1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2024 Google LLC. 4 5 //! A linked list implementation. 6 7 // May not be needed in Rust 1.87.0 (pending beta backport). 8 #![allow(clippy::ptr_eq)] 9 10 use crate::sync::ArcBorrow; 11 use crate::types::Opaque; 12 use core::iter::{DoubleEndedIterator, FusedIterator}; 13 use core::marker::PhantomData; 14 use core::ptr; 15 use pin_init::PinInit; 16 17 mod impl_list_item_mod; 18 pub use self::impl_list_item_mod::{ 19 impl_has_list_links, impl_has_list_links_self_ptr, impl_list_item, HasListLinks, HasSelfPtr, 20 }; 21 22 mod arc; 23 pub use self::arc::{impl_list_arc_safe, AtomicTracker, ListArc, ListArcSafe, TryNewListArc}; 24 25 mod arc_field; 26 pub use self::arc_field::{define_list_arc_field_getter, ListArcField}; 27 28 /// A linked list. 29 /// 30 /// All elements in this linked list will be [`ListArc`] references to the value. Since a value can 31 /// only have one `ListArc` (for each pair of prev/next pointers), this ensures that the same 32 /// prev/next pointers are not used for several linked lists. 33 /// 34 /// # Invariants 35 /// 36 /// * If the list is empty, then `first` is null. Otherwise, `first` points at the `ListLinks` 37 /// field of the first element in the list. 38 /// * All prev/next pointers in `ListLinks` fields of items in the list are valid and form a cycle. 39 /// * For every item in the list, the list owns the associated [`ListArc`] reference and has 40 /// exclusive access to the `ListLinks` field. 41 pub struct List<T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 42 first: *mut ListLinksFields, 43 _ty: PhantomData<ListArc<T, ID>>, 44 } 45 46 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same 47 // type of access to the `ListArc<T, ID>` elements. 48 unsafe impl<T, const ID: u64> Send for List<T, ID> 49 where 50 ListArc<T, ID>: Send, 51 T: ?Sized + ListItem<ID>, 52 { 53 } 54 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same 55 // type of access to the `ListArc<T, ID>` elements. 56 unsafe impl<T, const ID: u64> Sync for List<T, ID> 57 where 58 ListArc<T, ID>: Sync, 59 T: ?Sized + ListItem<ID>, 60 { 61 } 62 63 /// Implemented by types where a [`ListArc<Self>`] can be inserted into a [`List`]. 64 /// 65 /// # Safety 66 /// 67 /// Implementers must ensure that they provide the guarantees documented on methods provided by 68 /// this trait. 69 /// 70 /// [`ListArc<Self>`]: ListArc 71 pub unsafe trait ListItem<const ID: u64 = 0>: ListArcSafe<ID> { 72 /// Views the [`ListLinks`] for this value. 73 /// 74 /// # Guarantees 75 /// 76 /// If there is a previous call to `prepare_to_insert` and there is no call to `post_remove` 77 /// since the most recent such call, then this returns the same pointer as the one returned by 78 /// the most recent call to `prepare_to_insert`. 79 /// 80 /// Otherwise, the returned pointer points at a read-only [`ListLinks`] with two null pointers. 81 /// 82 /// # Safety 83 /// 84 /// The provided pointer must point at a valid value. (It need not be in an `Arc`.) view_links(me: *const Self) -> *mut ListLinks<ID>85 unsafe fn view_links(me: *const Self) -> *mut ListLinks<ID>; 86 87 /// View the full value given its [`ListLinks`] field. 88 /// 89 /// Can only be used when the value is in a list. 90 /// 91 /// # Guarantees 92 /// 93 /// * Returns the same pointer as the one passed to the most recent call to `prepare_to_insert`. 94 /// * The returned pointer is valid until the next call to `post_remove`. 95 /// 96 /// # Safety 97 /// 98 /// * The provided pointer must originate from the most recent call to `prepare_to_insert`, or 99 /// from a call to `view_links` that happened after the most recent call to 100 /// `prepare_to_insert`. 101 /// * Since the most recent call to `prepare_to_insert`, the `post_remove` method must not have 102 /// been called. view_value(me: *mut ListLinks<ID>) -> *const Self103 unsafe fn view_value(me: *mut ListLinks<ID>) -> *const Self; 104 105 /// This is called when an item is inserted into a [`List`]. 106 /// 107 /// # Guarantees 108 /// 109 /// The caller is granted exclusive access to the returned [`ListLinks`] until `post_remove` is 110 /// called. 111 /// 112 /// # Safety 113 /// 114 /// * The provided pointer must point at a valid value in an [`Arc`]. 115 /// * Calls to `prepare_to_insert` and `post_remove` on the same value must alternate. 116 /// * The caller must own the [`ListArc`] for this value. 117 /// * The caller must not give up ownership of the [`ListArc`] unless `post_remove` has been 118 /// called after this call to `prepare_to_insert`. 119 /// 120 /// [`Arc`]: crate::sync::Arc prepare_to_insert(me: *const Self) -> *mut ListLinks<ID>121 unsafe fn prepare_to_insert(me: *const Self) -> *mut ListLinks<ID>; 122 123 /// This undoes a previous call to `prepare_to_insert`. 