fdf_core/

dispatcher.rs

// Copyright 2024 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

//! Safe bindings for the driver runtime dispatcher stable ABI

use fdf_sys::*;

use core::cell::RefCell;
use core::ffi;
use core::marker::PhantomData;
use core::mem::ManuallyDrop;
use core::ptr::{NonNull, null_mut};
use std::sync::atomic::{AtomicPtr, Ordering};
use std::sync::{Arc, Weak};

use zx::Status;

use crate::shutdown_observer::ShutdownObserver;

pub use fdf_sys::fdf_dispatcher_t;
pub use libasync::{
    AfterDeadline, AsyncDispatcher, AsyncDispatcherRef, JoinHandle, OnDispatcher, Task,
};

/// A marker trait for a function type that can be used as a shutdown observer for [`Dispatcher`].
pub trait ShutdownObserverFn: FnOnce(DispatcherRef<'_>) + Send + 'static {}
impl<T> ShutdownObserverFn for T where T: FnOnce(DispatcherRef<'_>) + Send + 'static {}

/// A builder for [`Dispatcher`]s
#[derive(Default)]
pub struct DispatcherBuilder {
    #[doc(hidden)]
    pub options: u32,
    #[doc(hidden)]
    pub name: String,
    #[doc(hidden)]
    pub scheduler_role: String,
    #[doc(hidden)]
    pub shutdown_observer: Option<Box<dyn ShutdownObserverFn>>,
}

impl DispatcherBuilder {
    /// See `FDF_DISPATCHER_OPTION_UNSYNCHRONIZED` in the C API
    pub(crate) const UNSYNCHRONIZED: u32 = fdf_sys::FDF_DISPATCHER_OPTION_UNSYNCHRONIZED;
    /// See `FDF_DISPATCHER_OPTION_ALLOW_SYNC_CALLS` in the C API
    pub(crate) const ALLOW_THREAD_BLOCKING: u32 = fdf_sys::FDF_DISPATCHER_OPTION_ALLOW_SYNC_CALLS;

    /// Creates a new [`DispatcherBuilder`] that can be used to configure a new dispatcher.
    /// For more information on the threading-related flags for the dispatcher, see
    /// https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    pub fn new() -> Self {
        Self::default()
    }

    /// Sets whether parallel callbacks in the callbacks set in the dispatcher are allowed. May
    /// not be set with [`Self::allow_thread_blocking`].
    ///
    /// See https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    /// for more information on the threading model of driver dispatchers.
    pub fn unsynchronized(mut self) -> Self {
        assert!(
            !self.allows_thread_blocking(),
            "you may not create an unsynchronized dispatcher that allows synchronous calls"
        );
        self.options |= Self::UNSYNCHRONIZED;
        self
    }

    /// Whether or not this is an unsynchronized dispatcher
    pub fn is_unsynchronized(&self) -> bool {
        (self.options & Self::UNSYNCHRONIZED) == Self::UNSYNCHRONIZED
    }

    /// This dispatcher may not share zircon threads with other drivers. May not be set with
    /// [`Self::unsynchronized`].
    ///
    /// See https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    /// for more information on the threading model of driver dispatchers.
    pub fn allow_thread_blocking(mut self) -> Self {
        assert!(
            !self.is_unsynchronized(),
            "you may not create an unsynchronized dispatcher that allows synchronous calls"
        );
        self.options |= Self::ALLOW_THREAD_BLOCKING;
        self
    }

    /// Whether or not this dispatcher allows synchronous calls
    pub fn allows_thread_blocking(&self) -> bool {
        (self.options & Self::ALLOW_THREAD_BLOCKING) == Self::ALLOW_THREAD_BLOCKING
    }

    /// A descriptive name for this dispatcher that is used in debug output and process
    /// lists.
    pub fn name(mut self, name: &str) -> Self {
        self.name = name.to_string();
        self
    }

    /// A hint string for the runtime that may or may not impact the priority the work scheduled
    /// by this dispatcher is handled at. It may or may not impact the ability for other drivers
    /// to share zircon threads with the dispatcher.
    pub fn scheduler_role(mut self, role: &str) -> Self {
        self.scheduler_role = role.to_string();
        self
    }

