Fix UBs and make Miri happy

src/borrow.rs

@@ -52,3 +52,77 @@ impl<'a, T> DormantMutRef<'a, T> {
         unsafe { self.ptr.as_mut() }
     }
 }
+
+/// A "destroyable" immutable reference.
+///
+/// The Rust memory model [assumes][1] that all references passed as function arguments (including
+/// indirect ones, e.g., structure fields of function arguments) must _not_ be invalidated while
+/// the function is running.
+///
+/// [1]: https://github.com/rust-lang/miri/issues/3186#issuecomment-1826253846
+///
+/// However, this assumption is not necessarily true in certain cases. For example, when using
+/// [`DormantMutRef`], we may want to make sure that all derived references are indeed dead so that
+/// the dormant reference can be awakened. To do this, it is necessary to wrap the references in
+/// this destroyable type before passing it to a function, otherwise the references will be alive
+/// until the function returns.
+///
+/// By using this type, a reference is converted to a raw pointer, so no assumptions like the ones
+/// above are made. Meanwhile, the raw pointer can be safely converted back to the reference for
+/// use, since the lifetime is still properly tracked in the type.
+pub(super) struct DestroyableRef<'a, T> {
+    ptr: NonNull<T>,
+    _marker: PhantomData<&'a T>,
+}
+
+impl<'a, T> DestroyableRef<'a, T> {
+    /// Creates a destroyable reference from an immutable reference.
+    pub fn new(val: &'a T) -> Self {
+        DestroyableRef {
+            ptr: NonNull::from(val),
+            _marker: PhantomData,
+        }
+    }
+
+    /// Borrows the immutable reference.
+    pub fn borrow(&self) -> &'a T {
+        // SAFETY: `self` was converted from a value of `&'a T`.
+        unsafe { self.ptr.as_ref() }
+    }
+}
+
+/// A "destroyable" mutable reference.
+///
+/// For the rationale, see [`DestroyableRef`].
+pub(super) struct DestroyableMutRef<'a, T> {
+    ptr: NonNull<T>,
+    _marker: PhantomData<&'a mut T>,
+}
+
+impl<'a, T> DestroyableMutRef<'a, T> {
+    /// Creates a destroyable reference from an immutable reference.
+    pub fn new(val: &'a mut T) -> Self {
+        DestroyableMutRef {
+            ptr: NonNull::from(val),
+            _marker: PhantomData,
+        }
+    }
+
+    /// Borrows the mutable reference as an immutable reference.
+    pub fn borrow(&self) -> &T {
+        // SAFETY: `self` was converted from a value of `&'a mut T`.
+        unsafe { self.ptr.as_ref() }
+    }
+
+    /// Borrows the mutable reference.
+    pub fn borrow_mut(&mut self) -> &mut T {
+        // SAFETY: `self` was converted from a value of `&'a mut T`.
+        unsafe { self.ptr.as_mut() }
+    }
+
+    /// Moves the mutable reference out.
+    pub fn into(mut self) -> &'a mut T {
+        // SAFETY: `self` was converted from a value of `&'a mut T`.
+        unsafe { self.ptr.as_mut() }
+    }
+}

src/cursor.rs

@@ -2,8 +2,8 @@ use core::marker::PhantomData;
 
 use smallvec::SmallVec;
 
-use crate::borrow::DormantMutRef;
-use crate::entry::{ItemEntry, ItemRef, NodeMaybeMut, XEntry};
+use crate::borrow::{DestroyableMutRef, DestroyableRef, DormantMutRef};
+use crate::entry::{ItemEntry, NodeMaybeMut, XEntry};
 use crate::mark::XMark;
 use crate::node::XNode;
 use crate::xarray::{XArray, MAX_HEIGHT, SLOT_SIZE};
@@ -43,11 +43,11 @@ where
 {
     Inactive(PhantomData<O>),
     AtNode {
-        node: &'a XNode<I>,
+        node: DestroyableRef<'a, XNode<I>>,
         operation_offset: u8,
     },
     AtNodeMut {
-        node: &'a mut XNode<I>,
+        node: DestroyableMutRef<'a, XNode<I>>,
         operation_offset: u8,
     },
 }
@@ -62,7 +62,7 @@ impl<'a, I: ItemEntry, O: Operation> CursorState<'a, I, O> {
     fn move_to(&mut self, node: &'a XNode<I>, index: u64) {
         let operation_offset = node.entry_offset(index);
         *self = Self::AtNode {
-            node,
+            node: DestroyableRef::new(node),
             operation_offset,
         };
     }
@@ -72,7 +72,7 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadWrite> {
     fn move_to_mut(&mut self, node: &'a mut XNode<I>, index: u64) {
         let operation_offset = node.entry_offset(index);
         *self = Self::AtNodeMut {
-            node,
+            node: DestroyableMutRef::new(node),
             operation_offset,
         };
     }
@@ -91,11 +91,11 @@ impl<'a, I: ItemEntry, O: Operation> CursorState<'a, I, O> {
             Self::AtNode {
                 node,
                 operation_offset,
-            } => Some((node, operation_offset)),
+            } => Some((node.borrow(), operation_offset)),
             Self::AtNodeMut {
                 node,
                 operation_offset,
-            } => Some((node, operation_offset)),
+            } => Some((node.into(), operation_offset)),
             Self::Inactive(..) => None,
         }
     }
@@ -107,7 +107,7 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadWrite> {
             Self::AtNodeMut {
                 node,
                 operation_offset,
-            } => Some((node, operation_offset)),
+            } => Some((node.into(), operation_offset)),
             Self::Inactive(..) | Self::AtNode { .. } => None,
         }
     }
@@ -117,11 +117,11 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadWrite> {
             Self::AtNode {
                 node,
                 operation_offset,
-            } => Some((NodeMaybeMut::Shared(node), operation_offset)),
+            } => Some((NodeMaybeMut::Shared(node.borrow()), operation_offset)),
             Self::AtNodeMut {
                 node,
                 operation_offset,
-            } => Some((NodeMaybeMut::Exclusive(node), operation_offset)),
+            } => Some((NodeMaybeMut::Exclusive(node.into()), operation_offset)),
             Self::Inactive(..) => None,
         }
     }
@@ -133,7 +133,7 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadOnly> {
             Self::AtNode {
                 node,
                 operation_offset,
-            } => Some((*node, *operation_offset)),
+            } => Some((node.borrow(), *operation_offset)),
             Self::Inactive(..) | Self::AtNodeMut { .. } => None,
         }
     }
@@ -145,11 +145,11 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadWrite> {
             Self::AtNode {
                 node,
                 operation_offset,
-            } => Some((*node, *operation_offset)),
+            } => Some((node.borrow(), *operation_offset)),
             Self::AtNodeMut {
                 node,
                 operation_offset,
-            } => Some((*node, *operation_offset)),
+            } => Some((node.borrow(), *operation_offset)),
             Self::Inactive(..) => None,
         }
     }
@@ -159,7 +159,7 @@ impl<'a, I: ItemEntry> CursorState<'a, I, ReadWrite> {
             Self::AtNodeMut {
                 node,
                 operation_offset,
-            } => Some((*node, *operation_offset)),
+            } => Some((node.borrow_mut(), *operation_offset)),
             Self::Inactive(..) | Self::AtNode { .. } => None,
         }
     }
@@ -175,8 +175,8 @@ impl<'a, I: ItemEntry, O: Operation> CursorState<'a, I, O> {
 
