1 // Copyright 2024, Linaro Limited
2 // Author(s): Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
3 // SPDX-License-Identifier: GPL-2.0-or-later
4
5 //! Bindings to access QOM functionality from Rust.
6 //!
7 //! The QEMU Object Model (QOM) provides inheritance and dynamic typing for QEMU
8 //! devices. This module makes QOM's features available in Rust through three
9 //! main mechanisms:
10 //!
11 //! * Automatic creation and registration of `TypeInfo` for classes that are
12 //! written in Rust, as well as mapping between Rust traits and QOM vtables.
13 //!
14 //! * Type-safe casting between parent and child classes, through the [`IsA`]
15 //! trait and methods such as [`upcast`](ObjectCast::upcast) and
16 //! [`downcast`](ObjectCast::downcast).
17 //!
18 //! * Automatic delegation of parent class methods to child classes. When a
19 //! trait uses [`IsA`] as a bound, its contents become available to all child
20 //! classes through blanket implementations. This works both for class methods
21 //! and for instance methods accessed through references or smart pointers.
22 //!
23 //! # Structure of a class
24 //!
25 //! A leaf class only needs a struct holding instance state. The struct must
26 //! implement the [`ObjectType`] and [`IsA`] traits, as well as any `*Impl`
27 //! traits that exist for its superclasses.
28 //!
29 //! If a class has subclasses, it will also provide a struct for instance data,
30 //! with the same characteristics as for concrete classes, but it also needs
31 //! additional components to support virtual methods:
32 //!
33 //! * a struct for class data, for example `DeviceClass`. This corresponds to
34 //! the C "class struct" and holds the vtable that is used by instances of the
35 //! class and its subclasses. It must start with its parent's class struct.
36 //!
37 //! * a trait for virtual method implementations, for example `DeviceImpl`.
38 //! Child classes implement this trait to provide their own behavior for
39 //! virtual methods. The trait's methods take `&self` to access instance data.
40 //! The traits have the appropriate specialization of `IsA<>` as a supertrait,
41 //! for example `IsA<DeviceState>` for `DeviceImpl`.
42 //!
43 //! * a trait for instance methods, for example `DeviceMethods`. This trait is
44 //! automatically implemented for any reference or smart pointer to a device
45 //! instance. It calls into the vtable provides access across all subclasses
46 //! to methods defined for the class.
47 //!
48 //! * optionally, a trait for class methods, for example `DeviceClassMethods`.
49 //! This provides access to class-wide functionality that doesn't depend on
50 //! instance data. Like instance methods, these are automatically inherited by
51 //! child classes.
52 //!
53 //! # Class structures
54 //!
55 //! Each QOM class that has virtual methods describes them in a
56 //! _class struct_. Class structs include a parent field corresponding
57 //! to the vtable of the parent class, all the way up to [`ObjectClass`].
58 //!
59 //! As mentioned above, virtual methods are defined via traits such as
60 //! `DeviceImpl`. Class structs do not define any trait but, conventionally,
61 //! all of them have a `class_init` method to initialize the virtual methods
62 //! based on the trait and then call the same method on the superclass.
63 //!
64 //! ```ignore
65 //! impl YourSubclassClass
66 //! {
67 //! pub fn class_init<T: YourSubclassImpl>(&mut self) {
68 //! ...
69 //! klass.parent_class::class_init<T>();
70 //! }
71 //! }
72 //! ```
73 //!
74 //! If a class implements a QOM interface. In that case, the function must
75 //! contain, for each interface, an extra forwarding call as follows:
76 //!
77 //! ```ignore
78 //! ResettableClass::cast::<Self>(self).class_init::<Self>();
79 //! ```
80 //!
81 //! These `class_init` functions are methods on the class rather than a trait,
82 //! because the bound on `T` (`DeviceImpl` in this case), will change for every
83 //! class struct. The functions are pointed to by the
84 //! [`ObjectImpl::CLASS_INIT`] function pointer. While there is no default
85 //! implementation, in most cases it will be enough to write it as follows:
86 //!
87 //! ```ignore
88 //! const CLASS_INIT: fn(&mut Self::Class)> = Self::Class::class_init::<Self>;
89 //! ```
90 //!
91 //! This design incurs a small amount of code duplication but, by not using
92 //! traits, it allows the flexibility of implementing bindings in any crate,
93 //! without incurring into violations of orphan rules for traits.
94
95 use std::{
96 ffi::{c_void, CStr},
97 fmt,
98 marker::PhantomData,
99 mem::{ManuallyDrop, MaybeUninit},
100 ops::{Deref, DerefMut},
101 ptr::NonNull,
102 };
103
104 pub use bindings::ObjectClass;
105
106 use crate::{
107 bindings::{
108 self, object_class_dynamic_cast, object_dynamic_cast, object_get_class,
109 object_get_typename, object_new, object_ref, object_unref, TypeInfo,
110 },
111 cell::{bql_locked, Opaque},
112 };
113
114 /// A safe wrapper around [`bindings::Object`].
