Expand description
Substrate-level Pod marker.
The Hopper Safety Audit asked for every zero-copy access path -
all the way down to the native substrate, to require a real Pod
bound rather than the loose T: Copy. This module is that marker.
§Bytemuck-backed safety (default)
With the bytemuck feature enabled (default), Pod is declared
as a sub-trait of bytemuck::Pod + bytemuck::Zeroable. That
raises the bar exactly the way the audit recommends: every
unsafe impl Pod for T {} must be accompanied by a
#[derive(bytemuck::Pod, bytemuck::Zeroable)] (or hand-written
impls that satisfy bytemuck’s machine-checked obligations).
Bytemuck’s derive emits a compile-time proof that every field
of T is itself Pod, which mechanically rejects:
bool,char, references, not all bit patterns valid- padded
#[repr(C)]structs, padding bytes aren’t accounted for - non-alignment-1 primitives when alignment-1 was claimed
- enums with niches and non-zero variants
This is the Must-Fix #5 the audit flagged: “enforce field-level
Pod proof at macro expansion time”. Hopper’s #[hopper::pod] and
#[hopper::state] macros now emit the #[derive(…)] automatically
so users never see the bytemuck name in their own sources.
§Disable-able for zero-dep builds
Programs that want to avoid any external dependency can turn off
the bytemuck feature. In that mode Pod is a standalone marker
with the documented four-point contract; the compile-time
obligation falls entirely on the unsafe impl. Existing primitive
impls continue to work either way.
See [hopper_runtime::pod::Pod] (downstream re-export) for the
runtime-side view.
Traits§
- Pod
- Marker for types that can be safely overlaid on raw account bytes.