xref: /qemu/rust/qemu-api/src/qom.rs (revision 3a1c694d74deb478d9822e585e90c5903852eb84) 
15a5110d2SManos Pitsidianakis // Copyright 2024, Linaro Limited
25a5110d2SManos Pitsidianakis // Author(s): Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
35a5110d2SManos Pitsidianakis // SPDX-License-Identifier: GPL-2.0-or-later
45a5110d2SManos Pitsidianakis 
54aed0296SPaolo Bonzini //! Bindings to access QOM functionality from Rust.
64aed0296SPaolo Bonzini //!
7f50cd85cSPaolo Bonzini //! The QEMU Object Model (QOM) provides inheritance and dynamic typing for QEMU
8ba3b81f3SPaolo Bonzini //! devices. This module makes QOM's features available in Rust through three
9ba3b81f3SPaolo Bonzini //! main mechanisms:
10f50cd85cSPaolo Bonzini //!
11f50cd85cSPaolo Bonzini //! * Automatic creation and registration of `TypeInfo` for classes that are
12f50cd85cSPaolo Bonzini //!   written in Rust, as well as mapping between Rust traits and QOM vtables.
13f50cd85cSPaolo Bonzini //!
14f50cd85cSPaolo Bonzini //! * Type-safe casting between parent and child classes, through the [`IsA`]
15f50cd85cSPaolo Bonzini //!   trait and methods such as [`upcast`](ObjectCast::upcast) and
16f50cd85cSPaolo Bonzini //!   [`downcast`](ObjectCast::downcast).
174aed0296SPaolo Bonzini //!
18ba3b81f3SPaolo Bonzini //! * Automatic delegation of parent class methods to child classes. When a
19ba3b81f3SPaolo Bonzini //!   trait uses [`IsA`] as a bound, its contents become available to all child
20ba3b81f3SPaolo Bonzini //!   classes through blanket implementations. This works both for class methods
21ba3b81f3SPaolo Bonzini //!   and for instance methods accessed through references or smart pointers.
22ba3b81f3SPaolo Bonzini //!
234aed0296SPaolo Bonzini //! # Structure of a class
244aed0296SPaolo Bonzini //!
254aed0296SPaolo Bonzini //! A leaf class only needs a struct holding instance state. The struct must
26f50cd85cSPaolo Bonzini //! implement the [`ObjectType`] and [`IsA`] traits, as well as any `*Impl`
27f50cd85cSPaolo Bonzini //! traits that exist for its superclasses.
284aed0296SPaolo Bonzini //!
294aed0296SPaolo Bonzini //! If a class has subclasses, it will also provide a struct for instance data,
304aed0296SPaolo Bonzini //! with the same characteristics as for concrete classes, but it also needs
314aed0296SPaolo Bonzini //! additional components to support virtual methods:
324aed0296SPaolo Bonzini //!
334aed0296SPaolo Bonzini //! * a struct for class data, for example `DeviceClass`. This corresponds to
344aed0296SPaolo Bonzini //!   the C "class struct" and holds the vtable that is used by instances of the
354aed0296SPaolo Bonzini //!   class and its subclasses. It must start with its parent's class struct.
364aed0296SPaolo Bonzini //!
374aed0296SPaolo Bonzini //! * a trait for virtual method implementations, for example `DeviceImpl`.
384aed0296SPaolo Bonzini //!   Child classes implement this trait to provide their own behavior for
394aed0296SPaolo Bonzini //!   virtual methods. The trait's methods take `&self` to access instance data.
40ac5699c5SPaolo Bonzini //!   The traits have the appropriate specialization of `IsA<>` as a supertrait,
41ac5699c5SPaolo Bonzini //!   for example `IsA<DeviceState>` for `DeviceImpl`.
424aed0296SPaolo Bonzini //!
43ba3b81f3SPaolo Bonzini //! * a trait for instance methods, for example `DeviceMethods`. This trait is
44ba3b81f3SPaolo Bonzini //!   automatically implemented for any reference or smart pointer to a device
45ba3b81f3SPaolo Bonzini //!   instance.  It calls into the vtable provides access across all subclasses
46ba3b81f3SPaolo Bonzini //!   to methods defined for the class.
47ba3b81f3SPaolo Bonzini //!
48ba3b81f3SPaolo Bonzini //! * optionally, a trait for class methods, for example `DeviceClassMethods`.
49ba3b81f3SPaolo Bonzini //!   This provides access to class-wide functionality that doesn't depend on
50ba3b81f3SPaolo Bonzini //!   instance data. Like instance methods, these are automatically inherited by
51ba3b81f3SPaolo Bonzini //!   child classes.
52d556226dSPaolo Bonzini //!
53d556226dSPaolo Bonzini //! # Class structures
54d556226dSPaolo Bonzini //!
55d556226dSPaolo Bonzini //! Each QOM class that has virtual methods describes them in a
56d556226dSPaolo Bonzini //! _class struct_.  Class structs include a parent field corresponding
57d556226dSPaolo Bonzini //! to the vtable of the parent class, all the way up to [`ObjectClass`].
58d556226dSPaolo Bonzini //!
59d556226dSPaolo Bonzini //! As mentioned above, virtual methods are defined via traits such as
60d556226dSPaolo Bonzini //! `DeviceImpl`.  Class structs do not define any trait but, conventionally,
61d556226dSPaolo Bonzini //! all of them have a `class_init` method to initialize the virtual methods
62d556226dSPaolo Bonzini //! based on the trait and then call the same method on the superclass.
63d556226dSPaolo Bonzini //!
64d556226dSPaolo Bonzini //! ```ignore
65d556226dSPaolo Bonzini //! impl YourSubclassClass
66d556226dSPaolo Bonzini //! {
67d556226dSPaolo Bonzini //!     pub fn class_init<T: YourSubclassImpl>(&mut self) {
68d556226dSPaolo Bonzini //!         ...
69d556226dSPaolo Bonzini //!         klass.parent_class::class_init<T>();
70d556226dSPaolo Bonzini //!     }
71d556226dSPaolo Bonzini //! }
72d556226dSPaolo Bonzini //! ```
73d556226dSPaolo Bonzini //!
74d556226dSPaolo Bonzini //! If a class implements a QOM interface.  In that case, the function must
75d556226dSPaolo Bonzini //! contain, for each interface, an extra forwarding call as follows:
76d556226dSPaolo Bonzini //!
77d556226dSPaolo Bonzini //! ```ignore
78d556226dSPaolo Bonzini //! ResettableClass::cast::<Self>(self).class_init::<Self>();
79d556226dSPaolo Bonzini //! ```
80d556226dSPaolo Bonzini //!
