fdf_channel/message.rs
1// Copyright 2024 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5//! A helper for managing a self-contained arena-allocated buffer along with its arena handle.
6
7use crate::arena::{Arena, ArenaBox};
8use core::marker::PhantomData;
9use core::mem::MaybeUninit;
10use core::ops::{Deref, DerefMut};
11use core::ptr::NonNull;
12use fdf_core::handle::MixedHandle;
13
14use fdf_sys::*;
15
16/// A struct that holds both an arena along with a data buffer that is allocated within that arena.
17#[derive(Debug)]
18pub struct Message<T: ?Sized + 'static> {
19 data: Option<ArenaBox<'static, T>>,
20 // note: `[Option<MixedHandle>]` is byte-equivalent to a C array of `fdf_handle_t`.
21 handles: Option<ArenaBox<'static, [Option<MixedHandle>]>>,
22 // note: this must maintain its position as the last item of the struct
23 // to ensure that it is freed after the data and handle pointers.
24 arena: Arena,
25 _p: PhantomData<T>,
26}
27
28impl<T: ?Sized> Message<T> {
29 /// Consumes the given arena, data buffer, and handles buffers and returns a message that holds
30 /// all three.
31 ///
32 /// # Panics
33 ///
34 /// This function panics if either of the [`ArenaBox`]s are not allocated by [`Arena`].
35 pub fn new<'a>(
36 arena: &'a Arena,
37 data: Option<ArenaBox<'a, T>>,
38 handles: Option<ArenaBox<'a, [Option<MixedHandle>]>>,
39 ) -> Self {
40 let data = data.map(|data| {
41 assert!(
42 arena.contains(&data),
43 "Data buffer pointer is not in the arena being included in the message"
44 );
45 // SAFETY: we will store this ArenaBox with a clone of the Arena that
46 // owns it.
47 unsafe { ArenaBox::erase_lifetime(data) }
48 });
49 let handles = handles.map(|handles| {
50 assert!(
51 arena.contains(&handles),
52 "Handle buffer pointer is not in the arena being included in the message"
53 );
54 // SAFETY: we will store this ArenaBox with a clone of the Arena that
55 // owns it.
56 unsafe { ArenaBox::erase_lifetime(handles) }
57 });
58 // SAFETY: We just checked that both boxes were allocated from the arena.
59 unsafe { Self::new_unchecked(arena.clone(), data, handles) }
60 }
61
62 /// Given the [`Arena`], allocates a new [`Message`] and runs the given `f` to allow the caller
63 /// to allocate data and handles into the [`Message`] without requiring a check that the
64 /// correct [`Arena`] was used to allocate the data.
65 ///
66 /// Note that it may be possible to sneak an `ArenaBox<'static, T>` into this [`Message`]
67 /// object with this function by using an [`Arena`] with static lifetime to allocate it. This
68 /// will not cause any unsoundness, but if you try to send that message through a [`Channel`]
69 /// it will cause a runtime error when the arenas don't match.
70 pub fn new_with<F>(arena: Arena, f: F) -> Self
71 where
72 F: for<'a> FnOnce(
73 &'a Arena,
74 )
75 -> (Option<ArenaBox<'a, T>>, Option<ArenaBox<'a, [Option<MixedHandle>]>>),
76 {
77 let (data, handles) = f(&arena);
78 // SAFETY: The `for<'a>` in the callback definition makes it so that the caller must
79 // (without resorting to unsafe themselves) allocate the [`ArenaBox`] from the given
80 // [`Arena`].
81 Self {
82 data: data.map(|data| unsafe { ArenaBox::erase_lifetime(data) }),
83 handles: handles.map(|handles| unsafe { ArenaBox::erase_lifetime(handles) }),
84 arena,
85 _p: PhantomData,
86 }
87 }
88
89 /// A shorthand for [`Self::new_with`] when there's definitely a data body and nothing else.
