fdf_core/

dispatcher.rs

// Copyright 2024 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

//! Safe bindings for the driver runtime dispatcher stable ABI

use fdf_sys::*;

use core::cell::RefCell;
use core::ffi;
use core::marker::PhantomData;
use core::mem::ManuallyDrop;
use core::ptr::{NonNull, null_mut};
use std::sync::atomic::{AtomicPtr, Ordering};
use std::sync::{Arc, Weak};

use zx::Status;

use crate::shutdown_observer::ShutdownObserver;

pub use fdf_sys::fdf_dispatcher_t;
pub use libasync::{
    AfterDeadline, AsyncDispatcher, AsyncDispatcherRef, JoinHandle, OnDispatcher, Task,
};

/// A marker trait for a function type that can be used as a shutdown observer for [`Dispatcher`].
pub trait ShutdownObserverFn: FnOnce(DispatcherRef<'_>) + Send + 'static {}
impl<T> ShutdownObserverFn for T where T: FnOnce(DispatcherRef<'_>) + Send + 'static {}

/// A builder for [`Dispatcher`]s
#[derive(Default)]
pub struct DispatcherBuilder {
    #[doc(hidden)]
    pub options: u32,
    #[doc(hidden)]
    pub name: String,
    #[doc(hidden)]
    pub scheduler_role: String,
    #[doc(hidden)]
    pub shutdown_observer: Option<Box<dyn ShutdownObserverFn>>,
}

impl DispatcherBuilder {
    /// See `FDF_DISPATCHER_OPTION_UNSYNCHRONIZED` in the C API
    pub(crate) const UNSYNCHRONIZED: u32 = fdf_sys::FDF_DISPATCHER_OPTION_UNSYNCHRONIZED;
    /// See `FDF_DISPATCHER_OPTION_ALLOW_SYNC_CALLS` in the C API
    pub(crate) const ALLOW_THREAD_BLOCKING: u32 = fdf_sys::FDF_DISPATCHER_OPTION_ALLOW_SYNC_CALLS;
    /// See `FDF_DISPATCHER_OPTION_NO_THREAD_MIGRATION` in the C API
    pub(crate) const NO_THREAD_MIGRATION: u32 = fdf_sys::FDF_DISPATCHER_OPTION_NO_THREAD_MIGRATION;

    /// Creates a new [`DispatcherBuilder`] that can be used to configure a new dispatcher.
    /// For more information on the threading-related flags for the dispatcher, see
    /// https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    pub fn new() -> Self {
        Self::default()
    }

    /// Sets whether parallel callbacks in the callbacks set in the dispatcher are allowed. May
    /// not be set with [`Self::allow_thread_blocking`].
    ///
    /// See https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    /// for more information on the threading model of driver dispatchers.
    pub fn unsynchronized(mut self) -> Self {
        assert!(
            !self.allows_thread_blocking(),
            "you may not create an unsynchronized dispatcher that allows synchronous calls"
        );
        self.options |= Self::UNSYNCHRONIZED;
        self
    }

    /// Whether or not this is an unsynchronized dispatcher
    pub fn is_unsynchronized(&self) -> bool {
        (self.options & Self::UNSYNCHRONIZED) == Self::UNSYNCHRONIZED
    }

    /// This dispatcher may not share zircon threads with other drivers. May not be set with
    /// [`Self::unsynchronized`].
    ///
    /// See https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    /// for more information on the threading model of driver dispatchers.
    pub fn allow_thread_blocking(mut self) -> Self {
        assert!(
            !self.is_unsynchronized(),
            "you may not create an unsynchronized dispatcher that allows synchronous calls"
        );
        self.options |= Self::ALLOW_THREAD_BLOCKING;
        self
    }

    /// Whether or not this dispatcher allows synchronous calls
    pub fn allows_thread_blocking(&self) -> bool {
        (self.options & Self::ALLOW_THREAD_BLOCKING) == Self::ALLOW_THREAD_BLOCKING
    }

    /// This dispatcher may not run on more than one thread. This can only be set if the
    /// dispatcher is being run on a scheduler role that does not allow sync calls on
    /// any of its dispatchers.
    ///
    /// See https://fuchsia.dev/fuchsia-src/concepts/drivers/driver-dispatcher-and-threads
    /// for more information on the threading model of driver dispatchers.
    pub fn no_thread_migration(mut self) -> Self {
        self.options |= Self::NO_THREAD_MIGRATION;
        self
    }