     fn is_leaf(&self) -> bool {
         match self {
-            Self::AtNodeMut { node, .. } => node.is_leaf(),
-            Self::AtNode { node, .. } => node.is_leaf(),
+            Self::AtNodeMut { node, .. } => node.borrow().is_leaf(),
+            Self::AtNode { node, .. } => node.borrow().is_leaf(),
             Self::Inactive(..) => false,
         }
     }
@@ -274,9 +274,9 @@ impl<'a, I: ItemEntry, M: Into<XMark>> Cursor<'a, I, M> {
 
     /// Loads the item at the target index.
     ///
-    /// If the target item exists, this method will return a [`ItemRef`] that acts exactly like a
-    /// `&'a I` wrapped in `Some(_)`. Otherwises, it will return `None`.
-    pub fn load(&mut self) -> Option<ItemRef<'a, I>> {
+    /// If the target item exists, this method will return a [`ItemEntry::Ref`] that acts exactly
+    /// like a `&'a I` wrapped in `Some(_)`. Otherwises, it will return `None`.
+    pub fn load(&mut self) -> Option<I::Ref<'a>> {
         self.traverse_to_target();
         self.state
             .as_node()
@@ -500,9 +500,9 @@ impl<'a, I: ItemEntry, M: Into<XMark>> CursorMut<'a, I, M> {
 
     /// Loads the item at the target index.
     ///
-    /// If the target item exists, this method will return a [`ItemRef`] that acts exactly like a
-    /// `&'_ I` wrapped in `Some(_)`. Otherwises, it will return `None`.
-    pub fn load(&mut self) -> Option<ItemRef<'_, I>> {
+    /// If the target item exists, this method will return a [`ItemEntry::Ref`] that acts exactly
+    /// like a `&'_ I` wrapped in `Some(_)`. Otherwises, it will return `None`.
+    pub fn load(&mut self) -> Option<I::Ref<'_>> {
         self.traverse_to_target();
         self.state
             .as_node()

src/entry.rs

@@ -8,76 +8,137 @@ use crate::node::{TryClone, XNode};
 
 /// A trait for the types users wish to store in an `XArray`.
 ///
-/// Items stored in an `XArray` must be representable by a `usize` aligned to 4.
+/// Items stored in an `XArray` must be representable by a `*const ()` aligned to 4. We prefer
+/// `*const ()` than `usize` to make the implementation conform to [Strict Provenance][1].
+///
+///  [1]: https://doc.rust-lang.org/std/ptr/index.html#strict-provenance
 ///
 /// # Safety
 ///
-/// Users must ensure that `into_raw()` always produce `usize`s that meet the above alignment
-/// requirements.
+/// Users must ensure that [`ItemEntry::into_raw`] always produce `*const ()`s that meet the above
+/// alignment requirements.
 ///
-/// Users must also ensure that as long as the value does not get dropped (e.g., by making use of
-/// [`core::mem::ManuallyDrop`]), it is legal to invoke [`ItemEntry::from_raw`] multiple times on
-/// the raw `usize` produced by invoking [`ItemEntry::into_raw`] only one time.
+/// Users must also ensure that as long as the value does not get dropped (e.g., by dropping the
+/// value obtaining from [`ItemEntry::from_raw`]), it is safe to invoke [`ItemEntry::raw_as_ref`]
+/// multiple times to obtain values of [`ItemEntry::Ref`] that behave just like shared references
+/// to the underleying data.
 pub unsafe trait ItemEntry {
-    /// Converts the original value into a `usize`, consuming the ownership of the original value.
-    fn into_raw(self) -> usize;
+    /// A type that behaves just like a shared references to the underleying data.
+    type Ref<'a>: Deref<Target = Self>
+    where
+        Self: 'a;
+
+    /// Converts the original value into a `*const ()`, consuming the ownership of the original
+    /// value.
+    fn into_raw(self) -> *const ();
+
+    /// Recovers the original value from a `*const ()`, reclaiming the ownership of the original
+    /// value.
+    ///
+    /// # Safety
+    ///
+    /// The original value must have not been dropped, and all references obtained from
+    /// [`ItemEntry::raw_as_ref`] must be dead.
+    unsafe fn from_raw(raw: *const ()) -> Self;
 