124 /// 125 /// # Guarantees 126 /// 127 /// The returned pointer is the pointer that was originally passed to `prepare_to_insert`. 128 /// 129 /// # Safety 130 /// 131 /// The provided pointer must be the pointer returned by the most recent call to 132 /// `prepare_to_insert`. post_remove(me: *mut ListLinks<ID>) -> *const Self133 unsafe fn post_remove(me: *mut ListLinks<ID>) -> *const Self; 134 } 135 136 #[repr(C)] 137 #[derive(Copy, Clone)] 138 struct ListLinksFields { 139 next: *mut ListLinksFields, 140 prev: *mut ListLinksFields, 141 } 142 143 /// The prev/next pointers for an item in a linked list. 144 /// 145 /// # Invariants 146 /// 147 /// The fields are null if and only if this item is not in a list. 148 #[repr(transparent)] 149 pub struct ListLinks<const ID: u64 = 0> { 150 // This type is `!Unpin` for aliasing reasons as the pointers are part of an intrusive linked 151 // list. 152 inner: Opaque<ListLinksFields>, 153 } 154 155 // SAFETY: The only way to access/modify the pointers inside of `ListLinks<ID>` is via holding the 156 // associated `ListArc<T, ID>`. Since that type correctly implements `Send`, it is impossible to 157 // move this an instance of this type to a different thread if the pointees are `!Send`. 158 unsafe impl<const ID: u64> Send for ListLinks<ID> {} 159 // SAFETY: The type is opaque so immutable references to a ListLinks are useless. Therefore, it's 160 // okay to have immutable access to a ListLinks from several threads at once. 161 unsafe impl<const ID: u64> Sync for ListLinks<ID> {} 162 163 impl<const ID: u64> ListLinks<ID> { 164 /// Creates a new initializer for this type. new() -> impl PinInit<Self>165 pub fn new() -> impl PinInit<Self> { 166 // INVARIANT: Pin-init initializers can't be used on an existing `Arc`, so this value will 167 // not be constructed in an `Arc` that already has a `ListArc`. 168 ListLinks { 169 inner: Opaque::new(ListLinksFields { 170 prev: ptr::null_mut(), 171 next: ptr::null_mut(), 172 }), 173 } 174 } 175 176 /// # Safety 177 /// 178 /// `me` must be dereferenceable. 179 #[inline] fields(me: *mut Self) -> *mut ListLinksFields180 unsafe fn fields(me: *mut Self) -> *mut ListLinksFields { 181 // SAFETY: The caller promises that the pointer is valid. 182 unsafe { Opaque::raw_get(ptr::addr_of!((*me).inner)) } 183 } 184 185 /// # Safety 186 /// 187 /// `me` must be dereferenceable. 188 #[inline] from_fields(me: *mut ListLinksFields) -> *mut Self189 unsafe fn from_fields(me: *mut ListLinksFields) -> *mut Self { 190 me.cast() 191 } 192 } 193 194 /// Similar to [`ListLinks`], but also contains a pointer to the full value. 195 /// 196 /// This type can be used instead of [`ListLinks`] to support lists with trait objects. 197 #[repr(C)] 198 pub struct ListLinksSelfPtr<T: ?Sized, const ID: u64 = 0> { 199 /// The `ListLinks` field inside this value. 200 /// 201 /// This is public so that it can be used with `impl_has_list_links!`. 202 pub inner: ListLinks<ID>, 203 // UnsafeCell is not enough here because we use `Opaque::uninit` as a dummy value, and 204 // `ptr::null()` doesn't work for `T: ?Sized`. 205 self_ptr: Opaque<*const T>, 206 } 207 208 // SAFETY: The fields of a ListLinksSelfPtr can be moved across thread boundaries. 209 unsafe impl<T: ?Sized + Send, const ID: u64> Send for ListLinksSelfPtr<T, ID> {} 210 // SAFETY: The type is opaque so immutable references to a ListLinksSelfPtr are useless. Therefore, 211 // it's okay to have immutable access to a ListLinks from several threads at once. 212 // 213 // Note that `inner` being a public field does not prevent this type from being opaque, since 214 // `inner` is a opaque type. 215 unsafe impl<T: ?Sized + Sync, const ID: u64> Sync for ListLinksSelfPtr<T, ID> {} 216 217 impl<T: ?Sized, const ID: u64> ListLinksSelfPtr<T, ID> { 218 /// The offset from the [`ListLinks`] to the self pointer field. 219 pub const LIST_LINKS_SELF_PTR_OFFSET: usize = core::mem::offset_of!(Self, self_ptr); 220 221 /// Creates a new initializer for this type. new() -> impl PinInit<Self>222 pub fn new() -> impl PinInit<Self> { 223 // INVARIANT: Pin-init initializers can't be used on an existing `Arc`, so this value will 224 // not be constructed in an `Arc` that already has a `ListArc`. 225 Self { 226 inner: ListLinks { 227 inner: Opaque::new(ListLinksFields { 228 prev: ptr::null_mut(), 229 next: ptr::null_mut(), 230 }), 231 }, 232 self_ptr: Opaque::uninit(), 233 } 234 } 235 } 236 237 impl<T: ?Sized + ListItem<ID>, const ID: u64> List<T, ID> { 238 /// Creates a new empty list. new() -> Self239 pub const fn new() -> Self { 240 Self { 241 first: ptr::null_mut(), 242 _ty: PhantomData, 243 } 244 } 245 246 /// Returns whether this list is empty. is_empty(&self) -> bool247 pub fn is_empty(&self) -> bool { 248 self.first.is_null() 249 } 250 251 /// Inserts `item` before `next` in the cycle. 