81d556226dSPaolo Bonzini //! These `class_init` functions are methods on the class rather than a trait,
82d556226dSPaolo Bonzini //! because the bound on `T` (`DeviceImpl` in this case), will change for every
83d556226dSPaolo Bonzini //! class struct.  The functions are pointed to by the
84d556226dSPaolo Bonzini //! [`ObjectImpl::CLASS_INIT`] function pointer. While there is no default
85d556226dSPaolo Bonzini //! implementation, in most cases it will be enough to write it as follows:
86d556226dSPaolo Bonzini //!
87d556226dSPaolo Bonzini //! ```ignore
88d556226dSPaolo Bonzini //! const CLASS_INIT: fn(&mut Self::Class)> = Self::Class::class_init::<Self>;
89d556226dSPaolo Bonzini //! ```
90d556226dSPaolo Bonzini //!
91d556226dSPaolo Bonzini //! This design incurs a small amount of code duplication but, by not using
92d556226dSPaolo Bonzini //! traits, it allows the flexibility of implementing bindings in any crate,
93d556226dSPaolo Bonzini //! without incurring into violations of orphan rules for traits.
945a5110d2SManos Pitsidianakis 
95f50cd85cSPaolo Bonzini use std::{
96e4fb0be1SPaolo Bonzini     ffi::{c_void, CStr},
97ca0d60a6SPaolo Bonzini     fmt,
980fcccf3fSPaolo Bonzini     mem::ManuallyDrop,
99f50cd85cSPaolo Bonzini     ops::{Deref, DerefMut},
1007d052039SPaolo Bonzini     ptr::NonNull,
101f50cd85cSPaolo Bonzini };
1025a5110d2SManos Pitsidianakis 
1037fb4a99dSPaolo Bonzini pub use bindings::ObjectClass;
104716d89f9SPaolo Bonzini 
1050fcccf3fSPaolo Bonzini use crate::{
1060fcccf3fSPaolo Bonzini     bindings::{
107688c6741SPaolo Bonzini         self, object_class_dynamic_cast, object_dynamic_cast, object_get_class,
108688c6741SPaolo Bonzini         object_get_typename, object_new, object_ref, object_unref, TypeInfo,
1090fcccf3fSPaolo Bonzini     },
1107fb4a99dSPaolo Bonzini     cell::{bql_locked, Opaque},
1110fcccf3fSPaolo Bonzini };
112f50cd85cSPaolo Bonzini 
1137fb4a99dSPaolo Bonzini /// A safe wrapper around [`bindings::Object`].
1147fb4a99dSPaolo Bonzini #[repr(transparent)]
1157fb4a99dSPaolo Bonzini #[derive(Debug, qemu_api_macros::Wrapper)]
1167fb4a99dSPaolo Bonzini pub struct Object(Opaque<bindings::Object>);
1177fb4a99dSPaolo Bonzini 
1187fb4a99dSPaolo Bonzini unsafe impl Send for Object {}
1197fb4a99dSPaolo Bonzini unsafe impl Sync for Object {}
1207fb4a99dSPaolo Bonzini 
121f50cd85cSPaolo Bonzini /// Marker trait: `Self` can be statically upcasted to `P` (i.e. `P` is a direct
122f50cd85cSPaolo Bonzini /// or indirect parent of `Self`).
123f50cd85cSPaolo Bonzini ///
124f50cd85cSPaolo Bonzini /// # Safety
125f50cd85cSPaolo Bonzini ///
126f50cd85cSPaolo Bonzini /// The struct `Self` must be `#[repr(C)]` and must begin, directly or
127f50cd85cSPaolo Bonzini /// indirectly, with a field of type `P`.  This ensures that invalid casts,
128f50cd85cSPaolo Bonzini /// which rely on `IsA<>` for static checking, are rejected at compile time.
129f50cd85cSPaolo Bonzini pub unsafe trait IsA<P: ObjectType>: ObjectType {}
130f50cd85cSPaolo Bonzini 
131f50cd85cSPaolo Bonzini // SAFETY: it is always safe to cast to your own type
132f50cd85cSPaolo Bonzini unsafe impl<T: ObjectType> IsA<T> for T {}
133f50cd85cSPaolo Bonzini 
134f50cd85cSPaolo Bonzini /// Macro to mark superclasses of QOM classes.  This enables type-safe
135f50cd85cSPaolo Bonzini /// up- and downcasting.
136f50cd85cSPaolo Bonzini ///
137f50cd85cSPaolo Bonzini /// # Safety
138f50cd85cSPaolo Bonzini ///
139f50cd85cSPaolo Bonzini /// This macro is a thin wrapper around the [`IsA`] trait and performs
140f50cd85cSPaolo Bonzini /// no checking whatsoever of what is declared.  It is the caller's
141f50cd85cSPaolo Bonzini /// responsibility to have $struct begin, directly or indirectly, with
142f50cd85cSPaolo Bonzini /// a field of type `$parent`.
143f50cd85cSPaolo Bonzini #[macro_export]
144f50cd85cSPaolo Bonzini macro_rules! qom_isa {
145f50cd85cSPaolo Bonzini     ($struct:ty : $($parent:ty),* ) => {
146f50cd85cSPaolo Bonzini         $(
147f50cd85cSPaolo Bonzini             // SAFETY: it is the caller responsibility to have $parent as the
148f50cd85cSPaolo Bonzini             // first field
149f50cd85cSPaolo Bonzini             unsafe impl $crate::qom::IsA<$parent> for $struct {}
150f50cd85cSPaolo Bonzini 
151f50cd85cSPaolo Bonzini             impl AsRef<$parent> for $struct {
152f50cd85cSPaolo Bonzini                 fn as_ref(&self) -> &$parent {
153f50cd85cSPaolo Bonzini                     // SAFETY: follows the same rules as for IsA<U>, which is
154f50cd85cSPaolo Bonzini                     // declared above.
155f50cd85cSPaolo Bonzini                     let ptr: *const Self = self;
156f50cd85cSPaolo Bonzini                     unsafe { &*ptr.cast::<$parent>() }
157f50cd85cSPaolo Bonzini                 }
158f50cd85cSPaolo Bonzini             }
159f50cd85cSPaolo Bonzini         )*
160f50cd85cSPaolo Bonzini     };
161f50cd85cSPaolo Bonzini }
1625a5110d2SManos Pitsidianakis 
163ca0d60a6SPaolo Bonzini /// This is the same as [`ManuallyDrop<T>`](std::mem::ManuallyDrop), though
164ca0d60a6SPaolo Bonzini /// it hides the standard methods of `ManuallyDrop`.
165ca0d60a6SPaolo Bonzini ///
166ca0d60a6SPaolo Bonzini /// The first field of an `ObjectType` must be of type `ParentField<T>`.
167ca0d60a6SPaolo Bonzini /// (Technically, this is only necessary if there is at least one Rust
168ca0d60a6SPaolo Bonzini /// superclass in the hierarchy).  This is to ensure that the parent field is
169ca0d60a6SPaolo Bonzini /// dropped after the subclass; this drop order is enforced by the C
170ca0d60a6SPaolo Bonzini /// `object_deinit` function.
