system/libfmq/libfmq.rs

*be431cd8SAndroid Build Coastguard Worker//! libfmq Rust wrapper
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/*
*be431cd8SAndroid Build Coastguard Worker* Copyright (C) 2024 The Android Open Source Project
*be431cd8SAndroid Build Coastguard Worker*
*be431cd8SAndroid Build Coastguard Worker* Licensed under the Apache License, Version 2.0 (the "License");
*be431cd8SAndroid Build Coastguard Worker* you may not use this file except in compliance with the License.
*be431cd8SAndroid Build Coastguard Worker* You may obtain a copy of the License at
*be431cd8SAndroid Build Coastguard Worker*
*be431cd8SAndroid Build Coastguard Worker*      http://www.apache.org/licenses/LICENSE-2.0
*be431cd8SAndroid Build Coastguard Worker*
*be431cd8SAndroid Build Coastguard Worker* Unless required by applicable law or agreed to in writing, software
*be431cd8SAndroid Build Coastguard Worker* distributed under the License is distributed on an "AS IS" BASIS,
*be431cd8SAndroid Build Coastguard Worker* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*be431cd8SAndroid Build Coastguard Worker* See the License for the specific language governing permissions and
*be431cd8SAndroid Build Coastguard Worker* limitations under the License.
*be431cd8SAndroid Build Coastguard Worker*/
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workeruse fmq_bindgen::{
*be431cd8SAndroid Build Coastguard Worker    convertDesc, convertGrantor, descFlags, descGrantors, descHandleFDs, descHandleInts,
*be431cd8SAndroid Build Coastguard Worker    descHandleNumFDs, descHandleNumInts, descNumGrantors, descQuantum, freeDesc,
*be431cd8SAndroid Build Coastguard Worker    ndk_ScopedFileDescriptor, ErasedMessageQueue, ErasedMessageQueueDesc, GrantorDescriptor,
*be431cd8SAndroid Build Coastguard Worker    MQDescriptor, MemTransaction, NativeHandle, ParcelFileDescriptor, SynchronizedReadWrite,
*be431cd8SAndroid Build Coastguard Worker};
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workeruse std::ptr::addr_of_mut;
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workeruse log::error;
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/// A trait indicating that a type is safe to pass through shared memory.
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// # Safety
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// This requires that the type must not contain any capabilities such as file
*be431cd8SAndroid Build Coastguard Worker/// descriptors or heap allocations, and that it must be permitted to access
*be431cd8SAndroid Build Coastguard Worker/// all bytes of its representation (so it must not contain any padding bytes).
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// Because being stored in shared memory the allows the type to be accessed
*be431cd8SAndroid Build Coastguard Worker/// from different processes, it may also be accessed from different threads in
*be431cd8SAndroid Build Coastguard Worker/// the same process. As such, `Share` is a supertrait of `Sync`.
*be431cd8SAndroid Build Coastguard Workerpub unsafe trait Share: Sync {}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker// SAFETY: All types implementing the `zerocopy::AsBytes` trait implement `Share`.
*be431cd8SAndroid Build Coastguard Workerunsafe impl<T: zerocopy::AsBytes + zerocopy::FromBytes + Send + Sync> Share for T {}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/// An IPC message queue for values of type T.
*be431cd8SAndroid Build Coastguard Workerpub struct MessageQueue<T> {
*be431cd8SAndroid Build Coastguard Worker    inner: ErasedMessageQueue,
*be431cd8SAndroid Build Coastguard Worker    ty: core::marker::PhantomData<T>,
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/** A write completion from the MessageQueue::write() method.
