1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363
// Copyright 2024 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//! A helper for managing a self-contained arena-allocated buffer along with its arena handle.
use crate::{Arena, ArenaBox, MixedHandle};
use core::marker::PhantomData;
use core::mem::MaybeUninit;
use core::ops::{Deref, DerefMut};
use core::ptr::NonNull;
use fdf_sys::*;
/// A struct that holds both an arena along with a data buffer that is allocated within that arena.
#[derive(Debug)]
pub struct Message<T: ?Sized + 'static> {
data: Option<ArenaBox<'static, T>>,
// note: `[Option<MixedHandle>]` is byte-equivalent to a C array of `fdf_handle_t`.
handles: Option<ArenaBox<'static, [Option<MixedHandle>]>>,
// note: this must maintain its position as the last item of the struct
// to ensure that it is freed after the data and handle pointers.
arena: Arena,
_p: PhantomData<T>,
}
impl<T: ?Sized> Message<T> {
/// Consumes the given arena, data buffer, and handles buffers and returns a message that holds
/// all three.
///
/// # Panics
///
/// This function panics if either of the [`ArenaBox`]s are not allocated by [`Arena`].
pub fn new<'a>(
arena: &'a Arena,
data: Option<ArenaBox<'a, T>>,
handles: Option<ArenaBox<'a, [Option<MixedHandle>]>>,
) -> Self {
let data = data.map(|data| {
assert!(
arena.contains(&data),
"Data buffer pointer is not in the arena being included in the message"
);
// SAFETY: we will store this ArenaBox with a clone of the Arena that
// owns it.
unsafe { ArenaBox::erase_lifetime(data) }
});
let handles = handles.map(|handles| {
assert!(
arena.contains(&handles),
"Handle buffer pointer is not in the arena being included in the message"
);
// SAFETY: we will store this ArenaBox with a clone of the Arena that
// owns it.
unsafe { ArenaBox::erase_lifetime(handles) }
});
// SAFETY: We just checked that both boxes were allocated from the arena.
unsafe { Self::new_unchecked(arena.clone(), data, handles) }
}
/// Given the [`Arena`], allocates a new [`Message`] and runs the given `f` to allow the caller
/// to allocate data and handles into the [`Message`] without requiring a check that the
/// correct [`Arena`] was used to allocate the data.
///
/// Note that it may be possible to sneak an `ArenaBox<'static, T>` into this [`Message`]
/// object with this function by using an [`Arena`] with static lifetime to allocate it. This
/// will not cause any unsoundness, but if you try to send that message through a [`Channel`]
/// it will cause a runtime error when the arenas don't match.
pub fn new_with<F>(arena: Arena, f: F) -> Self
where
F: for<'a> FnOnce(
&'a Arena,
)
-> (Option<ArenaBox<'a, T>>, Option<ArenaBox<'a, [Option<MixedHandle>]>>),
{
let (data, handles) = f(&arena);
// SAFETY: The `for<'a>` in the callback definition makes it so that the caller must
// (without resorting to unsafe themselves) allocate the [`ArenaBox`] from the given
// [`Arena`].
Self {
data: data.map(|data| unsafe { ArenaBox::erase_lifetime(data) }),
handles: handles.map(|handles| unsafe { ArenaBox::erase_lifetime(handles) }),
arena,
_p: PhantomData,
}
}
/// A shorthand for [`Self::new_with`] when there's definitely a data body and nothing else.
pub fn new_with_data<F>(arena: Arena, f: F) -> Self
where
F: for<'a> FnOnce(&'a Arena) -> ArenaBox<'a, T>,
{
// SAFETY: The `for<'a>` in the callback definition makes it so that the caller must
// (without resorting to unsafe themselves) allocate the [`ArenaBox`] from the given
// [`Arena`].
let data = Some(unsafe { ArenaBox::erase_lifetime(f(&arena)) });
Self { data, handles: None, arena, _p: PhantomData }
}
/// As with [`Self::new`], this consumes the arguments to produce a message object that holds
/// all of them together to be extracted again later, but does not validate that the pointers
/// came from the same arena.
///
/// # Safety
///
/// The caller is responsible for:
/// - ensuring that the [`ArenaBox`]es came from the same arena as is being passed in to this
/// function, or the erased lifetime of the arena boxes might cause use-after-free.