252 /// 253 /// Returns a pointer to the newly inserted element. Never changes `self.first` unless the list 254 /// is empty. 255 /// 256 /// # Safety 257 /// 258 /// * `next` must be an element in this list or null. 259 /// * if `next` is null, then the list must be empty. insert_inner( &mut self, item: ListArc<T, ID>, next: *mut ListLinksFields, ) -> *mut ListLinksFields260 unsafe fn insert_inner( 261 &mut self, 262 item: ListArc<T, ID>, 263 next: *mut ListLinksFields, 264 ) -> *mut ListLinksFields { 265 let raw_item = ListArc::into_raw(item); 266 // SAFETY: 267 // * We just got `raw_item` from a `ListArc`, so it's in an `Arc`. 268 // * Since we have ownership of the `ListArc`, `post_remove` must have been called after 269 // the most recent call to `prepare_to_insert`, if any. 270 // * We own the `ListArc`. 271 // * Removing items from this list is always done using `remove_internal_inner`, which 272 // calls `post_remove` before giving up ownership. 273 let list_links = unsafe { T::prepare_to_insert(raw_item) }; 274 // SAFETY: We have not yet called `post_remove`, so `list_links` is still valid. 275 let item = unsafe { ListLinks::fields(list_links) }; 276 277 // Check if the list is empty. 278 if next.is_null() { 279 // SAFETY: The caller just gave us ownership of these fields. 280 // INVARIANT: A linked list with one item should be cyclic. 281 unsafe { 282 (*item).next = item; 283 (*item).prev = item; 284 } 285 self.first = item; 286 } else { 287 // SAFETY: By the type invariant, this pointer is valid or null. We just checked that 288 // it's not null, so it must be valid. 289 let prev = unsafe { (*next).prev }; 290 // SAFETY: Pointers in a linked list are never dangling, and the caller just gave us 291 // ownership of the fields on `item`. 292 // INVARIANT: This correctly inserts `item` between `prev` and `next`. 293 unsafe { 294 (*item).next = next; 295 (*item).prev = prev; 296 (*prev).next = item; 297 (*next).prev = item; 298 } 299 } 300 301 item 302 } 303 304 /// Add the provided item to the back of the list. push_back(&mut self, item: ListArc<T, ID>)305 pub fn push_back(&mut self, item: ListArc<T, ID>) { 306 // SAFETY: 307 // * `self.first` is null or in the list. 308 // * `self.first` is only null if the list is empty. 309 unsafe { self.insert_inner(item, self.first) }; 310 } 311 312 /// Add the provided item to the front of the list. push_front(&mut self, item: ListArc<T, ID>)313 pub fn push_front(&mut self, item: ListArc<T, ID>) { 314 // SAFETY: 315 // * `self.first` is null or in the list. 316 // * `self.first` is only null if the list is empty. 317 let new_elem = unsafe { self.insert_inner(item, self.first) }; 318 319 // INVARIANT: `new_elem` is in the list because we just inserted it. 320 self.first = new_elem; 321 } 322 323 /// Removes the last item from this list. pop_back(&mut self) -> Option<ListArc<T, ID>>324 pub fn pop_back(&mut self) -> Option<ListArc<T, ID>> { 325 if self.first.is_null() { 326 return None; 327 } 328 329 // SAFETY: We just checked that the list is not empty. 330 let last = unsafe { (*self.first).prev }; 331 // SAFETY: The last item of this list is in this list. 332 Some(unsafe { self.remove_internal(last) }) 333 } 334 335 /// Removes the first item from this list. pop_front(&mut self) -> Option<ListArc<T, ID>>336 pub fn pop_front(&mut self) -> Option<ListArc<T, ID>> { 337 if self.first.is_null() { 338 return None; 339 } 340 341 // SAFETY: The first item of this list is in this list. 342 Some(unsafe { self.remove_internal(self.first) }) 343 } 344 345 /// Removes the provided item from this list and returns it. 346 /// 347 /// This returns `None` if the item is not in the list. (Note that by the safety requirements, 348 /// this means that the item is not in any list.) 349 /// 350 /// # Safety 351 /// 352 /// `item` must not be in a different linked list (with the same id). remove(&mut self, item: &T) -> Option<ListArc<T, ID>>353 pub unsafe fn remove(&mut self, item: &T) -> Option<ListArc<T, ID>> { 354 // SAFETY: TODO. 355 let mut item = unsafe { ListLinks::fields(T::view_links(item)) }; 356 // SAFETY: The user provided a reference, and reference are never dangling. 357 // 358 // As for why this is not a data race, there are two cases: 359 // 360 // * If `item` is not in any list, then these fields are read-only and null. 361 // * If `item` is in this list, then we have exclusive access to these fields since we 362 // have a mutable reference to the list. 363 // 364 // In either case, there's no race. 365 let ListLinksFields { next, prev } = unsafe { *item }; 366 367 debug_assert_eq!