1 // Copyright 2024, Linaro Limited
2 // Author(s): Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
3 // SPDX-License-Identifier: GPL-2.0-or-later
4
5 //! Bindings to access QOM functionality from Rust.
6 //!
7 //! The QEMU Object Model (QOM) provides inheritance and dynamic typing for QEMU
8 //! devices. This module makes QOM's features available in Rust through three
9 //! main mechanisms:
10 //!
11 //! * Automatic creation and registration of `TypeInfo` for classes that are
12 //! written in Rust, as well as mapping between Rust traits and QOM vtables.
13 //!
14 //! * Type-safe casting between parent and child classes, through the [`IsA`]
15 //! trait and methods such as [`upcast`](ObjectCast::upcast) and
16 //! [`downcast`](ObjectCast::downcast).
17 //!
18 //! * Automatic delegation of parent class methods to child classes. When a
19 //! trait uses [`IsA`] as a bound, its contents become available to all child
20 //! classes through blanket implementations. This works both for class methods
21 //! and for instance methods accessed through references or smart pointers.
22 //!
23 //! # Structure of a class
24 //!
25 //! A leaf class only needs a struct holding instance state. The struct must
26 //! implement the [`ObjectType`] and [`IsA`] traits, as well as any `*Impl`
27 //! traits that exist for its superclasses.
28 //!
29 //! If a class has subclasses, it will also provide a struct for instance data,
30 //! with the same characteristics as for concrete classes, but it also needs
31 //! additional components to support virtual methods:
32 //!
33 //! * a struct for class data, for example `DeviceClass`. This corresponds to
34 //! the C "class struct" and holds the vtable that is used by instances of the
35 //! class and its subclasses. It must start with its parent's class struct.
36 //!
37 //! * a trait for virtual method implementations, for example `DeviceImpl`.
38 //! Child classes implement this trait to provide their own behavior for
39 //! virtual methods. The trait's methods take `&self` to access instance data.
40 //! The traits have the appropriate specialization of `IsA<>` as a supertrait,
41 //! for example `IsA<DeviceState>` for `DeviceImpl`.
42 //!
43 //! * a trait for instance methods, for example `DeviceMethods`. This trait is
44 //! automatically implemented for any reference or smart pointer to a device
45 //! instance. It calls into the vtable provides access across all subclasses
46 //! to methods defined for the class.
47 //!
48 //! * optionally, a trait for class methods, for example `DeviceClassMethods`.
49 //! This provides access to class-wide functionality that doesn't depend on
50 //! instance data. Like instance methods, these are automatically inherited by
51 //! child classes.
52 //!
53 //! # Class structures
54 //!
55 //! Each QOM class that has virtual methods describes them in a
56 //! _class struct_. Class structs include a parent field corresponding
57 //! to the vtable of the parent class, all the way up to [`ObjectClass`].
58 //!
59 //! As mentioned above, virtual methods are defined via traits such as
60 //! `DeviceImpl`. Class structs do not define any trait but, conventionally,
61 //! all of them have a `class_init` method to initialize the virtual methods
62 //! based on the trait and then call the same method on the superclass.
63 //!
64 //! ```ignore
65 //! impl YourSubclassClass
66 //! {
67 //! pub fn class_init<T: YourSubclassImpl>(&mut self) {
68 //! ...
69 //! klass.parent_class::class_init<T>();
70 //! }
71 //! }
72 //! ```
73 //!
74 //! If a class implements a QOM interface. In that case, the function must
75 //! contain, for each interface, an extra forwarding call as follows:
76 //!
77 //! ```ignore
78 //! ResettableClass::cast::<Self>(self).class_init::<Self>();
79 //! ```
80 //!
81 //! These `class_init` functions are methods on the class rather than a trait,
82 //! because the bound on `T` (`DeviceImpl` in this case), will change for every
83 //! class struct. The functions are pointed to by the
84 //! [`ObjectImpl::CLASS_INIT`] function pointer. While there is no default
85 //! implementation, in most cases it will be enough to write it as follows:
86 //!
87 //! ```ignore
88 //! const CLASS_INIT: fn(&mut Self::Class)> = Self::Class::class_init::<Self>;
89 //! ```
90 //!