/// - the bytes in `data` are actually of type `T`, and are properly aligned for type `T`.
pub(crate) unsafe fn new_unchecked(
arena: Arena,
data_ptr: Option<ArenaBox<'static, T>>,
handles_ptr: Option<ArenaBox<'static, [Option<MixedHandle>]>>,
) -> Self {
Self { arena, data: data_ptr, handles: handles_ptr, _p: PhantomData }
}
/// Gets a reference to the arena this message was allocated with.
pub fn arena(&self) -> &Arena {
&self.arena
}
/// Takes the arena and drops any data or handle bodies held in this message
pub fn take_arena(self) -> Arena {
self.arena
}
/// Gets a reference to the data in this message, if there is any
pub fn data(&self) -> Option<&T> {
self.data.as_ref().map(ArenaBox::deref)
}
/// Gets a mutable reference to the data in this message, if there is any
pub fn data_mut(&mut self) -> Option<&mut T> {
self.data.as_mut().map(ArenaBox::deref_mut)
}
/// Maps the message data to a new [`ArenaBox`] based on the arena and the old data.
pub fn map_data<F, R: ?Sized>(self, f: F) -> Message<R>
where
F: for<'a> FnOnce(&'a Arena, ArenaBox<'a, T>) -> ArenaBox<'a, R>,
{
let Self { arena, data: data_ptr, handles: handles_ptr, .. } = self;
let data_ptr = data_ptr.map(|data_ptr| {
// SAFETY: The `ArenaBox` being returned is tied to the lifetime
// of the arena we gave the closure, and we will now be moving
// into the new `Message`. So just like the old one,
// the new box is tied to the life of the message and the arena
// within it.
unsafe { ArenaBox::erase_lifetime(f(&arena, data_ptr)) }
});
Message { arena, data: data_ptr, handles: handles_ptr, _p: PhantomData }
}
/// Gets a reference to the handles array in this message, if there is one.
pub fn handles(&self) -> Option<&[Option<MixedHandle>]> {
self.handles.as_ref().map(ArenaBox::deref)
}
/// Gets a mutable reference to the handles array in this message, if there is one.
pub fn handles_mut(&mut self) -> Option<&mut [Option<MixedHandle>]> {
self.handles.as_mut().map(ArenaBox::deref_mut)
}
/// Gets a reference to all three of the arena, data, and handles of the message
pub fn as_refs(&self) -> (&Arena, Option<&T>, Option<&[Option<MixedHandle>]>) {
(
&self.arena,
self.data.as_ref().map(ArenaBox::deref),
self.handles.as_ref().map(ArenaBox::deref),
)
}
/// Gets a reference to the arena and mutable references to the data handles of the message
pub fn as_mut_refs(&mut self) -> (&Arena, Option<&mut T>, Option<&mut [Option<MixedHandle>]>) {
(
&self.arena,
self.data.as_mut().map(ArenaBox::deref_mut),
self.handles.as_mut().map(ArenaBox::deref_mut),
)
}
/// Unpacks the arena and buffers in this message to the caller.
///
/// The `arena` argument provides a place to put the [`Arena`] from this message
/// in the local lifetime of the caller so that the [`ArenaBox`]es can be tied to
/// its lifetime.
pub fn into_arena_boxes<'a>(
self,
arena: &'a mut Option<Arena>,
) -> (Option<ArenaBox<'a, T>>, Option<ArenaBox<'a, [Option<MixedHandle>]>>) {
arena.replace(self.arena);
// SAFETY: the lifetime we're giving these [`ArenaBox`]es is the same one
// as the lifetime of the place we're putting the [`Arena`] they belong to.
let data = self.data.map(|ptr| unsafe { ArenaBox::erase_lifetime(ptr) });
let handles = self.handles.map(|ptr| unsafe { ArenaBox::erase_lifetime(ptr) });
(data, handles)
}
/// Takes the `ArenaBox`es for the data and handles from this [`Message`], but leaves
/// the [`Arena`] in the [`Message`] to act as a holder of the arena lifetime.
pub fn take_arena_boxes(
&mut self,
) -> (&Arena, Option<ArenaBox<'_, T>>, Option<ArenaBox<'_, [Option<MixedHandle>]>>) {
(&self.arena, self.data.take(), self.handles.take())
}
/// Unpacks the arena and buffers into raw pointers
///
/// Care must be taken to ensure that the data and handle pointers are not used
/// if the arena is freed. If they are never reconstituted into a [`Message`]
/// or an [`Arena`] and [`ArenaBox`]es, they will be leaked.
pub fn into_raw(
self,
) -> (NonNull<fdf_arena_t>, Option<NonNull<T>>, Option<NonNull<[Option<MixedHandle>]>>) {
let arena = self.arena.into_raw();
// SAFETY: the arena and the pointers we're returning will all have the same
// effectively 'static lifetime, and it is up to the caller to make sure that
// they free them in the correct order.
let data = self.data.map(|data| unsafe { ArenaBox::into_ptr(data) });
let handles = self.handles.map(|handles| unsafe { ArenaBox::into_ptr(handles) });
(arena, data, handles)
}
}
impl<T> Message<T> {
/// Takes the data from the message, dropping the [`Arena`] and handles
/// array in the process.
pub fn take_data(self) -> Option<T> {
self.data.map(ArenaBox::take)
}
/// Takes the data from the message, dropping the [`Arena`] and handles
/// array in the process.
pub fn take_data_boxed(self) -> Option<Box<T>> {
self.data.map(ArenaBox::take_boxed)
}
}
impl<T> Message<[T]> {
/// Takes the data from the message, dropping the [`Arena`] and handles
/// array in the process.
pub fn take_data_boxed_slice(self) -> Option<Box<[T]>> {
self.data.map(ArenaBox::take_boxed_slice)
}
}
impl<T> Message<MaybeUninit<T>> {
/// Assumes the contents of the data payload of this message are initialized.
