     impl Aliasing for Any {
         const IS_EXCLUSIVE: bool = false;
+        // SAFETY: Since we don't know what aliasing model this is, we have to
+        // be conservative. Invariance is strictly more restrictive than any
+        // other variance model, so this can never cause soundness issues.
+        //
+        // `fn() -> T` and `fn(T) -> ()` are covariant and contravariant in `T`,
+        // respectively. [1] Thus, `fn(T) -> T` is invariant in `T`. Thus,
+        // `fn(&'a T) -> &'a T` is invariant in `'a` and `T`.
+        //
+        // [1] https://doc.rust-lang.org/1.81.0/reference/subtyping.html#variance
+        type Variance<'a, T: 'a + ?Sized> = fn(&'a T) -> &'a T;
     }
     impl Alignment for Any {}
     impl Validity for Any {}
@@ -188,6 +205,7 @@ pub mod invariant {
     pub enum Shared {}
     impl Aliasing for Shared {
         const IS_EXCLUSIVE: bool = false;
+        type Variance<'a, T: 'a + ?Sized> = &'a T;
     }
     impl Reference for Shared {}
 
@@ -199,6 +217,7 @@ pub mod invariant {
     pub enum Exclusive {}
     impl Aliasing for Exclusive {
         const IS_EXCLUSIVE: bool = true;
+        type Variance<'a, T: 'a + ?Sized> = &'a mut T;
     }
     impl Reference for Exclusive {}
 