115 #[repr(transparent)]
116 #[derive(Debug, qemu_api_macros::Wrapper)]
117 pub struct Object(Opaque<bindings::Object>);
118
119 unsafe impl Send for Object {}
120 unsafe impl Sync for Object {}
121
122 /// Marker trait: `Self` can be statically upcasted to `P` (i.e. `P` is a direct
123 /// or indirect parent of `Self`).
124 ///
125 /// # Safety
126 ///
127 /// The struct `Self` must be `#[repr(C)]` and must begin, directly or
128 /// indirectly, with a field of type `P`. This ensures that invalid casts,
129 /// which rely on `IsA<>` for static checking, are rejected at compile time.
130 pub unsafe trait IsA<P: ObjectType>: ObjectType {}
131
132 // SAFETY: it is always safe to cast to your own type
133 unsafe impl<T: ObjectType> IsA<T> for T {}
134
135 /// Macro to mark superclasses of QOM classes. This enables type-safe
136 /// up- and downcasting.
137 ///
138 /// # Safety
139 ///
140 /// This macro is a thin wrapper around the [`IsA`] trait and performs
141 /// no checking whatsoever of what is declared. It is the caller's
142 /// responsibility to have $struct begin, directly or indirectly, with
143 /// a field of type `$parent`.
144 #[macro_export]
145 macro_rules! qom_isa {
146 ($struct:ty : $($parent:ty),* ) => {
147 $(
148 // SAFETY: it is the caller responsibility to have $parent as the
149 // first field
150 unsafe impl $crate::qom::IsA<$parent> for $struct {}
151
152 impl AsRef<$parent> for $struct {
153 fn as_ref(&self) -> &$parent {
154 // SAFETY: follows the same rules as for IsA<U>, which is
155 // declared above.
156 let ptr: *const Self = self;
157 unsafe { &*ptr.cast::<$parent>() }
158 }
159 }
160 )*
161 };
162 }
163
164 /// This is the same as [`ManuallyDrop<T>`](std::mem::ManuallyDrop), though
165 /// it hides the standard methods of `ManuallyDrop`.
166 ///
167 /// The first field of an `ObjectType` must be of type `ParentField<T>`.
168 /// (Technically, this is only necessary if there is at least one Rust
169 /// superclass in the hierarchy). This is to ensure that the parent field is
170 /// dropped after the subclass; this drop order is enforced by the C
171 /// `object_deinit` function.
172 ///
173 /// # Examples
174 ///
175 /// ```ignore
176 /// #[repr(C)]
177 /// #[derive(qemu_api_macros::Object)]
178 /// pub struct MyDevice {
179 /// parent: ParentField<DeviceState>,
180 /// ...
181 /// }
182 /// ```
183 #[derive(Debug)]
184 #[repr(transparent)]
185 pub struct ParentField<T: ObjectType>(std::mem::ManuallyDrop<T>);
186
187 impl<T: ObjectType> Deref for ParentField<T> {
188 type Target = T;
189
190 #[inline(always)]
deref(&self) -> &Self::Target191 fn deref(&self) -> &Self::Target {
192 &self.0
193 }
194 }
195
196 impl<T: ObjectType> DerefMut for ParentField<T> {
197 #[inline(always)]
deref_mut(&mut self) -> &mut Self::Target198 fn deref_mut(&mut self) -> &mut Self::Target {
199 &mut self.0
200 }
201 }
202
203 impl<T: fmt::Display + ObjectType> fmt::Display for ParentField<T> {
204 #[inline(always)]
fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error>205 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
206 self.0.fmt(f)
207 }
208 }
209
210 /// This struct knows that the superclasses of the object have already been
211 /// initialized.
212 ///
213 /// The declaration of `ParentInit` is.. *"a kind of magic"*. It uses a
214 /// technique that is found in several crates, the main ones probably being
215 /// `ghost-cell` (in fact it was introduced by the [`GhostCell` paper](https://plv.mpi-sws.org/rustbelt/ghostcell/))
216 /// and `generativity`.
217 ///
218 /// The `PhantomData` makes the `ParentInit` type *invariant* with respect to
219 /// the lifetime argument `'init`. This, together with the `for<'...>` in
220 /// `[ParentInit::with]`, block any attempt of the compiler to be creative when
221 /// operating on types of type `ParentInit` and to extend their lifetimes. In
222 /// particular, it ensures that the `ParentInit` cannot be made to outlive the
223 /// `rust_instance_init()` function that creates it, and therefore that the
224 /// `&'init T` reference is valid.
225 ///
226 /// This implementation of the same concept, without the QOM baggage, can help
227 /// understanding the effect:
228 ///
229 /// ```
230 /// use std::marker::PhantomData;
231 ///
232 /// #[derive(PartialEq, Eq)]
233 /// pub struct Jail<'closure, T: Copy>(&'closure T, PhantomData<fn(&'closure ()) -> &'closure ()>);
234 ///
235 /// impl<'closure, T: Copy> Jail<'closure, T> {
236 /// fn get(&self) -> T {
237 /// *self.0
238 /// }
239 ///
240 /// #[inline]
241 /// fn with<U>(v: T, f: impl for<'id> FnOnce(Jail<'id, T>) -> U) -> U {
242 /// let parent_init = Jail(&v, PhantomData);
243 /// f(parent_init)
244 /// }
245 /// }
246 /// ```
247 ///
248 /// It's impossible to escape the `Jail`; `token1` cannot be moved out of the
249 /// closure:
250 ///
251 /// ```ignore
252 /// let x = 42;
253 /// let escape = Jail::with(&x, |token1| {
254 /// println!("{}", token1.get());
255 /// // fails to compile...