(next.is_null(), prev.is_null()); 368 if !next.is_null() { 369 // This is really a no-op, but this ensures that `item` is a raw pointer that was 370 // obtained without going through a pointer->reference->pointer conversion roundtrip. 371 // This ensures that the list is valid under the more restrictive strict provenance 372 // ruleset. 373 // 374 // SAFETY: We just checked that `next` is not null, and it's not dangling by the 375 // list invariants. 376 unsafe { 377 debug_assert_eq!(item, (*next).prev); 378 item = (*next).prev; 379 } 380 381 // SAFETY: We just checked that `item` is in a list, so the caller guarantees that it 382 // is in this list. The pointers are in the right order. 383 Some(unsafe { self.remove_internal_inner(item, next, prev) }) 384 } else { 385 None 386 } 387 } 388 389 /// Removes the provided item from the list. 390 /// 391 /// # Safety 392 /// 393 /// `item` must point at an item in this list. remove_internal(&mut self, item: *mut ListLinksFields) -> ListArc<T, ID>394 unsafe fn remove_internal(&mut self, item: *mut ListLinksFields) -> ListArc<T, ID> { 395 // SAFETY: The caller promises that this pointer is not dangling, and there's no data race 396 // since we have a mutable reference to the list containing `item`. 397 let ListLinksFields { next, prev } = unsafe { *item }; 398 // SAFETY: The pointers are ok and in the right order. 399 unsafe { self.remove_internal_inner(item, next, prev) } 400 } 401 402 /// Removes the provided item from the list. 403 /// 404 /// # Safety 405 /// 406 /// The `item` pointer must point at an item in this list, and we must have `(*item).next == 407 /// next` and `(*item).prev == prev`. remove_internal_inner( &mut self, item: *mut ListLinksFields, next: *mut ListLinksFields, prev: *mut ListLinksFields, ) -> ListArc<T, ID>408 unsafe fn remove_internal_inner( 409 &mut self, 410 item: *mut ListLinksFields, 411 next: *mut ListLinksFields, 412 prev: *mut ListLinksFields, 413 ) -> ListArc<T, ID> { 414 // SAFETY: We have exclusive access to the pointers of items in the list, and the prev/next 415 // pointers are always valid for items in a list. 416 // 417 // INVARIANT: There are three cases: 418 // * If the list has at least three items, then after removing the item, `prev` and `next` 419 // will be next to each other. 420 // * If the list has two items, then the remaining item will point at itself. 421 // * If the list has one item, then `next == prev == item`, so these writes have no 422 // effect. The list remains unchanged and `item` is still in the list for now. 423 unsafe { 424 (*next).prev = prev; 425 (*prev).next = next; 426 } 427 // SAFETY: We have exclusive access to items in the list. 428 // INVARIANT: `item` is being removed, so the pointers should be null. 429 unsafe { 430 (*item).prev = ptr::null_mut(); 431 (*item).next = ptr::null_mut(); 432 } 433 // INVARIANT: There are three cases: 434 // * If `item` was not the first item, then `self.first` should remain unchanged. 435 // * If `item` was the first item and there is another item, then we just updated 436 // `prev->next` to `next`, which is the new first item, and setting `item->next` to null 437 // did not modify `prev->next`. 438 // * If `item` was the only item in the list, then `prev == item`, and we just set 439 // `item->next` to null, so this correctly sets `first` to null now that the list is 440 // empty. 441 if self.first == item { 442 // SAFETY: The `prev` pointer is the value that `item->prev` had when it was in this 443 // list, so it must be valid. There is no race since `prev` is still in the list and we 444 // still have exclusive access to the list. 445 self.first = unsafe { (*prev).next }; 446 } 447 448 // SAFETY: `item` used to be in the list, so it is dereferenceable by the type invariants 449 // of `List`. 450 let list_links = unsafe { ListLinks::from_fields(item) }; 451 // SAFETY: Any pointer in the list originates from a `prepare_to_insert` call. 452 let raw_item = unsafe { T::post_remove(list_links) }; 453 // SAFETY: The above call to `post_remove` guarantees that we can recreate the `ListArc`. 454 unsafe { ListArc::from_raw(raw_item) } 455 } 456 457 /// Moves all items from `other` into `self`. 458 /// 459 /// The items of `other` are added to the back of `self`, so the last item of `other` becomes 460 /// the last item of `self`. push_all_back(&mut self, other: &mut List<T, ID>)461 pub fn push_all_back(&mut self, other: &mut List<T, ID>) { 462 // First, we insert the elements into `self`. At the end, we make `other` empty. 463 if self.is_empty() { 464 // INVARIANT: All of the elements in `other` become elements of `self`. 465 self.first = other.first; 466 } else if !other.is_empty() { 467 let other_first = other.first; 468 // SAFETY: The other list is not empty, so this pointer is valid. 