|  | // Copyright 2021 Google LLC | 
|  | // | 
|  | // Licensed under the Apache License, Version 2.0 (the "License"); | 
|  | // you may not use this file except in compliance with the License. | 
|  | // You may obtain a copy of the License at | 
|  | // | 
|  | //      http://www.apache.org/licenses/LICENSE-2.0 | 
|  | // | 
|  | // Unless required by applicable law or agreed to in writing, software | 
|  | // distributed under the License is distributed on an "AS IS" BASIS, | 
|  | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
|  | // See the License for the specific language governing permissions and | 
|  | // limitations under the License. | 
|  |  | 
|  | //! Drop flags. | 
|  | //! | 
|  | //! The [`Pin<P>`] guarantees state that if we have a `T` allocated somewhere, | 
|  | //! and we construct a pinned reference to it such as a `Pin<&'a mut T>`, then | 
|  | //! before that "somewhere" in memory is reused by another Rust object, `T`'s | 
|  | //! destructor must run. | 
|  | //! | 
|  | //! Normally, this isn't a problem for Rust code, since the storage of an object | 
|  | //! is destroyed immediately after it is destroyed. [`DerefMove`], however, | 
|  | //! breaks this expectation: it separates the destructors from its storage and | 
|  | //! contents into two separately destroyed objects: a [`AsMove::Storage`] and a | 
|  | //! [`MoveRef`]. If the [`MoveRef`] is [`mem::forget`]'ed, we lose: the storage | 
|  | //! will potentially be re-used. | 
|  | //! | 
|  | //! Therefore, we must somehow detect that [`MoveRef`]s fail to be destroyed | 
|  | //! when the destructor for the corresponding storage is run, and remediate it, | 
|  | //! either by leaking heap storage or aborting if we would free stack storage | 
|  | //! (a panic is insufficient, since that location can be reused if the panic is | 
|  | //! caught). | 
|  | //! | 
|  | //! A [`DropFlag`] allows us to achieve this. It is a generalized, library-level | 
|  | //! version of the Rust language's drop flags, which it uses to dynamically | 
|  | //! determine whether to run destructors of stack-allocated values that might | 
|  | //! have been moved from. Unlike Rust language drop flags, a [`DropFlag`] is | 
|  | //! actually a counter, rather than a boolean. This allows storage that holds | 
|  | //! many objects, like a vector, ensure that all contents have been properly | 
|  | //! destroyed. | 
|  | //! | 
|  | //! This module also provides two helper types simplify safe creation and | 
|  | //! management of drop flags. | 
|  | //! | 
|  | //! See the [Rustonomicon entry](https://doc.rust-lang.org/nomicon/drop-flags.html) | 
|  | //! for the Rust language equivalent. | 
|  | //! | 
|  | //! # Safety | 
|  | //! | 
|  | //! No function in this module is `unsafe`: instead, functions that construct | 
|  | //! [`MoveRef`]s out of [`DropFlag`]s are `unsafe`, and their callers are | 
|  | //! responsible for ensuring that the passed-in [`DropFlag`] helps uphold the | 
|  | //! relevant invariants. | 
|  |  | 
|  | use core::cell::Cell; | 
|  | use core::mem; | 
|  | use core::mem::ManuallyDrop; | 
|  | use core::ops::Deref; | 
|  | use core::ops::DerefMut; | 
|  |  | 
|  | #[cfg(doc)] | 
|  | use { | 
|  | crate::move_ref::{AsMove, DerefMove, MoveRef}, | 
|  | alloc::boxed::Box, | 
|  | core::pin::Pin, | 
|  | }; | 
|  |  | 
|  | /// A drop flag, for tracking successful destruction. | 
|  | /// | 
|  | /// A `DropFlag` is a reference to a counter somewhere on the stack that lives | 
|  | /// adjacent to storage for some value. It is just a counter: `unsafe` code is | 
|  | /// expected to associate semantic meaning to it. | 
|  | /// | 
|  | /// A flag with a value of zero is usually called "dead", and setting a flag to | 
|  | /// the dead state is called clearing it. | 
|  | /// | 
|  | /// See the [module documentation][self] for more information. | 
|  | #[derive(Clone, Copy)] | 
|  | pub struct DropFlag<'frame> { | 
|  | counter: &'frame Cell<usize>, | 
|  | } | 
|  |  | 
|  | impl DropFlag<'_> { | 
|  | /// Increments the internal counter. | 