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard WorkerThis completion mutably borrows the MessageQueue to prevent concurrent writes;
*be431cd8SAndroid Build Coastguard Workerthese must be forbidden because the underlying AidlMessageQueue only stores the
*be431cd8SAndroid Build Coastguard Workernumber of outstanding writes, not which have and have not completed, so they
*be431cd8SAndroid Build Coastguard Workermust complete in order. */
*be431cd8SAndroid Build Coastguard Worker#[must_use]
*be431cd8SAndroid Build Coastguard Workerpub struct WriteCompletion<'a, T: Share> {
*be431cd8SAndroid Build Coastguard Worker    inner: MemTransaction,
*be431cd8SAndroid Build Coastguard Worker    queue: &'a mut MessageQueue<T>,
*be431cd8SAndroid Build Coastguard Worker    n_elems: usize,
*be431cd8SAndroid Build Coastguard Worker    n_written: usize,
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<'a, T: Share> WriteCompletion<'a, T> {
*be431cd8SAndroid Build Coastguard Worker    /// Obtain a pointer to the location at which the idx'th item should be
*be431cd8SAndroid Build Coastguard Worker    /// stored.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// The returned pointer is only valid while `self` has not been dropped and
*be431cd8SAndroid Build Coastguard Worker    /// is invalidated by any call to `self.write`. The pointer should be used
*be431cd8SAndroid Build Coastguard Worker    /// with `std::ptr::write` or a DMA API to initialize the underlying storage
*be431cd8SAndroid Build Coastguard Worker    /// before calling `assume_written` to indicate how many elements were
*be431cd8SAndroid Build Coastguard Worker    /// written.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// It is only permitted to access at most `contiguous_count(idx)` items
*be431cd8SAndroid Build Coastguard Worker    /// via offsets from the returned address.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Calling this method with a greater `idx` may return a pointer to another
*be431cd8SAndroid Build Coastguard Worker    /// memory region of different size than the first.
*be431cd8SAndroid Build Coastguard Worker    pub fn ptr(&self, idx: usize) -> *mut T {
*be431cd8SAndroid Build Coastguard Worker        if idx >= self.n_elems {
*be431cd8SAndroid Build Coastguard Worker            panic!(
*be431cd8SAndroid Build Coastguard Worker                "indexing out of bound: ReadCompletion for {} elements but idx {} accessed",
*be431cd8SAndroid Build Coastguard Worker                self.n_elems, idx
*be431cd8SAndroid Build Coastguard Worker            )
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker        ptr(&self.inner, idx)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Return the number of contiguous elements that may be stored starting at
*be431cd8SAndroid Build Coastguard Worker    /// the given index in the backing buffer corresponding to the given index.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Intended for use with the `ptr` method.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Returns 0 if `idx` is greater than or equal to the completion's element
*be431cd8SAndroid Build Coastguard Worker    /// count.
*be431cd8SAndroid Build Coastguard Worker    pub fn contiguous_count(&self, idx: usize) -> usize {
*be431cd8SAndroid Build Coastguard Worker        contiguous_count(&self.inner, idx, self.n_elems)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Returns how many elements still must be written to this WriteCompletion
*be431cd8SAndroid Build Coastguard Worker    /// before dropping it.
*be431cd8SAndroid Build Coastguard Worker    pub fn required_elements(&self) -> usize {
*be431cd8SAndroid Build Coastguard Worker        assert!(self.n_written <= self.n_elems);
*be431cd8SAndroid Build Coastguard Worker        self.n_elems - self.n_written
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Write one item to `self`. Fails and returns the item if `self` is full.
*be431cd8SAndroid Build Coastguard Worker    pub fn write(&mut self, data: T) -> Result<(), T> {
*be431cd8SAndroid Build Coastguard Worker        if self.required_elements() > 0 {
*be431cd8SAndroid Build Coastguard Worker            // SAFETY: `self.ptr(self.n_written)` is known to be uninitialized.
*be431cd8SAndroid Build Coastguard Worker            // The dtor of data, if any, will not run because `data` is moved
*be431cd8SAndroid Build Coastguard Worker            // out of here.
*be431cd8SAndroid Build Coastguard Worker            unsafe { self.ptr(self.n_written).write(data) };
*be431cd8SAndroid Build Coastguard Worker            self.n_written += 1;
*be431cd8SAndroid Build Coastguard Worker            Ok(())
*be431cd8SAndroid Build Coastguard Worker        } else {
*be431cd8SAndroid Build Coastguard Worker            Err(data)
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Promise to the `WriteCompletion` that `n_newly_written` elements have
*be431cd8SAndroid Build Coastguard Worker    /// been written with unsafe code or DMA to the pointer returned by the
*be431cd8SAndroid Build Coastguard Worker    /// `ptr` method.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Panics if `n_newly_written` exceeds the number of elements yet required.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// # Safety
*be431cd8SAndroid Build Coastguard Worker    /// It is UB to call this method except after calling the `ptr` method and
*be431cd8SAndroid Build Coastguard Worker    /// writing the specified number of values of type T to that location.