171ca0d60a6SPaolo Bonzini ///
172ca0d60a6SPaolo Bonzini /// # Examples
173ca0d60a6SPaolo Bonzini ///
174ca0d60a6SPaolo Bonzini /// ```ignore
175ca0d60a6SPaolo Bonzini /// #[repr(C)]
176ca0d60a6SPaolo Bonzini /// #[derive(qemu_api_macros::Object)]
177ca0d60a6SPaolo Bonzini /// pub struct MyDevice {
178ca0d60a6SPaolo Bonzini ///     parent: ParentField<DeviceState>,
179ca0d60a6SPaolo Bonzini ///     ...
180ca0d60a6SPaolo Bonzini /// }
181ca0d60a6SPaolo Bonzini /// ```
182ca0d60a6SPaolo Bonzini #[derive(Debug)]
183ca0d60a6SPaolo Bonzini #[repr(transparent)]
184ca0d60a6SPaolo Bonzini pub struct ParentField<T: ObjectType>(std::mem::ManuallyDrop<T>);
185ca0d60a6SPaolo Bonzini 
186ca0d60a6SPaolo Bonzini impl<T: ObjectType> Deref for ParentField<T> {
187ca0d60a6SPaolo Bonzini     type Target = T;
188ca0d60a6SPaolo Bonzini 
189ca0d60a6SPaolo Bonzini     #[inline(always)]
190ca0d60a6SPaolo Bonzini     fn deref(&self) -> &Self::Target {
191ca0d60a6SPaolo Bonzini         &self.0
192ca0d60a6SPaolo Bonzini     }
193ca0d60a6SPaolo Bonzini }
194ca0d60a6SPaolo Bonzini 
195ca0d60a6SPaolo Bonzini impl<T: ObjectType> DerefMut for ParentField<T> {
196ca0d60a6SPaolo Bonzini     #[inline(always)]
197ca0d60a6SPaolo Bonzini     fn deref_mut(&mut self) -> &mut Self::Target {
198ca0d60a6SPaolo Bonzini         &mut self.0
199ca0d60a6SPaolo Bonzini     }
200ca0d60a6SPaolo Bonzini }
201ca0d60a6SPaolo Bonzini 
202ca0d60a6SPaolo Bonzini impl<T: fmt::Display + ObjectType> fmt::Display for ParentField<T> {
203ca0d60a6SPaolo Bonzini     #[inline(always)]
204ca0d60a6SPaolo Bonzini     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
205ca0d60a6SPaolo Bonzini         self.0.fmt(f)
206ca0d60a6SPaolo Bonzini     }
207ca0d60a6SPaolo Bonzini }
208ca0d60a6SPaolo Bonzini 
2097fb4a99dSPaolo Bonzini unsafe extern "C" fn rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object) {
2107d052039SPaolo Bonzini     let mut state = NonNull::new(obj).unwrap().cast::<T>();
2111f9d52c9SPaolo Bonzini     // SAFETY: obj is an instance of T, since rust_instance_init<T>
2121f9d52c9SPaolo Bonzini     // is called from QOM core as the instance_init function
2131f9d52c9SPaolo Bonzini     // for class T
2147d052039SPaolo Bonzini     unsafe {
2157d052039SPaolo Bonzini         T::INSTANCE_INIT.unwrap()(state.as_mut());
2167d052039SPaolo Bonzini     }
2171f9d52c9SPaolo Bonzini }
2181f9d52c9SPaolo Bonzini 
2197fb4a99dSPaolo Bonzini unsafe extern "C" fn rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object) {
2207d052039SPaolo Bonzini     let state = NonNull::new(obj).unwrap().cast::<T>();
2211f9d52c9SPaolo Bonzini     // SAFETY: obj is an instance of T, since rust_instance_post_init<T>
2221f9d52c9SPaolo Bonzini     // is called from QOM core as the instance_post_init function
2231f9d52c9SPaolo Bonzini     // for class T
2247d052039SPaolo Bonzini     T::INSTANCE_POST_INIT.unwrap()(unsafe { state.as_ref() });
2251f9d52c9SPaolo Bonzini }
2261f9d52c9SPaolo Bonzini 
2274551f342SPaolo Bonzini unsafe extern "C" fn rust_class_init<T: ObjectType + ObjectImpl>(
2286dd818fbSPaolo Bonzini     klass: *mut ObjectClass,
22912d1a768SPhilippe Mathieu-Daudé     _data: *const c_void,
2306dd818fbSPaolo Bonzini ) {
2317d052039SPaolo Bonzini     let mut klass = NonNull::new(klass)
2327d052039SPaolo Bonzini         .unwrap()
2337d052039SPaolo Bonzini         .cast::<<T as ObjectType>::Class>();
2346dd818fbSPaolo Bonzini     // SAFETY: klass is a T::Class, since rust_class_init<T>
2356dd818fbSPaolo Bonzini     // is called from QOM core as the class_init function
2366dd818fbSPaolo Bonzini     // for class T
2374551f342SPaolo Bonzini     <T as ObjectImpl>::CLASS_INIT(unsafe { klass.as_mut() })
2386dd818fbSPaolo Bonzini }
2396dd818fbSPaolo Bonzini 
2407fb4a99dSPaolo Bonzini unsafe extern "C" fn drop_object<T: ObjectImpl>(obj: *mut bindings::Object) {
24133aa6605SPaolo Bonzini     // SAFETY: obj is an instance of T, since drop_object<T> is called
24233aa6605SPaolo Bonzini     // from the QOM core function object_deinit() as the instance_finalize
24333aa6605SPaolo Bonzini     // function for class T.  Note that while object_deinit() will drop the
24433aa6605SPaolo Bonzini     // superclass field separately after this function returns, `T` must
24533aa6605SPaolo Bonzini     // implement the unsafe trait ObjectType; the safety rules for the
24633aa6605SPaolo Bonzini     // trait mandate that the parent field is manually dropped.
24733aa6605SPaolo Bonzini     unsafe { std::ptr::drop_in_place(obj.cast::<T>()) }
24833aa6605SPaolo Bonzini }
24933aa6605SPaolo Bonzini 
2507bd8e3efSPaolo Bonzini /// Trait exposed by all structs corresponding to QOM objects.
