common/data_model/src/sys.rs - platform/external/crosvm - Git at Google

 // Copyright 2020 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 use std::ffi::c_void;
 use std::fmt::{self, Debug};
 use std::marker::PhantomData;
 use std::slice;

 use libc::iovec;

 /// This type is essentialy `std::io::IoBufMut`, and guaranteed to be ABI-compatible with
 /// `libc::iovec`; however, it does NOT automatically deref to `&mut [u8]`, which is critical
 /// because it can point to guest memory. (Guest memory is implicitly mutably borrowed by the
 /// guest, so another mutable borrow would violate Rust assumptions about references.)
 #[derive(Copy, Clone)]
 #[repr(transparent)]
 pub struct IoBufMut<'a> {
     iov: iovec,
     phantom: PhantomData<&'a mut [u8]>,
 }

 impl<'a> IoBufMut<'a> {
     pub fn new(buf: &mut [u8]) -> IoBufMut<'a> {
         // Safe because buf's memory is of the supplied length, and
         // guaranteed to exist for the lifetime of the returned value.
         unsafe { Self::from_raw_parts(buf.as_mut_ptr(), buf.len()) }
     }

     /// Creates a `IoBufMut` from a pointer and a length.
     ///
     /// # Safety
     ///
     /// In order to use this method safely, `addr` must be valid for reads and writes of `len` bytes
     /// and should live for the entire duration of lifetime `'a`.
     pub unsafe fn from_raw_parts(addr: *mut u8, len: usize) -> IoBufMut<'a> {
         IoBufMut {
             iov: iovec {
                 iov_base: addr as *mut c_void,
                 iov_len: len,
             },
             phantom: PhantomData,
         }
     }

     #[inline]
     pub fn len(&self) -> usize {
         self.iov.iov_len as usize
     }

     #[inline]
     pub fn is_empty(&self) -> bool {
         self.iov.iov_len == 0
     }

     /// Gets a const pointer to this slice's memory.
     #[inline]
     pub fn as_ptr(&self) -> *const u8 {
         self.iov.iov_base as *const u8
     }

     /// Gets a mutable pointer to this slice's memory.
     #[inline]
     pub fn as_mut_ptr(&self) -> *mut u8 {
         self.iov.iov_base as *mut u8
     }

     /// Converts a slice of `IoBufMut`s into a slice of `iovec`s.
     #[allow(clippy::wrong_self_convention)]
     #[inline]
     pub fn as_iobufs<'slice>(iovs: &'slice [IoBufMut<'_>]) -> &'slice [iovec] {
         // Safe because `IoBufMut` is ABI-compatible with `iovec`.
         unsafe { slice::from_raw_parts(iovs.as_ptr() as *const libc::iovec, iovs.len()) }
     }
 }

 impl<'a> AsRef<libc::iovec> for IoBufMut<'a> {
     fn as_ref(&self) -> &libc::iovec {
         &self.iov
     }
 }

 impl<'a> AsMut<libc::iovec> for IoBufMut<'a> {
     fn as_mut(&mut self) -> &mut libc::iovec {
         &mut self.iov
     }
 }

 // It's safe to implement Send + Sync for this type for the same reason that `std::io::IoBufMut`
 // is Send + Sync. Internally, it contains a pointer and a length. The integer length is safely Send
 // + Sync.  There's nothing wrong with sending a pointer between threads and de-referencing the
 // pointer requires an unsafe block anyway. See also https://github.com/rust-lang/rust/pull/70342.
 unsafe impl<'a> Send for IoBufMut<'a> {}
 unsafe impl<'a> Sync for IoBufMut<'a> {}

 struct DebugIovec(iovec);
 impl Debug for DebugIovec {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         f.debug_struct("iovec")
             .field("iov_base", &self.0.iov_base)
             .field("iov_len", &self.0.iov_len)
             .finish()
     }
 }

 impl<'a> Debug for IoBufMut<'a> {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         f.debug_struct("IoBufMut")
             .field("iov", &DebugIovec(self.iov))
             .field("phantom", &self.phantom)
             .finish()
     }
 }
	// Copyright 2020 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	use std::ffi::c_void;
	use std::fmt::{self, Debug};
	use std::marker::PhantomData;
	use std::slice;

	use libc::iovec;

