On Wed Jun 3, 2026 at 2:10 AM BST, Danilo Krummrich wrote:
> Add a new ForLt trait as a base for CovariantForLt:
>
> - ForLt (non-unsafe): represents a type generic over a lifetime, with
> no covariance guarantee. Provides unsafe fn cast_ref_unchecked()
> for callers that can justify lifetime shortening via a round-trip
> safety argument.
>
> - CovariantForLt (unsafe): becomes a subtrait of ForLt that
> additionally proves the type is covariant over its lifetime
> parameter, providing a safe cast_ref() method.
>
> This split allows non-covariant types (e.g. types behind a Mutex) to
> implement ForLt and participate in DevresLt / registration data patterns
> where the round-trip argument suffices, without requiring a covariance
> proof that would fail to compile.
>
> The internal macro backend is split accordingly: ForLt! emits ForLtImpl
> (no covariance proof), CovariantForLt! emits CovariantForLtImpl (with
> compile-time covariance proof).
>
> No existing callers change; they all use CovariantForLt.
>
> Signed-off-by: Danilo Krummrich <[email protected]>
> ---
> rust/kernel/types.rs | 1 +
> rust/kernel/types/for_lt.rs | 101 ++++++++++++++++++++++++++++++------
> rust/macros/for_lt.rs | 50 ++++++++++++++----
> rust/macros/lib.rs | 19 ++++++-
> 4 files changed, 145 insertions(+), 26 deletions(-)
>
> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
> index cbe6907042d3..c1ed05d1046c 100644
> --- a/rust/kernel/types.rs
> +++ b/rust/kernel/types.rs
> @@ -14,6 +14,7 @@
> #[doc(hidden)]
> pub mod for_lt;
> pub use for_lt::CovariantForLt;
> +pub use for_lt::ForLt;
>
> /// Used to transfer ownership to and from foreign (non-Rust) languages.
> ///
> diff --git a/rust/kernel/types/for_lt.rs b/rust/kernel/types/for_lt.rs
> index ef510ab6c092..e1774b03dd1f 100644
> --- a/rust/kernel/types/for_lt.rs
> +++ b/rust/kernel/types/for_lt.rs
> @@ -1,17 +1,74 @@
> // SPDX-License-Identifier: Apache-2.0 OR MIT
>
> -//! Provide implementation and test of the `CovariantForLt` trait and macro.
> +//! Provide implementation and test of the `ForLt` and `CovariantForLt`
> traits and macros.
> //!
> -//! This module is hidden and user should just use `CovariantForLt!`
> directly.
> +//! This module is hidden and users should just use `ForLt!` /
> `CovariantForLt!` directly.
>
> use core::marker::PhantomData;
>
> /// Representation of types generic over a lifetime.
> ///
> -/// The type must be covariant over the generic lifetime, i.e. the lifetime
> parameter
> -/// can be soundly shortened.
> +/// # Macro
> +///
> +/// It is not recommended to implement this trait directly. `ForLt!` macro
> is provided to obtain a
> +/// type that implements this trait.
> +///
> +/// The full syntax is
> +///
> +/// ```
> +/// # use kernel::types::ForLt;
> +/// # fn expect_lt<F: ForLt>() {}
> +/// # struct TypeThatUse<'a>(&'a ());
> +/// # expect_lt::<
> +/// ForLt!(for<'a> TypeThatUse<'a>)
> +/// # >();
> +/// ```
> +///
> +/// which gives a type so that `<ForLt!(for<'a> TypeThatUse<'a>) as
> ForLt>::Of<'b>`
> +/// is `TypeThatUse<'b>`.
> +///
> +/// You may also use a short-hand syntax which works similar to lifetime
> elision.
> +/// The macro also accepts types that do not involve a lifetime at all.
> +///
> +/// ```
> +/// # use kernel::types::ForLt;
> +/// # fn expect_lt<F: ForLt>() {}
> +/// # struct TypeThatUse<'a>(&'a ());
> +/// # expect_lt::<
> +/// ForLt!(TypeThatUse<'_>) // Equivalent to `ForLt!(for<'a>
> TypeThatUse<'a>)`.
> +/// # >();
> +/// # expect_lt::<
> +/// ForLt!(&u32) // Equivalent to `ForLt!(for<'a> &'a u32)`.
> +/// # >();
> +/// # expect_lt::<
> +/// ForLt!(u32) // Equivalent to `ForLt!(for<'a> u32)`.
> +/// # >();
> +/// ```
> +pub trait ForLt {
> + /// The type parameterized by the lifetime.
> + type Of<'a>: 'a;
> +
> + /// Cast a reference to a shorter lifetime.
> + ///
> + /// # Safety
> + ///
> + /// The caller must ensure that the lifetime shortening is sound for
> their use case,
> + /// e.g. because the `'long` reference originated from a
> `'short`-to-`'static` transmute
> + /// and this is the reverse leg of that round-trip.