2511f9d52c9SPaolo Bonzini ///
2521f9d52c9SPaolo Bonzini /// # Safety
2531f9d52c9SPaolo Bonzini ///
2547bd8e3efSPaolo Bonzini /// For classes declared in C:
2551f9d52c9SPaolo Bonzini ///
2567bd8e3efSPaolo Bonzini /// - `Class` and `TYPE` must match the data in the `TypeInfo`;
2577bd8e3efSPaolo Bonzini ///
2587bd8e3efSPaolo Bonzini /// - the first field of the struct must be of the instance type corresponding
2597bd8e3efSPaolo Bonzini ///   to the superclass, as declared in the `TypeInfo`
2607bd8e3efSPaolo Bonzini ///
2617bd8e3efSPaolo Bonzini /// - likewise, the first field of the `Class` struct must be of the class type
2627bd8e3efSPaolo Bonzini ///   corresponding to the superclass
2637bd8e3efSPaolo Bonzini ///
2647bd8e3efSPaolo Bonzini /// For classes declared in Rust and implementing [`ObjectImpl`]:
2657bd8e3efSPaolo Bonzini ///
2667bd8e3efSPaolo Bonzini /// - the struct must be `#[repr(C)]`;
2671f9d52c9SPaolo Bonzini ///
268ca0d60a6SPaolo Bonzini /// - the first field of the struct must be of type
269ca0d60a6SPaolo Bonzini ///   [`ParentField<T>`](ParentField), where `T` is the parent type
270ca0d60a6SPaolo Bonzini ///   [`ObjectImpl::ParentType`]
2717bd8e3efSPaolo Bonzini ///
272ca0d60a6SPaolo Bonzini /// - the first field of the `Class` must be of the class struct corresponding
273ca0d60a6SPaolo Bonzini ///   to the superclass, which is `ObjectImpl::ParentType::Class`. `ParentField`
274ca0d60a6SPaolo Bonzini ///   is not needed here.
275ca0d60a6SPaolo Bonzini ///
276ca0d60a6SPaolo Bonzini /// In both cases, having a separate class type is not necessary if the subclass
277ca0d60a6SPaolo Bonzini /// does not add any field.
2787bd8e3efSPaolo Bonzini pub unsafe trait ObjectType: Sized {
2796dd818fbSPaolo Bonzini     /// The QOM class object corresponding to this struct.  This is used
2806dd818fbSPaolo Bonzini     /// to automatically generate a `class_init` method.
281c6c4f3e0SPaolo Bonzini     type Class;
2821f9d52c9SPaolo Bonzini 
2831f9d52c9SPaolo Bonzini     /// The name of the type, which can be passed to `object_new()` to
2841f9d52c9SPaolo Bonzini     /// generate an instance of this type.
2855a5110d2SManos Pitsidianakis     const TYPE_NAME: &'static CStr;
286f50cd85cSPaolo Bonzini 
287f50cd85cSPaolo Bonzini     /// Return the receiver as an Object.  This is always safe, even
288f50cd85cSPaolo Bonzini     /// if this type represents an interface.
289f50cd85cSPaolo Bonzini     fn as_object(&self) -> &Object {
2907fb4a99dSPaolo Bonzini         unsafe { &*self.as_ptr().cast() }
2917bd8e3efSPaolo Bonzini     }
2921f9d52c9SPaolo Bonzini 
293f50cd85cSPaolo Bonzini     /// Return the receiver as a const raw pointer to Object.
294f50cd85cSPaolo Bonzini     /// This is preferrable to `as_object_mut_ptr()` if a C
295f50cd85cSPaolo Bonzini     /// function only needs a `const Object *`.
2967fb4a99dSPaolo Bonzini     fn as_object_ptr(&self) -> *const bindings::Object {
2977fb4a99dSPaolo Bonzini         self.as_object().as_ptr()
298f50cd85cSPaolo Bonzini     }
299f50cd85cSPaolo Bonzini 
300f50cd85cSPaolo Bonzini     /// Return the receiver as a mutable raw pointer to Object.
301f50cd85cSPaolo Bonzini     ///
302f50cd85cSPaolo Bonzini     /// # Safety
303f50cd85cSPaolo Bonzini     ///
304f50cd85cSPaolo Bonzini     /// This cast is always safe, but because the result is mutable
305f50cd85cSPaolo Bonzini     /// and the incoming reference is not, this should only be used
306f50cd85cSPaolo Bonzini     /// for calls to C functions, and only if needed.
3077fb4a99dSPaolo Bonzini     unsafe fn as_object_mut_ptr(&self) -> *mut bindings::Object {
3087fb4a99dSPaolo Bonzini         self.as_object().as_mut_ptr()
309f50cd85cSPaolo Bonzini     }
310f50cd85cSPaolo Bonzini }
311f50cd85cSPaolo Bonzini 
312688c6741SPaolo Bonzini /// Trait exposed by all structs corresponding to QOM interfaces.
313688c6741SPaolo Bonzini /// Unlike `ObjectType`, it is implemented on the class type (which provides
314688c6741SPaolo Bonzini /// the vtable for the interfaces).
315688c6741SPaolo Bonzini ///
316688c6741SPaolo Bonzini /// # Safety
317688c6741SPaolo Bonzini ///
318688c6741SPaolo Bonzini /// `TYPE` must match the contents of the `TypeInfo` as found in the C code;
319688c6741SPaolo Bonzini /// right now, interfaces can only be declared in C.
320688c6741SPaolo Bonzini pub unsafe trait InterfaceType: Sized {
321688c6741SPaolo Bonzini     /// The name of the type, which can be passed to
322688c6741SPaolo Bonzini     /// `object_class_dynamic_cast()` to obtain the pointer to the vtable
323688c6741SPaolo Bonzini     /// for this interface.
324688c6741SPaolo Bonzini     const TYPE_NAME: &'static CStr;
325688c6741SPaolo Bonzini 
326d556226dSPaolo Bonzini     /// Return the vtable for the interface; `U` is the type that
327688c6741SPaolo Bonzini     /// lists the interface in its `TypeInfo`.
328688c6741SPaolo Bonzini     ///
329d556226dSPaolo Bonzini     /// # Examples
330d556226dSPaolo Bonzini     ///
331d556226dSPaolo Bonzini     /// This function is usually called by a `class_init` method in `U::Class`.
332d556226dSPaolo Bonzini     /// For example, `DeviceClass::class_init<T>` initializes its `Resettable`
333d556226dSPaolo Bonzini     /// interface as follows:
334d556226dSPaolo Bonzini     ///
335d556226dSPaolo Bonzini     /// ```ignore
336d556226dSPaolo Bonzini     /// ResettableClass::cast::<DeviceState>(self).class_init::<T>();
337d556226dSPaolo Bonzini     /// ```
338d556226dSPaolo Bonzini     ///
339d556226dSPaolo Bonzini     /// where `T` is the concrete subclass that is being initialized.
340d556226dSPaolo Bonzini     ///
341688c6741SPaolo Bonzini     /// # Panics
342688c6741SPaolo Bonzini     ///
343688c6741SPaolo Bonzini     /// Panic if the incoming argument if `T` does not implement the interface.