	/// This type is essentialy `std::io::IoBufMut`, and guaranteed to be ABI-compatible with
	/// `libc::iovec`; however, it does NOT automatically deref to `&mut [u8]`, which is critical
	/// because it can point to guest memory. (Guest memory is implicitly mutably borrowed by the
	/// guest, so another mutable borrow would violate Rust assumptions about references.)
	#[derive(Copy, Clone)]
	#[repr(transparent)]
	pub struct IoBufMut<'a> {
	iov: iovec,
	phantom: PhantomData<&'a mut [u8]>,
	}

	impl<'a> IoBufMut<'a> {
	pub fn new(buf: &mut [u8]) -> IoBufMut<'a> {
	// Safe because buf's memory is of the supplied length, and
	// guaranteed to exist for the lifetime of the returned value.
	unsafe { Self::from_raw_parts(buf.as_mut_ptr(), buf.len()) }
	}

	/// Creates a `IoBufMut` from a pointer and a length.
	///
	/// # Safety
	///
	/// In order to use this method safely, `addr` must be valid for reads and writes of `len` bytes
	/// and should live for the entire duration of lifetime `'a`.
	pub unsafe fn from_raw_parts(addr: *mut u8, len: usize) -> IoBufMut<'a> {
	IoBufMut {
	iov: iovec {
	iov_base: addr as *mut c_void,
	iov_len: len,
	},
	phantom: PhantomData,
	}
	}

	#[inline]
	pub fn len(&self) -> usize {
	self.iov.iov_len as usize
	}

	#[inline]
	pub fn is_empty(&self) -> bool {
	self.iov.iov_len == 0
	}

	/// Gets a const pointer to this slice's memory.
	#[inline]
	pub fn as_ptr(&self) -> *const u8 {
	self.iov.iov_base as *const u8
	}

	/// Gets a mutable pointer to this slice's memory.
	#[inline]
	pub fn as_mut_ptr(&self) -> *mut u8 {
	self.iov.iov_base as *mut u8
	}

	/// Converts a slice of `IoBufMut`s into a slice of `iovec`s.
	#[allow(clippy::wrong_self_convention)]
	#[inline]
	pub fn as_iobufs<'slice>(iovs: &'slice [IoBufMut<'_>]) -> &'slice [iovec] {
	// Safe because `IoBufMut` is ABI-compatible with `iovec`.
	unsafe { slice::from_raw_parts(iovs.as_ptr() as *const libc::iovec, iovs.len()) }
	}
	}

	impl<'a> AsRef<libc::iovec> for IoBufMut<'a> {
	fn as_ref(&self) -> &libc::iovec {
	&self.iov
	}
	}

	impl<'a> AsMut<libc::iovec> for IoBufMut<'a> {
	fn as_mut(&mut self) -> &mut libc::iovec {
	&mut self.iov
	}
	}

	// It's safe to implement Send + Sync for this type for the same reason that `std::io::IoBufMut`
	// is Send + Sync. Internally, it contains a pointer and a length. The integer length is safely Send
	// + Sync. There's nothing wrong with sending a pointer between threads and de-referencing the
	// pointer requires an unsafe block anyway. See also https://github.com/rust-lang/rust/pull/70342.
	unsafe impl<'a> Send for IoBufMut<'a> {}
	unsafe impl<'a> Sync for IoBufMut<'a> {}

	struct DebugIovec(iovec);
	impl Debug for DebugIovec {
	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
	f.debug_struct("iovec")
	.field("iov_base", &self.0.iov_base)
	.field("iov_len", &self.0.iov_len)
	.finish()
	}
	}

	impl<'a> Debug for IoBufMut<'a> {
	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
	f.debug_struct("IoBufMut")
	.field("iov", &DebugIovec(self.iov))
	.field("phantom", &self.phantom)
	.finish()
	}
	}