*be431cd8SAndroid Build Coastguard Worker    pub unsafe fn assume_written(&mut self, n_newly_written: usize) {
*be431cd8SAndroid Build Coastguard Worker        assert!(n_newly_written < self.required_elements());
*be431cd8SAndroid Build Coastguard Worker        self.n_written += n_newly_written;
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<'a, T: Share> Drop for WriteCompletion<'a, T> {
*be431cd8SAndroid Build Coastguard Worker    fn drop(&mut self) {
*be431cd8SAndroid Build Coastguard Worker        if self.n_written < self.n_elems {
*be431cd8SAndroid Build Coastguard Worker            error!(
*be431cd8SAndroid Build Coastguard Worker                "WriteCompletion dropped without writing to all elements ({}/{} written)",
*be431cd8SAndroid Build Coastguard Worker                self.n_written, self.n_elems
*be431cd8SAndroid Build Coastguard Worker            );
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker        let txn = std::mem::take(&mut self.inner);
*be431cd8SAndroid Build Coastguard Worker        self.queue.commit_write(txn);
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<T: Share> MessageQueue<T> {
*be431cd8SAndroid Build Coastguard Worker    const fn type_size() -> usize {
*be431cd8SAndroid Build Coastguard Worker        std::mem::size_of::<T>()
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Create a new MessageQueue with capacity for `elems` elements.
*be431cd8SAndroid Build Coastguard Worker    pub fn new(elems: usize, event_word: bool) -> Self {
*be431cd8SAndroid Build Coastguard Worker        Self {
*be431cd8SAndroid Build Coastguard Worker            // SAFETY: Calling bindgen'd constructor. The only argument that
*be431cd8SAndroid Build Coastguard Worker            // can't be validated by the implementation is the quantum, which
*be431cd8SAndroid Build Coastguard Worker            // must equal the element size.
*be431cd8SAndroid Build Coastguard Worker            inner: unsafe { ErasedMessageQueue::new1(elems, event_word, Self::type_size()) },
*be431cd8SAndroid Build Coastguard Worker            ty: core::marker::PhantomData,
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Create a MessageQueue connected to another existing instance from its
*be431cd8SAndroid Build Coastguard Worker    /// descriptor.
*be431cd8SAndroid Build Coastguard Worker    pub fn from_desc(desc: &MQDescriptor<T, SynchronizedReadWrite>, reset_pointers: bool) -> Self {
*be431cd8SAndroid Build Coastguard Worker        let mut grantors = desc
*be431cd8SAndroid Build Coastguard Worker            .grantors
*be431cd8SAndroid Build Coastguard Worker            .iter()
*be431cd8SAndroid Build Coastguard Worker            // SAFETY: this just forwards the integers to the GrantorDescriptor
*be431cd8SAndroid Build Coastguard Worker            // constructor; GrantorDescriptor is POD.
*be431cd8SAndroid Build Coastguard Worker            .map(|g| unsafe { convertGrantor(g.fdIndex, g.offset, g.extent) })
*be431cd8SAndroid Build Coastguard Worker            .collect::<Vec<_>>();
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: These pointer/length pairs come from Vecs that will outlive
*be431cd8SAndroid Build Coastguard Worker        // this function call, and the call itself copies all data it needs out
*be431cd8SAndroid Build Coastguard Worker        // of them.
*be431cd8SAndroid Build Coastguard Worker        let cpp_desc = unsafe {
*be431cd8SAndroid Build Coastguard Worker            convertDesc(
*be431cd8SAndroid Build Coastguard Worker                grantors.as_mut_ptr(),
*be431cd8SAndroid Build Coastguard Worker                grantors.len(),
*be431cd8SAndroid Build Coastguard Worker                desc.handle.fds.as_ptr().cast(),
*be431cd8SAndroid Build Coastguard Worker                desc.handle.fds.len(),
*be431cd8SAndroid Build Coastguard Worker                desc.handle.ints.as_ptr(),
*be431cd8SAndroid Build Coastguard Worker                desc.handle.ints.len(),
*be431cd8SAndroid Build Coastguard Worker                desc.quantum,
*be431cd8SAndroid Build Coastguard Worker                desc.flags,
*be431cd8SAndroid Build Coastguard Worker            )
*be431cd8SAndroid Build Coastguard Worker        };
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: Calling bindgen'd constructor which does not store cpp_desc,
*be431cd8SAndroid Build Coastguard Worker        // but just passes it to the initializer of AidlMQDescriptorShim, which
*be431cd8SAndroid Build Coastguard Worker        // deep-copies it.