-    /// Recovers the original value from a `usize`, reclaiming the ownership of the original value.
+    /// Obtains a shared reference to the original value.
     ///
     /// # Safety
     ///
-    /// The original value must have not been dropped, and the raw value must be previously
-    /// returned by [`ItemEntry::into_raw`].
-    unsafe fn from_raw(raw: usize) -> Self;
+    /// The original value must outlive the lifetime parameter `'a`, and during `'a` no mutable
+    /// references to the value will exist.
+    unsafe fn raw_as_ref<'a>(raw: *const ()) -> Self::Ref<'a>;
+}
+
+/// A type that represents `&'a Arc<T>`.
+#[derive(PartialEq, Debug)]
+pub struct ArcRef<'a, T> {
+    inner: ManuallyDrop<Arc<T>>,
+    _marker: PhantomData<&'a Arc<T>>,
+}
+
+impl<'a, T> Deref for ArcRef<'a, T> {
+    type Target = Arc<T>;
+
+    fn deref(&self) -> &Self::Target {
+        &*self.inner
+    }
 }
 
 // SAFETY: `Arc<T>` meets the safety requirements of `ItemEntry`.
 unsafe impl<T> ItemEntry for Arc<T> {
-    fn into_raw(self) -> usize {
-        let raw_ptr = Arc::into_raw(self);
-        raw_ptr as usize
-    }
+    type Ref<'a> = ArcRef<'a, T> where Self: 'a;
+
+    fn into_raw(self) -> *const () {
+        // A contant expression, so compilers should be smart enough to optimize it away.
+        assert!((core::mem::align_of::<T>() & XEntry::<Self>::TYPE_MASK) == 0);
 
-    // SAFETY: `Arc::<T>::from_raw` and `Arc::<T>::into_raw` meet the safety requirements of
-    // `ItemEntry::from_raw`.
-    unsafe fn from_raw(raw: usize) -> Self {
-        unsafe { Arc::from_raw(raw as *mut _) }
+        Arc::into_raw(self).cast()
     }
-}
 
-// SAFETY: `Box<T>` meets the safety requirements of `ItemEntry`.
-unsafe impl<T> ItemEntry for Box<T> {
-    fn into_raw(self) -> usize {
-        let raw_ptr = Box::into_raw(self);
-        raw_ptr as usize
+    unsafe fn from_raw(raw: *const ()) -> Self {
+        // SAFETY: By the safety requirements of `ItemEntry::from_raw`, the original value has not
+        // been dropped and there are no outstanding references to it. Thus, the ownership of the
+        // original value can be taken.
+        unsafe { Arc::from_raw(raw.cast()) }
     }
 
-    // SAFETY: `Box::<T>::from_raw` and `Box::<T>::into_raw` meet the safety requirements of
-    // `ItemEntry::from_raw`.
-    unsafe fn from_raw(raw: usize) -> Self {
-        unsafe { Box::from_raw(raw as *mut _) }
+    unsafe fn raw_as_ref<'a>(raw: *const ()) -> Self::Ref<'a> {
+        // SAFETY: By the safety requirements of `ItemEntry::raw_as_ref`, the original value
+        // outlives the lifetime parameter `'a` and during `'a` no mutable references to it can
+        // exist. Thus, a shared reference to the original value can be created.
+        unsafe {
+            ArcRef {
+                inner: ManuallyDrop::new(Arc::from_raw(raw.cast())),
+                _marker: PhantomData,
+            }
+        }
     }
 }
 
-/// A type that behaves exactly the same as `&I`.
-///
-/// This works around some implementation limitations where `&I` must be returned, but it is not
-/// technically possible because the memory bits of the value are complexly encoded. Therefore a
-/// wrapper type that represents `&I` comes to the rescue.
+/// A type that represents `&'a Box<T>`.
 #[derive(PartialEq, Debug)]
-pub struct ItemRef<'a, I>
-where
-    I: ItemEntry,
-{
-    item: ManuallyDrop<I>,
-    _marker: PhantomData<&'a I>,
+pub struct BoxRef<'a, T> {
+    inner: *mut T,
+    _marker: PhantomData<&'a Box<T>>,
 }
 
-impl<'a, I: ItemEntry> Deref for ItemRef<'a, I> {
-    type Target = I;
+impl<'a, T> Deref for BoxRef<'a, T> {
+    type Target = Box<T>;
 
-    fn deref(&self) -> &I {
-        &*self.item
+    fn deref(&self) -> &Self::Target {
+        // SAFETY: A `Box<T>` is guaranteed to be represented by a single pointer [1] and a shared
+        // reference to the `Box<T>` during the lifetime `'a` can be created according to the
+        // safety requirements of `ItemEntry::raw_as_ref`.
+        //
+        // [1]: https://doc.rust-lang.org/std/boxed/#memory-layout
+        unsafe { core::mem::transmute(&self.inner) }
+    }
+}
+
+// SAFETY: `Box<T>` meets the safety requirements of `ItemEntry`.
+unsafe impl<T> ItemEntry for Box<T> {
+    type Ref<'a> = BoxRef<'a, T> where Self: 'a;
+
+    fn into_raw(self) -> *const () {
+        // A contant expression, so compilers should be smart enough to optimize it away.
+        assert!((core::mem::align_of::<T>() & XEntry::<Self>::TYPE_MASK) == 0);
+
+        Box::into_raw(self).cast_const().cast()
+    }
+
+    unsafe fn from_raw(raw: *const ()) -> Self {
+        // SAFETY: By the safety requirements of `ItemEntry::from_raw`, the original value has not
+        // been dropped and there are no outstanding references to it. Thus, the ownership of the
+        // original value can be taken.
+        unsafe { Box::from_raw(raw.cast_mut().cast()) }
+    }
+
+    unsafe fn raw_as_ref<'a>(raw: *const ()) -> Self::Ref<'a> {
+        BoxRef {
+            inner: raw.cast_mut().cast(),
+            _marker: PhantomData,
+        }
     }
 }
 
@@ -99,7 +160,7 @@ pub(super) struct XEntry<I>
 where
     I: ItemEntry,
 {
-    raw: usize,
+    raw: *const (),
     _marker: core::marker::PhantomData<(Arc<XNode<I>>, I)>,
 }
 