469 let other_last = unsafe { (*other_first).prev }; 470 let self_first = self.first; 471 // SAFETY: The self list is not empty, so this pointer is valid. 472 let self_last = unsafe { (*self_first).prev }; 473 474 // SAFETY: We have exclusive access to both lists, so we can update the pointers. 475 // INVARIANT: This correctly sets the pointers to merge both lists. We do not need to 476 // update `self.first` because the first element of `self` does not change. 477 unsafe { 478 (*self_first).prev = other_last; 479 (*other_last).next = self_first; 480 (*self_last).next = other_first; 481 (*other_first).prev = self_last; 482 } 483 } 484 485 // INVARIANT: The other list is now empty, so update its pointer. 486 other.first = ptr::null_mut(); 487 } 488 489 /// Returns a cursor that points before the first element of the list. cursor_front(&mut self) -> Cursor<'_, T, ID>490 pub fn cursor_front(&mut self) -> Cursor<'_, T, ID> { 491 // INVARIANT: `self.first` is in this list. 492 Cursor { 493 next: self.first, 494 list: self, 495 } 496 } 497 498 /// Returns a cursor that points after the last element in the list. cursor_back(&mut self) -> Cursor<'_, T, ID>499 pub fn cursor_back(&mut self) -> Cursor<'_, T, ID> { 500 // INVARIANT: `next` is allowed to be null. 501 Cursor { 502 next: core::ptr::null_mut(), 503 list: self, 504 } 505 } 506 507 /// Creates an iterator over the list. iter(&self) -> Iter<'_, T, ID>508 pub fn iter(&self) -> Iter<'_, T, ID> { 509 // INVARIANT: If the list is empty, both pointers are null. Otherwise, both pointers point 510 // at the first element of the same list. 511 Iter { 512 current: self.first, 513 stop: self.first, 514 _ty: PhantomData, 515 } 516 } 517 } 518 519 impl<T: ?Sized + ListItem<ID>, const ID: u64> Default for List<T, ID> { default() -> Self520 fn default() -> Self { 521 List::new() 522 } 523 } 524 525 impl<T: ?Sized + ListItem<ID>, const ID: u64> Drop for List<T, ID> { drop(&mut self)526 fn drop(&mut self) { 527 while let Some(item) = self.pop_front() { 528 drop(item); 529 } 530 } 531 } 532 533 /// An iterator over a [`List`]. 534 /// 535 /// # Invariants 536 /// 537 /// * There must be a [`List`] that is immutably borrowed for the duration of `'a`. 538 /// * The `current` pointer is null or points at a value in that [`List`]. 539 /// * The `stop` pointer is equal to the `first` field of that [`List`]. 540 #[derive(Clone)] 541 pub struct Iter<'a, T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 542 current: *mut ListLinksFields, 543 stop: *mut ListLinksFields, 544 _ty: PhantomData<&'a ListArc<T, ID>>, 545 } 546 547 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> Iterator for Iter<'a, T, ID> { 548 type Item = ArcBorrow<'a, T>; 549 next(&mut self) -> Option<ArcBorrow<'a, T>>550 fn next(&mut self) -> Option<ArcBorrow<'a, T>> { 551 if self.current.is_null() { 552 return None; 553 } 554 555 let current = self.current; 556 557 // SAFETY: We just checked that `current` is not null, so it is in a list, and hence not 558 // dangling. There's no race because the iterator holds an immutable borrow to the list. 559 let next = unsafe { (*current).next }; 560 // INVARIANT: If `current` was the last element of the list, then this updates it to null. 561 // Otherwise, we update it to the next element. 562 self.current = if next != self.stop { 563 next 564 } else { 565 ptr::null_mut() 566 }; 567 568 // SAFETY: The `current` pointer points at a value in the list. 569 let item = unsafe { T::view_value(ListLinks::from_fields(current)) }; 570 // SAFETY: 571 // * All values in a list are stored in an `Arc`. 572 // * The value cannot be removed from the list for the duration of the lifetime annotated 573 // on the returned `ArcBorrow`, because removing it from the list would require mutable 574 // access to the list. However, the `ArcBorrow` is annotated with the iterator's 575 // lifetime, and the list is immutably borrowed for that lifetime. 576 // * Values in a list never have a `UniqueArc` reference. 577 Some(unsafe { ArcBorrow::from_raw(item) }) 578 } 579 } 580 581 /// A cursor into a [`List`]. 582 /// 583 /// A cursor always rests between two elements in the list. This means that a cursor has a previous 584 /// and next element, but no current element. It also means that it's possible to have a cursor 585 /// into an empty list. 586 /// 587 /// # Examples 588 /// 589 /// ``` 590 /// use kernel::prelude::*; 591 /// use kernel::list::{List, ListArc, ListLinks}; 592 /// 593 /// #[pin_data] 594 /// struct ListItem { 595 /// value: u32, 596 /// #[pin] 597 /// links: ListLinks, 598 /// } 599 /// 600 /// impl ListItem { 601 /// fn new(value: u32) -> Result<ListArc<Self>> { 602 /// ListArc::pin_init(try_pin_init!