    /// A callback to be called before after the dispatcher has completed asynchronous shutdown.
    pub fn shutdown_observer<F: ShutdownObserverFn>(mut self, shutdown_observer: F) -> Self {
        self.shutdown_observer = Some(Box::new(shutdown_observer));
        self
    }

    /// Create the dispatcher as configured by this object. This must be called from a
    /// thread managed by the driver runtime. The dispatcher returned is owned by the caller,
    /// and will initiate asynchronous shutdown when the object is dropped unless
    /// [`Dispatcher::release`] is called on it to convert it into an unowned [`DispatcherRef`].
    pub fn create(self) -> Result<Dispatcher, Status> {
        let mut out_dispatcher = null_mut();
        let options = self.options;
        let name = self.name.as_ptr() as *mut ffi::c_char;
        let name_len = self.name.len();
        let scheduler_role = self.scheduler_role.as_ptr() as *mut ffi::c_char;
        let scheduler_role_len = self.scheduler_role.len();
        let observer =
            ShutdownObserver::new(self.shutdown_observer.unwrap_or_else(|| Box::new(|_| {})))
                .into_ptr();
        // SAFETY: all arguments point to memory that will be available for the duration
        // of the call, except `observer`, which will be available until it is unallocated
        // by the dispatcher exit handler.
        Status::ok(unsafe {
            fdf_dispatcher_create(
                options,
                name,
                name_len,
                scheduler_role,
                scheduler_role_len,
                observer,
                &mut out_dispatcher,
            )
        })?;
        // SAFETY: `out_dispatcher` is valid by construction if `fdf_dispatcher_create` returns
        // ZX_OK.
        Ok(Dispatcher(unsafe { NonNull::new_unchecked(out_dispatcher) }))
    }

    /// As with [`Self::create`], this creates a new dispatcher as configured by this object, but
    /// instead of returning an owned reference it immediately releases the reference to be
    /// managed by the driver runtime.
    pub fn create_released(self) -> Result<DispatcherRef<'static>, Status> {
        self.create().map(Dispatcher::release)
    }
}

/// An owned handle for a dispatcher managed by the driver runtime.
#[derive(Debug)]
pub struct Dispatcher(pub(crate) NonNull<fdf_dispatcher_t>);

// SAFETY: The api of fdf_dispatcher_t is thread safe.
unsafe impl Send for Dispatcher {}
unsafe impl Sync for Dispatcher {}
thread_local! {
    pub(crate) static OVERRIDE_DISPATCHER: RefCell<Option<NonNull<fdf_dispatcher_t>>> = const { RefCell::new(None) };
}

impl Dispatcher {
    /// Creates a dispatcher ref from a raw handle.
    ///
    /// # Safety
    ///
    /// Caller is responsible for ensuring that the given handle is valid and
    /// not owned by any other wrapper that will free it at an arbitrary
    /// time.
    pub unsafe fn from_raw(handle: NonNull<fdf_dispatcher_t>) -> Self {
        Self(handle)
    }

    fn get_raw_flags(&self) -> u32 {
        // SAFETY: the inner fdf_dispatcher_t is valid by construction
        unsafe { fdf_dispatcher_get_options(self.0.as_ptr()) }
    }

    /// Whether this dispatcher's tasks and futures can run on multiple threads at the same time.
    pub fn is_unsynchronized(&self) -> bool {
        (self.get_raw_flags() & DispatcherBuilder::UNSYNCHRONIZED) != 0
    }

    /// Whether this dispatcher is allowed to call blocking functions or not
    pub fn allows_thread_blocking(&self) -> bool {
        (self.get_raw_flags() & DispatcherBuilder::ALLOW_THREAD_BLOCKING) != 0
    }

    /// Whether this is the dispatcher the current thread is running on
    pub fn is_current_dispatcher(&self) -> bool {
        // SAFETY: we don't do anything with the dispatcher pointer, and NULL is returned if this
        // isn't a dispatcher-managed thread.
        self.0.as_ptr() == unsafe { fdf_dispatcher_get_current_dispatcher() }
    }