90 pub fn new_with_data<F>(arena: Arena, f: F) -> Self
91 where
92 F: for<'a> FnOnce(&'a Arena) -> ArenaBox<'a, T>,
93 {
94 // SAFETY: The `for<'a>` in the callback definition makes it so that the caller must
95 // (without resorting to unsafe themselves) allocate the [`ArenaBox`] from the given
96 // [`Arena`].
97 let data = Some(unsafe { ArenaBox::erase_lifetime(f(&arena)) });
98 Self { data, handles: None, arena, _p: PhantomData }
99 }
100
101 /// As with [`Self::new`], this consumes the arguments to produce a message object that holds
102 /// all of them together to be extracted again later, but does not validate that the pointers
103 /// came from the same arena.
104 ///
105 /// # Safety
106 ///
107 /// The caller is responsible for:
108 /// - ensuring that the [`ArenaBox`]es came from the same arena as is being passed in to this
109 /// function, or the erased lifetime of the arena boxes might cause use-after-free.
110 /// - the bytes in `data` are actually of type `T`, and are properly aligned for type `T`.
111 pub(crate) unsafe fn new_unchecked(
112 arena: Arena,
113 data_ptr: Option<ArenaBox<'static, T>>,
114 handles_ptr: Option<ArenaBox<'static, [Option<MixedHandle>]>>,
115 ) -> Self {
116 Self { arena, data: data_ptr, handles: handles_ptr, _p: PhantomData }
117 }
118
119 /// Gets a reference to the arena this message was allocated with.
120 pub fn arena(&self) -> &Arena {
121 &self.arena
122 }
123
124 /// Takes the arena and drops any data or handle bodies held in this message
125 pub fn take_arena(self) -> Arena {
126 self.arena
127 }
128
129 /// Gets a reference to the data in this message, if there is any
130 pub fn data(&self) -> Option<&T> {
131 self.data.as_ref().map(ArenaBox::deref)
132 }
133
134 /// Gets a mutable reference to the data in this message, if there is any
135 pub fn data_mut(&mut self) -> Option<&mut T> {
136 self.data.as_mut().map(ArenaBox::deref_mut)
137 }
138
139 /// Maps the message data to a new [`ArenaBox`] based on the arena and the old data.
140 pub fn map_data<F, R: ?Sized>(self, f: F) -> Message<R>
141 where
142 F: for<'a> FnOnce(&'a Arena, ArenaBox<'a, T>) -> ArenaBox<'a, R>,
143 {
144 let Self { arena, data: data_ptr, handles: handles_ptr, .. } = self;
145 let data_ptr = data_ptr.map(|data_ptr| {
146 // SAFETY: The `ArenaBox` being returned is tied to the lifetime
147 // of the arena we gave the closure, and we will now be moving
148 // into the new `Message`. So just like the old one,
149 // the new box is tied to the life of the message and the arena
150 // within it.
151 unsafe { ArenaBox::erase_lifetime(f(&arena, data_ptr)) }
152 });
153 Message { arena, data: data_ptr, handles: handles_ptr, _p: PhantomData }
154 }
155
156 /// Gets a reference to the handles array in this message, if there is one.
157 pub fn handles(&self) -> Option<&[Option<MixedHandle>]> {
158 self.handles.as_ref().map(ArenaBox::deref)
159 }
160
161 /// Gets a mutable reference to the handles array in this message, if there is one.
162 pub fn handles_mut(&mut self) -> Option<&mut [Option<MixedHandle>]> {
163 self.handles.as_mut().map(ArenaBox::deref_mut)
164 }
165
166 /// Gets a reference to all three of the arena, data, and handles of the message
167 pub fn as_refs(&self) -> (&Arena, Option<&T>, Option<&[Option<MixedHandle>]>) {
168 (
169 &self.arena,
170 self.data.as_ref().map(ArenaBox::deref),
171 self.handles.as_ref().map(ArenaBox::deref),
172 )
173 }
174
175 /// Gets a reference to the arena and mutable references to the data handles of the message
176 pub fn as_mut_refs(&mut self) -> (&Arena, Option<&mut T>, Option<&mut [Option<MixedHandle>]>) {
177 (
178 &self.arena,
179 self.data.as_mut().map(ArenaBox::deref_mut),
180 self.handles.as_mut().map(ArenaBox::deref_mut),
181 )
182 }
183
184 /// Unpacks the arena and buffers in this message to the caller.