    /// Whether or not this dispatcher is allowed to run on multiple threads
    pub fn allows_thread_migration(&self) -> bool {
        (self.options & Self::NO_THREAD_MIGRATION) == 0
    }

    /// A descriptive name for this dispatcher that is used in debug output and process
    /// lists.
    pub fn name(mut self, name: &str) -> Self {
        self.name = name.to_string();
        self
    }

    /// A hint string for the runtime that may or may not impact the priority the work scheduled
    /// by this dispatcher is handled at. It may or may not impact the ability for other drivers
    /// to share zircon threads with the dispatcher.
    pub fn scheduler_role(mut self, role: &str) -> Self {
        self.scheduler_role = role.to_string();
        self
    }

    /// A callback to be called before after the dispatcher has completed asynchronous shutdown.
    pub fn shutdown_observer<F: ShutdownObserverFn>(mut self, shutdown_observer: F) -> Self {
        self.shutdown_observer = Some(Box::new(shutdown_observer));
        self
    }

    /// Create the dispatcher as configured by this object. This must be called from a
    /// thread managed by the driver runtime. The dispatcher returned is owned by the caller,
    /// and will initiate asynchronous shutdown when the object is dropped unless
    /// [`Dispatcher::release`] is called on it to convert it into an unowned [`DispatcherRef`].
    pub fn create(self) -> Result<Dispatcher, Status> {
        let mut out_dispatcher = null_mut();
        let options = self.options;
        let name = self.name.as_ptr() as *mut ffi::c_char;
        let name_len = self.name.len();
        let scheduler_role = self.scheduler_role.as_ptr() as *mut ffi::c_char;
        let scheduler_role_len = self.scheduler_role.len();
        let observer =
            ShutdownObserver::new(self.shutdown_observer.unwrap_or_else(|| Box::new(|_| {})))
                .into_ptr();
        // SAFETY: all arguments point to memory that will be available for the duration
        // of the call, except `observer`, which will be available until it is unallocated
        // by the dispatcher exit handler.
        Status::ok(unsafe {
            fdf_dispatcher_create(
                options,
                name,
                name_len,
                scheduler_role,
                scheduler_role_len,
                observer,
                &mut out_dispatcher,
            )
        })?;
        // SAFETY: `out_dispatcher` is valid by construction if `fdf_dispatcher_create` returns
        // ZX_OK.
        Ok(Dispatcher(unsafe { NonNull::new_unchecked(out_dispatcher) }))
    }

    /// As with [`Self::create`], this creates a new dispatcher as configured by this object, but
    /// instead of returning an owned reference it immediately releases the reference to be
    /// managed by the driver runtime.
    pub fn create_released(self) -> Result<DispatcherRef<'static>, Status> {
        self.create().map(Dispatcher::release)
    }
}

/// An owned handle for a dispatcher managed by the driver runtime.
#[derive(Debug)]
pub struct Dispatcher(pub(crate) NonNull<fdf_dispatcher_t>);

// SAFETY: The api of fdf_dispatcher_t is thread safe.
unsafe impl Send for Dispatcher {}
unsafe impl Sync for Dispatcher {}
thread_local! {
    pub(crate) static OVERRIDE_DISPATCHER: RefCell<Option<NonNull<fdf_dispatcher_t>>> = const { RefCell::new(None) };
}

impl Dispatcher {
    /// Creates a dispatcher ref from a raw handle.
    ///
    /// # Safety
    ///
    /// Caller is responsible for ensuring that the given handle is valid and
    /// not owned by any other wrapper that will free it at an arbitrary
    /// time.
    pub unsafe fn from_raw(handle: NonNull<fdf_dispatcher_t>) -> Self {
        Self(handle)
    }

    fn get_raw_flags(&self) -> u32 {
        // SAFETY: the inner fdf_dispatcher_t is valid by construction
        unsafe { fdf_dispatcher_get_options(self.0.as_ptr()) }
    }

    /// Whether this dispatcher's tasks and futures can run on multiple threads at the same time.
    pub fn is_unsynchronized(&self) -> bool {
        (self.get_raw_flags() & DispatcherBuilder::UNSYNCHRONIZED) != 0
    }