    /// Releases ownership over this dispatcher and returns a [`DispatcherRef`]
    /// that can be used to access it. The lifetime of this reference is static because it will
    /// exist so long as this current driver is loaded, but the driver runtime will shut it down
    /// when the driver is unloaded.
    pub fn release(self) -> DispatcherRef<'static> {
        DispatcherRef(ManuallyDrop::new(self), PhantomData)
    }

    /// Returns a [`DispatcherRef`] that references this dispatcher with a lifetime constrained by
    /// `self`.
    pub fn as_dispatcher_ref(&self) -> DispatcherRef<'_> {
        DispatcherRef(ManuallyDrop::new(Dispatcher(self.0)), PhantomData)
    }
}

impl AsyncDispatcher for Dispatcher {
    fn as_async_dispatcher_ref(&self) -> AsyncDispatcherRef<'_> {
        let async_dispatcher =
            NonNull::new(unsafe { fdf_dispatcher_get_async_dispatcher(self.0.as_ptr()) })
                .expect("No async dispatcher on driver dispatcher");
        unsafe { AsyncDispatcherRef::from_raw(async_dispatcher) }
    }
}

impl Drop for Dispatcher {
    fn drop(&mut self) {
        // SAFETY: we only ever provide an owned `Dispatcher` to one owner, so when
        // that one is dropped we can invoke the shutdown of the dispatcher
        unsafe { fdf_dispatcher_shutdown_async(self.0.as_mut()) }
    }
}

/// An owned reference to a driver runtime dispatcher that auto-releases when dropped. This gives
/// you the best of both worlds of having an `Arc<Dispatcher>` and a `DispatcherRef<'static>`
/// created by [`Dispatcher::release`]:
///
/// - You can vend [`Weak`]-like pointers to it that will not cause memory access errors if used
///   after the dispatcher has shut down, like an [`Arc`].
/// - You can tie its terminal lifetime to that of the driver itself.
///
/// This is particularly useful in tests.
#[derive(Debug)]
pub struct AutoReleaseDispatcher(Arc<AtomicPtr<fdf_dispatcher>>);

impl AutoReleaseDispatcher {
    /// Returns a weakened reference to this dispatcher. This weak reference will only be valid so
    /// long as the [`AutoReleaseDispatcher`] object that spawned it is alive, after which it will
    /// no longer be usable to spawn tasks on.
    pub fn downgrade(&self) -> WeakDispatcher {
        WeakDispatcher::from(self)
    }
}

impl From<Dispatcher> for AutoReleaseDispatcher {
    fn from(dispatcher: Dispatcher) -> Self {
        let dispatcher_ptr = dispatcher.release().0.0.as_ptr();
        Self(Arc::new(AtomicPtr::new(dispatcher_ptr)))
    }
}

impl Drop for AutoReleaseDispatcher {
    fn drop(&mut self) {
        // Store nullptr into the atomic so that any future attempts to obtain a strong reference
        // through a WeakDispatcher will not successfully upgrade.
        self.0.store(null_mut(), Ordering::Relaxed);
        // We want to allow for any outstanding `on_dispatcher` calls to finish before returning
        // from drop, so we're going to loop until the strong reference count goes down to zero,
        // after which any future attempts to call `on_dispatcher` on a `WeakDispatcher` will fail.
        while Arc::strong_count(&self.0) > 1 {
            // This sleep is kind of gross, but it should happen extremely rarely and
            // `on_dispatcher` calls should not be performing any blocking work.
            std::thread::sleep(std::time::Duration::from_nanos(100))
        }
    }
}