256 /// token1
257 /// });
258 /// // ... so you cannot do this:
259 /// println!("{}", escape.get());
260 /// ```
261 ///
262 /// Likewise, in the QOM case the `ParentInit` cannot be moved out of
263 /// `instance_init()`. Without this trick it would be possible to stash a
264 /// `ParentInit` and use it later to access uninitialized memory.
265 ///
266 /// Here is another example, showing how separately-created "identities" stay
267 /// isolated:
268 ///
269 /// ```ignore
270 /// impl<'closure, T: Copy> Clone for Jail<'closure, T> {
271 /// fn clone(&self) -> Jail<'closure, T> {
272 /// Jail(self.0, PhantomData)
273 /// }
274 /// }
275 ///
276 /// fn main() {
277 /// Jail::with(42, |token1| {
278 /// // this works and returns true: the clone has the same "identity"
279 /// println!("{}", token1 == token1.clone());
280 /// Jail::with(42, |token2| {
281 /// // here the outer token remains accessible...
282 /// println!("{}", token1.get());
283 /// // ... but the two are separate: this fails to compile:
284 /// println!("{}", token1 == token2);
285 /// });
286 /// });
287 /// }
288 /// ```
289 pub struct ParentInit<'init, T>(
290 &'init mut MaybeUninit<T>,
291 PhantomData<fn(&'init ()) -> &'init ()>,
292 );
293
294 impl<'init, T> ParentInit<'init, T> {
295 #[inline]
with(obj: &'init mut MaybeUninit<T>, f: impl for<'id> FnOnce(ParentInit<'id, T>))296 pub fn with(obj: &'init mut MaybeUninit<T>, f: impl for<'id> FnOnce(ParentInit<'id, T>)) {
297 let parent_init = ParentInit(obj, PhantomData);
298 f(parent_init)
299 }
300 }
301
302 impl<T: ObjectType> ParentInit<'_, T> {
303 /// Return the receiver as a mutable raw pointer to Object.
304 ///
305 /// # Safety
306 ///
307 /// Fields beyond `Object` could be uninitialized and it's your
308 /// responsibility to avoid that they're used when the pointer is
309 /// dereferenced, either directly or through a cast.
as_object_mut_ptr(&self) -> *mut bindings::Object310 pub fn as_object_mut_ptr(&self) -> *mut bindings::Object {
311 self.as_object_ptr().cast_mut()
312 }
313
314 /// Return the receiver as a mutable raw pointer to Object.
315 ///
316 /// # Safety
317 ///
318 /// Fields beyond `Object` could be uninitialized and it's your
319 /// responsibility to avoid that they're used when the pointer is
320 /// dereferenced, either directly or through a cast.
as_object_ptr(&self) -> *const bindings::Object321 pub fn as_object_ptr(&self) -> *const bindings::Object {
322 self.0.as_ptr().cast()
323 }
324 }
325
326 impl<'a, T: ObjectImpl> ParentInit<'a, T> {
327 /// Convert from a derived type to one of its parent types, which
328 /// have already been initialized.
329 ///
330 /// # Safety
331 ///
332 /// Structurally this is always a safe operation; the [`IsA`] trait
333 /// provides static verification trait that `Self` dereferences to `U` or
334 /// a child of `U`, and only parent types of `T` are allowed.
335 ///
336 /// However, while the fields of the resulting reference are initialized,
337 /// calls might use uninitialized fields of the subclass. It is your
338 /// responsibility to avoid this.
upcast<U: ObjectType>(&self) -> &'a U where T::ParentType: IsA<U>,339 pub unsafe fn upcast<U: ObjectType>(&self) -> &'a U
340 where
341 T::ParentType: IsA<U>,
342 {
343 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait;
344 // the parent has been initialized before `instance_init `is called
345 unsafe { &*(self.0.as_ptr().cast::<U>()) }
346 }
347
348 /// Convert from a derived type to one of its parent types, which
349 /// have already been initialized.
350 ///
351 /// # Safety
352 ///
353 /// Structurally this is always a safe operation; the [`IsA`] trait
354 /// provides static verification trait that `Self` dereferences to `U` or
355 /// a child of `U`, and only parent types of `T` are allowed.