344d556226dSPaolo Bonzini     fn cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self {
345688c6741SPaolo Bonzini         unsafe {
346688c6741SPaolo Bonzini             // SAFETY: upcasting to ObjectClass is always valid, and the
347688c6741SPaolo Bonzini             // return type is either NULL or the argument itself
348688c6741SPaolo Bonzini             let result: *mut Self = object_class_dynamic_cast(
349688c6741SPaolo Bonzini                 (klass as *mut U::Class).cast(),
350688c6741SPaolo Bonzini                 Self::TYPE_NAME.as_ptr(),
351688c6741SPaolo Bonzini             )
352688c6741SPaolo Bonzini             .cast();
353d556226dSPaolo Bonzini             result.as_mut().unwrap()
354688c6741SPaolo Bonzini         }
355688c6741SPaolo Bonzini     }
356688c6741SPaolo Bonzini }
357688c6741SPaolo Bonzini 
358f50cd85cSPaolo Bonzini /// This trait provides safe casting operations for QOM objects to raw pointers,
359f50cd85cSPaolo Bonzini /// to be used for example for FFI. The trait can be applied to any kind of
360f50cd85cSPaolo Bonzini /// reference or smart pointers, and enforces correctness through the [`IsA`]
361f50cd85cSPaolo Bonzini /// trait.
362f50cd85cSPaolo Bonzini pub trait ObjectDeref: Deref
363f50cd85cSPaolo Bonzini where
364f50cd85cSPaolo Bonzini     Self::Target: ObjectType,
365f50cd85cSPaolo Bonzini {
366f50cd85cSPaolo Bonzini     /// Convert to a const Rust pointer, to be used for example for FFI.
367f50cd85cSPaolo Bonzini     /// The target pointer type must be the type of `self` or a superclass
368f50cd85cSPaolo Bonzini     fn as_ptr<U: ObjectType>(&self) -> *const U
369f50cd85cSPaolo Bonzini     where
370f50cd85cSPaolo Bonzini         Self::Target: IsA<U>,
371f50cd85cSPaolo Bonzini     {
372f50cd85cSPaolo Bonzini         let ptr: *const Self::Target = self.deref();
373f50cd85cSPaolo Bonzini         ptr.cast::<U>()
374f50cd85cSPaolo Bonzini     }
375f50cd85cSPaolo Bonzini 
376f50cd85cSPaolo Bonzini     /// Convert to a mutable Rust pointer, to be used for example for FFI.
377f50cd85cSPaolo Bonzini     /// The target pointer type must be the type of `self` or a superclass.
378f50cd85cSPaolo Bonzini     /// Used to implement interior mutability for objects.
379f50cd85cSPaolo Bonzini     ///
380f50cd85cSPaolo Bonzini     /// # Safety
381f50cd85cSPaolo Bonzini     ///
3820fcccf3fSPaolo Bonzini     /// This method is safe because only the actual dereference of the pointer
3830fcccf3fSPaolo Bonzini     /// has to be unsafe.  Bindings to C APIs will use it a lot, but care has
3840fcccf3fSPaolo Bonzini     /// to be taken because it overrides the const-ness of `&self`.
3850fcccf3fSPaolo Bonzini     fn as_mut_ptr<U: ObjectType>(&self) -> *mut U
386f50cd85cSPaolo Bonzini     where
387f50cd85cSPaolo Bonzini         Self::Target: IsA<U>,
388f50cd85cSPaolo Bonzini     {
389f50cd85cSPaolo Bonzini         #[allow(clippy::as_ptr_cast_mut)]
390f50cd85cSPaolo Bonzini         {
391f50cd85cSPaolo Bonzini             self.as_ptr::<U>() as *mut _
392f50cd85cSPaolo Bonzini         }
393f50cd85cSPaolo Bonzini     }
394f50cd85cSPaolo Bonzini }
395f50cd85cSPaolo Bonzini 
396f50cd85cSPaolo Bonzini /// Trait that adds extra functionality for `&T` where `T` is a QOM
397f50cd85cSPaolo Bonzini /// object type.  Allows conversion to/from C objects in generic code.
398f50cd85cSPaolo Bonzini pub trait ObjectCast: ObjectDeref + Copy
399f50cd85cSPaolo Bonzini where
400f50cd85cSPaolo Bonzini     Self::Target: ObjectType,
401f50cd85cSPaolo Bonzini {
402f50cd85cSPaolo Bonzini     /// Safely convert from a derived type to one of its parent types.
403f50cd85cSPaolo Bonzini     ///
404f50cd85cSPaolo Bonzini     /// This is always safe; the [`IsA`] trait provides static verification
405f50cd85cSPaolo Bonzini     /// trait that `Self` dereferences to `U` or a child of `U`.
406f50cd85cSPaolo Bonzini     fn upcast<'a, U: ObjectType>(self) -> &'a U
407f50cd85cSPaolo Bonzini     where
408f50cd85cSPaolo Bonzini         Self::Target: IsA<U>,
409f50cd85cSPaolo Bonzini         Self: 'a,
410f50cd85cSPaolo Bonzini     {
411f50cd85cSPaolo Bonzini         // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait
412f50cd85cSPaolo Bonzini         unsafe { self.unsafe_cast::<U>() }
413f50cd85cSPaolo Bonzini     }
414f50cd85cSPaolo Bonzini 
415f50cd85cSPaolo Bonzini     /// Attempt to convert to a derived type.
416f50cd85cSPaolo Bonzini     ///
417f50cd85cSPaolo Bonzini     /// Returns `None` if the object is not actually of type `U`. This is
418f50cd85cSPaolo Bonzini     /// verified at runtime by checking the object's type information.
419f50cd85cSPaolo Bonzini     fn downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U>
420f50cd85cSPaolo Bonzini     where
421f50cd85cSPaolo Bonzini         Self: 'a,
422f50cd85cSPaolo Bonzini     {
423f50cd85cSPaolo Bonzini         self.dynamic_cast::<U>()
424f50cd85cSPaolo Bonzini     }
425f50cd85cSPaolo Bonzini 
426f50cd85cSPaolo Bonzini     /// Attempt to convert between any two types in the QOM hierarchy.
427f50cd85cSPaolo Bonzini     ///
428f50cd85cSPaolo Bonzini     /// Returns `None` if the object is not actually of type `U`. This is
429f50cd85cSPaolo Bonzini     /// verified at runtime by checking the object's type information.
430f50cd85cSPaolo Bonzini     fn dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U>
431f50cd85cSPaolo Bonzini     where
432f50cd85cSPaolo Bonzini         Self: 'a,
433f50cd85cSPaolo Bonzini     {
434f50cd85cSPaolo Bonzini         unsafe {
435f50cd85cSPaolo Bonzini             // SAFETY: upcasting to Object is always valid, and the
436f50cd85cSPaolo Bonzini             // return type is either NULL or the argument itself
437f50cd85cSPaolo Bonzini             let result: *const U =
438f50cd85cSPaolo Bonzini                 object_dynamic_cast(self.as_object_mut_ptr(), U::TYPE_NAME.as_ptr()).cast();
439f50cd85cSPaolo Bonzini 
440f50cd85cSPaolo Bonzini             result.as_ref()
441f50cd85cSPaolo Bonzini         }
442f50cd85cSPaolo Bonzini     }
443f50cd85cSPaolo Bonzini 
444f50cd85cSPaolo Bonzini     /// Convert to any QOM type without verification.