///
/// # Safety
///
/// The caller is responsible for ensuring that the value is initialized
/// properly. See [`MaybeUninit::assume_init`] for more details on the
/// safety requirements of this.
pub unsafe fn assume_init(self) -> Message<T> {
// SAFETY: the caller is responsible for ensuring the contents
// of the data pointer are initialized.
self.map_data(|_, data_ptr| unsafe { ArenaBox::assume_init(data_ptr) })
}
}
impl<T> Message<[MaybeUninit<T>]> {
/// Assumes the contents of the data payload of this message are initialized.
///
/// # Safety
///
/// The caller is responsible for ensuring that the value is initialized
/// properly. See [`MaybeUninit::assume_init`] for more details on the
/// safety requirements of this.
pub unsafe fn assume_init(self) -> Message<[T]> {
// SAFETY: the caller is responsible for ensuring the contents
// of the data pointer are initialized.
self.map_data(|_, data_ptr| unsafe { ArenaBox::assume_init_slice(data_ptr) })
}
}
impl Message<[MaybeUninit<u8>]> {
/// Transforms the message body into a message of type `T`
///
/// # Safety
///
/// The caller is responsible for ensuring that the data portion of this
/// message originated from a source with a properly allocated `T` with correct
/// alignment
pub unsafe fn cast_unchecked<T>(self) -> Message<T> {
// SAFETY: the caller is responsible for ensuring the contents
// of the data pointer are an initialized value of `T` and are
// correctly aligned.
self.map_data(|_, data_ptr| unsafe { ArenaBox::cast_unchecked(data_ptr) })
}
}
#[cfg(test)]
mod test {
use zx::HandleBased;
use super::*;
use crate::*;
#[test]
#[should_panic]
fn bad_data_pointer() {
let arena = Arena::new().unwrap();
let other_arena = Arena::new().unwrap();
Message::new(&arena, Some(other_arena.insert(1)), None);
}
#[test]
#[should_panic]
fn bad_handle_pointer() {
let arena = Arena::new().unwrap();
let other_arena = Arena::new().unwrap();
Message::<()>::new(&arena, None, Some(other_arena.insert_boxed_slice(Box::new([]))));
}
#[test]
fn round_trip_data() {
let arena = Arena::new().unwrap();
let data = arena.insert(1);
let message = Message::new(&arena, Some(data), None);
let mut arena = None;
let (data, _) = message.into_arena_boxes(&mut arena);
assert_eq!(*data.unwrap(), 1);
}
#[test]
fn round_trip_handles() {
let arena = Arena::new().unwrap();
let zircon_handle = MixedHandle::from_zircon_handle(zx::Port::create().into_handle());
let (driver_handle1, driver_handle2) = Channel::create().unwrap();
driver_handle2
.write(Message::new_with_data(arena.clone(), |arena| arena.insert(1)))
.unwrap();
let handles = arena
.insert_boxed_slice(Box::new([zircon_handle, Some(MixedHandle::from(driver_handle1))]));
let message = Message::<()>::new(&arena, None, Some(handles));
let mut arena = None;
let (_, Some(mut handles)) = message.into_arena_boxes(&mut arena) else {
panic!("didn't get handles back");
};
assert_eq!(handles.len(), 2);
let MixedHandleType::Zircon(_zircon_handle) = handles[0].take().unwrap().resolve() else {
panic!("first handle in the handle set wasn't a zircon handle");
};
let MixedHandleType::Driver(driver_handle1) = handles[1].take().unwrap().resolve() else {
panic!("second handle in the handle set wasn't a driver handle");
};
let driver_handle1 = unsafe { Channel::<i32>::from_driver_handle(driver_handle1) };
assert_eq!(driver_handle1.try_read().unwrap().unwrap().data().unwrap(), &1);
}
#[test]
fn map_data() {
let arena = Arena::new().unwrap();
let data = arena.insert(1);
let message = Message::new(&arena, Some(data), None);
let message = message.map_data(|arena, i| arena.insert(*i + 1));
assert_eq!(message.data().unwrap(), &2);
}
}