356 ///
357 /// However, while the fields of the resulting reference are initialized,
358 /// calls might use uninitialized fields of the subclass. It is your
359 /// responsibility to avoid this.
upcast_mut<U: ObjectType>(&mut self) -> &'a mut U where T::ParentType: IsA<U>,360 pub unsafe fn upcast_mut<U: ObjectType>(&mut self) -> &'a mut U
361 where
362 T::ParentType: IsA<U>,
363 {
364 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait;
365 // the parent has been initialized before `instance_init `is called
366 unsafe { &mut *(self.0.as_mut_ptr().cast::<U>()) }
367 }
368 }
369
370 impl<T> Deref for ParentInit<'_, T> {
371 type Target = MaybeUninit<T>;
372
deref(&self) -> &Self::Target373 fn deref(&self) -> &Self::Target {
374 self.0
375 }
376 }
377
378 impl<T> DerefMut for ParentInit<'_, T> {
deref_mut(&mut self) -> &mut Self::Target379 fn deref_mut(&mut self) -> &mut Self::Target {
380 self.0
381 }
382 }
383
rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object)384 unsafe extern "C" fn rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object) {
385 let mut state = NonNull::new(obj).unwrap().cast::<MaybeUninit<T>>();
386
387 // SAFETY: obj is an instance of T, since rust_instance_init<T>
388 // is called from QOM core as the instance_init function
389 // for class T
390 unsafe {
391 ParentInit::with(state.as_mut(), |parent_init| {
392 T::INSTANCE_INIT.unwrap()(parent_init);
393 });
394 }
395 }
396
rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object)397 unsafe extern "C" fn rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object) {
398 let state = NonNull::new(obj).unwrap().cast::<T>();
399 // SAFETY: obj is an instance of T, since rust_instance_post_init<T>
400 // is called from QOM core as the instance_post_init function
401 // for class T
402 T::INSTANCE_POST_INIT.unwrap()(unsafe { state.as_ref() });
403 }
404
rust_class_init<T: ObjectType + ObjectImpl>( klass: *mut ObjectClass, _data: *const c_void, )405 unsafe extern "C" fn rust_class_init<T: ObjectType + ObjectImpl>(
406 klass: *mut ObjectClass,
407 _data: *const c_void,
408 ) {
409 let mut klass = NonNull::new(klass)
410 .unwrap()
411 .cast::<<T as ObjectType>::Class>();
412 // SAFETY: klass is a T::Class, since rust_class_init<T>
413 // is called from QOM core as the class_init function
414 // for class T
415 <T as ObjectImpl>::CLASS_INIT(unsafe { klass.as_mut() })
416 }
417
drop_object<T: ObjectImpl>(obj: *mut bindings::Object)418 unsafe extern "C" fn drop_object<T: ObjectImpl>(obj: *mut bindings::Object) {
419 // SAFETY: obj is an instance of T, since drop_object<T> is called
420 // from the QOM core function object_deinit() as the instance_finalize
421 // function for class T. Note that while object_deinit() will drop the
422 // superclass field separately after this function returns, `T` must
423 // implement the unsafe trait ObjectType; the safety rules for the
424 // trait mandate that the parent field is manually dropped.
425 unsafe { std::ptr::drop_in_place(obj.cast::<T>()) }
426 }
427
428 /// Trait exposed by all structs corresponding to QOM objects.
429 ///
430 /// # Safety
431 ///
432 /// For classes declared in C:
433 ///
434 /// - `Class` and `TYPE` must match the data in the `TypeInfo`;
435 ///
436 /// - the first field of the struct must be of the instance type corresponding
437 /// to the superclass, as declared in the `TypeInfo`
438 ///
439 /// - likewise, the first field of the `Class` struct must be of the class type
440 /// corresponding to the superclass
441 ///
442 /// For classes declared in Rust and implementing [`ObjectImpl`]:
443 ///
444 /// - the struct must be `#[repr(C)]`;
445 ///
446 /// - the first field of the struct must be of type
447 /// [`ParentField<T>`](ParentField), where `T` is the parent type
448 /// [`ObjectImpl::ParentType`]
449 ///
450 /// - the first field of the `Class` must be of the class struct corresponding
451 /// to the superclass, which is `ObjectImpl::ParentType::Class`. `ParentField`
452 /// is not needed here.
453 ///
454 /// In both cases, having a separate class type is not necessary if the subclass
455 /// does not add any field.
456 pub unsafe trait ObjectType: Sized {
457 /// The QOM class object corresponding to this struct. This is used
458 /// to automatically generate a `class_init` method.
459 type Class;
460
461 /// The name of the type, which can be passed to `object_new()` to
462 /// generate an instance of this type.
463 const TYPE_NAME: &'static CStr;
464
465 /// Return the receiver as an Object. This is always safe, even
466 /// if this type represents an interface.
as_object(&self) -> &Object467 fn as_object(&self) -> &Object {
468 unsafe { &*self.as_ptr().cast() }
469 }
470
471 /// Return the receiver as a const raw pointer to Object.
472 /// This is preferable to `as_object_mut_ptr()` if a C
473 /// function only needs a `const Object *`.
as_object_ptr(&self) -> *const bindings::Object474 fn as_object_ptr(&self) -> *const bindings::Object {
475 self.as_object().as_ptr()
476 }
477
478 /// Return the receiver as a mutable raw pointer to Object.