@@ -126,33 +187,36 @@ impl<I: ItemEntry> XEntry<I> {
     const TYPE_MASK: usize = 3;
 
     pub const EMPTY: Self = Self {
-        raw: 0,
+        raw: core::ptr::null(),
         _marker: PhantomData,
     };
 
     // SAFETY: `ptr` must be returned from `Arc::<XNode<I>>::into_raw` or `I::into_raw` and be
     // consistent with `ty`. In addition, the ownership of the value of `Arc<XNode<I>>` or `I` must
     // be transferred to the constructed instance of `XEntry`.
-    unsafe fn new(ptr: usize, ty: EntryType) -> Self {
-        debug_assert!(ptr & Self::TYPE_MASK == 0);
+    unsafe fn new(ptr: *const (), ty: EntryType) -> Self {
+        let raw = ptr.map_addr(|addr| {
+            debug_assert!(addr & Self::TYPE_MASK == 0);
+            addr | (ty as usize)
+        });
         Self {
-            raw: ptr | (ty as usize),
+            raw,
             _marker: PhantomData,
         }
     }
 
-    fn ptr(&self) -> usize {
-        self.raw & !Self::TYPE_MASK
+    fn ptr(&self) -> *const () {
+        self.raw.map_addr(|addr| addr & !Self::TYPE_MASK)
     }
 
     fn ty(&self) -> Option<EntryType> {
         self.is_null()
             .not()
-            .then(|| (self.raw & Self::TYPE_MASK).try_into().unwrap())
+            .then(|| (self.raw.addr() & Self::TYPE_MASK).try_into().unwrap())
     }
 
     pub fn is_null(&self) -> bool {
-        self.raw == 0
+        self.raw.is_null()
     }
 }
 
@@ -179,7 +243,7 @@ impl<I: ItemEntry> XEntry<I> {
     pub fn from_node(node: XNode<I>) -> Self {
         let node_ptr = {
             let arc_node = Arc::new(node);
-            Arc::into_raw(arc_node) as usize
+            Arc::into_raw(arc_node).cast()
         };
         // SAFETY: `node_ptr` is returned from `Arc::<Node<I>>::into_raw` and the ownership of the
         // value of `Arc<XNode<I>>` is transferred.
@@ -196,7 +260,7 @@ impl<I: ItemEntry> XEntry<I> {
         }
 
         // SAFETY: `self` owns the value of `Arc<XNode<I>>`.
-        Some(unsafe { &*(self.ptr() as *const XNode<I>) })
+        Some(unsafe { &*self.ptr().cast() })
     }
 
     pub fn as_node_maybe_mut(&mut self) -> Option<NodeMaybeMut<'_, I>> {
@@ -206,10 +270,10 @@ impl<I: ItemEntry> XEntry<I> {
             // and `node_strong_count() == 1` ensures the exclusive access to the value of
             // `XNode<I>`.
             1 => Some(NodeMaybeMut::Exclusive(unsafe {
-                &mut *(self.ptr() as *mut _)
+                &mut *self.ptr().cast_mut().cast()
             })),
             // SAFETY: `self` owns the value of `Arc<XNode<I>>`.
-            _ => Some(NodeMaybeMut::Shared(unsafe { &*(self.ptr() as *const _) })),
+            _ => Some(NodeMaybeMut::Shared(unsafe { &*self.ptr().cast() })),
         }
     }
 
@@ -219,17 +283,17 @@ impl<I: ItemEntry> XEntry<I> {
             // SAFETY: `&mut self` ensures the exclusive access to the value of `Arc<XNode<I>>`,
             // and `node_strong_count() == 1` ensures the exclusive access to the value of
             // `XNode<I>`.
-            1 => return Some(unsafe { &mut *(self.ptr() as *mut _) }),
+            1 => return Some(unsafe { &mut *self.ptr().cast_mut().cast() }),
             _ => (),
         }
 
         // SAFETY: `self` owns the value of `Arc<XNode<I>>`.
-        let node = unsafe { &*(self.ptr() as *const XNode<I>) };
+        let node: &XNode<I> = unsafe { &*self.ptr().cast() };
         let new_node = node.try_clone().unwrap();
 
         *self = Self::from_node(new_node);
         // SAFETY: `node_strong_count() == 1` now holds.
-        Some(unsafe { &mut *(self.ptr() as *mut XNode<I>) })
+        Some(unsafe { &mut *self.ptr().cast_mut().cast() })
     }
 
     fn node_strong_count(&self) -> usize {
@@ -239,14 +303,14 @@ impl<I: ItemEntry> XEntry<I> {
 
         // SAFETY: `self` owns the value of `Arc<XNode<I>>` and the constructed instance of
         // `Arc<XNode<I>>` will not be dropped.
-        let node = unsafe { ManuallyDrop::new(Arc::from_raw(self.ptr() as *const XNode<I>)) };
+        let node = unsafe { ManuallyDrop::new(Arc::<XNode<I>>::from_raw(self.ptr().cast())) };
         Arc::strong_count(&*node)
     }
 }
 
 impl<I: ItemEntry> XEntry<I> {
     pub fn from_item(item: I) -> Self {
-        let item_ptr = I::into_raw(item) as usize;
+        let item_ptr = I::into_raw(item);
         // SAFETY: `item_ptr` is returned from `I::from_raw` and the ownership of the value of `I`
         // is transferred.
         unsafe { Self::new(item_ptr, EntryType::Item) }
@@ -268,19 +332,16 @@ impl<I: ItemEntry> XEntry<I> {
         Some(unsafe { I::from_raw(ptr) })
     }
 
-    pub fn as_item_ref(&self) -> Option<ItemRef<'_, I>> {
+    pub fn as_item_ref(&self) -> Option<I::Ref<'_>> {
         if !self.is_item() {
             return None;
         }
 
         let ptr = self.ptr();
 