*be431cd8SAndroid Build Coastguard Worker        let inner = unsafe { ErasedMessageQueue::new(cpp_desc, reset_pointers) };
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: we must free the desc returned by convertDesc; the pointer
*be431cd8SAndroid Build Coastguard Worker        // was just returned above so we know it is valid.
*be431cd8SAndroid Build Coastguard Worker        unsafe { freeDesc(cpp_desc) };
*be431cd8SAndroid Build Coastguard Worker        Self { inner, ty: core::marker::PhantomData }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Obtain a copy of the MessageQueue's descriptor, which may be used to
*be431cd8SAndroid Build Coastguard Worker    /// access it remotely.
*be431cd8SAndroid Build Coastguard Worker    pub fn dupe_desc(&self) -> MQDescriptor<T, SynchronizedReadWrite> {
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: dupeDesc may be called on any valid ErasedMessageQueue; it
*be431cd8SAndroid Build Coastguard Worker        // simply forwards to dupeDesc on the inner AidlMessageQueue and wraps
*be431cd8SAndroid Build Coastguard Worker        // in a heap allocation.
*be431cd8SAndroid Build Coastguard Worker        let erased_desc: *mut ErasedMessageQueueDesc = unsafe { self.inner.dupeDesc() };
*be431cd8SAndroid Build Coastguard Worker        let grantor_to_rust =
*be431cd8SAndroid Build Coastguard Worker            |g: &fmq_bindgen::aidl_android_hardware_common_fmq_GrantorDescriptor| {
*be431cd8SAndroid Build Coastguard Worker                GrantorDescriptor { fdIndex: g.fdIndex, offset: g.offset, extent: g.extent }
*be431cd8SAndroid Build Coastguard Worker            };
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker        let scoped_to_parcel_fd = |fd: &ndk_ScopedFileDescriptor| {
*be431cd8SAndroid Build Coastguard Worker            use std::os::fd::{BorrowedFd, FromRawFd, OwnedFd};
*be431cd8SAndroid Build Coastguard Worker            // SAFETY: the fd is already open as an invariant of ndk::ScopedFileDescriptor, so
*be431cd8SAndroid Build Coastguard Worker            // it will not be -1, as required by BorrowedFd.
*be431cd8SAndroid Build Coastguard Worker            let borrowed = unsafe { BorrowedFd::borrow_raw(fd._base as i32) };
*be431cd8SAndroid Build Coastguard Worker            ParcelFileDescriptor::new(match borrowed.try_clone_to_owned() {
*be431cd8SAndroid Build Coastguard Worker                Ok(fd) => fd,
*be431cd8SAndroid Build Coastguard Worker                Err(e) => {
*be431cd8SAndroid Build Coastguard Worker                    error!("could not dup NativeHandle fd {}: {}", fd._base, e);
*be431cd8SAndroid Build Coastguard Worker                    // SAFETY: OwnedFd requires the fd is not -1. If we failed to dup the fd,
*be431cd8SAndroid Build Coastguard Worker                    // other code downstream will fail, but we can do no better than pass it on.
*be431cd8SAndroid Build Coastguard Worker                    unsafe { OwnedFd::from_raw_fd(fd._base as i32) }
*be431cd8SAndroid Build Coastguard Worker                }
*be431cd8SAndroid Build Coastguard Worker            })
*be431cd8SAndroid Build Coastguard Worker        };
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker        // First, we create a desc with the wrong type, because we cannot create one whole cloth of
*be431cd8SAndroid Build Coastguard Worker        // our desired return type unless T implements Default. This Default requirement is
*be431cd8SAndroid Build Coastguard Worker        // superfluous (T::default() is never called), so we then transmute to our desired type.
*be431cd8SAndroid Build Coastguard Worker        let desc = MQDescriptor::<(), SynchronizedReadWrite>::default();
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: This transmute changes only the element type parameter of the MQDescriptor. The
*be431cd8SAndroid Build Coastguard Worker        // layout of an MQDescriptor does not depend on T as T appears in it only in PhantomData.
*be431cd8SAndroid Build Coastguard Worker        let mut desc: MQDescriptor<T, SynchronizedReadWrite> = unsafe { std::mem::transmute(desc) };
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: These slices are created out of the pointer and length pairs exposed by the
*be431cd8SAndroid Build Coastguard Worker        // individual descFoo accessors, so we know they are valid pointer/lengths and point to
*be431cd8SAndroid Build Coastguard Worker        // data that will continue to exist as long as the desc does.