91 //! This design incurs a small amount of code duplication but, by not using
92 //! traits, it allows the flexibility of implementing bindings in any crate,
93 //! without incurring into violations of orphan rules for traits.
94
95 use std::{
96 ffi::CStr,
97 fmt,
98 mem::ManuallyDrop,
99 ops::{Deref, DerefMut},
100 os::raw::c_void,
101 ptr::NonNull,
102 };
103
104 pub use bindings::ObjectClass;
105
106 use crate::{
107 bindings::{
108 self, object_class_dynamic_cast, object_dynamic_cast, object_get_class,
109 object_get_typename, object_new, object_ref, object_unref, TypeInfo,
110 },
111 cell::{bql_locked, Opaque},
112 };
113
114 /// A safe wrapper around [`bindings::Object`].
115 #[repr(transparent)]
116 #[derive(Debug, qemu_api_macros::Wrapper)]
117 pub struct Object(Opaque<bindings::Object>);
118
119 unsafe impl Send for Object {}
120 unsafe impl Sync for Object {}
121
122 /// Marker trait: `Self` can be statically upcasted to `P` (i.e. `P` is a direct
123 /// or indirect parent of `Self`).
124 ///
125 /// # Safety
126 ///
127 /// The struct `Self` must be `#[repr(C)]` and must begin, directly or
128 /// indirectly, with a field of type `P`. This ensures that invalid casts,
129 /// which rely on `IsA<>` for static checking, are rejected at compile time.
130 pub unsafe trait IsA<P: ObjectType>: ObjectType {}
131
132 // SAFETY: it is always safe to cast to your own type
133 unsafe impl<T: ObjectType> IsA<T> for T {}
134
135 /// Macro to mark superclasses of QOM classes. This enables type-safe
136 /// up- and downcasting.
137 ///
138 /// # Safety
139 ///
140 /// This macro is a thin wrapper around the [`IsA`] trait and performs
141 /// no checking whatsoever of what is declared. It is the caller's
142 /// responsibility to have $struct begin, directly or indirectly, with
143 /// a field of type `$parent`.
144 #[macro_export]
145 macro_rules! qom_isa {
146 ($struct:ty : $($parent:ty),* ) => {
147 $(
148 // SAFETY: it is the caller responsibility to have $parent as the
149 // first field
150 unsafe impl $crate::qom::IsA<$parent> for $struct {}
151
152 impl AsRef<$parent> for $struct {
153 fn as_ref(&self) -> &$parent {
154 // SAFETY: follows the same rules as for IsA<U>, which is
155 // declared above.
156 let ptr: *const Self = self;
157 unsafe { &*ptr.cast::<$parent>() }
158 }
159 }
160 )*
161 };
162 }
163
164 /// This is the same as [`ManuallyDrop<T>`](std::mem::ManuallyDrop), though
165 /// it hides the standard methods of `ManuallyDrop`.
166 ///
167 /// The first field of an `ObjectType` must be of type `ParentField<T>`.
168 /// (Technically, this is only necessary if there is at least one Rust
169 /// superclass in the hierarchy). This is to ensure that the parent field is
170 /// dropped after the subclass; this drop order is enforced by the C
171 /// `object_deinit` function.
172 ///
173 /// # Examples
174 ///
175 /// ```ignore
176 /// #[repr(C)]
177 /// #[derive(qemu_api_macros::Object)]
178 /// pub struct MyDevice {
179 /// parent: ParentField<DeviceState>,
180 /// ...