445f50cd85cSPaolo Bonzini     ///
446f50cd85cSPaolo Bonzini     /// # Safety
447f50cd85cSPaolo Bonzini     ///
448f50cd85cSPaolo Bonzini     /// What safety? You need to know yourself that the cast is correct; only
449f50cd85cSPaolo Bonzini     /// use when performance is paramount.  It is still better than a raw
450f50cd85cSPaolo Bonzini     /// pointer `cast()`, which does not even check that you remain in the
451f50cd85cSPaolo Bonzini     /// realm of QOM `ObjectType`s.
452f50cd85cSPaolo Bonzini     ///
453f50cd85cSPaolo Bonzini     /// `unsafe_cast::<Object>()` is always safe.
454f50cd85cSPaolo Bonzini     unsafe fn unsafe_cast<'a, U: ObjectType>(self) -> &'a U
455f50cd85cSPaolo Bonzini     where
456f50cd85cSPaolo Bonzini         Self: 'a,
457f50cd85cSPaolo Bonzini     {
458f50cd85cSPaolo Bonzini         unsafe { &*(self.as_ptr::<Self::Target>().cast::<U>()) }
459f50cd85cSPaolo Bonzini     }
460f50cd85cSPaolo Bonzini }
461f50cd85cSPaolo Bonzini 
462f50cd85cSPaolo Bonzini impl<T: ObjectType> ObjectDeref for &T {}
463f50cd85cSPaolo Bonzini impl<T: ObjectType> ObjectCast for &T {}
464f50cd85cSPaolo Bonzini 
465f50cd85cSPaolo Bonzini impl<T: ObjectType> ObjectDeref for &mut T {}
466f50cd85cSPaolo Bonzini 
4677bd8e3efSPaolo Bonzini /// Trait a type must implement to be registered with QEMU.
4684551f342SPaolo Bonzini pub trait ObjectImpl: ObjectType + IsA<Object> {
469ca0d60a6SPaolo Bonzini     /// The parent of the type.  This should match the first field of the
470ca0d60a6SPaolo Bonzini     /// struct that implements `ObjectImpl`, minus the `ParentField<_>` wrapper.
471166e8a1fSPaolo Bonzini     type ParentType: ObjectType;
4721f9d52c9SPaolo Bonzini 
4731f9d52c9SPaolo Bonzini     /// Whether the object can be instantiated
474b2a48545SPaolo Bonzini     const ABSTRACT: bool = false;
4753701fb22SPaolo Bonzini 
4761f9d52c9SPaolo Bonzini     /// Function that is called to initialize an object.  The parent class will
4771f9d52c9SPaolo Bonzini     /// have already been initialized so the type is only responsible for
4781f9d52c9SPaolo Bonzini     /// initializing its own members.
4791f9d52c9SPaolo Bonzini     ///
4801f9d52c9SPaolo Bonzini     /// FIXME: The argument is not really a valid reference. `&mut
4811f9d52c9SPaolo Bonzini     /// MaybeUninit<Self>` would be a better description.
4821f9d52c9SPaolo Bonzini     const INSTANCE_INIT: Option<unsafe fn(&mut Self)> = None;
4831f9d52c9SPaolo Bonzini 
4841f9d52c9SPaolo Bonzini     /// Function that is called to finish initialization of an object, once
4851f9d52c9SPaolo Bonzini     /// `INSTANCE_INIT` functions have been called.
48622a18f0aSPaolo Bonzini     const INSTANCE_POST_INIT: Option<fn(&Self)> = None;
4871f9d52c9SPaolo Bonzini 
4886dd818fbSPaolo Bonzini     /// Called on descendent classes after all parent class initialization
4896dd818fbSPaolo Bonzini     /// has occurred, but before the class itself is initialized.  This
4906dd818fbSPaolo Bonzini     /// is only useful if a class is not a leaf, and can be used to undo
4916dd818fbSPaolo Bonzini     /// the effects of copying the contents of the parent's class struct
4926dd818fbSPaolo Bonzini     /// to the descendants.
4936dd818fbSPaolo Bonzini     const CLASS_BASE_INIT: Option<
494f1fa787bSPhilippe Mathieu-Daudé         unsafe extern "C" fn(klass: *mut ObjectClass, data: *const c_void),
4956dd818fbSPaolo Bonzini     > = None;
4966dd818fbSPaolo Bonzini 
4973701fb22SPaolo Bonzini     const TYPE_INFO: TypeInfo = TypeInfo {
4983701fb22SPaolo Bonzini         name: Self::TYPE_NAME.as_ptr(),
499166e8a1fSPaolo Bonzini         parent: Self::ParentType::TYPE_NAME.as_ptr(),
5003701fb22SPaolo Bonzini         instance_size: core::mem::size_of::<Self>(),
5013701fb22SPaolo Bonzini         instance_align: core::mem::align_of::<Self>(),
5021f9d52c9SPaolo Bonzini         instance_init: match Self::INSTANCE_INIT {
5031f9d52c9SPaolo Bonzini             None => None,
5041f9d52c9SPaolo Bonzini             Some(_) => Some(rust_instance_init::<Self>),
5051f9d52c9SPaolo Bonzini         },
5061f9d52c9SPaolo Bonzini         instance_post_init: match Self::INSTANCE_POST_INIT {
5071f9d52c9SPaolo Bonzini             None => None,
5081f9d52c9SPaolo Bonzini             Some(_) => Some(rust_instance_post_init::<Self>),
5091f9d52c9SPaolo Bonzini         },
51033aa6605SPaolo Bonzini         instance_finalize: Some(drop_object::<Self>),
5113701fb22SPaolo Bonzini         abstract_: Self::ABSTRACT,
5123701fb22SPaolo Bonzini         class_size: core::mem::size_of::<Self::Class>(),
5136dd818fbSPaolo Bonzini         class_init: Some(rust_class_init::<Self>),
5146dd818fbSPaolo Bonzini         class_base_init: Self::CLASS_BASE_INIT,
515b282b859SPhilippe Mathieu-Daudé         class_data: core::ptr::null(),
516231bf6ddSPhilippe Mathieu-Daudé         interfaces: core::ptr::null(),
5173701fb22SPaolo Bonzini     };
518cb36da9bSPaolo Bonzini 
519cb36da9bSPaolo Bonzini     // methods on ObjectClass
520cb36da9bSPaolo Bonzini     const UNPARENT: Option<fn(&Self)> = None;
5214551f342SPaolo Bonzini 
5224551f342SPaolo Bonzini     /// Store into the argument the virtual method implementations
5234551f342SPaolo Bonzini     /// for `Self`.  On entry, the virtual method pointers are set to
5244551f342SPaolo Bonzini     /// the default values coming from the parent classes; the function
5254551f342SPaolo Bonzini     /// can change them to override virtual methods of a parent class.