*be431cd8SAndroid Build Coastguard Worker        //
*be431cd8SAndroid Build Coastguard Worker        // Calls to the descFoo accessors on erased_desc are sound because we know inner.dupeDesc
*be431cd8SAndroid Build Coastguard Worker        // returns a valid pointer to a new heap-allocated ErasedMessageQueueDesc.
*be431cd8SAndroid Build Coastguard Worker        let (grantors, fds, ints, quantum, flags) = unsafe {
*be431cd8SAndroid Build Coastguard Worker            let grantors = slice_from_raw_parts_or_empty(
*be431cd8SAndroid Build Coastguard Worker                descGrantors(erased_desc),
*be431cd8SAndroid Build Coastguard Worker                descNumGrantors(erased_desc),
*be431cd8SAndroid Build Coastguard Worker            );
*be431cd8SAndroid Build Coastguard Worker            let fds = slice_from_raw_parts_or_empty(
*be431cd8SAndroid Build Coastguard Worker                descHandleFDs(erased_desc),
*be431cd8SAndroid Build Coastguard Worker                descHandleNumFDs(erased_desc),
*be431cd8SAndroid Build Coastguard Worker            );
*be431cd8SAndroid Build Coastguard Worker            let ints = slice_from_raw_parts_or_empty(
*be431cd8SAndroid Build Coastguard Worker                descHandleInts(erased_desc),
*be431cd8SAndroid Build Coastguard Worker                descHandleNumInts(erased_desc),
*be431cd8SAndroid Build Coastguard Worker            );
*be431cd8SAndroid Build Coastguard Worker            let quantum = descQuantum(erased_desc);
*be431cd8SAndroid Build Coastguard Worker            let flags = descFlags(erased_desc);
*be431cd8SAndroid Build Coastguard Worker            (grantors, fds, ints, quantum, flags)
*be431cd8SAndroid Build Coastguard Worker        };
*be431cd8SAndroid Build Coastguard Worker        let fds = fds.iter().map(scoped_to_parcel_fd).collect();
*be431cd8SAndroid Build Coastguard Worker        let ints = ints.to_vec();
*be431cd8SAndroid Build Coastguard Worker        desc.grantors = grantors.iter().map(grantor_to_rust).collect();
*be431cd8SAndroid Build Coastguard Worker        desc.handle = NativeHandle { fds, ints };
*be431cd8SAndroid Build Coastguard Worker        desc.quantum = quantum;
*be431cd8SAndroid Build Coastguard Worker        desc.flags = flags;
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: we must free the desc returned by dupeDesc; the pointer was
*be431cd8SAndroid Build Coastguard Worker        // just returned above so we know it is valid.
*be431cd8SAndroid Build Coastguard Worker        unsafe { freeDesc(erased_desc) };
*be431cd8SAndroid Build Coastguard Worker        desc
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Begin a write transaction. The returned WriteCompletion can be used to
*be431cd8SAndroid Build Coastguard Worker    /// write into the region allocated for the transaction.
*be431cd8SAndroid Build Coastguard Worker    pub fn write(&mut self) -> Option<WriteCompletion<T>> {
*be431cd8SAndroid Build Coastguard Worker        self.write_many(1)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Begin a write transaction for multiple items. See `MessageQueue::write`.
*be431cd8SAndroid Build Coastguard Worker    pub fn write_many(&mut self, n: usize) -> Option<WriteCompletion<T>> {
*be431cd8SAndroid Build Coastguard Worker        let txn = self.begin_write(n)?;
*be431cd8SAndroid Build Coastguard Worker        Some(WriteCompletion { inner: txn, queue: self, n_elems: n, n_written: 0 })
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    fn commit_write(&mut self, txn: MemTransaction) -> bool {
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: simply calls commitWrite with the txn length. The txn must
*be431cd8SAndroid Build Coastguard Worker        // only use its first MemRegion.
*be431cd8SAndroid Build Coastguard Worker        unsafe { self.inner.commitWrite(txn.first.length + txn.second.length) }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    fn begin_write(&self, n: usize) -> Option<MemTransaction> {
*be431cd8SAndroid Build Coastguard Worker        let mut txn: MemTransaction = Default::default();
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: we pass a raw pointer to txn, which is used only during the
*be431cd8SAndroid Build Coastguard Worker        // call to beginWrite to write the txn's MemRegion fields, which are raw
*be431cd8SAndroid Build Coastguard Worker        // pointers and lengths pointing into the queue. The pointer to txn is
*be431cd8SAndroid Build Coastguard Worker        // not stored.