479 ///
480 /// # Safety
481 ///
482 /// This cast is always safe, but because the result is mutable
483 /// and the incoming reference is not, this should only be used
484 /// for calls to C functions, and only if needed.
as_object_mut_ptr(&self) -> *mut bindings::Object485 unsafe fn as_object_mut_ptr(&self) -> *mut bindings::Object {
486 self.as_object().as_mut_ptr()
487 }
488 }
489
490 /// Trait exposed by all structs corresponding to QOM interfaces.
491 /// Unlike `ObjectType`, it is implemented on the class type (which provides
492 /// the vtable for the interfaces).
493 ///
494 /// # Safety
495 ///
496 /// `TYPE` must match the contents of the `TypeInfo` as found in the C code;
497 /// right now, interfaces can only be declared in C.
498 pub unsafe trait InterfaceType: Sized {
499 /// The name of the type, which can be passed to
500 /// `object_class_dynamic_cast()` to obtain the pointer to the vtable
501 /// for this interface.
502 const TYPE_NAME: &'static CStr;
503
504 /// Return the vtable for the interface; `U` is the type that
505 /// lists the interface in its `TypeInfo`.
506 ///
507 /// # Examples
508 ///
509 /// This function is usually called by a `class_init` method in `U::Class`.
510 /// For example, `DeviceClass::class_init<T>` initializes its `Resettable`
511 /// interface as follows:
512 ///
513 /// ```ignore
514 /// ResettableClass::cast::<DeviceState>(self).class_init::<T>();
515 /// ```
516 ///
517 /// where `T` is the concrete subclass that is being initialized.
518 ///
519 /// # Panics
520 ///
521 /// Panic if the incoming argument if `T` does not implement the interface.
cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self522 fn cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self {
523 unsafe {
524 // SAFETY: upcasting to ObjectClass is always valid, and the
525 // return type is either NULL or the argument itself
526 let result: *mut Self = object_class_dynamic_cast(
527 (klass as *mut U::Class).cast(),
528 Self::TYPE_NAME.as_ptr(),
529 )
530 .cast();
531 result.as_mut().unwrap()
532 }
533 }
534 }
535
536 /// This trait provides safe casting operations for QOM objects to raw pointers,
537 /// to be used for example for FFI. The trait can be applied to any kind of
538 /// reference or smart pointers, and enforces correctness through the [`IsA`]
539 /// trait.
540 pub trait ObjectDeref: Deref
541 where
542 Self::Target: ObjectType,
543 {
544 /// Convert to a const Rust pointer, to be used for example for FFI.
545 /// The target pointer type must be the type of `self` or a superclass
as_ptr<U: ObjectType>(&self) -> *const U where Self::Target: IsA<U>,546 fn as_ptr<U: ObjectType>(&self) -> *const U
547 where
548 Self::Target: IsA<U>,
549 {
550 let ptr: *const Self::Target = self.deref();
551 ptr.cast::<U>()
552 }
553
554 /// Convert to a mutable Rust pointer, to be used for example for FFI.
555 /// The target pointer type must be the type of `self` or a superclass.
556 /// Used to implement interior mutability for objects.
557 ///
558 /// # Safety
559 ///
560 /// This method is safe because only the actual dereference of the pointer
561 /// has to be unsafe. Bindings to C APIs will use it a lot, but care has
562 /// to be taken because it overrides the const-ness of `&self`.
as_mut_ptr<U: ObjectType>(&self) -> *mut U where Self::Target: IsA<U>,563 fn as_mut_ptr<U: ObjectType>(&self) -> *mut U
564 where
565 Self::Target: IsA<U>,
566 {
567 #[allow(clippy::as_ptr_cast_mut)]
568 {
569 self.as_ptr::<U>().cast_mut()
570 }
571 }
572 }
573
574 /// Trait that adds extra functionality for `&T` where `T` is a QOM
575 /// object type. Allows conversion to/from C objects in generic code.
576 pub trait ObjectCast: ObjectDeref + Copy
577 where
578 Self::Target: ObjectType,
579 {
580 /// Safely convert from a derived type to one of its parent types.
581 ///
582 /// This is always safe; the [`IsA`] trait provides static verification
583 /// trait that `Self` dereferences to `U` or a child of `U`.
upcast<'a, U: ObjectType>(self) -> &'a U where Self::Target: IsA<U>, Self: 'a,584 fn upcast<'a, U: ObjectType>(self) -> &'a U
585 where
586 Self::Target: IsA<U>,
587 Self: 'a,
588 {
589 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait
590 unsafe { self.unsafe_cast::<U>() }
591 }
592
593 /// Attempt to convert to a derived type.
594 ///
595 /// Returns `None` if the object is not actually of type `U`. This is
596 /// verified at runtime by checking the object's type information.
downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U> where Self: 'a,597 fn downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U>
598 where
599 Self: 'a,
600 {
601 self.dynamic_cast::<U>()
602 }
603
604 /// Attempt to convert between any two types in the QOM hierarchy.