    /// Whether this dispatcher is allowed to call blocking functions or not
    pub fn allows_thread_blocking(&self) -> bool {
        (self.get_raw_flags() & DispatcherBuilder::ALLOW_THREAD_BLOCKING) != 0
    }

    /// Whether this dispatcher is allowed to migrate threads, in which case it can't
    /// be used for non-[`Send`] tasks.
    pub fn allows_thread_migration(&self) -> bool {
        (self.get_raw_flags() & DispatcherBuilder::NO_THREAD_MIGRATION) == 0
    }

    /// Whether this is the dispatcher the current thread is running on
    pub fn is_current_dispatcher(&self) -> bool {
        // SAFETY: we don't do anything with the dispatcher pointer, and NULL is returned if this
        // isn't a dispatcher-managed thread.
        self.0.as_ptr() == unsafe { fdf_dispatcher_get_current_dispatcher() }
    }

    /// Releases ownership over this dispatcher and returns a [`DispatcherRef`]
    /// that can be used to access it. The lifetime of this reference is static because it will
    /// exist so long as this current driver is loaded, but the driver runtime will shut it down
    /// when the driver is unloaded.
    pub fn release(self) -> DispatcherRef<'static> {
        DispatcherRef(ManuallyDrop::new(self), PhantomData)
    }

    /// Returns a [`DispatcherRef`] that references this dispatcher with a lifetime constrained by
    /// `self`.
    pub fn as_dispatcher_ref(&self) -> DispatcherRef<'_> {
        DispatcherRef(ManuallyDrop::new(Dispatcher(self.0)), PhantomData)
    }
}

impl AsyncDispatcher for Dispatcher {
    fn as_async_dispatcher_ref(&self) -> AsyncDispatcherRef<'_> {
        let async_dispatcher =
            NonNull::new(unsafe { fdf_dispatcher_get_async_dispatcher(self.0.as_ptr()) })
                .expect("No async dispatcher on driver dispatcher");
        unsafe { AsyncDispatcherRef::from_raw(async_dispatcher) }
    }
}

impl Drop for Dispatcher {
    fn drop(&mut self) {
        // SAFETY: we only ever provide an owned `Dispatcher` to one owner, so when
        // that one is dropped we can invoke the shutdown of the dispatcher
        unsafe { fdf_dispatcher_shutdown_async(self.0.as_mut()) }
    }
}

/// An owned reference to a driver runtime dispatcher that auto-releases when dropped. This gives
/// you the best of both worlds of having an `Arc<Dispatcher>` and a `DispatcherRef<'static>`
/// created by [`Dispatcher::release`]:
///
/// - You can vend [`Weak`]-like pointers to it that will not cause memory access errors if used
///   after the dispatcher has shut down, like an [`Arc`].
/// - You can tie its terminal lifetime to that of the driver itself.
///
/// This is particularly useful in tests.
#[derive(Debug)]
pub struct AutoReleaseDispatcher(Arc<AtomicPtr<fdf_dispatcher>>);

impl AutoReleaseDispatcher {
    /// Returns a weakened reference to this dispatcher. This weak reference will only be valid so
    /// long as the [`AutoReleaseDispatcher`] object that spawned it is alive, after which it will
    /// no longer be usable to spawn tasks on.
    pub fn downgrade(&self) -> WeakDispatcher {
        WeakDispatcher::from(self)
    }
}

impl AsyncDispatcher for AutoReleaseDispatcher {
    fn as_async_dispatcher_ref(&self) -> AsyncDispatcherRef<'_> {
        let dispatcher = NonNull::new(self.0.load(Ordering::Relaxed))
            .expect("tried to obtain async dispatcher after drop");
        // SAFETY: the validity of this dispatcher is ensured by use of NonNull above and this
        // object's exclusive ownership over the dispatcher while it's alive.
        unsafe {
            AsyncDispatcherRef::from_raw(
                NonNull::new(fdf_dispatcher_get_async_dispatcher(dispatcher.as_ptr())).unwrap(),
            )
        }
    }
}

impl From<Dispatcher> for AutoReleaseDispatcher {
    fn from(dispatcher: Dispatcher) -> Self {
        let dispatcher_ptr = dispatcher.release().0.0.as_ptr();
        Self(Arc::new(AtomicPtr::new(dispatcher_ptr)))
    }
}