/// An unowned but reference counted reference to a dispatcher. This would usually come from
/// an [`AutoReleaseDispatcher`] reference to a dispatcher.
///
/// The advantage to using this instead of using [`Weak`] directly is that it controls the lifetime
/// of any given strong reference to the dispatcher, since the only way to access that strong
/// reference is through [`OnDispatcher::on_dispatcher`]. This makes it much easier to be sure
/// that you aren't leaving any dangling strong references to the dispatcher object around.
#[derive(Clone, Debug)]
pub struct WeakDispatcher(Weak<AtomicPtr<fdf_dispatcher>>);

impl From<&AutoReleaseDispatcher> for WeakDispatcher {
    fn from(value: &AutoReleaseDispatcher) -> Self {
        Self(Arc::downgrade(&value.0))
    }
}

impl OnDispatcher for WeakDispatcher {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        let Some(dispatcher_ptr) = self.0.upgrade() else {
            return f(None);
        };
        let Some(dispatcher) = NonNull::new(dispatcher_ptr.load(Ordering::Relaxed)) else {
            return f(None);
        };
        // SAFETY: As long as we hold the strong reference in dispatcher_ptr, the
        // AutoReleaseDispatcher will not allow its drop to finish and the dispatcher should still
        // be valid.
        f(Some(unsafe { DispatcherRef::from_raw(dispatcher) }.as_async_dispatcher_ref()))
    }
}

/// An unowned reference to a driver runtime dispatcher such as is produced by calling
/// [`Dispatcher::release`]. When this object goes out of scope it won't shut down the dispatcher,
/// leaving that up to the driver runtime or another owner.
#[derive(Debug)]
pub struct DispatcherRef<'a>(ManuallyDrop<Dispatcher>, PhantomData<&'a Dispatcher>);

impl<'a> DispatcherRef<'a> {
    /// Creates a dispatcher ref from a raw handle.
    ///
    /// # Safety
    ///
    /// Caller is responsible for ensuring that the given handle is valid for
    /// the lifetime `'a`.
    pub unsafe fn from_raw(handle: NonNull<fdf_dispatcher_t>) -> Self {
        // SAFETY: Caller promises the handle is valid.
        Self(ManuallyDrop::new(unsafe { Dispatcher::from_raw(handle) }), PhantomData)
    }

    /// Creates a dispatcher ref from an [`AsyncDispatcherRef`].
    ///
    /// # Panics
    ///
    /// Note that this will cause an assert if the [`AsyncDispatcherRef`] was not created from a
    /// driver dispatcher in the first place.
    pub fn from_async_dispatcher(dispatcher: AsyncDispatcherRef<'a>) -> Self {
        let handle = NonNull::new(unsafe {
            fdf_dispatcher_downcast_async_dispatcher(dispatcher.inner().as_ptr())
        })
        .unwrap();
        unsafe { Self::from_raw(handle) }
    }
}

impl<'a> AsyncDispatcher for DispatcherRef<'a> {
    fn as_async_dispatcher_ref(&self) -> AsyncDispatcherRef<'_> {
        self.0.as_async_dispatcher_ref()
    }
}

impl<'a> Clone for DispatcherRef<'a> {
    fn clone(&self) -> Self {
        Self(ManuallyDrop::new(Dispatcher(self.0.0)), PhantomData)
    }
}

impl<'a> core::ops::Deref for DispatcherRef<'a> {
    type Target = Dispatcher;
    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl<'a> core::ops::DerefMut for DispatcherRef<'a> {
    fn deref_mut(&mut self) -> &mut Self::Target {
        &mut self.0
    }
}

impl<'a> OnDispatcher for DispatcherRef<'a> {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        f(Some(self.as_async_dispatcher_ref()))
    }
}

/// A placeholder for the currently active dispatcher. Use [`OnDispatcher::on_dispatcher`] to
/// access it when needed.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CurrentDispatcher;

impl OnDispatcher for CurrentDispatcher {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        let dispatcher = OVERRIDE_DISPATCHER
            .with(|global| *global.borrow())
            .or_else(|| {
                // SAFETY: NonNull::new will null-check that we have a current dispatcher.
                NonNull::new(unsafe { fdf_dispatcher_get_current_dispatcher() })
            })
            .map(|dispatcher| {
                // SAFETY: We constrain the lifetime of the `DispatcherRef` we provide to the
                // function below to the span of the current function. Since we are running on
                // the dispatcher, or another dispatcher that is bound to the same lifetime (through
                // override_dispatcher), we can be sure that the dispatcher will not be shut
                // down before that function completes.
                let async_dispatcher = NonNull::new(unsafe {
                    fdf_dispatcher_get_async_dispatcher(dispatcher.as_ptr())
                })
                .expect("No async dispatcher on driver dispatcher");
                unsafe { AsyncDispatcherRef::from_raw(async_dispatcher) }
            });
        f(dispatcher)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    use std::sync::{Arc, Once, Weak, mpsc};

