
Maybe: expose transmute_unchecked #772

@CAD97


Proposal

Problem statement

Sometimes code does need to do a transmute that involves generic types. Currently, the way to do so in user code is with transmute_copy or with a union:

use core::mem::{transmute_copy, ManuallyDrop};

// Variant 1: via transmute_copy, which reads size_of::<Dst>() bytes from the start of src.
pub const unsafe fn transmute_prefix<Src, Dst>(src: Src) -> Dst {
    // Wrap src so it is not dropped after its bytes have been copied out.
    let src = ManuallyDrop::new(src);
    // SAFETY: guaranteed by the caller
    unsafe { transmute_copy(&src) }
}

// Variant 2: via a union (an alternative to variant 1, not meant to coexist with it).
pub const unsafe fn transmute_prefix<Src, Dst>(src: Src) -> Dst {
    #[repr(packed)]
    union Transmute<Src, Dst> {
        src: ManuallyDrop<Src>,
        dst: ManuallyDrop<Dst>,
    }
    let u = Transmute { src: ManuallyDrop::new(src) };
    // SAFETY: guaranteed by the caller
    ManuallyDrop::into_inner(unsafe { u.dst })
}

This isn't really any safer than transmute_unchecked: if size_of::<Src>() < size_of::<Dst>(), it's still guaranteed UB, and if size_of::<Dst>() < size_of::<Src>(), reinterpreting a prefix of Src as Dst is still likely incorrect in a way that will cause UB. Furthermore, in the union case, forgetting the repr(packed) is easy but technically unsound.

Instead of libraries reimplementing transmute_prefix when they need it, we can provide a transmute_unchecked which does a const assertion that the sizes of Src and Dst are equal, providing a slightly safer-to-use API by catching a subset of possible errors at build time (post-monomorphization).

Motivating examples or use cases

The most obvious application is a const concat macro which combines two const strings or arrays into one combined string/array.

Note that zerocopy would not use this, as they do want to allow prefix transmutes.

Solution sketch

// core::mem
pub const unsafe fn transmute_unchecked<Src, Dst>(src: Src) -> Dst {
    const {
        assert!(
            size_of::<Src>() == size_of::<Dst>(),
            "cannot transmute between types of different sizes",
        );
    }
    // SAFETY: guaranteed by the caller
    unsafe { crate::intrinsics::transmute_unchecked(src) }
}

If accepted, I plan to make the PR to core.
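The sketch above calls the private `core::intrinsics::transmute_unchecked`, so it cannot be compiled outside of core as written. The following is an added example, not the ACP author's code or any std API: it builds the same size-checked `transmute_unchecked` on stable Rust from the union pattern shown under the problem statement, then uses it for the const array/string concatenation named as the motivating use case. The size check lives in an associated const (`SizeCheck::SAME_SIZE`), which is evaluated per instantiation just like the inline `const { assert!(..) }` block in the sketch and also compiles on toolchains that predate inline const blocks. `SizeCheck`, `concat_arrays`, `HELLO`, `HELLO_STR` and `u32_to_native_bytes` are this example's own names.

```rust
use core::marker::PhantomData;
use core::mem::{size_of, ManuallyDrop};

/// Evaluated only when `transmute_unchecked::<Src, Dst>` is instantiated, so a
/// size mismatch is a compile error for that instantiation (post-mono), the
/// same effect the proposal's inline `const { assert!(..) }` block has.
struct SizeCheck<Src, Dst>(PhantomData<(Src, Dst)>);

impl<Src, Dst> SizeCheck<Src, Dst> {
    const SAME_SIZE: () = assert!(
        size_of::<Src>() == size_of::<Dst>(),
        "cannot transmute between types of different sizes",
    );
}

/// User-side stand-in for the proposed `core::mem::transmute_unchecked`
/// (hypothetical; not the std API). Built on the union pattern from the
/// proposal instead of the private intrinsic.
///
/// # Safety
/// The bytes of `src` must be a valid `Dst`; only the size is checked here.
pub const unsafe fn transmute_unchecked<Src, Dst>(src: Src) -> Dst {
    // Forces evaluation of the associated const for this Src/Dst pair.
    let () = SizeCheck::<Src, Dst>::SAME_SIZE;

    #[repr(packed)]
    union Transmute<Src, Dst> {
        src: ManuallyDrop<Src>,
        dst: ManuallyDrop<Dst>,
    }
    let u = Transmute { src: ManuallyDrop::new(src) };
    // SAFETY: sizes are equal (checked above); bit-validity of `Dst` is the
    // caller's obligation, exactly as for `mem::transmute`.
    ManuallyDrop::into_inner(unsafe { u.dst })
}

/// Const concatenation of two arrays, the motivating use case from the ACP.
/// `N` must equal `A + B`; if it does not, the size check rejects the build.
pub const fn concat_arrays<T, const A: usize, const B: usize, const N: usize>(
    a: [T; A],
    b: [T; B],
) -> [T; N] {
    // repr(C) with two arrays of the same element type has no padding: the
    // second field starts at A * size_of::<T>(), which is already a multiple
    // of align_of::<T>(), so the total size is (A + B) * size_of::<T>().
    #[repr(C)]
    struct Pair<T, const A: usize, const B: usize>([T; A], [T; B]);
    // SAFETY: `Pair<T, A, B>` has the same size and layout as `[T; A + B]`, and
    // every element is a valid, initialised `T` moved in from `a` or `b`.
    unsafe { transmute_unchecked::<Pair<T, A, B>, [T; N]>(Pair(a, b)) }
}

// Constructed sample input: two byte-string literals joined at compile time.
pub const HELLO: &[u8; 11] = &concat_arrays(*b"hello ", *b"world");

// The same bytes as a `&'static str`, validated at compile time.
pub const HELLO_STR: &str = match core::str::from_utf8(HELLO) {
    Ok(s) => s,
    Err(_) => panic!("concatenated bytes are not UTF-8"),
};

/// A same-size, always-valid transmute (u32 -> [u8; 4]) to show the non-array path.
pub fn u32_to_native_bytes(x: u32) -> [u8; 4] {
    // SAFETY: every bit pattern of a u32 is a valid [u8; 4].
    unsafe { transmute_unchecked::<u32, [u8; 4]>(x) }
}

fn main() {
    println!("{}", HELLO_STR);
    assert_eq!(u32_to_native_bytes(0x0102_0304), 0x0102_0304u32.to_ne_bytes());
    // Uncommenting the next line fails to compile with
    // "cannot transmute between types of different sizes":
    // let _wrong: [u8; 12] = concat_arrays(*b"hello ", *b"world");
}
```

The commented-out line in `main` is the property the ACP is after: a wrong `N` is rejected when that instantiation is compiled, rather than silently reading or writing past the end of the value at runtime, which is what the transmute_copy and unchecked-union variants would do.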

Alternatives

  • Expose transmute_prefix which only tests size_of::<Dst>() <= size_of::<Src>() instead of or alongside a version that checks size equivalence.
  • Do nothing. Libraries that need it can implement it themselves or use a crate that provides transmute_unchecked/transmute_prefix.

Links and related work

What happens now?

This issue contains an API change proposal (or ACP) and is part of the libs-api team feature lifecycle. Once this issue is filed, the libs-api team will review open proposals as capability becomes available. Current response times do not have a clear estimate, but may be up to several months.

Possible responses

The libs team may respond in various different ways. First, the team will consider the problem (this doesn't require any concrete solution or alternatives to have been proposed):

  • We think this problem seems worth solving, and the standard library might be the right place to solve it.
  • We think that this probably doesn't belong in the standard library.

Second, if there's a concrete solution:

  • We think this specific solution looks roughly right, approved, you or someone else should implement this. (Further review will still happen on the subsequent implementation PR.)
  • We're not sure this is the right solution, and the alternatives or other materials don't give us enough information to be sure about that. Here are some questions we have that aren't answered, or rough ideas about alternatives we'd want to see discussed.

Labels: T-libs-api, api-change-proposal (a proposal to add or alter unstable APIs in the standard libraries)