*be431cd8SAndroid Build Coastguard Worker        unsafe { self.inner.beginWrite(n, addr_of_mut!(txn)) }.then_some(txn)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/// Forms a slice from a pointer and a length.
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// Returns an empty slice when `data` is a null pointer and `len` is zero.
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// # Safety
*be431cd8SAndroid Build Coastguard Worker///
*be431cd8SAndroid Build Coastguard Worker/// This function has the same safety requirements as [`std::slice::from_raw_parts`],
*be431cd8SAndroid Build Coastguard Worker/// but unlike that function, does not exhibit undefined behavior when `data` is a
*be431cd8SAndroid Build Coastguard Worker/// null pointer and `len` is zero. In this case, it returns an empty slice.
*be431cd8SAndroid Build Coastguard Workerunsafe fn slice_from_raw_parts_or_empty<'a, T>(data: *const T, len: usize) -> &'a [T] {
*be431cd8SAndroid Build Coastguard Worker    if data.is_null() && len == 0 {
*be431cd8SAndroid Build Coastguard Worker        &[]
*be431cd8SAndroid Build Coastguard Worker    } else {
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: The caller must guarantee to satisfy the safety requirements
*be431cd8SAndroid Build Coastguard Worker        // of the standard library function [`std::slice::from_raw_parts`].
*be431cd8SAndroid Build Coastguard Worker        unsafe { std::slice::from_raw_parts(data, len) }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker#[inline(always)]
*be431cd8SAndroid Build Coastguard Workerfn ptr<T: Share>(txn: &MemTransaction, idx: usize) -> *mut T {
*be431cd8SAndroid Build Coastguard Worker    let (base, region_idx) = if idx < txn.first.length {
*be431cd8SAndroid Build Coastguard Worker        (txn.first.address, idx)
*be431cd8SAndroid Build Coastguard Worker    } else {
*be431cd8SAndroid Build Coastguard Worker        (txn.second.address, idx - txn.first.length)
*be431cd8SAndroid Build Coastguard Worker    };
*be431cd8SAndroid Build Coastguard Worker    let byte_count: usize = region_idx.checked_mul(MessageQueue::<T>::type_size()).unwrap();
*be431cd8SAndroid Build Coastguard Worker    base.wrapping_byte_offset(byte_count.try_into().unwrap()) as *mut T
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker#[inline(always)]
*be431cd8SAndroid Build Coastguard Workerfn contiguous_count(txn: &MemTransaction, idx: usize, n_elems: usize) -> usize {
*be431cd8SAndroid Build Coastguard Worker    if idx > n_elems {
*be431cd8SAndroid Build Coastguard Worker        return 0;
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker    let region_len = if idx < txn.first.length { txn.first.length } else { txn.second.length };
*be431cd8SAndroid Build Coastguard Worker    region_len - idx
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker/** A read completion from the MessageQueue::read() method.
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard WorkerThis completion mutably borrows the MessageQueue to prevent concurrent reads;
*be431cd8SAndroid Build Coastguard Workerthese must be forbidden because the underlying AidlMessageQueue only stores the
*be431cd8SAndroid Build Coastguard Workernumber of outstanding reads, not which have and have not completed, so they
*be431cd8SAndroid Build Coastguard Workermust complete in order. */
*be431cd8SAndroid Build Coastguard Worker#[must_use]
*be431cd8SAndroid Build Coastguard Workerpub struct ReadCompletion<'a, T: Share> {
*be431cd8SAndroid Build Coastguard Worker    inner: MemTransaction,
*be431cd8SAndroid Build Coastguard Worker    queue: &'a mut MessageQueue<T>,
*be431cd8SAndroid Build Coastguard Worker    n_elems: usize,
*be431cd8SAndroid Build Coastguard Worker    n_read: usize,
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<'a, T: Share> ReadCompletion<'a, T> {
*be431cd8SAndroid Build Coastguard Worker    /// Obtain a pointer to the location at which the idx'th item is located.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// The returned pointer is only valid while `self` has not been dropped and
*be431cd8SAndroid Build Coastguard Worker    /// is invalidated by any call to `self.read`. The pointer should be used
*be431cd8SAndroid Build Coastguard Worker    /// with `std::ptr::read` or a DMA API before calling `assume_read` to
*be431cd8SAndroid Build Coastguard Worker    /// indicate how many elements were read.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// It is only permitted to access at most `contiguous_count(idx)` items
*be431cd8SAndroid Build Coastguard Worker    /// via offsets from the returned address.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Calling this method with a greater `idx` may return a pointer to another
*be431cd8SAndroid Build Coastguard Worker    /// memory region of different size than the first.