> + #[inline(always)]
> + unsafe fn cast_ref_unchecked<'r, 'short: 'r, 'long: 'short>(
> + long: &'r Self::Of<'long>,
> + ) -> &'r Self::Of<'short> {
> + // SAFETY: Caller guarantees the lifetime shortening is sound.
> + unsafe { core::mem::transmute(long) }
> + }
I think this method should just be gone.
> +}
> +pub use macros::ForLt;
> +
> +/// [`trait@ForLt`] subtrait for types that are covariant over their
> lifetime parameter.
> ///
> -/// The lifetime involved must be covariant.
> +/// Provides a safe [`cast_ref`](CovariantForLt::cast_ref) method for types
> that are proven to be
> +/// covariant. The `CovariantForLt!` macro syntax is the same as `ForLt!`.
> ///
> /// # Macro
> ///
> @@ -84,10 +141,7 @@
> /// # Safety
> ///
> /// `Self::Of<'a>` must be covariant over the lifetime `'a`.
> -pub unsafe trait CovariantForLt {
> - /// The type parameterized by the lifetime.
> - type Of<'a>: 'a;
> -
> +pub unsafe trait CovariantForLt: ForLt {
> /// Cast a reference to a shorter lifetime.
> #[inline(always)]
> fn cast_ref<'r, 'short: 'r, 'long: 'short>(long: &'r Self::Of<'long>) ->
> &'r Self::Of<'short> {
> @@ -97,27 +151,44 @@ fn cast_ref<'r, 'short: 'r, 'long: 'short>(long: &'r
> Self::Of<'long>) -> &'r Sel
> }
> pub use macros::CovariantForLt;
>
> -/// Helper type for the `CovariantForLt!` macro.
> +/// Helper type for the `ForLt!` macro.
> ///
> -/// Must only be used by the `CovariantForLt!` macro.
> +/// Must only be used by the `ForLt!` macro.
> ///
> /// `T` is the magic `dyn for<'a> WithLt<'a, TypeThatUse<'a>>` generated by
> macro.
> ///
> /// `WF` is a type that the macro can use to assert some specific type is
> well-formed.
> +#[doc(hidden)]
> +pub struct ForLtImpl<T: ?Sized, WF>(PhantomData<(WF, T)>);
The `N` is still needed for `ForLtImpl` in case there needs to be a
wellformedness check. Currently the macro emits a `struct` to serve
wellformedness-check purpose and a `fn` to check for covariance, and the first
part still needs to be kept (at least until Rust starts checking WF-ness for
`dyn`).
If you follow my suggestion in patch 1, you should be able to share macro impl
for `CovariantForLt` and `ForLt`, and just have a boolean to decide whether to
to emit the function that check for variance.
Best,
Gary
> +
> +/// Helper type for the `CovariantForLt!` macro.
> +///
> +/// Must only be used by the `CovariantForLt!` macro.
> +///
> +/// `T` and `WF` are the same as in [`ForLtImpl`].
> ///
> /// `N` is to provide the macro a place to emit arbitrary items, in case it
> needs to prove
> /// additional properties.
> #[doc(hidden)]
> pub struct CovariantForLtImpl<T: ?Sized, WF, const N:
> usize>(PhantomData<(WF, T)>);
>
> -// This is a helper trait for implementation `CovariantForLt` to be able to
> use HRTB.
> +// This is a helper trait for implementation `ForLt` to be able to use HRTB.
> #[doc(hidden)]
> pub trait WithLt<'a> {
> type Of: 'a;
> }
>
> -// SAFETY: In `CovariantForLt!` macro, a covariance proof is generated when
> naming
> -// `CovariantForLtImpl` and it will fail to evaluate if the type is not
> covariant.
> -unsafe impl<T: ?Sized + for<'a> WithLt<'a>, WF> CovariantForLt for
> CovariantForLtImpl<T, WF, 0> {
> +impl<T: ?Sized + for<'a> WithLt<'a>, WF> ForLt for ForLtImpl<T, WF> {
> + type Of<'a> = <T as WithLt<'a>>::Of;
> +}
> +
> +impl<T: ?Sized + for<'a> WithLt<'a>, WF, const N: usize> ForLt for
> CovariantForLtImpl<T, WF, N> {
> type Of<'a> = <T as WithLt<'a>>::Of;
> }
> +
> +// SAFETY: In `CovariantForLt!` macro, a covariance proof is generated in
> the `N` const generic
> +// and it will fail to evaluate if the type is not covariant.