181 /// }
182 /// ```
183 #[derive(Debug)]
184 #[repr(transparent)]
185 pub struct ParentField<T: ObjectType>(std::mem::ManuallyDrop<T>);
186
187 impl<T: ObjectType> Deref for ParentField<T> {
188 type Target = T;
189
190 #[inline(always)]
deref(&self) -> &Self::Target191 fn deref(&self) -> &Self::Target {
192 &self.0
193 }
194 }
195
196 impl<T: ObjectType> DerefMut for ParentField<T> {
197 #[inline(always)]
deref_mut(&mut self) -> &mut Self::Target198 fn deref_mut(&mut self) -> &mut Self::Target {
199 &mut self.0
200 }
201 }
202
203 impl<T: fmt::Display + ObjectType> fmt::Display for ParentField<T> {
204 #[inline(always)]
fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error>205 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
206 self.0.fmt(f)
207 }
208 }
209
rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object)210 unsafe extern "C" fn rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object) {
211 let mut state = NonNull::new(obj).unwrap().cast::<T>();
212 // SAFETY: obj is an instance of T, since rust_instance_init<T>
213 // is called from QOM core as the instance_init function
214 // for class T
215 unsafe {
216 T::INSTANCE_INIT.unwrap()(state.as_mut());
217 }
218 }
219
rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object)220 unsafe extern "C" fn rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object) {
221 let state = NonNull::new(obj).unwrap().cast::<T>();
222 // SAFETY: obj is an instance of T, since rust_instance_post_init<T>
223 // is called from QOM core as the instance_post_init function
224 // for class T
225 T::INSTANCE_POST_INIT.unwrap()(unsafe { state.as_ref() });
226 }
227
rust_class_init<T: ObjectType + ObjectImpl>( klass: *mut ObjectClass, _data: *mut c_void, )228 unsafe extern "C" fn rust_class_init<T: ObjectType + ObjectImpl>(
229 klass: *mut ObjectClass,
230 _data: *mut c_void,
231 ) {
232 let mut klass = NonNull::new(klass)
233 .unwrap()
234 .cast::<<T as ObjectType>::Class>();
235 // SAFETY: klass is a T::Class, since rust_class_init<T>
236 // is called from QOM core as the class_init function
237 // for class T
238 <T as ObjectImpl>::CLASS_INIT(unsafe { klass.as_mut() })
239 }
240
drop_object<T: ObjectImpl>(obj: *mut bindings::Object)241 unsafe extern "C" fn drop_object<T: ObjectImpl>(obj: *mut bindings::Object) {
242 // SAFETY: obj is an instance of T, since drop_object<T> is called
243 // from the QOM core function object_deinit() as the instance_finalize
244 // function for class T. Note that while object_deinit() will drop the
245 // superclass field separately after this function returns, `T` must
246 // implement the unsafe trait ObjectType; the safety rules for the
247 // trait mandate that the parent field is manually dropped.
248 unsafe { std::ptr::drop_in_place(obj.cast::<T>()) }
249 }
250
251 /// Trait exposed by all structs corresponding to QOM objects.
252 ///
253 /// # Safety
254 ///
255 /// For classes declared in C:
256 ///
257 /// - `Class` and `TYPE` must match the data in the `TypeInfo`;
258 ///
259 /// - the first field of the struct must be of the instance type corresponding
260 /// to the superclass, as declared in the `TypeInfo`
261 ///
262 /// - likewise, the first field of the `Class` struct must be of the class type
263 /// corresponding to the superclass
264 ///
265 /// For classes declared in Rust and implementing [`ObjectImpl`]:
266 ///
267 /// - the struct must be `#[repr(C)]`;
268 ///
269 /// - the first field of the struct must be of type
270 /// [`ParentField<T>`](ParentField), where `T` is the parent type
271 /// [`ObjectImpl::ParentType`]
272 ///
273 /// - the first field of the `Class` must be of the class struct corresponding
274 /// to the superclass, which is `ObjectImpl::ParentType::Class`. `ParentField`
275 /// is not needed here.
276 ///
277 /// In both cases, having a separate class type is not necessary if the subclass
278 /// does not add any field.
279 pub unsafe trait ObjectType: Sized {
280 /// The QOM class object corresponding to this struct. This is used
281 /// to automatically generate a `class_init` method.
282 type Class;
283
284 /// The name of the type, which can be passed to `object_new()` to
285 /// generate an instance of this type.
286 const TYPE_NAME: &'static CStr;
287
288 /// Return the receiver as an Object. This is always safe, even
289 /// if this type represents an interface.
as_object(&self) -> &Object290 fn as_object(&self) -> &Object {
291 unsafe { &*self.as_ptr().cast() }
292 }
293
294 /// Return the receiver as a const raw pointer to Object.