impl Drop for AutoReleaseDispatcher {
    fn drop(&mut self) {
        // Store nullptr into the atomic so that any future attempts to obtain a strong reference
        // through a WeakDispatcher will not successfully upgrade.
        self.0.store(null_mut(), Ordering::Relaxed);
        // We want to allow for any outstanding `on_dispatcher` calls to finish before returning
        // from drop, so we're going to loop until the strong reference count goes down to zero,
        // after which any future attempts to call `on_dispatcher` on a `WeakDispatcher` will fail.
        while Arc::strong_count(&self.0) > 1 {
            // This sleep is kind of gross, but it should happen extremely rarely and
            // `on_dispatcher` calls should not be performing any blocking work.
            std::thread::sleep(std::time::Duration::from_nanos(100))
        }
    }
}

/// An unowned but reference counted reference to a dispatcher. This would usually come from
/// an [`AutoReleaseDispatcher`] reference to a dispatcher.
///
/// The advantage to using this instead of using [`Weak`] directly is that it controls the lifetime
/// of any given strong reference to the dispatcher, since the only way to access that strong
/// reference is through [`OnDispatcher::on_dispatcher`]. This makes it much easier to be sure
/// that you aren't leaving any dangling strong references to the dispatcher object around.
#[derive(Clone, Debug)]
pub struct WeakDispatcher(Weak<AtomicPtr<fdf_dispatcher>>);

impl From<&AutoReleaseDispatcher> for WeakDispatcher {
    fn from(value: &AutoReleaseDispatcher) -> Self {
        Self(Arc::downgrade(&value.0))
    }
}

impl OnDispatcher for WeakDispatcher {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        let Some(dispatcher_ptr) = self.0.upgrade() else {
            return f(None);
        };
        let Some(dispatcher) = NonNull::new(dispatcher_ptr.load(Ordering::Relaxed)) else {
            return f(None);
        };
        // SAFETY: As long as we hold the strong reference in dispatcher_ptr, the
        // AutoReleaseDispatcher will not allow its drop to finish and the dispatcher should still
        // be valid.
        f(Some(unsafe { DispatcherRef::from_raw(dispatcher) }.as_async_dispatcher_ref()))
    }
}

impl OnDriverDispatcher for WeakDispatcher {}

/// An unowned reference to a driver runtime dispatcher such as is produced by calling
/// [`Dispatcher::release`]. When this object goes out of scope it won't shut down the dispatcher,
/// leaving that up to the driver runtime or another owner.
#[derive(Debug)]
pub struct DispatcherRef<'a>(ManuallyDrop<Dispatcher>, PhantomData<&'a Dispatcher>);

impl<'a> DispatcherRef<'a> {
    /// Creates a dispatcher ref from a raw handle.
    ///
    /// # Safety
    ///
    /// Caller is responsible for ensuring that the given handle is valid for
    /// the lifetime `'a`.
    pub unsafe fn from_raw(handle: NonNull<fdf_dispatcher_t>) -> Self {
        // SAFETY: Caller promises the handle is valid.
        Self(ManuallyDrop::new(unsafe { Dispatcher::from_raw(handle) }), PhantomData)
    }

    /// Creates a dispatcher ref from an [`AsyncDispatcherRef`].
    ///
    /// # Panics
    ///
    /// Note that this will cause an assert if the [`AsyncDispatcherRef`] was not created from a
    /// driver dispatcher in the first place.
    pub fn from_async_dispatcher(dispatcher: AsyncDispatcherRef<'a>) -> Self {
        let handle = NonNull::new(unsafe {
            fdf_dispatcher_downcast_async_dispatcher(dispatcher.inner().as_ptr())
        })
        .unwrap();
        unsafe { Self::from_raw(handle) }
    }

    /// Gets the raw handle from this dispatcher ref.
    ///
    /// # Safety
    ///
    /// Caller is responsible for ensuring that the dispatcher handle is used safely.
    pub unsafe fn as_raw(&mut self) -> *mut fdf_dispatcher_t {
        unsafe { self.0.0.as_mut() }
    }
}