185 ///
186 /// The `arena` argument provides a place to put the [`Arena`] from this message
187 /// in the local lifetime of the caller so that the [`ArenaBox`]es can be tied to
188 /// its lifetime.
189 pub fn into_arena_boxes<'a>(
190 self,
191 arena: &'a mut Option<Arena>,
192 ) -> (Option<ArenaBox<'a, T>>, Option<ArenaBox<'a, [Option<MixedHandle>]>>) {
193 arena.replace(self.arena);
194 // SAFETY: the lifetime we're giving these [`ArenaBox`]es is the same one
195 // as the lifetime of the place we're putting the [`Arena`] they belong to.
196 let data = self.data.map(|ptr| unsafe { ArenaBox::erase_lifetime(ptr) });
197 let handles = self.handles.map(|ptr| unsafe { ArenaBox::erase_lifetime(ptr) });
198 (data, handles)
199 }
200
201 /// Takes the `ArenaBox`es for the data and handles from this [`Message`], but leaves
202 /// the [`Arena`] in the [`Message`] to act as a holder of the arena lifetime.
203 pub fn take_arena_boxes(
204 &mut self,
205 ) -> (&Arena, Option<ArenaBox<'_, T>>, Option<ArenaBox<'_, [Option<MixedHandle>]>>) {
206 (&self.arena, self.data.take(), self.handles.take())
207 }
208
209 /// Unpacks the arena and buffers into raw pointers
210 ///
211 /// Care must be taken to ensure that the data and handle pointers are not used
212 /// if the arena is freed. If they are never reconstituted into a [`Message`]
213 /// or an [`Arena`] and [`ArenaBox`]es, they will be leaked.
214 pub fn into_raw(
215 self,
216 ) -> (NonNull<fdf_arena_t>, Option<NonNull<T>>, Option<NonNull<[Option<MixedHandle>]>>) {
217 let arena = self.arena.into_raw();
218 // SAFETY: the arena and the pointers we're returning will all have the same
219 // effectively 'static lifetime, and it is up to the caller to make sure that
220 // they free them in the correct order.
221 let data = self.data.map(|data| unsafe { ArenaBox::into_ptr(data) });
222 let handles = self.handles.map(|handles| unsafe { ArenaBox::into_ptr(handles) });
223 (arena, data, handles)
224 }
225}
226
227impl<T> Message<T> {
228 /// Takes the data from the message, dropping the [`Arena`] and handles
229 /// array in the process.
230 pub fn take_data(self) -> Option<T> {
231 self.data.map(ArenaBox::take)
232 }
233
234 /// Takes the data from the message, dropping the [`Arena`] and handles
235 /// array in the process.
236 pub fn take_data_boxed(self) -> Option<Box<T>> {
237 self.data.map(ArenaBox::take_boxed)
238 }
239}
240
241impl<T> Message<[T]> {
242 /// Takes the data from the message, dropping the [`Arena`] and handles
243 /// array in the process.
244 pub fn take_data_boxed_slice(self) -> Option<Box<[T]>> {
245 self.data.map(ArenaBox::take_boxed_slice)
246 }
247}
248
249impl<T> Message<MaybeUninit<T>> {
250 /// Assumes the contents of the data payload of this message are initialized.
251 ///
252 /// # Safety
253 ///
254 /// The caller is responsible for ensuring that the value is initialized
255 /// properly. See [`MaybeUninit::assume_init`] for more details on the
256 /// safety requirements of this.
257 pub unsafe fn assume_init(self) -> Message<T> {
258 // SAFETY: the caller is responsible for ensuring the contents
259 // of the data pointer are initialized.
260 self.map_data(|_, data_ptr| unsafe { ArenaBox::assume_init(data_ptr) })
261 }
262}
263
264impl<T> Message<[MaybeUninit<T>]> {
265 /// Assumes the contents of the data payload of this message are initialized.