295 /// This is preferrable to `as_object_mut_ptr()` if a C
296 /// function only needs a `const Object *`.
as_object_ptr(&self) -> *const bindings::Object297 fn as_object_ptr(&self) -> *const bindings::Object {
298 self.as_object().as_ptr()
299 }
300
301 /// Return the receiver as a mutable raw pointer to Object.
302 ///
303 /// # Safety
304 ///
305 /// This cast is always safe, but because the result is mutable
306 /// and the incoming reference is not, this should only be used
307 /// for calls to C functions, and only if needed.
as_object_mut_ptr(&self) -> *mut bindings::Object308 unsafe fn as_object_mut_ptr(&self) -> *mut bindings::Object {
309 self.as_object().as_mut_ptr()
310 }
311 }
312
313 /// Trait exposed by all structs corresponding to QOM interfaces.
314 /// Unlike `ObjectType`, it is implemented on the class type (which provides
315 /// the vtable for the interfaces).
316 ///
317 /// # Safety
318 ///
319 /// `TYPE` must match the contents of the `TypeInfo` as found in the C code;
320 /// right now, interfaces can only be declared in C.
321 pub unsafe trait InterfaceType: Sized {
322 /// The name of the type, which can be passed to
323 /// `object_class_dynamic_cast()` to obtain the pointer to the vtable
324 /// for this interface.
325 const TYPE_NAME: &'static CStr;
326
327 /// Return the vtable for the interface; `U` is the type that
328 /// lists the interface in its `TypeInfo`.
329 ///
330 /// # Examples
331 ///
332 /// This function is usually called by a `class_init` method in `U::Class`.
333 /// For example, `DeviceClass::class_init<T>` initializes its `Resettable`
334 /// interface as follows:
335 ///
336 /// ```ignore
337 /// ResettableClass::cast::<DeviceState>(self).class_init::<T>();
338 /// ```
339 ///
340 /// where `T` is the concrete subclass that is being initialized.
341 ///
342 /// # Panics
343 ///
344 /// Panic if the incoming argument if `T` does not implement the interface.
cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self345 fn cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self {
346 unsafe {
347 // SAFETY: upcasting to ObjectClass is always valid, and the
348 // return type is either NULL or the argument itself
349 let result: *mut Self = object_class_dynamic_cast(
350 (klass as *mut U::Class).cast(),
351 Self::TYPE_NAME.as_ptr(),
352 )
353 .cast();
354 result.as_mut().unwrap()
355 }
356 }
357 }
358
359 /// This trait provides safe casting operations for QOM objects to raw pointers,
360 /// to be used for example for FFI. The trait can be applied to any kind of
361 /// reference or smart pointers, and enforces correctness through the [`IsA`]
362 /// trait.
363 pub trait ObjectDeref: Deref
364 where
365 Self::Target: ObjectType,
366 {
367 /// Convert to a const Rust pointer, to be used for example for FFI.
368 /// The target pointer type must be the type of `self` or a superclass
as_ptr<U: ObjectType>(&self) -> *const U where Self::Target: IsA<U>,369 fn as_ptr<U: ObjectType>(&self) -> *const U
370 where
371 Self::Target: IsA<U>,
372 {
373 let ptr: *const Self::Target = self.deref();
374 ptr.cast::<U>()
375 }
376
377 /// Convert to a mutable Rust pointer, to be used for example for FFI.
378 /// The target pointer type must be the type of `self` or a superclass.
379 /// Used to implement interior mutability for objects.
380 ///
381 /// # Safety
382 ///
383 /// This method is safe because only the actual dereference of the pointer
384 /// has to be unsafe. Bindings to C APIs will use it a lot, but care has
385 /// to be taken because it overrides the const-ness of `&self`.
as_mut_ptr<U: ObjectType>(&self) -> *mut U where Self::Target: IsA<U>,386 fn as_mut_ptr<U: ObjectType>(&self) -> *mut U
387 where
388 Self::Target: IsA<U>,
389 {
390 #[allow(clippy::as_ptr_cast_mut)]
391 {
392 self.as_ptr::<U>() as *mut _
393 }
394 }
395 }
396
397 /// Trait that adds extra functionality for `&T` where `T` is a QOM
398 /// object type. Allows conversion to/from C objects in generic code.