    use futures::channel::mpsc as async_mpsc;
    use futures::{SinkExt, StreamExt};
    use zx::sys::ZX_OK;

    use core::ffi::{c_char, c_void};
    use core::ptr::null_mut;

    static GLOBAL_DRIVER_ENV: Once = Once::new();

    pub fn ensure_driver_env() {
        GLOBAL_DRIVER_ENV.call_once(|| {
            // SAFETY: calling fdf_env_start, which does not have any soundness
            // concerns for rust code, and this is only used in tests.
            unsafe {
                assert_eq!(fdf_env_start(0), ZX_OK);
            }
        });
    }
    pub fn with_raw_dispatcher<T>(name: &str, p: impl for<'a> FnOnce(Weak<Dispatcher>) -> T) -> T {
        with_raw_dispatcher_flags(name, DispatcherBuilder::ALLOW_THREAD_BLOCKING, p)
    }

    pub(crate) fn with_raw_dispatcher_flags<T>(
        name: &str,
        flags: u32,
        p: impl for<'a> FnOnce(Weak<Dispatcher>) -> T,
    ) -> T {
        ensure_driver_env();

        let (shutdown_tx, shutdown_rx) = mpsc::channel();
        let mut dispatcher = null_mut();
        let mut observer = ShutdownObserver::new(move |dispatcher| {
            // SAFETY: we verify that the dispatcher has no tasks left queued in it,
            // just because this is testing code.
            assert!(!unsafe { fdf_env_dispatcher_has_queued_tasks(dispatcher.0.0.as_ptr()) });
            shutdown_tx.send(()).unwrap();
        })
        .into_ptr();
        let driver_ptr = &mut observer as *mut _ as *mut c_void;
        // SAFETY: The pointers we pass to this function are all stable for the
        // duration of this function, and are not available to copy or clone to
        // client code (only through a ref to the non-`Clone`` `Dispatcher`
        // wrapper).
        let res = unsafe {
            fdf_env_dispatcher_create_with_owner(
                driver_ptr,
                flags,
                name.as_ptr() as *const c_char,
                name.len(),
                "".as_ptr() as *const c_char,
                0_usize,
                observer,
                &mut dispatcher,
            )
        };
        assert_eq!(res, ZX_OK);
        let dispatcher = Arc::new(Dispatcher(NonNull::new(dispatcher).unwrap()));

        let res = p(Arc::downgrade(&dispatcher));

        // this initiates the dispatcher shutdown on a driver runtime
        // thread. When all tasks on the dispatcher have completed, the wait
        // on the shutdown_rx below will end and we can tear it down.
        let weak_dispatcher = Arc::downgrade(&dispatcher);
        drop(dispatcher);
        shutdown_rx.recv().unwrap();
        assert_eq!(
            0,
            weak_dispatcher.strong_count(),
            "a dispatcher reference escaped the test body"
        );

        res
    }

    #[test]
    fn start_test_dispatcher() {
        with_raw_dispatcher("testing", |dispatcher| {
            println!("hello {dispatcher:?}");
        })
    }

    #[test]
    fn post_task_on_dispatcher() {
        with_raw_dispatcher("testing task", |dispatcher| {
            let (tx, rx) = mpsc::channel();
            let dispatcher = Weak::upgrade(&dispatcher).unwrap();
            dispatcher
                .post_task_sync(move |status| {
                    assert_eq!(status, Status::from_raw(ZX_OK));
                    tx.send(status).unwrap();
                })
                .unwrap();
            assert_eq!(rx.recv().unwrap(), Status::from_raw(ZX_OK));
        });
    }

