fuchsia_rcu/rcu_ptr.rs
1// Copyright 2025 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use crate::rcu_read_scope::RcuReadScope;
6use crate::state_machine::{rcu_assign_pointer, rcu_read_pointer, rcu_replace_pointer};
7use std::ops::Deref;
8use std::sync::atomic::AtomicPtr;
9
10/// A pointer managed by the RCU state machine.
11///
12/// This pointer can be read from multiple threads concurrently without blocking.
13/// When the pointer is written, reads may continue to see the old value of the pointer
14/// for some period of time.
15///
16/// Callers are responsible managing the lifetime of the object referenced by the pointer. When the
17/// the pointer value is written, the caller should typically use `rcu_call` or `rcu_drop` to defer
18/// cleanup of the object referenced by the old pointer value until the RCU state machine has made
19/// sufficient progress to ensure that no concurrent readers are holding read guards.
20#[derive(Debug)]
21pub struct RcuPtr<T> {
22 ptr: AtomicPtr<T>,
23}
24
25impl<T> RcuPtr<T> {
26 /// Create a new RCU pointer from a raw pointer.
27 pub fn new(ptr: *mut T) -> Self {
28 Self { ptr: AtomicPtr::new(ptr) }
29 }
30
31 /// Create a new RCU pointer from a reference.
32 pub fn from_ref(reference: &T) -> Self {
33 Self::new(reference as *const T as *mut T)
34 }
35
36 /// Create a null RCU pointer.
37 pub fn null() -> Self {
38 Self { ptr: AtomicPtr::new(std::ptr::null_mut()) }
39 }
40
41 /// Get the value pointed to by the RCU pointer.
42 ///
43 /// If the RCU pointer is null, this function will panic.
44 ///
45 /// The object referenced by the RCU pointer will remain valid until the `RcuReadGuard` is
46 /// dropped. However, another thread running concurrently might see a different value for the
47 /// object.
48 pub fn get(&self) -> RcuReadGuard<T> {
49 let scope = RcuReadScope::new();
50 let ptr = self.read(&scope).as_ptr();
51 assert!(!ptr.is_null());
52 RcuReadGuard { scope, ptr }
53 }
54
55 /// Get the value pointed to by the RCU pointer.
56 ///
57 /// If the RCU pointer is null, this function will return `None`.
58 ///
59 /// The object referenced by the RCU pointer will remain valid until the `RcuReadGuard` is
60 /// dropped. However, another thread running concurrently might see a different value for the
61 /// object.
62 pub fn maybe_get(&self) -> Option<RcuReadGuard<T>> {
63 let scope = RcuReadScope::new();
64 let ptr = self.read(&scope).as_ptr();
65 if ptr.is_null() { None } else { Some(RcuReadGuard { scope, ptr }) }
66 }
67
68 /// Read the value of the RCU pointer.
69 ///
70 /// The returned pointer will remain valid until the `RcuReadScope` is dropped. However, another
71 /// thread running concurrently might see a different value for the object.
72 pub fn read<'a>(&self, scope: &'a RcuReadScope) -> RcuPtrRef<'a, T> {
73 let ptr = rcu_read_pointer(&self.ptr);
74 // SAFETY: The RCU state machine ensures that the pointer is valid for reads until we drop
75 // the RcuReadScope whose lifetime is described by the lifetime parameter.
76 unsafe { RcuPtrRef::new(scope, ptr) }
77 }
78
79 /// Assign a new value to the RCU pointer.
80 ///
81 /// Concurrent readers may continue to see the old value of the pointer until the RCU state
82 /// machine has made sufficient progress. To wait until all concurrent readers have dropped
83 /// their read guards, call `rcu_synchronize()`.
84 pub fn assign(&self, ptr: *mut T) {
85 rcu_assign_pointer(&self.ptr, ptr);
86 }
87
88 /// Assign a new value to the RCU pointer.
89 ///
90 /// Concurrent readers may continue to see the old value of the pointer until the RCU state
91 /// machine has made sufficient progress. To wait until all concurrent readers have dropped
92 /// their read guards, call `rcu_synchronize()`.
93 pub fn assign_ptr(&self, ptr: RcuPtrRef<'_, T>) {
94 self.assign(ptr.as_mut_ptr());
95 }
96
97 /// Replace the value of the RCU pointer.
98 ///
99 /// Concurrent readers may continue to see the old value of the pointer until the RCU state
100 /// machine has made sufficient progress. To wait until all concurrent readers have dropped
101 /// their read guards, call `rcu_synchronize()`.
102 pub fn replace(&self, ptr: *mut T) -> *mut T {
103 rcu_replace_pointer(&self.ptr, ptr)
104 }
105
106 /// Replace the value of the RCU pointer.
107 ///
108 /// Concurrent readers may continue to see the old value of the pointer until the RCU state
109 /// machine has made sufficient progress. To wait until all concurrent readers have dropped
110 /// their read guards, call `rcu_synchronize()`.
111 pub fn replace_ptr(&self, ptr: RcuPtrRef<'_, T>) -> *mut T {
112 self.replace(ptr.as_mut_ptr())
113 }
114
115 /// Poison the RCU pointer.