|  | /// | 
|  | /// This function does not provide any overflow protection; `unsafe` code is | 
|  | /// responsible for making sure that cannot happen. | 
|  | #[inline] | 
|  | pub fn inc(self) { | 
|  | self.counter.set(self.counter.get() + 1) | 
|  | } | 
|  |  | 
|  | /// Decrements the internal counter and returns true if it became zero. | 
|  | /// | 
|  | /// This function will return `false` if the counter was already zero. | 
|  | #[inline] | 
|  | pub fn dec_and_check_if_died(self) -> bool { | 
|  | if self.counter.get() == 0 { | 
|  | return false; | 
|  | } | 
|  | self.counter.set(self.counter.get() - 1); | 
|  | self.is_dead() | 
|  | } | 
|  |  | 
|  | /// Returns whether the internal counter is zero. | 
|  | #[inline] | 
|  | pub fn is_dead(self) -> bool { | 
|  | self.counter.get() == 0 | 
|  | } | 
|  |  | 
|  | /// Lengthens the lifetime of `self`. | 
|  | #[inline] | 
|  | #[allow(unused)] | 
|  | pub(crate) unsafe fn longer_lifetime<'a>(self) -> DropFlag<'a> { | 
|  | DropFlag { | 
|  | counter: mem::transmute(self.counter), | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | /// A wrapper for managing when a value gets dropped via a [`DropFlag`]. | 
|  | /// | 
|  | /// This type tracks the destruction state of some value relative to another | 
|  | /// value via its [`DropFlag`]: for example, it might be the storage of a value | 
|  | /// wrapped up in a [`MoveRef`]. When a `DroppingFlag` is destroyed, it will | 
|  | /// run the destructor for the wrapped value if and only if the [`DropFlag`] | 
|  | /// is dead. | 
|  | /// | 
|  | /// This type can be viewed as using a [`DropFlag`] to "complete" a | 
|  | /// [`ManuallyDrop<T>`] by explicitly tracking whether it has been dropped. The | 
|  | /// flag can be used to signal whether to destroy or leak the value, but the | 
|  | /// destruction occurs lazily rather than immediately when the flag is flipped. | 
|  | /// | 
|  | /// This is useful as an [`AsMove::Storage`] type for types where the storage | 
|  | /// should be leaked if the inner type was somehow not destroyed, such as in | 
|  | /// the case of heap-allocated storage like [`Box<T>`]. | 
|  | pub struct DroppingFlag<T> { | 
|  | value: ManuallyDrop<T>, | 
|  | counter: Cell<usize>, | 
|  | } | 
|  |  | 
|  | impl<T> DroppingFlag<T> { | 
|  | /// Wraps a new value to have its drop state managed by a `DropFlag`. | 
|  | /// | 
|  | /// The drop flag will start out dead and needs to be manually incremented. | 
|  | pub fn new(value: T) -> Self { | 
|  | Self { | 
|  | value: ManuallyDrop::new(value), | 
|  | counter: Cell::new(0), | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Gets a reference to the drop flag. | 
|  | /// | 
|  | /// This function is safe; the returned reference to the drop flag cannot be | 
|  | /// used to make a previously dropped value live again. | 
|  | pub fn flag(slot: &Self) -> DropFlag { | 
|  | DropFlag { | 
|  | counter: &slot.counter, | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Splits this slot into a reference to the wrapped value plus a reference to | 
|  | /// the drop flag. | 
|  | /// | 
|  | /// This function is safe; the returned reference to the drop flag cannot be | 
|  | /// used to make a previously dropped value live again, since the value is | 
|  | /// not destroyed before the wrapper is. | 
|  | pub fn as_parts(slot: &Self) -> (&T, DropFlag) { | 
|  | ( | 
|  | &slot.value, | 
|  | DropFlag { | 
|  | counter: &slot.counter, | 
|  | }, | 
|  | ) | 
|  | } | 
|  |  | 
|  | /// Splits this slot into a reference to the wrapped value plus a reference to | 
|  | /// the drop flag. | 
|  | /// | 
|  | /// This function is safe; the returned reference to the drop flag cannot be | 
|  | /// used to make a previously dropped value live again, since the value is | 
|  | /// not destroyed before the wrapper is. | 
|  | pub fn as_parts_mut(slot: &mut Self) -> (&mut T, DropFlag) { | 
|  | ( | 
|  | &mut slot.value, | 
|  | DropFlag { | 
|  | counter: &slot.counter, | 
|  | }, | 