266 ///
267 /// # Safety
268 ///
269 /// The caller is responsible for ensuring that the value is initialized
270 /// properly. See [`MaybeUninit::assume_init`] for more details on the
271 /// safety requirements of this.
272 pub unsafe fn assume_init(self) -> Message<[T]> {
273 // SAFETY: the caller is responsible for ensuring the contents
274 // of the data pointer are initialized.
275 self.map_data(|_, data_ptr| unsafe { ArenaBox::assume_init_slice(data_ptr) })
276 }
277}
278
279impl Message<[MaybeUninit<u8>]> {
280 /// Transforms the message body into a message of type `T`
281 ///
282 /// # Safety
283 ///
284 /// The caller is responsible for ensuring that the data portion of this
285 /// message originated from a source with a properly allocated `T` with correct
286 /// alignment
287 pub unsafe fn cast_unchecked<T>(self) -> Message<T> {
288 // SAFETY: the caller is responsible for ensuring the contents
289 // of the data pointer are an initialized value of `T` and are
290 // correctly aligned.
291 self.map_data(|_, data_ptr| unsafe { ArenaBox::cast_unchecked(data_ptr) })
292 }
293}
294
295#[cfg(test)]
296mod test {
297 use crate::channel::Channel;
298 use fdf_core::handle::MixedHandleType;
299 use zx::HandleBased;
300
301 use super::*;
302
303 #[test]
304 #[should_panic]
305 fn bad_data_pointer() {
306 let arena = Arena::new();
307 let other_arena = Arena::new();
308 Message::new(&arena, Some(other_arena.insert(1)), None);
309 }
310
311 #[test]
312 #[should_panic]
313 fn bad_handle_pointer() {
314 let arena = Arena::new();
315 let other_arena = Arena::new();
316 Message::<()>::new(&arena, None, Some(other_arena.insert_boxed_slice(Box::new([]))));
317 }
318
319 #[test]
320 fn round_trip_data() {
321 let arena = Arena::new();
322 let data = arena.insert(1);
323 let message = Message::new(&arena, Some(data), None);
324 let mut arena = None;
325 let (data, _) = message.into_arena_boxes(&mut arena);
326 assert_eq!(*data.unwrap(), 1);
327 }
328
329 #[test]
330 fn round_trip_handles() {
331 let arena = Arena::new();
332 let zircon_handle = MixedHandle::from_zircon_handle(zx::Port::create().into_handle());
333 let (driver_handle1, driver_handle2) = Channel::create();
334 driver_handle2
335 .write(Message::new_with_data(arena.clone(), |arena| arena.insert(1)))
336 .unwrap();
337
338 let handles = arena
339 .insert_boxed_slice(Box::new([zircon_handle, Some(MixedHandle::from(driver_handle1))]));
340 let message = Message::<()>::new(&arena, None, Some(handles));
341
342 let mut arena = None;
343 let (_, Some(mut handles)) = message.into_arena_boxes(&mut arena) else {
344 panic!("didn't get handles back");
345 };
346 assert_eq!(handles.len(), 2);
347 let MixedHandleType::Zircon(_zircon_handle) = handles[0].take().unwrap().resolve() else {
348 panic!("first handle in the handle set wasn't a zircon handle");
349 };
350 let MixedHandleType::Driver(driver_handle1) = handles[1].take().unwrap().resolve() else {
351 panic!("second handle in the handle set wasn't a driver handle");
352 };
353 let driver_handle1 = unsafe { Channel::<i32>::from_driver_handle(driver_handle1) };
354 assert_eq!(driver_handle1.try_read().unwrap().unwrap().data().unwrap(), &1);
355 }
356
357 #[test]
358 fn map_data() {
359 let arena = Arena::new();
360 let data = arena.insert(1);
361 let message = Message::new(&arena, Some(data), None);
362 let message = message.map_data(|arena, i| arena.insert(*i + 1));
363 assert_eq!(message.data().unwrap(), &2);
364 }
365}