(Self { 603 /// value, 604 /// links <- ListLinks::new(), 605 /// }), GFP_KERNEL) 606 /// } 607 /// } 608 /// 609 /// kernel::list::impl_has_list_links! { 610 /// impl HasListLinks<0> for ListItem { self.links } 611 /// } 612 /// kernel::list::impl_list_arc_safe! { 613 /// impl ListArcSafe<0> for ListItem { untracked; } 614 /// } 615 /// kernel::list::impl_list_item! { 616 /// impl ListItem<0> for ListItem { using ListLinks; } 617 /// } 618 /// 619 /// // Use a cursor to remove the first element with the given value. 620 /// fn remove_first(list: &mut List<ListItem>, value: u32) -> Option<ListArc<ListItem>> { 621 /// let mut cursor = list.cursor_front(); 622 /// while let Some(next) = cursor.peek_next() { 623 /// if next.value == value { 624 /// return Some(next.remove()); 625 /// } 626 /// cursor.move_next(); 627 /// } 628 /// None 629 /// } 630 /// 631 /// // Use a cursor to remove the last element with the given value. 632 /// fn remove_last(list: &mut List<ListItem>, value: u32) -> Option<ListArc<ListItem>> { 633 /// let mut cursor = list.cursor_back(); 634 /// while let Some(prev) = cursor.peek_prev() { 635 /// if prev.value == value { 636 /// return Some(prev.remove()); 637 /// } 638 /// cursor.move_prev(); 639 /// } 640 /// None 641 /// } 642 /// 643 /// // Use a cursor to remove all elements with the given value. The removed elements are moved to 644 /// // a new list. 645 /// fn remove_all(list: &mut List<ListItem>, value: u32) -> List<ListItem> { 646 /// let mut out = List::new(); 647 /// let mut cursor = list.cursor_front(); 648 /// while let Some(next) = cursor.peek_next() { 649 /// if next.value == value { 650 /// out.push_back(next.remove()); 651 /// } else { 652 /// cursor.move_next(); 653 /// } 654 /// } 655 /// out 656 /// } 657 /// 658 /// // Use a cursor to insert a value at a specific index. Returns an error if the index is out of 659 /// // bounds. 660 /// fn insert_at(list: &mut List<ListItem>, new: ListArc<ListItem>, idx: usize) -> Result { 661 /// let mut cursor = list.cursor_front(); 662 /// for _ in 0..idx { 663 /// if !cursor.move_next() { 664 /// return Err(EINVAL); 665 /// } 666 /// } 667 /// cursor.insert_next(new); 668 /// Ok(()) 669 /// } 670 /// 671 /// // Merge two sorted lists into a single sorted list. 672 /// fn merge_sorted(list: &mut List<ListItem>, merge: List<ListItem>) { 673 /// let mut cursor = list.cursor_front(); 674 /// for to_insert in merge { 675 /// while let Some(next) = cursor.peek_next() { 676 /// if to_insert.value < next.value { 677 /// break; 678 /// } 679 /// cursor.move_next(); 680 /// } 681 /// cursor.insert_prev(to_insert); 682 /// } 683 /// } 684 /// 685 /// let mut list = List::new(); 686 /// list.push_back(ListItem::new(14)?); 687 /// list.push_back(ListItem::new(12)?); 688 /// list.push_back(ListItem::new(10)?); 689 /// list.push_back(ListItem::new(12)?); 690 /// list.push_back(ListItem::new(15)?); 691 /// list.push_back(ListItem::new(14)?); 692 /// assert_eq!(remove_all(&mut list, 12).iter().count(), 2); 693 /// // [14, 10, 15, 14] 694 /// assert!(remove_first(&mut list, 14).is_some()); 695 /// // [10, 15, 14] 696 /// insert_at(&mut list, ListItem::new(12)?, 2)?; 697 /// // [10, 15, 12, 14] 698 /// assert!(remove_last(&mut list, 15).is_some()); 699 /// // [10, 12, 14] 700 /// 701 /// let mut list2 = List::new(); 702 /// list2.push_back(ListItem::new(11)?); 703 /// list2.push_back(ListItem::new(13)?); 704 /// merge_sorted(&mut list, list2); 705 /// 706 /// let mut items = list.into_iter(); 707 /// assert_eq!(items.next().unwrap().value, 10); 708 /// assert_eq!(items.next().unwrap().value, 11); 709 /// assert_eq!(items.next().unwrap().value, 12); 710 /// assert_eq!(items.next().unwrap().value, 13); 711 /// assert_eq!(items.next().unwrap().value, 14); 712 /// assert!(items.next().is_none()); 713 /// # Result::<(), Error>::Ok(()) 714 /// ``` 715 /// 716 /// # Invariants 717 /// 718 /// The `next` pointer is null or points a value in `list`. 719 pub struct Cursor<'a, T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 720 list: &'a mut List<T, ID>, 721 /// Points at the element after this cursor, or null if the cursor is after the last element. 722 next: *mut ListLinksFields, 723 } 724 725 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> Cursor<'a, T, ID> { 726 /// Returns a pointer to the element before the cursor. 727 /// 728 /// Returns null if there is no element before the cursor. prev_ptr(&self) -> *mut ListLinksFields729 fn prev_ptr(&self) -> *mut ListLinksFields { 730 let mut next = self.next; 731 let first = self.list.first; 732 if next == first { 733 // We are before the first element. 734 return core::ptr::null_mut(); 735 } 736 737 if next.is_null() { 738 // We are after the last element, so we need a pointer to the last element, which is 739 // the same as `(*first).prev`. 