|  | ) | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<T> Deref for DroppingFlag<T> { | 
|  | type Target = T; | 
|  | #[inline] | 
|  | fn deref(&self) -> &T { | 
|  | &self.value | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<T> DerefMut for DroppingFlag<T> { | 
|  | #[inline] | 
|  | fn deref_mut(&mut self) -> &mut T { | 
|  | &mut self.value | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<T> Drop for DroppingFlag<T> { | 
|  | fn drop(&mut self) { | 
|  | if Self::flag(self).is_dead() { | 
|  | unsafe { | 
|  | ManuallyDrop::drop(&mut self.value); | 
|  | } | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | /// An RAII trap that ensures a drop flag is correctly cleared. | 
|  | /// | 
|  | /// This type is *similar* to a [`DroppingFlag`], except that it does not wrap | 
|  | /// a value and rather than leaking memory aborts the program if its flag is | 
|  | /// not cleared. | 
|  | /// | 
|  | /// This type is useful for safely constructing [`MoveRef`]s. | 
|  | pub struct TrappedFlag { | 
|  | counter: Cell<usize>, | 
|  |  | 
|  | // In debug mode, we capture the location the trap is created at, to help | 
|  | // connect an eventual failure to the matching storage. | 
|  | #[cfg(debug_assertions)] | 
|  | location: &'static core::panic::Location<'static>, | 
|  | } | 
|  |  | 
|  | impl TrappedFlag { | 
|  | /// Creates a new trap with a dead flag. | 
|  | #[cfg(debug_assertions)] | 
|  | #[track_caller] | 
|  | pub fn new() -> Self { | 
|  | Self { | 
|  | counter: Cell::new(0), | 
|  | location: core::panic::Location::caller(), | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Creates a new trap with a dead flag. | 
|  | #[cfg(not(debug_assertions))] | 
|  | pub fn new() -> Self { | 
|  | Self { | 
|  | counter: Cell::new(0), | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Returns a reference to the [`DropFlag`]. | 
|  | pub fn flag(&self) -> DropFlag { | 
|  | DropFlag { | 
|  | counter: &self.counter, | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Preemptively checks that this flag has been cleared. | 
|  | /// | 
|  | /// Aborts (rather than panicking!) if the assertion fails. | 
|  | pub fn assert_cleared(&self) { | 
|  | if self.flag().is_dead() { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // We can force an abort by triggering a panic mid-unwind. | 
|  | // This is the only way to force an LLVM abort from inside of `core`. | 
|  | struct DoublePanic; | 
|  | impl Drop for DoublePanic { | 
|  | fn drop(&mut self) { | 
|  | // In tests, we don't double-panic so that we can observe the | 
|  | // failure correctly. | 
|  | if cfg!(not(test)) { | 
|  | panic!() | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | let _dp = DoublePanic; | 
|  |  | 
|  | #[cfg(debug_assertions)] | 
|  | panic!("a critical drop flag at {} was not cleared!", self.location); | 
|  |  | 
|  | #[cfg(not(debug_assertions))] | 
|  | panic!("a critical drop flag was not cleared!"); | 
|  | } | 
|  | } | 
|  |  | 
|  | impl Default for TrappedFlag { | 
|  | fn default() -> Self { | 
|  | Self::new() | 
|  | } | 
|  | } | 
|  |  | 
|  | impl Drop for TrappedFlag { | 
|  | fn drop(&mut self) { | 
|  | self.assert_cleared(); | 
|  | } | 
|  | } | 
|  |  | 
|  | /// A [`DropFlag`] source that doesn't do anything with it. | 
|  | /// | 
|  | /// This is similar to `TrappedFlag`, but where it does not abort the program | 
|  | /// if used incorrectly. This type is generally only useful when some separate | 
|  | /// mechanism is ensuring that invariants are not violated. | 
|  | pub struct QuietFlag { | 
|  | counter: Cell<usize>, | 
|  | } | 
|  |  | 
|  | impl QuietFlag { | 
|  | /// Creates a new dead flag. | 
|  | pub fn new() -> Self { | 
|  | Self { | 
|  | counter: Cell::new(0), | 
|  | } | 
|  | } | 
|  |  | 
|  | /// Returns a reference to the [`DropFlag`]. | 
|  | pub fn flag(&self) -> DropFlag { | 
|  | DropFlag { | 
|  | counter: &self.counter, | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | impl Default for QuietFlag { | 
|  | fn default() -> Self { | 
|  | Self::new() | 
|  | } | 
|  | } |