-        // SAFETY: `self` owns the value of `I`, the constructed instance of `I` will not be
-        // dropped, and `ItemRef` only allows shared access to the instance.
-        Some(ItemRef {
-            item: unsafe { ManuallyDrop::new(I::from_raw(ptr)) },
-            _marker: PhantomData,
-        })
+        // SAFETY: `self` owns the value of `I` and does not create any mutable references to the
+        // value. Thus, the value of `I` outlives the lifetime of `&self`.
+        Some(unsafe { I::raw_as_ref(ptr) })
     }
 }
 
@@ -294,7 +355,7 @@ impl<I: ItemEntry> Drop for XEntry<I> {
             },
             // SAFETY: `self` owns the value of `Arc<XNode<I>>`.
             Some(EntryType::Node) => unsafe {
-                Arc::from_raw(self.ptr() as *const XNode<I>);
+                Arc::<XNode<I>>::from_raw(self.ptr().cast());
             },
         }
     }
@@ -304,16 +365,16 @@ impl<I: ItemEntry + Clone> Clone for XEntry<I> {
     fn clone(&self) -> Self {
         match self.ty() {
             None => Self::EMPTY,
-            // SAFETY: `self` owns the value of `I`, the constructed instance of `I` will not be
-            // dropped, and `clone()` only takes a shared reference to the instance.
-            Some(EntryType::Item) => unsafe {
-                let item_entry = ManuallyDrop::new(I::from_raw(self.ptr()));
+            Some(EntryType::Item) => {
+                // SAFETY: `self` owns the value of `I` and does not create any mutable references to the
+                // value. Thus, the value of `I` outlives the lifetime of `&self`.
+                let item_entry = unsafe { I::raw_as_ref(self.ptr()) };
                 Self::from_item((*item_entry).clone())
-            },
+            }
             // SAFETY: `self` owns the value of `Arc<XNode<T>>`, and `Arc` can be cloned by
             // increasing its strong count.
             Some(EntryType::Node) => unsafe {
-                Arc::increment_strong_count(self.ptr() as *const XNode<I>);
+                Arc::<XNode<I>>::increment_strong_count(self.ptr().cast());
                 Self {
                     raw: self.raw,
                     _marker: PhantomData,

src/lib.rs

@@ -1,15 +1,13 @@
 #![no_std]
 #![allow(incomplete_features)]
-#![feature(pointer_is_aligned)]
 #![feature(specialization)]
-#![feature(associated_type_defaults)]
-#![feature(never_type)]
+#![feature(strict_provenance)]
 #![feature(test)]
 
 extern crate alloc;
 
 pub use cursor::{Cursor, CursorMut};
-pub use entry::{ItemEntry, ItemRef};
+pub use entry::{ArcRef, BoxRef, ItemEntry};
 pub use mark::XMark;
 pub use range::Range;
 pub use xarray::XArray;

src/range.rs

@@ -1,5 +1,5 @@
 use crate::cursor::Cursor;
-use crate::entry::{ItemEntry, ItemRef};
+use crate::entry::ItemEntry;
 use crate::mark::XMark;
 
 /// An iterator over a range of entries in an [`XArray`].
@@ -24,7 +24,7 @@ impl<'a, I: ItemEntry, M: Into<XMark>> Range<'a, I, M> {
 }
 
 impl<'a, I: ItemEntry, M: Into<XMark>> core::iter::Iterator for Range<'a, I, M> {
-    type Item = (u64, ItemRef<'a, I>);
+    type Item = (u64, I::Ref<'a>);
 
     fn next(&mut self) -> Option<Self::Item> {
         loop {

src/test.rs

@@ -1,10 +1,24 @@
 extern crate std;
 use crate::*;
+use std::boxed::Box;
 use std::sync::Arc;
 
 extern crate test;
 use test::Bencher;
 
+#[cfg(not(miri))]
+macro_rules! n {
+    ( $x:expr ) => {
+        $x * 100
+    };
+}
+#[cfg(miri)]
+macro_rules! n {
+    ( $x:expr ) => {
+        $x
+    };
+}
+
 fn init_continuous_with_arc<M: Into<XMark>>(xarray: &mut XArray<Arc<i32>, M>, item_num: i32) {
     for i in 0..item_num {
         let value = Arc::new(i);
@@ -24,8 +38,8 @@ fn init_sparse_with_arc<M: Into<XMark>>(xarray: &mut XArray<Arc<i32>, M>, item_n
 #[test]
 fn test_store_continuous() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
-    for i in 0..10000 {
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
+    for i in 0..n!(100) {
         let value = xarray_arc.load(i as u64).unwrap();
         assert_eq!(*value.as_ref(), i);
     }
@@ -34,8 +48,8 @@ fn test_store_continuous() {
 #[test]
 fn test_store_sparse() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    init_sparse_with_arc(&mut xarray_arc, 10000);
-    for i in 0..10000 {
+    init_sparse_with_arc(&mut xarray_arc, n!(100));
+    for i in 0..n!(100) {
         if i % 2 == 0 {
             let value = xarray_arc.load(i as u64).unwrap();
             assert_eq!(*value.as_ref(), i);
@@ -46,7 +60,7 @@ fn test_store_sparse() {
 #[test]
 fn test_store_overwrite() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
     // Overwrite 20 at index 10.
     let value = Arc::new(20);
     xarray_arc.store(10, value);
@@ -62,10 +76,10 @@ fn test_store_overwrite() {
 #[test]
 fn test_remove() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    assert!(xarray_arc.remove(100).is_none());
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    assert!(xarray_arc.remove(n!(1)).is_none());
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         assert_eq!(*xarray_arc.remove(i as u64).unwrap().as_ref(), i);
         let value = xarray_arc.load(i as u64);
         assert_eq!(value, None);
@@ -76,17 +90,17 @@ fn test_remove() {
 #[test]
 fn test_cursor_load() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
 
     let mut cursor = xarray_arc.cursor(0);
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         let value = cursor.load().unwrap();
         assert_eq!(*value.as_ref(), i);
         cursor.next();
     }
 