605 ///
606 /// Returns `None` if the object is not actually of type `U`. This is
607 /// verified at runtime by checking the object's type information.
dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U> where Self: 'a,608 fn dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U>
609 where
610 Self: 'a,
611 {
612 unsafe {
613 // SAFETY: upcasting to Object is always valid, and the
614 // return type is either NULL or the argument itself
615 let result: *const U =
616 object_dynamic_cast(self.as_object_mut_ptr(), U::TYPE_NAME.as_ptr()).cast();
617
618 result.as_ref()
619 }
620 }
621
622 /// Convert to any QOM type without verification.
623 ///
624 /// # Safety
625 ///
626 /// What safety? You need to know yourself that the cast is correct; only
627 /// use when performance is paramount. It is still better than a raw
628 /// pointer `cast()`, which does not even check that you remain in the
629 /// realm of QOM `ObjectType`s.
630 ///
631 /// `unsafe_cast::<Object>()` is always safe.
unsafe_cast<'a, U: ObjectType>(self) -> &'a U where Self: 'a,632 unsafe fn unsafe_cast<'a, U: ObjectType>(self) -> &'a U
633 where
634 Self: 'a,
635 {
636 unsafe { &*(self.as_ptr::<Self::Target>().cast::<U>()) }
637 }
638 }
639
640 impl<T: ObjectType> ObjectDeref for &T {}
641 impl<T: ObjectType> ObjectCast for &T {}
642
643 impl<T: ObjectType> ObjectDeref for &mut T {}
644
645 /// Trait a type must implement to be registered with QEMU.
646 pub trait ObjectImpl: ObjectType + IsA<Object> {
647 /// The parent of the type. This should match the first field of the
648 /// struct that implements `ObjectImpl`, minus the `ParentField<_>` wrapper.
649 type ParentType: ObjectType;
650
651 /// Whether the object can be instantiated
652 const ABSTRACT: bool = false;
653
654 /// Function that is called to initialize an object. The parent class will
655 /// have already been initialized so the type is only responsible for
656 /// initializing its own members.
657 ///
658 /// FIXME: The argument is not really a valid reference. `&mut
659 /// MaybeUninit<Self>` would be a better description.
660 const INSTANCE_INIT: Option<unsafe fn(ParentInit<Self>)> = None;
661
662 /// Function that is called to finish initialization of an object, once
663 /// `INSTANCE_INIT` functions have been called.
664 const INSTANCE_POST_INIT: Option<fn(&Self)> = None;
665
666 /// Called on descendant classes after all parent class initialization
667 /// has occurred, but before the class itself is initialized. This
668 /// is only useful if a class is not a leaf, and can be used to undo
669 /// the effects of copying the contents of the parent's class struct
670 /// to the descendants.
671 const CLASS_BASE_INIT: Option<
672 unsafe extern "C" fn(klass: *mut ObjectClass, data: *const c_void),
673 > = None;
674
675 const TYPE_INFO: TypeInfo = TypeInfo {
676 name: Self::TYPE_NAME.as_ptr(),
677 parent: Self::ParentType::TYPE_NAME.as_ptr(),
678 instance_size: core::mem::size_of::<Self>(),
679 instance_align: core::mem::align_of::<Self>(),
680 instance_init: match Self::INSTANCE_INIT {
681 None => None,
682 Some(_) => Some(rust_instance_init::<Self>),
683 },
684 instance_post_init: match Self::INSTANCE_POST_INIT {
685 None => None,
686 Some(_) => Some(rust_instance_post_init::<Self>),
687 },
688 instance_finalize: Some(drop_object::<Self>),
689 abstract_: Self::ABSTRACT,
690 class_size: core::mem::size_of::<Self::Class>(),
691 class_init: Some(rust_class_init::<Self>),
692 class_base_init: Self::CLASS_BASE_INIT,
693 class_data: core::ptr::null(),
694 interfaces: core::ptr::null(),
695 };
696
697 // methods on ObjectClass
698 const UNPARENT: Option<fn(&Self)> = None;
699
700 /// Store into the argument the virtual method implementations
701 /// for `Self`. On entry, the virtual method pointers are set to
702 /// the default values coming from the parent classes; the function
703 /// can change them to override virtual methods of a parent class.
704 ///
705 /// Usually defined simply as `Self::Class::class_init::<Self>`;
706 /// however a default implementation cannot be included here, because the
707 /// bounds that the `Self::Class::class_init` method places on `Self` are
708 /// not known in advance.
709 ///
710 /// # Safety
711 ///
712 /// While `klass`'s parent class is initialized on entry, the other fields
713 /// are all zero; it is therefore assumed that all fields in `T` can be
714 /// zeroed, otherwise it would not be possible to provide the class as a
715 /// `&mut T`. TODO: it may be possible to add an unsafe trait that checks
716 /// that all fields *after the parent class* (but not the parent class
717 /// itself) are Zeroable. This unsafe trait can be added via a derive
718 /// macro.