399 pub trait ObjectCast: ObjectDeref + Copy
400 where
401 Self::Target: ObjectType,
402 {
403 /// Safely convert from a derived type to one of its parent types.
404 ///
405 /// This is always safe; the [`IsA`] trait provides static verification
406 /// trait that `Self` dereferences to `U` or a child of `U`.
upcast<'a, U: ObjectType>(self) -> &'a U where Self::Target: IsA<U>, Self: 'a,407 fn upcast<'a, U: ObjectType>(self) -> &'a U
408 where
409 Self::Target: IsA<U>,
410 Self: 'a,
411 {
412 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait
413 unsafe { self.unsafe_cast::<U>() }
414 }
415
416 /// Attempt to convert to a derived type.
417 ///
418 /// Returns `None` if the object is not actually of type `U`. This is
419 /// verified at runtime by checking the object's type information.
downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U> where Self: 'a,420 fn downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U>
421 where
422 Self: 'a,
423 {
424 self.dynamic_cast::<U>()
425 }
426
427 /// Attempt to convert between any two types in the QOM hierarchy.
428 ///
429 /// Returns `None` if the object is not actually of type `U`. This is
430 /// verified at runtime by checking the object's type information.
dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U> where Self: 'a,431 fn dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U>
432 where
433 Self: 'a,
434 {
435 unsafe {
436 // SAFETY: upcasting to Object is always valid, and the
437 // return type is either NULL or the argument itself
438 let result: *const U =
439 object_dynamic_cast(self.as_object_mut_ptr(), U::TYPE_NAME.as_ptr()).cast();
440
441 result.as_ref()
442 }
443 }
444
445 /// Convert to any QOM type without verification.
446 ///
447 /// # Safety
448 ///
449 /// What safety? You need to know yourself that the cast is correct; only
450 /// use when performance is paramount. It is still better than a raw
451 /// pointer `cast()`, which does not even check that you remain in the
452 /// realm of QOM `ObjectType`s.
453 ///
454 /// `unsafe_cast::<Object>()` is always safe.
unsafe_cast<'a, U: ObjectType>(self) -> &'a U where Self: 'a,455 unsafe fn unsafe_cast<'a, U: ObjectType>(self) -> &'a U
456 where
457 Self: 'a,
458 {
459 unsafe { &*(self.as_ptr::<Self::Target>().cast::<U>()) }
460 }
461 }
462
463 impl<T: ObjectType> ObjectDeref for &T {}
464 impl<T: ObjectType> ObjectCast for &T {}
465
466 impl<T: ObjectType> ObjectDeref for &mut T {}
467
468 /// Trait a type must implement to be registered with QEMU.
469 pub trait ObjectImpl: ObjectType + IsA<Object> {
470 /// The parent of the type. This should match the first field of the
471 /// struct that implements `ObjectImpl`, minus the `ParentField<_>` wrapper.
472 type ParentType: ObjectType;
473
474 /// Whether the object can be instantiated
475 const ABSTRACT: bool = false;
476
477 /// Function that is called to initialize an object. The parent class will
478 /// have already been initialized so the type is only responsible for
479 /// initializing its own members.
480 ///
481 /// FIXME: The argument is not really a valid reference. `&mut
482 /// MaybeUninit<Self>` would be a better description.
483 const INSTANCE_INIT: Option<unsafe fn(&mut Self)> = None;
484
485 /// Function that is called to finish initialization of an object, once
486 /// `INSTANCE_INIT` functions have been called.
487 const INSTANCE_POST_INIT: Option<fn(&Self)> = None;
488
489 /// Called on descendent classes after all parent class initialization
490 /// has occurred, but before the class itself is initialized. This
491 /// is only useful if a class is not a leaf, and can be used to undo
492 /// the effects of copying the contents of the parent's class struct
493 /// to the descendants.