*be431cd8SAndroid Build Coastguard Worker    pub fn ptr(&self, idx: usize) -> *mut T {
*be431cd8SAndroid Build Coastguard Worker        if idx >= self.n_elems {
*be431cd8SAndroid Build Coastguard Worker            panic!(
*be431cd8SAndroid Build Coastguard Worker                "indexing out of bound: ReadCompletion for {} elements but idx {} accessed",
*be431cd8SAndroid Build Coastguard Worker                self.n_elems, idx
*be431cd8SAndroid Build Coastguard Worker            )
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker        ptr(&self.inner, idx)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Return the number of contiguous elements located starting at the given
*be431cd8SAndroid Build Coastguard Worker    /// index in the backing buffer corresponding to the given index.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Intended for use with the `ptr` method.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Returns 0 if `idx` is greater than or equal to the completion's element
*be431cd8SAndroid Build Coastguard Worker    /// count.
*be431cd8SAndroid Build Coastguard Worker    pub fn contiguous_count(&self, idx: usize) -> usize {
*be431cd8SAndroid Build Coastguard Worker        contiguous_count(&self.inner, idx, self.n_elems)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Returns how many elements still must be read from `self` before dropping
*be431cd8SAndroid Build Coastguard Worker    /// it.
*be431cd8SAndroid Build Coastguard Worker    pub fn unread_elements(&self) -> usize {
*be431cd8SAndroid Build Coastguard Worker        assert!(self.n_read <= self.n_elems);
*be431cd8SAndroid Build Coastguard Worker        self.n_elems - self.n_read
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Read one item from the `self`. Fails and returns `()` if `self` is empty.
*be431cd8SAndroid Build Coastguard Worker    pub fn read(&mut self) -> Option<T> {
*be431cd8SAndroid Build Coastguard Worker        if self.unread_elements() > 0 {
*be431cd8SAndroid Build Coastguard Worker            // SAFETY: `self.ptr(self.n_read)`is known to be filled with a valid
*be431cd8SAndroid Build Coastguard Worker            // instance of type `T`.
*be431cd8SAndroid Build Coastguard Worker            let data = unsafe { self.ptr(self.n_read).read() };
*be431cd8SAndroid Build Coastguard Worker            self.n_read += 1;
*be431cd8SAndroid Build Coastguard Worker            Some(data)
*be431cd8SAndroid Build Coastguard Worker        } else {
*be431cd8SAndroid Build Coastguard Worker            None
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Promise to the `ReadCompletion` that `n_newly_read` elements have
*be431cd8SAndroid Build Coastguard Worker    /// been read with unsafe code or DMA from the pointer returned by the
*be431cd8SAndroid Build Coastguard Worker    /// `ptr` method.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Panics if `n_newly_read` exceeds the number of elements still unread.
*be431cd8SAndroid Build Coastguard Worker    ///
*be431cd8SAndroid Build Coastguard Worker    /// Calling this method without actually reading the elements will result
*be431cd8SAndroid Build Coastguard Worker    /// in them being leaked without destructors (if any) running.
*be431cd8SAndroid Build Coastguard Worker    pub fn assume_read(&mut self, n_newly_read: usize) {
*be431cd8SAndroid Build Coastguard Worker        assert!(n_newly_read < self.unread_elements());
*be431cd8SAndroid Build Coastguard Worker        self.n_read += n_newly_read;
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<'a, T: Share> Drop for ReadCompletion<'a, T> {
*be431cd8SAndroid Build Coastguard Worker    fn drop(&mut self) {
*be431cd8SAndroid Build Coastguard Worker        if self.n_read < self.n_elems {
*be431cd8SAndroid Build Coastguard Worker            error!(
*be431cd8SAndroid Build Coastguard Worker                "ReadCompletion dropped without reading all elements ({}/{} read)",
*be431cd8SAndroid Build Coastguard Worker                self.n_read, self.n_elems
*be431cd8SAndroid Build Coastguard Worker            );
*be431cd8SAndroid Build Coastguard Worker        }
*be431cd8SAndroid Build Coastguard Worker        let txn = std::mem::take(&mut self.inner);
*be431cd8SAndroid Build Coastguard Worker        self.queue.commit_read(txn);
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Workerimpl<T: Share> MessageQueue<T> {
*be431cd8SAndroid Build Coastguard Worker    /// Begin a read transaction. The returned `ReadCompletion` can be used to
*be431cd8SAndroid Build Coastguard Worker    /// write into the region allocated for the transaction.