719 const CLASS_INIT: fn(&mut Self::Class);
720 }
721
722 /// # Safety
723 ///
724 /// We expect the FFI user of this function to pass a valid pointer that
725 /// can be downcasted to type `T`. We also expect the device is
726 /// readable/writeable from one thread at any time.
rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object)727 unsafe extern "C" fn rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object) {
728 let state = NonNull::new(dev).unwrap().cast::<T>();
729 T::UNPARENT.unwrap()(unsafe { state.as_ref() });
730 }
731
732 impl ObjectClass {
733 /// Fill in the virtual methods of `ObjectClass` based on the definitions in
734 /// the `ObjectImpl` trait.
class_init<T: ObjectImpl>(&mut self)735 pub fn class_init<T: ObjectImpl>(&mut self) {
736 if <T as ObjectImpl>::UNPARENT.is_some() {
737 self.unparent = Some(rust_unparent_fn::<T>);
738 }
739 }
740 }
741
742 unsafe impl ObjectType for Object {
743 type Class = ObjectClass;
744 const TYPE_NAME: &'static CStr =
745 unsafe { CStr::from_bytes_with_nul_unchecked(bindings::TYPE_OBJECT) };
746 }
747
748 /// A reference-counted pointer to a QOM object.
749 ///
750 /// `Owned<T>` wraps `T` with automatic reference counting. It increases the
751 /// reference count when created via [`Owned::from`] or cloned, and decreases
752 /// it when dropped. This ensures that the reference count remains elevated
753 /// as long as any `Owned<T>` references to it exist.
754 ///
755 /// `Owned<T>` can be used for two reasons:
756 /// * because the lifetime of the QOM object is unknown and someone else could
757 /// take a reference (similar to `Arc<T>`, for example): in this case, the
758 /// object can escape and outlive the Rust struct that contains the `Owned<T>`
759 /// field;
760 ///
761 /// * to ensure that the object stays alive until after `Drop::drop` is called
762 /// on the Rust struct: in this case, the object will always die together with
763 /// the Rust struct that contains the `Owned<T>` field.
764 ///
765 /// Child properties are an example of the second case: in C, an object that
766 /// is created with `object_initialize_child` will die *before*
767 /// `instance_finalize` is called, whereas Rust expects the struct to have valid
768 /// contents when `Drop::drop` is called. Therefore Rust structs that have
769 /// child properties need to keep a reference to the child object. Right now
770 /// this can be done with `Owned<T>`; in the future one might have a separate
771 /// `Child<'parent, T>` smart pointer that keeps a reference to a `T`, like
772 /// `Owned`, but does not allow cloning.
773 ///
774 /// Note that dropping an `Owned<T>` requires the big QEMU lock to be taken.
775 #[repr(transparent)]
776 #[derive(PartialEq, Eq, Hash, PartialOrd, Ord)]
777 pub struct Owned<T: ObjectType>(NonNull<T>);
778
779 // The following rationale for safety is taken from Linux's kernel::sync::Arc.
780
781 // SAFETY: It is safe to send `Owned<T>` to another thread when the underlying
782 // `T` is `Sync` because it effectively means sharing `&T` (which is safe
783 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
784 // thread that has an `Owned<T>` may ultimately access `T` using a
785 // mutable reference when the reference count reaches zero and `T` is dropped.
786 unsafe impl<T: ObjectType + Send + Sync> Send for Owned<T> {}
787
788 // SAFETY: It is safe to send `&Owned<T>` to another thread when the underlying
789 // `T` is `Sync` because it effectively means sharing `&T` (which is safe
790 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
791 // thread that has a `&Owned<T>` may clone it and get an `Owned<T>` on that
792 // thread, so the thread may ultimately access `T` using a mutable reference
793 // when the reference count reaches zero and `T` is dropped.
794 unsafe impl<T: ObjectType + Sync + Send> Sync for Owned<T> {}
795
796 impl<T: ObjectType> Owned<T> {
797 /// Convert a raw C pointer into an owned reference to the QOM
798 /// object it points to. The object's reference count will be
799 /// decreased when the `Owned` is dropped.
800 ///
801 /// # Panics
802 ///
803 /// Panics if `ptr` is NULL.
804 ///
805 /// # Safety
806 ///
807 /// The caller must indeed own a reference to the QOM object.
808 /// The object must not be embedded in another unless the outer
809 /// object is guaranteed to have a longer lifetime.
810 ///
811 /// A raw pointer obtained via [`Owned::into_raw()`] can always be passed
812 /// back to `from_raw()` (assuming the original `Owned` was valid!),
813 /// since the owned reference remains there between the calls to
814 /// `into_raw()` and `from_raw()`.
from_raw(ptr: *const T) -> Self815 pub unsafe fn from_raw(ptr: *const T) -> Self {
816 // SAFETY NOTE: while NonNull requires a mutable pointer, only
817 // Deref is implemented so the pointer passed to from_raw
818 // remains const
819 Owned(NonNull::new(ptr.cast_mut()).unwrap())
820 }
821
822 /// Obtain a raw C pointer from a reference. `src` is consumed
823 /// and the reference is leaked.