494 const CLASS_BASE_INIT: Option<
495 unsafe extern "C" fn(klass: *mut ObjectClass, data: *mut c_void),
496 > = None;
497
498 const TYPE_INFO: TypeInfo = TypeInfo {
499 name: Self::TYPE_NAME.as_ptr(),
500 parent: Self::ParentType::TYPE_NAME.as_ptr(),
501 instance_size: core::mem::size_of::<Self>(),
502 instance_align: core::mem::align_of::<Self>(),
503 instance_init: match Self::INSTANCE_INIT {
504 None => None,
505 Some(_) => Some(rust_instance_init::<Self>),
506 },
507 instance_post_init: match Self::INSTANCE_POST_INIT {
508 None => None,
509 Some(_) => Some(rust_instance_post_init::<Self>),
510 },
511 instance_finalize: Some(drop_object::<Self>),
512 abstract_: Self::ABSTRACT,
513 class_size: core::mem::size_of::<Self::Class>(),
514 class_init: Some(rust_class_init::<Self>),
515 class_base_init: Self::CLASS_BASE_INIT,
516 class_data: core::ptr::null_mut(),
517 interfaces: core::ptr::null_mut(),
518 };
519
520 // methods on ObjectClass
521 const UNPARENT: Option<fn(&Self)> = None;
522
523 /// Store into the argument the virtual method implementations
524 /// for `Self`. On entry, the virtual method pointers are set to
525 /// the default values coming from the parent classes; the function
526 /// can change them to override virtual methods of a parent class.
527 ///
528 /// Usually defined simply as `Self::Class::class_init::<Self>`;
529 /// however a default implementation cannot be included here, because the
530 /// bounds that the `Self::Class::class_init` method places on `Self` are
531 /// not known in advance.
532 ///
533 /// # Safety
534 ///
535 /// While `klass`'s parent class is initialized on entry, the other fields
536 /// are all zero; it is therefore assumed that all fields in `T` can be
537 /// zeroed, otherwise it would not be possible to provide the class as a
538 /// `&mut T`. TODO: add a bound of [`Zeroable`](crate::zeroable::Zeroable)
539 /// to T; this is more easily done once Zeroable does not require a manual
540 /// implementation (Rust 1.75.0).
541 const CLASS_INIT: fn(&mut Self::Class);
542 }
543
544 /// # Safety
545 ///
546 /// We expect the FFI user of this function to pass a valid pointer that
547 /// can be downcasted to type `T`. We also expect the device is
548 /// readable/writeable from one thread at any time.
rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object)549 unsafe extern "C" fn rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object) {
550 let state = NonNull::new(dev).unwrap().cast::<T>();
551 T::UNPARENT.unwrap()(unsafe { state.as_ref() });
552 }
553
554 impl ObjectClass {
555 /// Fill in the virtual methods of `ObjectClass` based on the definitions in
556 /// the `ObjectImpl` trait.
class_init<T: ObjectImpl>(&mut self)557 pub fn class_init<T: ObjectImpl>(&mut self) {
558 if <T as ObjectImpl>::UNPARENT.is_some() {
559 self.unparent = Some(rust_unparent_fn::<T>);
560 }
561 }
562 }
563
564 unsafe impl ObjectType for Object {
565 type Class = ObjectClass;
566 const TYPE_NAME: &'static CStr =
567 unsafe { CStr::from_bytes_with_nul_unchecked(bindings::TYPE_OBJECT) };
568 }
569
570 /// A reference-counted pointer to a QOM object.
571 ///
572 /// `Owned<T>` wraps `T` with automatic reference counting. It increases the
573 /// reference count when created via [`Owned::from`] or cloned, and decreases
574 /// it when dropped. This ensures that the reference count remains elevated
575 /// as long as any `Owned<T>` references to it exist.
576 ///
577 /// `Owned<T>` can be used for two reasons:
578 /// * because the lifetime of the QOM object is unknown and someone else could
579 /// take a reference (similar to `Arc<T>`, for example): in this case, the
580 /// object can escape and outlive the Rust struct that contains the `Owned<T>`
581 /// field;
582 ///
583 /// * to ensure that the object stays alive until after `Drop::drop` is called
584 /// on the Rust struct: in this case, the object will always die together with
585 /// the Rust struct that contains the `Owned<T>` field.