5264551f342SPaolo Bonzini     ///
527d556226dSPaolo Bonzini     /// Usually defined simply as `Self::Class::class_init::<Self>`;
528d556226dSPaolo Bonzini     /// however a default implementation cannot be included here, because the
529d556226dSPaolo Bonzini     /// bounds that the `Self::Class::class_init` method places on `Self` are
530d556226dSPaolo Bonzini     /// not known in advance.
53193ea0896SPaolo Bonzini     ///
532d556226dSPaolo Bonzini     /// # Safety
53393ea0896SPaolo Bonzini     ///
534d556226dSPaolo Bonzini     /// While `klass`'s parent class is initialized on entry, the other fields
5356dd818fbSPaolo Bonzini     /// are all zero; it is therefore assumed that all fields in `T` can be
5366dd818fbSPaolo Bonzini     /// zeroed, otherwise it would not be possible to provide the class as a
537*3a1c694dSPaolo Bonzini     /// `&mut T`.  TODO: it may be possible to add an unsafe trait that checks
538*3a1c694dSPaolo Bonzini     /// that all fields *after the parent class* (but not the parent class
539*3a1c694dSPaolo Bonzini     /// itself) are Zeroable.  This unsafe trait can be added via a derive
540*3a1c694dSPaolo Bonzini     /// macro.
541d556226dSPaolo Bonzini     const CLASS_INIT: fn(&mut Self::Class);
5425a5110d2SManos Pitsidianakis }
5435a5110d2SManos Pitsidianakis 
544cb36da9bSPaolo Bonzini /// # Safety
545cb36da9bSPaolo Bonzini ///
546cb36da9bSPaolo Bonzini /// We expect the FFI user of this function to pass a valid pointer that
547cb36da9bSPaolo Bonzini /// can be downcasted to type `T`. We also expect the device is
548cb36da9bSPaolo Bonzini /// readable/writeable from one thread at any time.
5497fb4a99dSPaolo Bonzini unsafe extern "C" fn rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object) {
5507d052039SPaolo Bonzini     let state = NonNull::new(dev).unwrap().cast::<T>();
5517d052039SPaolo Bonzini     T::UNPARENT.unwrap()(unsafe { state.as_ref() });
552cb36da9bSPaolo Bonzini }
553cb36da9bSPaolo Bonzini 
554d556226dSPaolo Bonzini impl ObjectClass {
555d556226dSPaolo Bonzini     /// Fill in the virtual methods of `ObjectClass` based on the definitions in
556d556226dSPaolo Bonzini     /// the `ObjectImpl` trait.
557d556226dSPaolo Bonzini     pub fn class_init<T: ObjectImpl>(&mut self) {
558cb36da9bSPaolo Bonzini         if <T as ObjectImpl>::UNPARENT.is_some() {
559d556226dSPaolo Bonzini             self.unparent = Some(rust_unparent_fn::<T>);
560cb36da9bSPaolo Bonzini         }
561cb36da9bSPaolo Bonzini     }
562cb36da9bSPaolo Bonzini }
563cb36da9bSPaolo Bonzini 
564cb36da9bSPaolo Bonzini unsafe impl ObjectType for Object {
565cb36da9bSPaolo Bonzini     type Class = ObjectClass;
566cb36da9bSPaolo Bonzini     const TYPE_NAME: &'static CStr =
567cb36da9bSPaolo Bonzini         unsafe { CStr::from_bytes_with_nul_unchecked(bindings::TYPE_OBJECT) };
568cb36da9bSPaolo Bonzini }
569ba3b81f3SPaolo Bonzini 
5700fcccf3fSPaolo Bonzini /// A reference-counted pointer to a QOM object.
5710fcccf3fSPaolo Bonzini ///
5720fcccf3fSPaolo Bonzini /// `Owned<T>` wraps `T` with automatic reference counting.  It increases the
5730fcccf3fSPaolo Bonzini /// reference count when created via [`Owned::from`] or cloned, and decreases
5740fcccf3fSPaolo Bonzini /// it when dropped.  This ensures that the reference count remains elevated
5750fcccf3fSPaolo Bonzini /// as long as any `Owned<T>` references to it exist.
5760fcccf3fSPaolo Bonzini ///
5770fcccf3fSPaolo Bonzini /// `Owned<T>` can be used for two reasons:
5780fcccf3fSPaolo Bonzini /// * because the lifetime of the QOM object is unknown and someone else could
5790fcccf3fSPaolo Bonzini ///   take a reference (similar to `Arc<T>`, for example): in this case, the
5800fcccf3fSPaolo Bonzini ///   object can escape and outlive the Rust struct that contains the `Owned<T>`
5810fcccf3fSPaolo Bonzini ///   field;
5820fcccf3fSPaolo Bonzini ///
5830fcccf3fSPaolo Bonzini /// * to ensure that the object stays alive until after `Drop::drop` is called
5840fcccf3fSPaolo Bonzini ///   on the Rust struct: in this case, the object will always die together with
5850fcccf3fSPaolo Bonzini ///   the Rust struct that contains the `Owned<T>` field.
5860fcccf3fSPaolo Bonzini ///
5870fcccf3fSPaolo Bonzini /// Child properties are an example of the second case: in C, an object that
5880fcccf3fSPaolo Bonzini /// is created with `object_initialize_child` will die *before*
5890fcccf3fSPaolo Bonzini /// `instance_finalize` is called, whereas Rust expects the struct to have valid
5900fcccf3fSPaolo Bonzini /// contents when `Drop::drop` is called.  Therefore Rust structs that have
5910fcccf3fSPaolo Bonzini /// child properties need to keep a reference to the child object.  Right now
5920fcccf3fSPaolo Bonzini /// this can be done with `Owned<T>`; in the future one might have a separate
5930fcccf3fSPaolo Bonzini /// `Child<'parent, T>` smart pointer that keeps a reference to a `T`, like
5940fcccf3fSPaolo Bonzini /// `Owned`, but does not allow cloning.
5950fcccf3fSPaolo Bonzini ///
5960fcccf3fSPaolo Bonzini /// Note that dropping an `Owned<T>` requires the big QEMU lock to be taken.
5970fcccf3fSPaolo Bonzini #[repr(transparent)]
5980fcccf3fSPaolo Bonzini #[derive(PartialEq, Eq, Hash, PartialOrd, Ord)]
5990fcccf3fSPaolo Bonzini pub struct Owned<T: ObjectType>(NonNull<T>);
6000fcccf3fSPaolo Bonzini 
6010fcccf3fSPaolo Bonzini // The following rationale for safety is taken from Linux's kernel::sync::Arc.