-    cursor.reset_to(20000);
+    cursor.reset_to(n!(200));
     assert!(cursor.load().is_none());
 }
 
@@ -94,11 +108,11 @@ fn test_cursor_load() {
 fn test_cursor_load_very_sparse() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
     xarray_arc.store(0, Arc::new(1));
-    xarray_arc.store(10000, Arc::new(2));
+    xarray_arc.store(n!(100), Arc::new(2));
 
     let mut cursor = xarray_arc.cursor(0);
     assert_eq!(*cursor.load().unwrap().as_ref(), 1);
-    for _ in 0..10000 {
+    for _ in 0..n!(100) {
         cursor.next();
     }
     assert_eq!(*cursor.load().unwrap().as_ref(), 2);
@@ -109,14 +123,14 @@ fn test_cursor_store_continuous() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
     let mut cursor = xarray_arc.cursor_mut(0);
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         let value = Arc::new(i);
         cursor.store(value);
         cursor.next();
     }
     drop(cursor);
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         let value = xarray_arc.load(i as u64).unwrap();
         assert_eq!(*value.as_ref(), i);
     }
@@ -127,7 +141,7 @@ fn test_cursor_store_sparse() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
     let mut cursor = xarray_arc.cursor_mut(0);
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         if i % 2 == 0 {
             let value = Arc::new(i);
             cursor.store(value);
@@ -136,7 +150,7 @@ fn test_cursor_store_sparse() {
     }
     drop(cursor);
 
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         if i % 2 == 0 {
             let value = xarray_arc.load(i as u64).unwrap();
             assert_eq!(*value.as_ref(), i);
@@ -147,23 +161,23 @@ fn test_cursor_store_sparse() {
 #[test]
 fn test_set_mark() {
     let mut xarray_arc: XArray<Arc<i32>, XMark> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
 
-    let mut cursor = xarray_arc.cursor_mut(1000);
+    let mut cursor = xarray_arc.cursor_mut(n!(10));
     cursor.set_mark(XMark::Mark0).unwrap();
     cursor.set_mark(XMark::Mark1).unwrap();
-    cursor.reset_to(2000);
+    cursor.reset_to(n!(20));
     cursor.set_mark(XMark::Mark1).unwrap();
 
-    cursor.reset_to(1000);
+    cursor.reset_to(n!(10));
     let value1_mark0 = cursor.is_marked(XMark::Mark0);
     let value1_mark1 = cursor.is_marked(XMark::Mark1);
 
-    cursor.reset_to(2000);
+    cursor.reset_to(n!(20));
     let value2_mark0 = cursor.is_marked(XMark::Mark0);
     let value2_mark1 = cursor.is_marked(XMark::Mark1);
 
-    cursor.reset_to(3000);
+    cursor.reset_to(n!(30));
     let value3_mark1 = cursor.is_marked(XMark::Mark1);
 
     assert_eq!(value1_mark0, true);
@@ -176,9 +190,9 @@ fn test_set_mark() {
 #[test]
 fn test_unset_mark() {
     let mut xarray_arc: XArray<Arc<i32>, XMark> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
 
-    let mut cursor = xarray_arc.cursor_mut(1000);
+    let mut cursor = xarray_arc.cursor_mut(n!(10));
     cursor.set_mark(XMark::Mark0).unwrap();
     cursor.set_mark(XMark::Mark1).unwrap();
 
@@ -194,9 +208,9 @@ fn test_unset_mark() {
 #[test]
 fn test_mark_overflow() {
     let mut xarray_arc: XArray<Arc<i32>, XMark> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
 
-    let mut cursor = xarray_arc.cursor_mut(20000);
+    let mut cursor = xarray_arc.cursor_mut(n!(200));
     assert_eq!(Err(()), cursor.set_mark(XMark::Mark1));
     assert_eq!(false, cursor.is_marked(XMark::Mark1));
 }
@@ -204,15 +218,21 @@ fn test_mark_overflow() {
 #[test]
 fn test_unset_mark_all() {
     let mut xarray_arc: XArray<Arc<i32>, XMark> = XArray::new();
-    init_continuous_with_arc(&mut xarray_arc, 10000);
-    xarray_arc.cursor_mut(2000).set_mark(XMark::Mark1).unwrap();
-    xarray_arc.cursor_mut(2000).set_mark(XMark::Mark2).unwrap();
-    xarray_arc.cursor_mut(200).set_mark(XMark::Mark1).unwrap();
+    init_continuous_with_arc(&mut xarray_arc, n!(100));
+    xarray_arc
+        .cursor_mut(n!(20))
+        .set_mark(XMark::Mark1)
+        .unwrap();
+    xarray_arc
+        .cursor_mut(n!(20))
+        .set_mark(XMark::Mark2)
+        .unwrap();
+    xarray_arc.cursor_mut(n!(2)).set_mark(XMark::Mark1).unwrap();
     xarray_arc.unset_mark_all(XMark::Mark1);
 
-    assert_eq!(xarray_arc.cursor(2000).is_marked(XMark::Mark1), false);
-    assert_eq!(xarray_arc.cursor(2000).is_marked(XMark::Mark2), true);
-    assert_eq!(xarray_arc.cursor(200).is_marked(XMark::Mark1), false);
+    assert_eq!(xarray_arc.cursor(n!(20)).is_marked(XMark::Mark1), false);
+    assert_eq!(xarray_arc.cursor(n!(20)).is_marked(XMark::Mark2), true);
+    assert_eq!(xarray_arc.cursor(n!(2)).is_marked(XMark::Mark1), false);
 }
 
 #[test]
@@ -240,7 +260,7 @@ fn test_cow() {
     }
     // Init xarray_arc.
     let mut xarray_arc: XArray<Arc<Wrapper>> = XArray::new();
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         let value = Arc::new(Wrapper::new(i * 2));
         xarray_arc.store(i as u64, value);
     }
@@ -248,7 +268,7 @@ fn test_cow() {
     let mut xarray_clone = xarray_arc.clone();
 