/// Used to wrap a non-send future as send when we've dynamically checked that the dispatcher
/// we're going to spawn it on is non-[`Send`]-safe.
///
/// This should only ever be used after validating that the dispatcher is the currently running
/// one and that the dispatcher does not migrate threads.
///
/// This is an internal implementation detail and should never be made public.
struct AddSendFuture<T>(T);

impl<T: Future> Future for AddSendFuture<T> {
    type Output = T::Output;

    fn poll(
        self: std::pin::Pin<&mut Self>,
        cx: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Self::Output> {
        // SAFETY: self.0 is pinned if self is.
        let fut = unsafe { self.map_unchecked_mut(|fut| &mut fut.0) };
        fut.poll(cx)
    }
}

// SAFETY: We are forcing this future to be [`Send`] even though the inner future is not because
// we validate at runtime before spawning the task that the dispatcher is correctly configured to
// do the right thing with it.
unsafe impl<T> Send for AddSendFuture<T> {}

/// Makes available additional functionality available on driver dispatchers on top of what's
/// available on [`OnDispatcher`].
pub trait OnDriverDispatcher: OnDispatcher {
    /// Spawn an asynchronous local task on this dispatcher. If this returns [`Ok`] then the task
    /// has successfully been scheduled and will run or be cancelled and dropped when the dispatcher
    /// shuts down. The returned future's result will be [`Ok`] if the future completed
    /// successfully, or an [`Err`] if the task did not complete for some reason (like the
    /// dispatcher shut down).
    ///
    /// Unlike [`OnDispatcher::spawn`], this will accept a future that does not implement [`Send`]. If
    /// called from a thread other than the one the dispatcher is running on or the dispatcher
    /// is not guaranteed to always poll from the same thread, this will return
    /// [`Status::BAD_STATE`].
    ///
    /// Returns a [`JoinHandle`] that will detach the future when dropped.
    fn spawn_local(
        &self,
        future: impl Future<Output = ()> + 'static,
    ) -> Result<JoinHandle<()>, Status>
    where
        Self: 'static,
    {
        self.on_maybe_dispatcher(|dispatcher| {
            let dispatcher = DispatcherRef::from_async_dispatcher(dispatcher);
            if dispatcher.0.is_current_dispatcher() && !dispatcher.0.allows_thread_migration() {
                OnDispatcher::spawn(self, AddSendFuture(future))
            } else {
                Err(Status::BAD_STATE)
            }
        })
    }

    /// Spawn a local asynchronous task that outputs type 'T' on this dispatcher. The returned future's
    /// result will be [`Ok`] if the task was started and completed successfully, or an [`Err`] if
    /// the task couldn't be started or failed to complete (for example because the dispatcher was
    /// shutting down).
    ///
    /// Returns a [`Task`] that will cancel the future when dropped.
    ///
    /// Unlike [`OnDispatcher::compute`], this will accept a future that does not implement [`Send`]. If
    /// called from a thread other than the one the dispatcher is running on or the dispatcher
    /// is not guaranteed to always poll from the same thread, this will return
    /// [`Status::BAD_STATE`].
    ///
    /// TODO(470088116): This may be the cause of some flakes, so care should be used with it
    /// in critical paths for now.
    fn compute_local<T: Send + 'static>(
        &self,
        future: impl Future<Output = T> + 'static,
    ) -> Result<Task<T>, Status>
    where
        Self: 'static,
    {
        self.on_maybe_dispatcher(|dispatcher| {
            let dispatcher = DispatcherRef::from_async_dispatcher(dispatcher);
            if dispatcher.0.is_current_dispatcher() && !dispatcher.0.allows_thread_migration() {
                Ok(OnDispatcher::compute(self, AddSendFuture(future)))
            } else {
                Err(Status::BAD_STATE)
            }
        })
    }
}

impl OnDriverDispatcher for Arc<Dispatcher> {}
impl OnDriverDispatcher for Weak<Dispatcher> {}

impl<'a> AsyncDispatcher for DispatcherRef<'a> {
    fn as_async_dispatcher_ref(&self) -> AsyncDispatcherRef<'_> {
        self.0.as_async_dispatcher_ref()
    }
}

impl<'a> Clone for DispatcherRef<'a> {
    fn clone(&self) -> Self {
        Self(ManuallyDrop::new(Dispatcher(self.0.0)), PhantomData)
    }
}