*be431cd8SAndroid Build Coastguard Worker    pub fn read(&mut self) -> Option<ReadCompletion<T>> {
*be431cd8SAndroid Build Coastguard Worker        self.read_many(1)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    /// Begin a read transaction for multiple items. See `MessageQueue::read`.
*be431cd8SAndroid Build Coastguard Worker    pub fn read_many(&mut self, n: usize) -> Option<ReadCompletion<T>> {
*be431cd8SAndroid Build Coastguard Worker        let txn = self.begin_read(n)?;
*be431cd8SAndroid Build Coastguard Worker        Some(ReadCompletion { inner: txn, queue: self, n_elems: n, n_read: 0 })
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    fn commit_read(&mut self, txn: MemTransaction) -> bool {
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: simply calls commitRead with the txn length. The txn must
*be431cd8SAndroid Build Coastguard Worker        // only use its first MemRegion.
*be431cd8SAndroid Build Coastguard Worker        unsafe { self.inner.commitRead(txn.first.length + txn.second.length) }
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    fn begin_read(&self, n: usize) -> Option<MemTransaction> {
*be431cd8SAndroid Build Coastguard Worker        let mut txn: MemTransaction = Default::default();
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: we pass a raw pointer to txn, which is used only during the
*be431cd8SAndroid Build Coastguard Worker        // call to beginRead to write the txn's MemRegion fields, which are raw
*be431cd8SAndroid Build Coastguard Worker        // pointers and lengths pointing into the queue. The pointer to txn is
*be431cd8SAndroid Build Coastguard Worker        // not stored.
*be431cd8SAndroid Build Coastguard Worker        unsafe { self.inner.beginRead(n, addr_of_mut!(txn)) }.then_some(txn)
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker#[cfg(test)]
*be431cd8SAndroid Build Coastguard Workermod test {
*be431cd8SAndroid Build Coastguard Worker    use super::*;
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    #[test]
*be431cd8SAndroid Build Coastguard Worker    fn slice_from_raw_parts_or_empty_with_nonempty() {
*be431cd8SAndroid Build Coastguard Worker        const SLICE: &[u8] = &[1, 2, 3, 4, 5, 6];
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: We are constructing a slice from the pointer and length of valid slice.
*be431cd8SAndroid Build Coastguard Worker        let from_raw_parts = unsafe {
*be431cd8SAndroid Build Coastguard Worker            let ptr = SLICE.as_ptr();
*be431cd8SAndroid Build Coastguard Worker            let len = SLICE.len();
*be431cd8SAndroid Build Coastguard Worker            slice_from_raw_parts_or_empty(ptr, len)
*be431cd8SAndroid Build Coastguard Worker        };
*be431cd8SAndroid Build Coastguard Worker        assert_eq!(SLICE, from_raw_parts);
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker
*be431cd8SAndroid Build Coastguard Worker    #[test]
*be431cd8SAndroid Build Coastguard Worker    fn slice_from_raw_parts_or_empty_with_null_pointer_zero_length() {
*be431cd8SAndroid Build Coastguard Worker        // SAFETY: Calling `slice_from_raw_parts_or_empty` with a null pointer
*be431cd8SAndroid Build Coastguard Worker        // and a zero length is explicitly allowed by its safety requirements.
*be431cd8SAndroid Build Coastguard Worker        // In this case, `std::slice::from_raw_parts` has undefined behavior.
*be431cd8SAndroid Build Coastguard Worker        let empty_from_raw_parts = unsafe {
*be431cd8SAndroid Build Coastguard Worker            let ptr: *const u8 = std::ptr::null();
*be431cd8SAndroid Build Coastguard Worker            let len = 0;
*be431cd8SAndroid Build Coastguard Worker            slice_from_raw_parts_or_empty(ptr, len)
*be431cd8SAndroid Build Coastguard Worker        };
*be431cd8SAndroid Build Coastguard Worker        assert_eq!(&[] as &[u8], empty_from_raw_parts);
*be431cd8SAndroid Build Coastguard Worker    }
*be431cd8SAndroid Build Coastguard Worker}