740 next = first; 741 } 742 743 // SAFETY: `next` can't be null, because then `first` must also be null, but in that case 744 // we would have exited at the `next == first` check. Thus, `next` is an element in the 745 // list, so we can access its `prev` pointer. 746 unsafe { (*next).prev } 747 } 748 749 /// Access the element after this cursor. peek_next(&mut self) -> Option<CursorPeek<'_, 'a, T, true, ID>>750 pub fn peek_next(&mut self) -> Option<CursorPeek<'_, 'a, T, true, ID>> { 751 if self.next.is_null() { 752 return None; 753 } 754 755 // INVARIANT: 756 // * We just checked that `self.next` is non-null, so it must be in `self.list`. 757 // * `ptr` is equal to `self.next`. 758 Some(CursorPeek { 759 ptr: self.next, 760 cursor: self, 761 }) 762 } 763 764 /// Access the element before this cursor. peek_prev(&mut self) -> Option<CursorPeek<'_, 'a, T, false, ID>>765 pub fn peek_prev(&mut self) -> Option<CursorPeek<'_, 'a, T, false, ID>> { 766 let prev = self.prev_ptr(); 767 768 if prev.is_null() { 769 return None; 770 } 771 772 // INVARIANT: 773 // * We just checked that `prev` is non-null, so it must be in `self.list`. 774 // * `self.prev_ptr()` never returns `self.next`. 775 Some(CursorPeek { 776 ptr: prev, 777 cursor: self, 778 }) 779 } 780 781 /// Move the cursor one element forward. 782 /// 783 /// If the cursor is after the last element, then this call does nothing. This call returns 784 /// `true` if the cursor's position was changed. move_next(&mut self) -> bool785 pub fn move_next(&mut self) -> bool { 786 if self.next.is_null() { 787 return false; 788 } 789 790 // SAFETY: `self.next` is an element in the list and we borrow the list mutably, so we can 791 // access the `next` field. 792 let mut next = unsafe { (*self.next).next }; 793 794 if next == self.list.first { 795 next = core::ptr::null_mut(); 796 } 797 798 // INVARIANT: `next` is either null or the next element after an element in the list. 799 self.next = next; 800 true 801 } 802 803 /// Move the cursor one element backwards. 804 /// 805 /// If the cursor is before the first element, then this call does nothing. This call returns 806 /// `true` if the cursor's position was changed. move_prev(&mut self) -> bool807 pub fn move_prev(&mut self) -> bool { 808 if self.next == self.list.first { 809 return false; 810 } 811 812 // INVARIANT: `prev_ptr()` always returns a pointer that is null or in the list. 813 self.next = self.prev_ptr(); 814 true 815 } 816 817 /// Inserts an element where the cursor is pointing and get a pointer to the new element. insert_inner(&mut self, item: ListArc<T, ID>) -> *mut ListLinksFields818 fn insert_inner(&mut self, item: ListArc<T, ID>) -> *mut ListLinksFields { 819 let ptr = if self.next.is_null() { 820 self.list.first 821 } else { 822 self.next 823 }; 824 // SAFETY: 825 // * `ptr` is an element in the list or null. 826 // * if `ptr` is null, then `self.list.first` is null so the list is empty. 827 let item = unsafe { self.list.insert_inner(item, ptr) }; 828 if self.next == self.list.first { 829 // INVARIANT: We just inserted `item`, so it's a member of list. 830 self.list.first = item; 831 } 832 item 833 } 834 835 /// Insert an element at this cursor's location. insert(mut self, item: ListArc<T, ID>)836 pub fn insert(mut self, item: ListArc<T, ID>) { 837 // This is identical to `insert_prev`, but consumes the cursor. This is helpful because it 838 // reduces confusion when the last operation on the cursor is an insertion; in that case, 839 // you just want to insert the element at the cursor, and it is confusing that the call 840 // involves the word prev or next. 841 self.insert_inner(item); 842 } 843 844 /// Inserts an element after this cursor. 845 /// 846 /// After insertion, the new element will be after the cursor. insert_next(&mut self, item: ListArc<T, ID>)847 pub fn insert_next(&mut self, item: ListArc<T, ID>) { 848 self.next = self.insert_inner(item); 849 } 850 851 /// Inserts an element before this cursor. 852 /// 853 /// After insertion, the new element will be before the cursor. insert_prev(&mut self, item: ListArc<T, ID>)854 pub fn insert_prev(&mut self, item: ListArc<T, ID>) { 855 self.insert_inner(item); 856 } 857 858 /// Remove the next element from the list. remove_next(&mut self) -> Option<ListArc<T, ID>>859 pub fn remove_next(&mut self) -> Option<ListArc<T, ID>> { 860 self.peek_next().map(|v| v.remove()) 861 } 862 863 /// Remove the previous element from the list. remove_prev(&mut self) -> Option<ListArc<T, ID>>864 pub fn remove_prev(&mut self) -> Option<ListArc<T, ID>> { 865 self.peek_prev().map(|v| v.remove()) 866 } 867 } 868 869 /// References the element in the list next to the cursor. 