impl<'a> core::ops::Deref for DispatcherRef<'a> {
    type Target = Dispatcher;
    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl<'a> core::ops::DerefMut for DispatcherRef<'a> {
    fn deref_mut(&mut self) -> &mut Self::Target {
        &mut self.0
    }
}

impl<'a> OnDispatcher for DispatcherRef<'a> {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        f(Some(self.as_async_dispatcher_ref()))
    }
}

impl<'a> OnDriverDispatcher for DispatcherRef<'a> {}

/// A placeholder for the currently active dispatcher. Use [`OnDispatcher::on_dispatcher`] to
/// access it when needed.
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub struct CurrentDispatcher;

impl OnDispatcher for CurrentDispatcher {
    fn on_dispatcher<R>(&self, f: impl FnOnce(Option<AsyncDispatcherRef<'_>>) -> R) -> R {
        let dispatcher = OVERRIDE_DISPATCHER
            .with(|global| *global.borrow())
            .or_else(|| {
                // SAFETY: NonNull::new will null-check that we have a current dispatcher.
                NonNull::new(unsafe { fdf_dispatcher_get_current_dispatcher() })
            })
            .map(|dispatcher| {
                // SAFETY: We constrain the lifetime of the `DispatcherRef` we provide to the
                // function below to the span of the current function. Since we are running on
                // the dispatcher, or another dispatcher that is bound to the same lifetime (through
                // override_dispatcher), we can be sure that the dispatcher will not be shut
                // down before that function completes.
                let async_dispatcher = NonNull::new(unsafe {
                    fdf_dispatcher_get_async_dispatcher(dispatcher.as_ptr())
                })
                .expect("No async dispatcher on driver dispatcher");
                unsafe { AsyncDispatcherRef::from_raw(async_dispatcher) }
            });
        f(dispatcher)
    }
}

impl OnDriverDispatcher for CurrentDispatcher {}

#[cfg(test)]
mod tests {
    use super::*;

    use std::sync::{Arc, Once, Weak, mpsc};

    use futures::channel::mpsc as async_mpsc;
    use futures::{SinkExt, StreamExt};
    use zx::sys::ZX_OK;

    use core::ffi::{c_char, c_void};
    use core::ptr::null_mut;

    static GLOBAL_DRIVER_ENV: Once = Once::new();
    const NO_SYNC_CALLS_ROLE: &str = "no sync calls role";

    pub fn ensure_driver_env() {
        GLOBAL_DRIVER_ENV.call_once(|| {
            // SAFETY: calling fdf_env_start, which does not have any soundness
            // concerns for rust code, and this is only used in tests.
            unsafe {
                assert_eq!(fdf_env_start(0), ZX_OK);
                assert_eq!(
                    fdf_env_set_scheduler_role_opts(
                        NO_SYNC_CALLS_ROLE.as_ptr() as *const c_char,
                        NO_SYNC_CALLS_ROLE.len(),
                        FDF_SCHEDULER_ROLE_OPTION_NO_SYNC_CALLS
                    ),
                    ZX_OK
                );
            }
        });
    }
    pub fn with_raw_dispatcher<T>(name: &str, p: impl for<'a> FnOnce(Weak<Dispatcher>) -> T) -> T {
        with_raw_dispatcher_flags(name, DispatcherBuilder::ALLOW_THREAD_BLOCKING, "", p)
    }

    pub(crate) fn with_raw_dispatcher_flags<T>(
        name: &str,
        flags: u32,
        scheduler_role: &str,
        p: impl for<'a> FnOnce(Weak<Dispatcher>) -> T,
    ) -> T {
        ensure_driver_env();

        let (shutdown_tx, shutdown_rx) = mpsc::channel();
        let mut dispatcher = null_mut();
        let mut observer = ShutdownObserver::new(move |dispatcher| {
            // SAFETY: we verify that the dispatcher has no tasks left queued in it,
            // just because this is testing code.
            assert!(!unsafe { fdf_env_dispatcher_has_queued_tasks(dispatcher.0.0.as_ptr()) });
            shutdown_tx.send(()).unwrap();
        })
        .into_ptr();
        let driver_ptr = &mut observer as *mut _ as *mut c_void;
        // SAFETY: The pointers we pass to this function are all stable for the
        // duration of this function, and are not available to copy or clone to
        // client code (only through a ref to the non-`Clone`` `Dispatcher`
        // wrapper).
        let res = unsafe {
            fdf_env_dispatcher_create_with_owner(
                driver_ptr,
                flags,
                name.as_ptr() as *const c_char,
                name.len(),
                scheduler_role.as_ptr() as *const c_char,
                scheduler_role.len(),
                observer,
                &mut dispatcher,
            )
        };
        assert_eq!(res, ZX_OK);
        let dispatcher = Arc::new(Dispatcher(NonNull::new(dispatcher).unwrap()));

        let res = p(Arc::downgrade(&dispatcher));