116 ///
117 /// Poisoning the RCU pointer will cause readers to see a dangling pointer. Useful when the
118 /// pointer is no longer valid for reading.
119 pub fn poison(&self) {
120 rcu_assign_pointer(&self.ptr, std::ptr::dangling_mut());
121 }
122}
123
124/// A read guard for an object managed by the RCU state machine.
125///
126/// This guard ensures that the object remains valid until the guard is dropped.
127pub struct RcuReadGuard<T> {
128 /// The scope in which the object is valid.
129 pub scope: RcuReadScope,
130
131 /// The pointer to the object.
132 ptr: *const T,
133}
134
135impl<T> RcuReadGuard<T> {
136 /// Get the raw pointer to the object.
137 ///
138 /// This function returns the raw pointer to the object. The caller is responsible for ensuring
139 /// that the pointer is not referenced after the guard is dropped.
140 ///
141 /// To use the Rust borrow checker to enforce that the object is not accessed after the guard is
142 /// dropped, use the `Deref` implementation.
143 pub fn as_ptr(&self) -> *const T {
144 self.ptr
145 }
146}
147
148impl<T> Deref for RcuReadGuard<T> {
149 type Target = T;
150 fn deref(&self) -> &Self::Target {
151 // SAFETY: The RCU state machine ensures that the pointer is valid for reads until we drop
152 // the RcuReadScope.
153 unsafe { &*self.ptr }
154 }
155}
156
157/// A pointer to an object managed by the RCU state machine.
158///
159/// This pointer is valid for reading until the `RcuReadScope` is dropped.
160pub struct RcuPtrRef<'a, T> {
161 /// The pointer to the object.
162 ptr: *const T,
163
164 /// The scope in which the pointer is valid.
165 _marker: std::marker::PhantomData<&'a T>,
166}
167
168impl<'a, T> Clone for RcuPtrRef<'a, T> {
169 fn clone(&self) -> Self {
170 Self { ptr: self.ptr, _marker: self._marker }
171 }
172}
173
174impl<'a, T> Copy for RcuPtrRef<'a, T> {}
175
176impl<'a, T> RcuPtrRef<'a, T> {
177 /// Create a new `RcuPtrRef` from a pointer and a scope.
178 ///
179 /// # Safety
180 ///
181 /// The pointer must be valid for reading until the `RcuReadScope` is dropped.
182 pub unsafe fn new(_scope: &'a RcuReadScope, ptr: *const T) -> Self {
183 Self { ptr, _marker: std::marker::PhantomData }
184 }
185
186 /// Create a null `RcuPtrRef`.
187 pub fn null() -> Self {
188 Self { ptr: std::ptr::null(), _marker: std::marker::PhantomData }
189 }
190
191 /// Check if the pointer is null.
192 pub fn is_null(&self) -> bool {
193 self.ptr.is_null()
194 }
195
196 /// Create a new `RcuPtrRef` from a reference.
197 pub fn from_ref(object: &'a T) -> Self {
198 Self { ptr: object as *const T, _marker: std::marker::PhantomData }
199 }
200
201 /// Get a reference to the object.
202 ///
203 /// Returns `None` if the pointer is null.
204 pub fn as_ref(&self) -> Option<&'a T> {
205 if self.is_null() {
206 None
207 } else {
208 // SAFETY: The RCU state machine ensures that the pointer is valid for reads until we
209 // drop the RcuReadScope whose lifetime is described by the lifetime parameter.
210 Some(unsafe { &*self.ptr })
211 }
212 }
213
214 /// Get the raw pointer to the object.
215 pub fn as_ptr(&self) -> *const T {
216 self.ptr
217 }
218
219 /// Get the raw mutable pointer to the object.
220 pub fn as_mut_ptr(&self) -> *mut T {
221 self.ptr as *mut T
222 }
223
224 /// Adds a byte offset to the pointer.
225 ///
226 /// # Safety
227 ///
228 /// The caller must ensure that the offset is within the bounds of the object and points to a
229 /// valid object of type `U`.
230 pub unsafe fn add_byte_offset<U>(&self, offset: usize) -> RcuPtrRef<'a, U> {
231 let ptr = self.ptr as *const u8;
232 // SAFETY: The caller must ensure that the offset is within the bounds of the object and
233 // points to a valid object of type `U`.
234 RcuPtrRef { ptr: unsafe { ptr.add(offset) } as *const U, _marker: std::marker::PhantomData }
235 }
236
237 /// Subtracts a byte offset from the pointer.
238 ///
239 /// # Safety
240 ///
241 /// The caller must ensure that the offset is within the bounds of the object and points to a
242 /// valid object of type `U`.
243 pub unsafe fn sub_byte_offset<U>(&self, offset: usize) -> RcuPtrRef<'a, U> {
244 let ptr = self.ptr as *const u8;
245 // SAFETY: The caller must ensure that the offset is within the bounds of the object and
246 // points to a valid object of type `U`.
247 RcuPtrRef { ptr: unsafe { ptr.sub(offset) } as *const U, _marker: std::marker::PhantomData }
248 }
249}