870 /// 871 /// # Invariants 872 /// 873 /// * `ptr` is an element in `self.cursor.list`. 874 /// * `ISNEXT == (self.ptr == self.cursor.next)`. 875 pub struct CursorPeek<'a, 'b, T: ?Sized + ListItem<ID>, const ISNEXT: bool, const ID: u64> { 876 cursor: &'a mut Cursor<'b, T, ID>, 877 ptr: *mut ListLinksFields, 878 } 879 880 impl<'a, 'b, T: ?Sized + ListItem<ID>, const ISNEXT: bool, const ID: u64> 881 CursorPeek<'a, 'b, T, ISNEXT, ID> 882 { 883 /// Remove the element from the list. remove(self) -> ListArc<T, ID>884 pub fn remove(self) -> ListArc<T, ID> { 885 if ISNEXT { 886 self.cursor.move_next(); 887 } 888 889 // INVARIANT: `self.ptr` is not equal to `self.cursor.next` due to the above `move_next` 890 // call. 891 // SAFETY: By the type invariants of `Self`, `next` is not null, so `next` is an element of 892 // `self.cursor.list` by the type invariants of `Cursor`. 893 unsafe { self.cursor.list.remove_internal(self.ptr) } 894 } 895 896 /// Access this value as an [`ArcBorrow`]. arc(&self) -> ArcBorrow<'_, T>897 pub fn arc(&self) -> ArcBorrow<'_, T> { 898 // SAFETY: `self.ptr` points at an element in `self.cursor.list`. 899 let me = unsafe { T::view_value(ListLinks::from_fields(self.ptr)) }; 900 // SAFETY: 901 // * All values in a list are stored in an `Arc`. 902 // * The value cannot be removed from the list for the duration of the lifetime annotated 903 // on the returned `ArcBorrow`, because removing it from the list would require mutable 904 // access to the `CursorPeek`, the `Cursor` or the `List`. However, the `ArcBorrow` holds 905 // an immutable borrow on the `CursorPeek`, which in turn holds a mutable borrow on the 906 // `Cursor`, which in turn holds a mutable borrow on the `List`, so any such mutable 907 // access requires first releasing the immutable borrow on the `CursorPeek`. 908 // * Values in a list never have a `UniqueArc` reference, because the list has a `ListArc` 909 // reference, and `UniqueArc` references must be unique. 910 unsafe { ArcBorrow::from_raw(me) } 911 } 912 } 913 914 impl<'a, 'b, T: ?Sized + ListItem<ID>, const ISNEXT: bool, const ID: u64> core::ops::Deref 915 for CursorPeek<'a, 'b, T, ISNEXT, ID> 916 { 917 // If you change the `ptr` field to have type `ArcBorrow<'a, T>`, it might seem like you could 918 // get rid of the `CursorPeek::arc` method and change the deref target to `ArcBorrow<'a, T>`. 919 // However, that doesn't work because 'a is too long. You could obtain an `ArcBorrow<'a, T>` 920 // and then call `CursorPeek::remove` without giving up the `ArcBorrow<'a, T>`, which would be 921 // unsound. 922 type Target = T; 923 deref(&self) -> &T924 fn deref(&self) -> &T { 925 // SAFETY: `self.ptr` points at an element in `self.cursor.list`. 926 let me = unsafe { T::view_value(ListLinks::from_fields(self.ptr)) }; 927 928 // SAFETY: The value cannot be removed from the list for the duration of the lifetime 929 // annotated on the returned `&T`, because removing it from the list would require mutable 930 // access to the `CursorPeek`, the `Cursor` or the `List`. However, the `&T` holds an 931 // immutable borrow on the `CursorPeek`, which in turn holds a mutable borrow on the 932 // `Cursor`, which in turn holds a mutable borrow on the `List`, so any such mutable access 933 // requires first releasing the immutable borrow on the `CursorPeek`. 934 unsafe { &*me } 935 } 936 } 937 938 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> FusedIterator for Iter<'a, T, ID> {} 939 940 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> IntoIterator for &'a List<T, ID> { 941 type IntoIter = Iter<'a, T, ID>; 942 type Item = ArcBorrow<'a, T>; 943 into_iter(self) -> Iter<'a, T, ID>944 fn into_iter(self) -> Iter<'a, T, ID> { 945 self.iter() 946 } 947 } 948 949 /// An owning iterator into a [`List`]. 950 pub struct IntoIter<T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 951 list: List<T, ID>, 952 } 953 954 impl<T: ?Sized + ListItem<ID>, const ID: u64> Iterator for IntoIter<T, ID> { 955 type Item = ListArc<T, ID>; 956 next(&mut self) -> Option<ListArc<T, ID>>957 fn next(&mut self) -> Option<ListArc<T, ID>> { 958 self.list.pop_front() 959 } 960 } 961 962 impl<T: ?Sized + ListItem<ID>, const ID: u64> FusedIterator for IntoIter<T, ID> {} 963 964 impl<T: ?Sized + ListItem<ID>, const ID: u64> DoubleEndedIterator for IntoIter<T, ID> { next_back(&mut self) -> Option<ListArc<T, ID>>965 fn next_back(&mut self) -> Option<ListArc<T, ID>> { 966 self.list.pop_back() 967 } 968 } 969 970 impl<T: ?Sized + ListItem<ID>, const ID: u64> IntoIterator for List<T, ID> { 971 type IntoIter = IntoIter<T, ID>; 972 type Item = ListArc<T, ID>; 973 into_iter(self) -> IntoIter<T, ID>974 fn into_iter(self) -> IntoIter<T, ID> { 975 IntoIter { list: self } 976 } 977 } 978