586 ///
587 /// Child properties are an example of the second case: in C, an object that
588 /// is created with `object_initialize_child` will die *before*
589 /// `instance_finalize` is called, whereas Rust expects the struct to have valid
590 /// contents when `Drop::drop` is called. Therefore Rust structs that have
591 /// child properties need to keep a reference to the child object. Right now
592 /// this can be done with `Owned<T>`; in the future one might have a separate
593 /// `Child<'parent, T>` smart pointer that keeps a reference to a `T`, like
594 /// `Owned`, but does not allow cloning.
595 ///
596 /// Note that dropping an `Owned<T>` requires the big QEMU lock to be taken.
597 #[repr(transparent)]
598 #[derive(PartialEq, Eq, Hash, PartialOrd, Ord)]
599 pub struct Owned<T: ObjectType>(NonNull<T>);
600
601 // The following rationale for safety is taken from Linux's kernel::sync::Arc.
602
603 // SAFETY: It is safe to send `Owned<T>` to another thread when the underlying
604 // `T` is `Sync` because it effectively means sharing `&T` (which is safe
605 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
606 // thread that has an `Owned<T>` may ultimately access `T` using a
607 // mutable reference when the reference count reaches zero and `T` is dropped.
608 unsafe impl<T: ObjectType + Send + Sync> Send for Owned<T> {}
609
610 // SAFETY: It is safe to send `&Owned<T>` to another thread when the underlying
611 // `T` is `Sync` because it effectively means sharing `&T` (which is safe
612 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
613 // thread that has a `&Owned<T>` may clone it and get an `Owned<T>` on that
614 // thread, so the thread may ultimately access `T` using a mutable reference
615 // when the reference count reaches zero and `T` is dropped.
616 unsafe impl<T: ObjectType + Sync + Send> Sync for Owned<T> {}
617
618 impl<T: ObjectType> Owned<T> {
619 /// Convert a raw C pointer into an owned reference to the QOM
620 /// object it points to. The object's reference count will be
621 /// decreased when the `Owned` is dropped.
622 ///
623 /// # Panics
624 ///
625 /// Panics if `ptr` is NULL.
626 ///
627 /// # Safety
628 ///
629 /// The caller must indeed own a reference to the QOM object.
630 /// The object must not be embedded in another unless the outer
631 /// object is guaranteed to have a longer lifetime.
632 ///
633 /// A raw pointer obtained via [`Owned::into_raw()`] can always be passed
634 /// back to `from_raw()` (assuming the original `Owned` was valid!),
635 /// since the owned reference remains there between the calls to
636 /// `into_raw()` and `from_raw()`.
from_raw(ptr: *const T) -> Self637 pub unsafe fn from_raw(ptr: *const T) -> Self {
638 // SAFETY NOTE: while NonNull requires a mutable pointer, only
639 // Deref is implemented so the pointer passed to from_raw
640 // remains const
641 Owned(NonNull::new(ptr as *mut T).unwrap())
642 }
643
644 /// Obtain a raw C pointer from a reference. `src` is consumed
645 /// and the reference is leaked.
646 #[allow(clippy::missing_const_for_fn)]
into_raw(src: Owned<T>) -> *mut T647 pub fn into_raw(src: Owned<T>) -> *mut T {
648 let src = ManuallyDrop::new(src);
649 src.0.as_ptr()
650 }
651
652 /// Increase the reference count of a QOM object and return
653 /// a new owned reference to it.
654 ///
655 /// # Safety
656 ///
657 /// The object must not be embedded in another, unless the outer
658 /// object is guaranteed to have a longer lifetime.
from(obj: &T) -> Self659 pub unsafe fn from(obj: &T) -> Self {
660 unsafe {
661 object_ref(obj.as_object_mut_ptr().cast::<c_void>());
662
663 // SAFETY NOTE: while NonNull requires a mutable pointer, only
664 // Deref is implemented so the reference passed to from_raw
665 // remains shared
666 Owned(NonNull::new_unchecked(obj.as_mut_ptr()))
667 }
668 }
669 }
670
671 impl<T: ObjectType> Clone for Owned<T> {
clone(&self) -> Self672 fn clone(&self) -> Self {
673 // SAFETY: creation method is unsafe; whoever calls it has
674 // responsibility that the pointer is valid, and remains valid
675 // throughout the lifetime of the `Owned<T>` and its clones.