824 #[allow(clippy::missing_const_for_fn)]
into_raw(src: Owned<T>) -> *mut T825 pub fn into_raw(src: Owned<T>) -> *mut T {
826 let src = ManuallyDrop::new(src);
827 src.0.as_ptr()
828 }
829
830 /// Increase the reference count of a QOM object and return
831 /// a new owned reference to it.
832 ///
833 /// # Safety
834 ///
835 /// The object must not be embedded in another, unless the outer
836 /// object is guaranteed to have a longer lifetime.
from(obj: &T) -> Self837 pub unsafe fn from(obj: &T) -> Self {
838 unsafe {
839 object_ref(obj.as_object_mut_ptr().cast::<c_void>());
840
841 // SAFETY NOTE: while NonNull requires a mutable pointer, only
842 // Deref is implemented so the reference passed to from_raw
843 // remains shared
844 Owned(NonNull::new_unchecked(obj.as_mut_ptr()))
845 }
846 }
847 }
848
849 impl<T: ObjectType> Clone for Owned<T> {
clone(&self) -> Self850 fn clone(&self) -> Self {
851 // SAFETY: creation method is unsafe; whoever calls it has
852 // responsibility that the pointer is valid, and remains valid
853 // throughout the lifetime of the `Owned<T>` and its clones.
854 unsafe { Owned::from(self.deref()) }
855 }
856 }
857
858 impl<T: ObjectType> Deref for Owned<T> {
859 type Target = T;
860
deref(&self) -> &Self::Target861 fn deref(&self) -> &Self::Target {
862 // SAFETY: creation method is unsafe; whoever calls it has
863 // responsibility that the pointer is valid, and remains valid
864 // throughout the lifetime of the `Owned<T>` and its clones.
865 // With that guarantee, reference counting ensures that
866 // the object remains alive.
867 unsafe { &*self.0.as_ptr() }
868 }
869 }
870 impl<T: ObjectType> ObjectDeref for Owned<T> {}
871
872 impl<T: ObjectType> Drop for Owned<T> {
drop(&mut self)873 fn drop(&mut self) {
874 assert!(bql_locked());
875 // SAFETY: creation method is unsafe, and whoever calls it has
876 // responsibility that the pointer is valid, and remains valid
877 // throughout the lifetime of the `Owned<T>` and its clones.
878 unsafe {
879 object_unref(self.as_object_mut_ptr().cast::<c_void>());
880 }
881 }
882 }
883
884 impl<T: IsA<Object>> fmt::Debug for Owned<T> {
fmt(&self, f: &mut fmt::Formatter) -> fmt::Result885 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
886 self.deref().debug_fmt(f)
887 }
888 }
889
890 /// Trait for class methods exposed by the Object class. The methods can be
891 /// called on all objects that have the trait `IsA<Object>`.
892 ///
893 /// The trait should only be used through the blanket implementation,
894 /// which guarantees safety via `IsA`
895 pub trait ObjectClassMethods: IsA<Object> {
896 /// Return a new reference counted instance of this class
new() -> Owned<Self>897 fn new() -> Owned<Self> {
898 assert!(bql_locked());
899 // SAFETY: the object created by object_new is allocated on
900 // the heap and has a reference count of 1
901 unsafe {
902 let raw_obj = object_new(Self::TYPE_NAME.as_ptr());
903 let obj = Object::from_raw(raw_obj).unsafe_cast::<Self>();
904 Owned::from_raw(obj)
905 }
906 }
907 }
908
909 /// Trait for methods exposed by the Object class. The methods can be
910 /// called on all objects that have the trait `IsA<Object>`.
911 ///
912 /// The trait should only be used through the blanket implementation,
913 /// which guarantees safety via `IsA`
914 pub trait ObjectMethods: ObjectDeref
915 where
916 Self::Target: IsA<Object>,
917 {
918 /// Return the name of the type of `self`
typename(&self) -> std::borrow::Cow<'_, str>919 fn typename(&self) -> std::borrow::Cow<'_, str> {
920 let obj = self.upcast::<Object>();
921 // SAFETY: safety of this is the requirement for implementing IsA
922 // The result of the C API has static lifetime
923 unsafe {
924 let p = object_get_typename(obj.as_mut_ptr());
925 CStr::from_ptr(p).to_string_lossy()
926 }
927 }
928
get_class(&self) -> &'static <Self::Target as ObjectType>::Class929 fn get_class(&self) -> &'static <Self::Target as ObjectType>::Class {
930 let obj = self.upcast::<Object>();
931
932 // SAFETY: all objects can call object_get_class; the actual class
933 // type is guaranteed by the implementation of `ObjectType` and
934 // `ObjectImpl`.
935 let klass: &'static <Self::Target as ObjectType>::Class =
936 unsafe { &*object_get_class(obj.as_mut_ptr()).cast() };
937
938 klass
939 }
940
941 /// Convenience function for implementing the Debug trait
debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result942 fn debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
943 f.debug_tuple(&self.typename())
944 .field(&(self as *const Self))
945 .finish()
946 }
947 }
948
949 impl<T> ObjectClassMethods for T where T: IsA<Object> {}
950 impl<R: ObjectDeref> ObjectMethods for R where R::Target: IsA<Object> {}
951