    #[test]
    fn post_task_on_subdispatcher() {
        let (shutdown_tx, shutdown_rx) = mpsc::channel();
        with_raw_dispatcher("testing task top level", move |dispatcher| {
            let (tx, rx) = mpsc::channel();
            let (inner_tx, inner_rx) = mpsc::channel();
            let dispatcher = Weak::upgrade(&dispatcher).unwrap();
            dispatcher
                .post_task_sync(move |status| {
                    assert_eq!(status, Status::from_raw(ZX_OK));
                    let inner = DispatcherBuilder::new()
                        .name("testing task second level")
                        .scheduler_role("")
                        .allow_thread_blocking()
                        .shutdown_observer(move |_dispatcher| {
                            println!("shutdown observer called");
                            shutdown_tx.send(1).unwrap();
                        })
                        .create()
                        .unwrap();
                    inner
                        .post_task_sync(move |status| {
                            assert_eq!(status, Status::from_raw(ZX_OK));
                            tx.send(status).unwrap();
                        })
                        .unwrap();
                    // we want to make sure the inner dispatcher lives long
                    // enough to run the task, so we sent it out to the outer
                    // closure.
                    inner_tx.send(inner).unwrap();
                })
                .unwrap();
            assert_eq!(rx.recv().unwrap(), Status::from_raw(ZX_OK));
            inner_rx.recv().unwrap();
        });
        assert_eq!(shutdown_rx.recv().unwrap(), 1);
    }

    async fn ping(mut tx: async_mpsc::Sender<u8>, mut rx: async_mpsc::Receiver<u8>) {
        println!("starting ping!");
        tx.send(0).await.unwrap();
        while let Some(next) = rx.next().await {
            println!("ping! {next}");
            tx.send(next + 1).await.unwrap();
        }
    }

    async fn pong(
        fin_tx: std::sync::mpsc::Sender<()>,
        mut tx: async_mpsc::Sender<u8>,
        mut rx: async_mpsc::Receiver<u8>,
    ) {
        println!("starting pong!");
        while let Some(next) = rx.next().await {
            println!("pong! {next}");
            if next > 10 {
                println!("bye!");
                break;
            }
            tx.send(next + 1).await.unwrap();
        }
        fin_tx.send(()).unwrap();
    }

    #[test]
    fn async_ping_pong() {
        with_raw_dispatcher("async ping pong", |dispatcher| {
            let (fin_tx, fin_rx) = mpsc::channel();
            let (ping_tx, pong_rx) = async_mpsc::channel(10);
            let (pong_tx, ping_rx) = async_mpsc::channel(10);
            dispatcher.spawn(ping(ping_tx, ping_rx)).unwrap();
            dispatcher.spawn(pong(fin_tx, pong_tx, pong_rx)).unwrap();

            fin_rx.recv().expect("to receive final value");
        });
    }

    async fn slow_pong(
        fin_tx: std::sync::mpsc::Sender<()>,
        mut tx: async_mpsc::Sender<u8>,
        mut rx: async_mpsc::Receiver<u8>,
    ) {
        use zx::MonotonicDuration;
        println!("starting pong!");
        while let Some(next) = rx.next().await {
            println!("pong! {next}");
            fuchsia_async::Timer::new(fuchsia_async::MonotonicInstant::after(
                MonotonicDuration::from_seconds(1),
            ))
            .await;
            if next > 10 {
                println!("bye!");
                break;
            }
            tx.send(next + 1).await.unwrap();
        }
        fin_tx.send(()).unwrap();
    }

    #[test]
    fn mixed_executor_async_ping_pong() {
        with_raw_dispatcher("async ping pong", |dispatcher| {
            let (fin_tx, fin_rx) = mpsc::channel();
            let (ping_tx, pong_rx) = async_mpsc::channel(10);
            let (pong_tx, ping_rx) = async_mpsc::channel(10);

            // spawn ping on the driver dispatcher
            dispatcher.spawn(ping(ping_tx, ping_rx)).unwrap();

            // and run pong on the fuchsia_async executor
            let mut executor = fuchsia_async::LocalExecutor::default();
            executor.run_singlethreaded(slow_pong(fin_tx, pong_tx, pong_rx));

            fin_rx.recv().expect("to receive final value");
        });
    }
}