676 unsafe { Owned::from(self.deref()) }
677 }
678 }
679
680 impl<T: ObjectType> Deref for Owned<T> {
681 type Target = T;
682
deref(&self) -> &Self::Target683 fn deref(&self) -> &Self::Target {
684 // SAFETY: creation method is unsafe; whoever calls it has
685 // responsibility that the pointer is valid, and remains valid
686 // throughout the lifetime of the `Owned<T>` and its clones.
687 // With that guarantee, reference counting ensures that
688 // the object remains alive.
689 unsafe { &*self.0.as_ptr() }
690 }
691 }
692 impl<T: ObjectType> ObjectDeref for Owned<T> {}
693
694 impl<T: ObjectType> Drop for Owned<T> {
drop(&mut self)695 fn drop(&mut self) {
696 assert!(bql_locked());
697 // SAFETY: creation method is unsafe, and whoever calls it has
698 // responsibility that the pointer is valid, and remains valid
699 // throughout the lifetime of the `Owned<T>` and its clones.
700 unsafe {
701 object_unref(self.as_object_mut_ptr().cast::<c_void>());
702 }
703 }
704 }
705
706 impl<T: IsA<Object>> fmt::Debug for Owned<T> {
fmt(&self, f: &mut fmt::Formatter) -> fmt::Result707 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
708 self.deref().debug_fmt(f)
709 }
710 }
711
712 /// Trait for class methods exposed by the Object class. The methods can be
713 /// called on all objects that have the trait `IsA<Object>`.
714 ///
715 /// The trait should only be used through the blanket implementation,
716 /// which guarantees safety via `IsA`
717 pub trait ObjectClassMethods: IsA<Object> {
718 /// Return a new reference counted instance of this class
new() -> Owned<Self>719 fn new() -> Owned<Self> {
720 assert!(bql_locked());
721 // SAFETY: the object created by object_new is allocated on
722 // the heap and has a reference count of 1
723 unsafe {
724 let raw_obj = object_new(Self::TYPE_NAME.as_ptr());
725 let obj = Object::from_raw(raw_obj).unsafe_cast::<Self>();
726 Owned::from_raw(obj)
727 }
728 }
729 }
730
731 /// Trait for methods exposed by the Object class. The methods can be
732 /// called on all objects that have the trait `IsA<Object>`.
733 ///
734 /// The trait should only be used through the blanket implementation,
735 /// which guarantees safety via `IsA`
736 pub trait ObjectMethods: ObjectDeref
737 where
738 Self::Target: IsA<Object>,
739 {
740 /// Return the name of the type of `self`
typename(&self) -> std::borrow::Cow<'_, str>741 fn typename(&self) -> std::borrow::Cow<'_, str> {
742 let obj = self.upcast::<Object>();
743 // SAFETY: safety of this is the requirement for implementing IsA
744 // The result of the C API has static lifetime
745 unsafe {
746 let p = object_get_typename(obj.as_mut_ptr());
747 CStr::from_ptr(p).to_string_lossy()
748 }
749 }
750
get_class(&self) -> &'static <Self::Target as ObjectType>::Class751 fn get_class(&self) -> &'static <Self::Target as ObjectType>::Class {
752 let obj = self.upcast::<Object>();
753
754 // SAFETY: all objects can call object_get_class; the actual class
755 // type is guaranteed by the implementation of `ObjectType` and
756 // `ObjectImpl`.
757 let klass: &'static <Self::Target as ObjectType>::Class =
758 unsafe { &*object_get_class(obj.as_mut_ptr()).cast() };
759
760 klass
761 }
762
763 /// Convenience function for implementing the Debug trait
debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result764 fn debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
765 f.debug_tuple(&self.typename())
766 .field(&(self as *const Self))
767 .finish()
768 }
769 }
770
771 impl<T> ObjectClassMethods for T where T: IsA<Object> {}
772 impl<R: ObjectDeref> ObjectMethods for R where R::Target: IsA<Object> {}
773