     // Store different items in xarray_arc and xarray_clone respectively.
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         if i % 2 == 0 {
             let value = Arc::new(Wrapper::new(i * 6));
             xarray_arc.store(i as u64, value);
@@ -258,7 +278,7 @@ fn test_cow() {
         }
     }
     // Determine whether they do not affect each other
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         let value_origin = xarray_arc.load(i).unwrap();
         let value_clone = xarray_clone.load(i).unwrap();
         if i % 2 == 0 {
@@ -281,19 +301,19 @@ fn test_cow() {
 #[test]
 fn test_cow_after_cow() {
     let mut xarray_arc: XArray<Arc<u64>> = XArray::new();
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         let value = Arc::new(i * 2);
         xarray_arc.store(i as u64, value);
     }
     // First COW.
     let mut xarray_cow1 = xarray_arc.clone();
-    for i in 5000..7000 {
+    for i in n!(50)..n!(70) {
         let value = Arc::new(i * 3);
         xarray_cow1.store(i as u64, value);
     }
     // Second COW.
     let mut xarray_cow2 = xarray_arc.clone();
-    for i in 6000..8000 {
+    for i in n!(60)..n!(80) {
         let value = Arc::new(i * 4);
         xarray_cow2.store(i as u64, value);
     }
@@ -301,46 +321,46 @@ fn test_cow_after_cow() {
     let xarray_cow1_cow = xarray_cow1.clone();
     let xarray_cow2_cow = xarray_cow2.clone();
 
-    assert_eq!(*xarray_cow1_cow.load(2000).unwrap().as_ref(), 2000 * 2);
-    assert_eq!(*xarray_cow1_cow.load(5100).unwrap().as_ref(), 5100 * 3);
-    assert_eq!(*xarray_cow1_cow.load(6100).unwrap().as_ref(), 6100 * 3);
-    assert_eq!(*xarray_cow1_cow.load(7100).unwrap().as_ref(), 7100 * 2);
+    assert_eq!(*xarray_cow1_cow.load(n!(20)).unwrap().as_ref(), n!(20) * 2);
+    assert_eq!(*xarray_cow1_cow.load(n!(51)).unwrap().as_ref(), n!(51) * 3);
+    assert_eq!(*xarray_cow1_cow.load(n!(61)).unwrap().as_ref(), n!(61) * 3);
+    assert_eq!(*xarray_cow1_cow.load(n!(71)).unwrap().as_ref(), n!(71) * 2);
 
-    assert_eq!(*xarray_cow2_cow.load(2000).unwrap().as_ref(), 2000 * 2);
-    assert_eq!(*xarray_cow2_cow.load(5100).unwrap().as_ref(), 5100 * 2);
-    assert_eq!(*xarray_cow2_cow.load(6100).unwrap().as_ref(), 6100 * 4);
-    assert_eq!(*xarray_cow2_cow.load(7100).unwrap().as_ref(), 7100 * 4);
+    assert_eq!(*xarray_cow2_cow.load(n!(20)).unwrap().as_ref(), n!(20) * 2);
+    assert_eq!(*xarray_cow2_cow.load(n!(51)).unwrap().as_ref(), n!(51) * 2);
+    assert_eq!(*xarray_cow2_cow.load(n!(61)).unwrap().as_ref(), n!(61) * 4);
+    assert_eq!(*xarray_cow2_cow.load(n!(71)).unwrap().as_ref(), n!(71) * 4);
 }
 
 #[test]
 fn test_cow_mark() {
     let mut xarray_arc: XArray<Arc<i32>, XMark> = XArray::new();
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         let value = Arc::new(i * 2);
         xarray_arc.store(i as u64, value);
     }
     let mut xarray_clone = xarray_arc.clone();
-    let mut cursor_arc = xarray_arc.cursor_mut(1000);
-    let mut cursor_clone = xarray_clone.cursor_mut(1000);
+    let mut cursor_arc = xarray_arc.cursor_mut(n!(10));
+    let mut cursor_clone = xarray_clone.cursor_mut(n!(10));
     cursor_arc.set_mark(XMark::Mark0).unwrap();
-    cursor_arc.reset_to(2000);
+    cursor_arc.reset_to(n!(20));
     cursor_arc.set_mark(XMark::Mark0).unwrap();
-    cursor_arc.reset_to(3000);
+    cursor_arc.reset_to(n!(30));
     cursor_arc.set_mark(XMark::Mark0).unwrap();
 
     cursor_clone.set_mark(XMark::Mark1).unwrap();
     drop(cursor_arc);
     drop(cursor_clone);
 
-    let mark0_1000_arc = xarray_arc.cursor(1000).is_marked(XMark::Mark0);
-    let mark0_2000_arc = xarray_arc.cursor(2000).is_marked(XMark::Mark0);
-    let mark1_1000_arc = xarray_arc.cursor(1000).is_marked(XMark::Mark1);
-    let mark0_3000_arc = xarray_arc.cursor(3000).is_marked(XMark::Mark0);
+    let mark0_1000_arc = xarray_arc.cursor(n!(10)).is_marked(XMark::Mark0);
+    let mark0_2000_arc = xarray_arc.cursor(n!(20)).is_marked(XMark::Mark0);
+    let mark1_1000_arc = xarray_arc.cursor(n!(10)).is_marked(XMark::Mark1);
+    let mark0_3000_arc = xarray_arc.cursor(n!(30)).is_marked(XMark::Mark0);
 