> +unsafe impl<T: ?Sized + for<'a> WithLt<'a>, WF, const N: usize>
> CovariantForLt
> + for CovariantForLtImpl<T, WF, N>
> +{
> +}
> diff --git a/rust/macros/for_lt.rs b/rust/macros/for_lt.rs
> index 3cb094d00548..ad9809563fab 100644
> --- a/rust/macros/for_lt.rs
> +++ b/rust/macros/for_lt.rs
> @@ -176,8 +176,10 @@ fn prove(&mut self, ty: &'a Type) {
> }
> }
>
> -pub(crate) fn covariant_for_lt(input: HigherRankedType) -> TokenStream {
> - let (ty, lifetime) = match input {
> +/// Resolve the higher-ranked type into a concrete `(ty, lifetime)` pair,
> expanding elided
> +/// lifetimes as needed. Shared by both `for_lt` and `covariant_for_lt`.
> +fn resolve_hrt(input: HigherRankedType) -> (Type, Lifetime) {
> + match input {
> HigherRankedType::Explicit { lifetime, ty, .. } => (ty, lifetime),
> HigherRankedType::Implicit { ty } => {
> // If there's no explicit `for<'a>` binder, inject a synthetic
> `'__elided` lifetime
> @@ -188,7 +190,41 @@ pub(crate) fn covariant_for_lt(input: HigherRankedType)
> -> TokenStream {
> };
> (ty.expand_elided_lifetime(&lifetime), lifetime)
> }
> - };
> + }
> +}
> +
> +/// Produce the `'static`-substituted type for the WF check. Shared by both
> macros.
> +fn ty_static(ty: &Type, lifetime: &Lifetime) -> Type {
> + ty.replace_lifetime(
> + lifetime,
> + &Lifetime {
> + apostrophe: Span::mixed_site(),
> + ident: format_ident!("static"),
> + },
> + )
> +}
> +
> +pub(crate) fn for_lt(input: HigherRankedType) -> TokenStream {
> + let (ty, lifetime) = resolve_hrt(input);
> +
> + // Make sure that the type is wellformed when substituting lifetime with
> `'static`.
> + //
> + // Currently the Rust compiler doesn't check this, see the `ProveWf`
> documentation in
> + // `covariant_for_lt` below.
> + //
> + // We prefer to use this way of proving WF-ness as it can work when
> generics are involved.
> + let ty_static = ty_static(&ty, &lifetime);
> +
> + quote!(
> + ::kernel::types::for_lt::ForLtImpl::<
> + dyn for<#lifetime> ::kernel::types::for_lt::WithLt<#lifetime, Of
> = #ty>,
> + #ty_static,
> + >
> + )
> +}
> +
> +pub(crate) fn covariant_for_lt(input: HigherRankedType) -> TokenStream {
> + let (ty, lifetime) = resolve_hrt(input);
>
> let mut prover = Prover(&lifetime, Vec::new());
> prover.prove(&ty);
> @@ -226,13 +262,7 @@ fn #cov_proof_name<'__short, '__long: '__short>(
> // Currently the Rust compiler doesn't check this, see the above
> `ProveWf` documentation.
> //
> // We prefer to use this way of proving WF-ness as it can work when
> generics are involved.
> - let ty_static = ty.replace_lifetime(
> - &lifetime,
> - &Lifetime {
> - apostrophe: Span::mixed_site(),
> - ident: format_ident!("static"),
> - },
> - );
> + let ty_static = ty_static(&ty, &lifetime);
>
> quote!(
> ::kernel::types::for_lt::CovariantForLtImpl::<
> diff --git a/rust/macros/lib.rs b/rust/macros/lib.rs
> index 2167cb270928..e970769609f3 100644
> --- a/rust/macros/lib.rs
> +++ b/rust/macros/lib.rs
> @@ -491,11 +491,28 @@ pub fn kunit_tests(attr: TokenStream, input:
> TokenStream) -> TokenStream {
> .into()
> }
>
> -/// Obtain a type that implements [`CovariantForLt`] for the given
> higher-ranked type.
> +/// Obtain a type that implements [`ForLt`] for the given higher-ranked type.
> +///
> +/// Please refer to the documentation of the [`ForLt`] trait.
> +///
> +/// [`ForLt`]: trait.ForLt.html
> +#[proc_macro]
> +#[allow(non_snake_case)]
> +pub fn ForLt(input: TokenStream) -> TokenStream {
> + for_lt::for_lt(parse_macro_input!(input)).into()
> +}
> +
> +/// Obtain a type that implements [`CovariantForLt`] (and [`ForLt`]) for the
> given higher-ranked
> +/// type.
> +///
> +/// Unlike [`ForLt!`], this macro additionally proves that the type is
> covariant over the lifetime,
> +/// providing a safe [`CovariantForLt::cast_ref`] method.
> ///
> /// Please refer to the documentation of the [`CovariantForLt`] trait.
> ///
> /// [`CovariantForLt`]: trait.CovariantForLt.html
> +/// [`CovariantForLt::cast_ref`]: trait.CovariantForLt.html#method.cast_ref
> +/// [`ForLt`]: trait.ForLt.html
> #[proc_macro]
> #[allow(non_snake_case)]
> pub fn CovariantForLt(input: TokenStream) -> TokenStream {
