Make the Pod/NoUninit derive macros not use transmute, to be more robust against possible future relaxations transmute's size check.

[zachs18]

RFC 3844 is proposing relaxations to std::mem::transmute's semantics, and under some possible relaxations, bytemuck_derive's current usage of it to ensure soundness becomes insufficient¹.

This PR makes the Pod/NoUninit derive not use transmute, and instead emit a const _: () = assert! that ensures there is no padding in the type by asserting that the type's size is the same as the sum of the type's fields' sizes.

Concrete change: For the following source code:

use bytemuck::*;

#[derive(Debug, Clone, Copy, NoUninit)]
#[repr(C)]
struct Foo(u32, u16);

The Pod derive macros' no-padding check is changed from:

// expansion
const _: fn() = || {
    #[doc(hidden)]
    struct TypeWithoutPadding(
        [u8; ::core::mem::size_of::<u32>() + ::core::mem::size_of::<u16>()],
    );
    let _ = ::core::mem::transmute::<Foo, TypeWithoutPadding>;
};

// error
error[E0512]: cannot transmute between types of different sizes, or dependently-sized types
 --> src/lib.rs:3:40
  |
3 | #[derive(Debug, Clone, Copy, Zeroable, Pod)]
  |                                        ^^^
  |
  = note: source type: `Foo` (64 bits)
  = note: target type: `_::{closure#0}::TypeWithoutPadding` (48 bits)
  = note: this error originates in the derive macro `Pod` (in Nightly builds, run with -Z macro-backtrace for more info)

To this:

// expansion
const _: () = {
    assert!(
        ::core::mem::size_of::<Foo>() == (::core::mem::size_of::<u32>() + ::core::mem::size_of::<u16>()),
        "derive(Pod) was applied to a type with padding",
    );
};


// error
error[E0080]: evaluation of constant value failed
 --> src/lib.rs:3:40
  |
3 | #[derive(Debug, Clone, Copy, Zeroable, Pod)]
  |                                        ^^^ evaluation panicked: derive(Pod) was applied to a type with padding

(derive(NoUninit) is the same, but the assert message mentions NoUninit instead of Pod)

Footnotes

1. Currently, the derive macros only mention std::mem::transmute::<Foo, FooWithoutPadding>, they don't call it, and under at least the proposed "just have a const assert that the sizes are the same in the body of transmute" change, this would no longer be enough to ensure a compiler error if Type1 and Type2 have different sizes: playground link ↩

[Lokathor]

I think we should make it be a const eval error using a const block. Regardless of the string formatting being unavailable, it's the "most correct" check to perform, and if transmute isn't doing it implicitly then we should keep doing it ourselves explicitly.

[zachs18]

Latest push makes the derive macros emit a const assert instead of using transmute at all.

[Lokathor]

Seems good, so we should merge and publish as is, or is there more to do?

[zachs18]

I don't think there's anything else needed here; this should be good to publish

[Lokathor]

Published 1.10.1 of the derives