        // this initiates the dispatcher shutdown on a driver runtime
        // thread. When all tasks on the dispatcher have completed, the wait
        // on the shutdown_rx below will end and we can tear it down.
        let weak_dispatcher = Arc::downgrade(&dispatcher);
        drop(dispatcher);
        shutdown_rx.recv().unwrap();
        assert_eq!(
            0,
            weak_dispatcher.strong_count(),
            "a dispatcher reference escaped the test body"
        );

        res
    }

    #[test]
    fn start_test_dispatcher() {
        with_raw_dispatcher("testing", |dispatcher| {
            println!("hello {dispatcher:?}");
        })
    }

    #[test]
    fn post_task_on_dispatcher() {
        with_raw_dispatcher("testing task", |dispatcher| {
            let (tx, rx) = mpsc::channel();
            let dispatcher = Weak::upgrade(&dispatcher).unwrap();
            dispatcher
                .post_task_sync(move |status| {
                    assert_eq!(status, Status::from_raw(ZX_OK));
                    tx.send(status).unwrap();
                })
                .unwrap();
            assert_eq!(rx.recv().unwrap(), Status::from_raw(ZX_OK));
        });
    }

    #[test]
    fn post_task_on_subdispatcher() {
        let (shutdown_tx, shutdown_rx) = mpsc::channel();
        with_raw_dispatcher("testing task top level", move |dispatcher| {
            let (tx, rx) = mpsc::channel();
            let (inner_tx, inner_rx) = mpsc::channel();
            let dispatcher = Weak::upgrade(&dispatcher).unwrap();
            dispatcher
                .post_task_sync(move |status| {
                    assert_eq!(status, Status::from_raw(ZX_OK));
                    let inner = DispatcherBuilder::new()
                        .name("testing task second level")
                        .scheduler_role("")
                        .allow_thread_blocking()
                        .shutdown_observer(move |_dispatcher| {
                            println!("shutdown observer called");
                            shutdown_tx.send(1).unwrap();
                        })
                        .create()
                        .unwrap();
                    inner
                        .post_task_sync(move |status| {
                            assert_eq!(status, Status::from_raw(ZX_OK));
                            tx.send(status).unwrap();
                        })
                        .unwrap();
                    // we want to make sure the inner dispatcher lives long
                    // enough to run the task, so we sent it out to the outer
                    // closure.
                    inner_tx.send(inner).unwrap();
                })
                .unwrap();
            assert_eq!(rx.recv().unwrap(), Status::from_raw(ZX_OK));
            inner_rx.recv().unwrap();
        });
        assert_eq!(shutdown_rx.recv().unwrap(), 1);
    }

    #[test]
    fn spawn_local_fails_on_normal_dispatcher() {
        let (shutdown_tx, shutdown_rx) = mpsc::channel();
        with_raw_dispatcher("spawn local failures", move |dispatcher| {
            let inside_dispatcher = dispatcher.clone();
            dispatcher
                .spawn(async move {
                    assert_eq!(
                        inside_dispatcher.spawn_local(futures::future::ready(())).unwrap_err(),
                        Status::BAD_STATE
                    );
                    assert_eq!(
                        inside_dispatcher.compute_local(futures::future::ready(())).unwrap_err(),
                        Status::BAD_STATE
                    );
                    shutdown_tx.send(()).unwrap();
                })
                .unwrap();
            shutdown_rx.recv().unwrap();
        });
    }