-    let mark0_1000_clone = xarray_clone.cursor(1000).is_marked(XMark::Mark0);
-    let mark0_2000_clone = xarray_clone.cursor(2000).is_marked(XMark::Mark0);
-    let mark1_1000_clone = xarray_clone.cursor(1000).is_marked(XMark::Mark1);
-    let mark0_3000_clone = xarray_clone.cursor(3000).is_marked(XMark::Mark0);
+    let mark0_1000_clone = xarray_clone.cursor(n!(10)).is_marked(XMark::Mark0);
+    let mark0_2000_clone = xarray_clone.cursor(n!(20)).is_marked(XMark::Mark0);
+    let mark1_1000_clone = xarray_clone.cursor(n!(10)).is_marked(XMark::Mark1);
+    let mark0_3000_clone = xarray_clone.cursor(n!(30)).is_marked(XMark::Mark0);
 
     assert_eq!(mark0_1000_arc, true);
     assert_eq!(mark0_2000_arc, true);
@@ -355,7 +375,7 @@ fn test_cow_mark() {
 #[test]
 fn test_cow_cursor() {
     let mut xarray_arc: XArray<Arc<u64>> = XArray::new();
-    for i in 1..10000 {
+    for i in 1..n!(100) {
         let value = Arc::new(i * 2);
         xarray_arc.store(i as u64, value);
     }
@@ -364,7 +384,7 @@ fn test_cow_cursor() {
     let mut cursor_clone = xarray_clone.cursor_mut(1);
     let mut cursor_arc = xarray_arc.cursor_mut(1);
     // Use cursor to read xarray_clone;
-    while cursor_clone.index() < 10000 {
+    while cursor_clone.index() < n!(100) {
         let index = cursor_clone.index();
         let item = cursor_clone.load().unwrap();
         assert_eq!(*item.as_ref(), index * 2);
@@ -373,7 +393,7 @@ fn test_cow_cursor() {
 
     // Use cursor to write xarray_clone;
     cursor_clone.reset_to(1);
-    while cursor_clone.index() < 10000 {
+    while cursor_clone.index() < n!(100) {
         let value = Arc::new(cursor_clone.index());
         let item = cursor_clone.store(value).unwrap();
         assert_eq!(*item.as_ref(), cursor_clone.index() * 2);
@@ -381,7 +401,7 @@ fn test_cow_cursor() {
     }
 
     // Use cursor to read xarray_arc;
-    while cursor_arc.index() < 10000 {
+    while cursor_arc.index() < n!(100) {
         let index = cursor_arc.index();
         let item = cursor_arc.load().unwrap();
         assert_eq!(*item.as_ref(), index * 2);
@@ -390,7 +410,7 @@ fn test_cow_cursor() {
 
     // Use cursor to write xarray_arc;
     cursor_arc.reset_to(1);
-    while cursor_arc.index() < 10000 {
+    while cursor_arc.index() < n!(100) {
         let value = Arc::new(cursor_arc.index() * 3);
         let item = cursor_arc.store(value).unwrap();
         assert_eq!(*item.as_ref(), cursor_arc.index() * 2);
@@ -400,7 +420,7 @@ fn test_cow_cursor() {
     // Use cursor to read xarray_arc and xarray_clone;
     cursor_arc.reset_to(1);
     cursor_clone.reset_to(1);
-    while cursor_arc.index() < 10000 {
+    while cursor_arc.index() < n!(100) {
         let index_arc = cursor_arc.index();
         let index_clone = cursor_clone.index();
         let item_arc = cursor_arc.load().unwrap();
@@ -412,20 +432,53 @@ fn test_cow_cursor() {
     }
 }
 
+#[test]
+fn test_box() {
+    let mut xarray_box: XArray<Box<i32>> = XArray::new();
+    let mut cursor_mut = xarray_box.cursor_mut(0);
+    for i in 0..n!(100) {
+        if i % 2 == 0 {
+            cursor_mut.store(Box::new(i * 2));
+        }
+        cursor_mut.next();
+    }
+
+    cursor_mut.reset_to(0);
+    for i in 0..n!(100) {
+        if i % 2 == 0 {
+            assert_eq!(*cursor_mut.load().unwrap().as_ref(), i * 2);
+        } else {
+            assert!(cursor_mut.load().is_none());
+        }
+        cursor_mut.next();
+    }
+    drop(cursor_mut);
+
+    let mut cursor = xarray_box.cursor(0);
+    for i in 0..n!(100) {
+        if i % 2 == 0 {
+            assert_eq!(*cursor.load().unwrap().as_ref(), i * 2);
+        } else {
+            assert!(cursor.load().is_none());
+        }
+        cursor.next();
+    }
+}
+
 #[test]
 fn test_range() {
     let mut xarray_arc: XArray<Arc<i32>> = XArray::new();
-    for i in 0..10000 {
+    for i in 0..n!(100) {
         let value = Arc::new(i * 2);
         xarray_arc.store((i * 2) as u64, value);
     }
 
     let mut count = 0;
-    for (index, item) in xarray_arc.range(1000..2000) {
+    for (index, item) in xarray_arc.range(n!(10)..n!(20)) {
         assert_eq!(*item.as_ref() as u64, index);
         count += 1;
     }
-    assert_eq!(count, 500);
+    assert_eq!(count, n!(5));
 }
 
 #[bench]

src/xarray.rs

@@ -2,7 +2,7 @@ use alloc::collections::VecDeque;
 use core::marker::PhantomData;
 
 use crate::cursor::{Cursor, CursorMut};
-use crate::entry::{ItemEntry, ItemRef, XEntry};
+use crate::entry::{ItemEntry, XEntry};
 use crate::mark::{NoneMark, XMark};
 use crate::node::{Height, XNode};
 use crate::range::Range;
@@ -142,7 +142,7 @@ impl<I: ItemEntry, M: Into<XMark>> XArray<I, M> {
     ///
     /// If the target item exists, it will be returned with `Some(_)`, otherwise, `None` will be
     /// returned.
-    pub fn load(&self, index: u64) -> Option<ItemRef<'_, I>> {
+    pub fn load(&self, index: u64) -> Option<I::Ref<'_>> {
         let mut cursor = self.cursor(index);
         cursor.load()
     }