    #[test]
    #[ignore = "Pending resolution of b/488397193"]
    fn spawn_local_succeeds_on_no_thread_migration_dispatcher() {
        let (tx, rx) = mpsc::channel();
        with_raw_dispatcher_flags(
            "spawn local success",
            FDF_DISPATCHER_OPTION_NO_THREAD_MIGRATION,
            NO_SYNC_CALLS_ROLE,
            move |dispatcher| {
                let inside_dispatcher = dispatcher.clone();
                dispatcher
                    .spawn(async move {
                        let tx_clone = tx.clone();
                        inside_dispatcher
                            .spawn_local(async move {
                                tx_clone.send(()).unwrap();
                            })
                            .unwrap();
                        inside_dispatcher
                            .compute_local(async move {
                                tx.send(()).unwrap();
                            })
                            .unwrap()
                            .await
                            .unwrap();
                    })
                    .unwrap();
                // one empty object received each for spawn and compute _local.
                rx.recv().unwrap();
                rx.recv().unwrap();
            },
        );
    }

    #[test]
    #[ignore = "Pending resolution of b/488397193"]
    fn spawn_local_fails_on_no_thread_migration_dispatcher_from_different_thread() {
        with_raw_dispatcher_flags(
            "spawn local success",
            FDF_DISPATCHER_OPTION_NO_THREAD_MIGRATION,
            NO_SYNC_CALLS_ROLE,
            move |dispatcher| {
                // we are not currently running in any dispatcher here, so this is a context
                // where the 'current dispatcher' is definitely not the one in question.
                assert_eq!(
                    dispatcher.spawn_local(futures::future::ready(())).unwrap_err(),
                    Status::BAD_STATE
                );
                assert_eq!(
                    dispatcher.compute_local(futures::future::ready(())).unwrap_err(),
                    Status::BAD_STATE
                );
            },
        );
    }

    async fn ping(mut tx: async_mpsc::Sender<u8>, mut rx: async_mpsc::Receiver<u8>) {
        println!("starting ping!");
        tx.send(0).await.unwrap();
        while let Some(next) = rx.next().await {
            println!("ping! {next}");
            tx.send(next + 1).await.unwrap();
        }
    }

    async fn pong(
        fin_tx: std::sync::mpsc::Sender<()>,
        mut tx: async_mpsc::Sender<u8>,
        mut rx: async_mpsc::Receiver<u8>,
    ) {
        println!("starting pong!");
        while let Some(next) = rx.next().await {
            println!("pong! {next}");
            if next > 10 {
                println!("bye!");
                break;
            }
            tx.send(next + 1).await.unwrap();
        }
        fin_tx.send(()).unwrap();
    }

    #[test]
    fn async_ping_pong() {
        with_raw_dispatcher("async ping pong", |dispatcher| {
            let (fin_tx, fin_rx) = mpsc::channel();
            let (ping_tx, pong_rx) = async_mpsc::channel(10);
            let (pong_tx, ping_rx) = async_mpsc::channel(10);
            dispatcher.spawn(ping(ping_tx, ping_rx)).unwrap();
            dispatcher.spawn(pong(fin_tx, pong_tx, pong_rx)).unwrap();

            fin_rx.recv().expect("to receive final value");
        });
    }

    async fn slow_pong(
        fin_tx: std::sync::mpsc::Sender<()>,
        mut tx: async_mpsc::Sender<u8>,
        mut rx: async_mpsc::Receiver<u8>,
    ) {
        use zx::MonotonicDuration;
        println!("starting pong!");
        while let Some(next) = rx.next().await {
            println!("pong! {next}");
            fuchsia_async::Timer::new(fuchsia_async::MonotonicInstant::after(
                MonotonicDuration::from_seconds(1),
            ))
            .await;
            if next > 10 {
                println!("bye!");
                break;
            }
            tx.send(next + 1).await.unwrap();
        }
        fin_tx.send(()).unwrap();
    }

    #[test]
    fn mixed_executor_async_ping_pong() {
        with_raw_dispatcher("async ping pong", |dispatcher| {
            let (fin_tx, fin_rx) = mpsc::channel();
            let (ping_tx, pong_rx) = async_mpsc::channel(10);
            let (pong_tx, ping_rx) = async_mpsc::channel(10);

            // spawn ping on the driver dispatcher
            dispatcher.spawn(ping(ping_tx, ping_rx)).unwrap();

            // and run pong on the fuchsia_async executor
            let mut executor = fuchsia_async::LocalExecutor::default();
            executor.run_singlethreaded(slow_pong(fin_tx, pong_tx, pong_rx));

            fin_rx.recv().expect("to receive final value");
        });
    }
}