6020fcccf3fSPaolo Bonzini 
6030fcccf3fSPaolo Bonzini // SAFETY: It is safe to send `Owned<T>` to another thread when the underlying
6040fcccf3fSPaolo Bonzini // `T` is `Sync` because it effectively means sharing `&T` (which is safe
6050fcccf3fSPaolo Bonzini // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
6060fcccf3fSPaolo Bonzini // thread that has an `Owned<T>` may ultimately access `T` using a
6070fcccf3fSPaolo Bonzini // mutable reference when the reference count reaches zero and `T` is dropped.
6080fcccf3fSPaolo Bonzini unsafe impl<T: ObjectType + Send + Sync> Send for Owned<T> {}
6090fcccf3fSPaolo Bonzini 
6100fcccf3fSPaolo Bonzini // SAFETY: It is safe to send `&Owned<T>` to another thread when the underlying
6110fcccf3fSPaolo Bonzini // `T` is `Sync` because it effectively means sharing `&T` (which is safe
6120fcccf3fSPaolo Bonzini // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any
6130fcccf3fSPaolo Bonzini // thread that has a `&Owned<T>` may clone it and get an `Owned<T>` on that
6140fcccf3fSPaolo Bonzini // thread, so the thread may ultimately access `T` using a mutable reference
6150fcccf3fSPaolo Bonzini // when the reference count reaches zero and `T` is dropped.
6160fcccf3fSPaolo Bonzini unsafe impl<T: ObjectType + Sync + Send> Sync for Owned<T> {}
6170fcccf3fSPaolo Bonzini 
6180fcccf3fSPaolo Bonzini impl<T: ObjectType> Owned<T> {
6190fcccf3fSPaolo Bonzini     /// Convert a raw C pointer into an owned reference to the QOM
6200fcccf3fSPaolo Bonzini     /// object it points to.  The object's reference count will be
6210fcccf3fSPaolo Bonzini     /// decreased when the `Owned` is dropped.
6220fcccf3fSPaolo Bonzini     ///
6230fcccf3fSPaolo Bonzini     /// # Panics
6240fcccf3fSPaolo Bonzini     ///
6250fcccf3fSPaolo Bonzini     /// Panics if `ptr` is NULL.
6260fcccf3fSPaolo Bonzini     ///
6270fcccf3fSPaolo Bonzini     /// # Safety
6280fcccf3fSPaolo Bonzini     ///
6290fcccf3fSPaolo Bonzini     /// The caller must indeed own a reference to the QOM object.
6300fcccf3fSPaolo Bonzini     /// The object must not be embedded in another unless the outer
6310fcccf3fSPaolo Bonzini     /// object is guaranteed to have a longer lifetime.
6320fcccf3fSPaolo Bonzini     ///
6330fcccf3fSPaolo Bonzini     /// A raw pointer obtained via [`Owned::into_raw()`] can always be passed
6340fcccf3fSPaolo Bonzini     /// back to `from_raw()` (assuming the original `Owned` was valid!),
6350fcccf3fSPaolo Bonzini     /// since the owned reference remains there between the calls to
6360fcccf3fSPaolo Bonzini     /// `into_raw()` and `from_raw()`.
6370fcccf3fSPaolo Bonzini     pub unsafe fn from_raw(ptr: *const T) -> Self {
6380fcccf3fSPaolo Bonzini         // SAFETY NOTE: while NonNull requires a mutable pointer, only
6390fcccf3fSPaolo Bonzini         // Deref is implemented so the pointer passed to from_raw
6400fcccf3fSPaolo Bonzini         // remains const
6410fcccf3fSPaolo Bonzini         Owned(NonNull::new(ptr as *mut T).unwrap())
6420fcccf3fSPaolo Bonzini     }
6430fcccf3fSPaolo Bonzini 
6440fcccf3fSPaolo Bonzini     /// Obtain a raw C pointer from a reference.  `src` is consumed
6450fcccf3fSPaolo Bonzini     /// and the reference is leaked.
6460fcccf3fSPaolo Bonzini     #[allow(clippy::missing_const_for_fn)]
6470fcccf3fSPaolo Bonzini     pub fn into_raw(src: Owned<T>) -> *mut T {
6480fcccf3fSPaolo Bonzini         let src = ManuallyDrop::new(src);
6490fcccf3fSPaolo Bonzini         src.0.as_ptr()
6500fcccf3fSPaolo Bonzini     }
6510fcccf3fSPaolo Bonzini 
6520fcccf3fSPaolo Bonzini     /// Increase the reference count of a QOM object and return
6530fcccf3fSPaolo Bonzini     /// a new owned reference to it.
6540fcccf3fSPaolo Bonzini     ///
6550fcccf3fSPaolo Bonzini     /// # Safety
6560fcccf3fSPaolo Bonzini     ///
6570fcccf3fSPaolo Bonzini     /// The object must not be embedded in another, unless the outer
6580fcccf3fSPaolo Bonzini     /// object is guaranteed to have a longer lifetime.
6590fcccf3fSPaolo Bonzini     pub unsafe fn from(obj: &T) -> Self {
6600fcccf3fSPaolo Bonzini         unsafe {
6610fcccf3fSPaolo Bonzini             object_ref(obj.as_object_mut_ptr().cast::<c_void>());
6620fcccf3fSPaolo Bonzini 
6630fcccf3fSPaolo Bonzini             // SAFETY NOTE: while NonNull requires a mutable pointer, only
6640fcccf3fSPaolo Bonzini             // Deref is implemented so the reference passed to from_raw
6650fcccf3fSPaolo Bonzini             // remains shared
6660fcccf3fSPaolo Bonzini             Owned(NonNull::new_unchecked(obj.as_mut_ptr()))
6670fcccf3fSPaolo Bonzini         }
6680fcccf3fSPaolo Bonzini     }
6690fcccf3fSPaolo Bonzini }
6700fcccf3fSPaolo Bonzini 
6710fcccf3fSPaolo Bonzini impl<T: ObjectType> Clone for Owned<T> {
6720fcccf3fSPaolo Bonzini     fn clone(&self) -> Self {
6730fcccf3fSPaolo Bonzini         // SAFETY: creation method is unsafe; whoever calls it has
6740fcccf3fSPaolo Bonzini         // responsibility that the pointer is valid, and remains valid
6750fcccf3fSPaolo Bonzini         // throughout the lifetime of the `Owned<T>` and its clones.
6760fcccf3fSPaolo Bonzini         unsafe { Owned::from(self.deref()) }
6770fcccf3fSPaolo Bonzini     }
6780fcccf3fSPaolo Bonzini }
6790fcccf3fSPaolo Bonzini 
6800fcccf3fSPaolo Bonzini impl<T: ObjectType> Deref for Owned<T> {
6810fcccf3fSPaolo Bonzini     type Target = T;
6820fcccf3fSPaolo Bonzini 
6830fcccf3fSPaolo Bonzini     fn deref(&self) -> &Self::Target {
6840fcccf3fSPaolo Bonzini         // SAFETY: creation method is unsafe; whoever calls it has
6850fcccf3fSPaolo Bonzini         // responsibility that the pointer is valid, and remains valid
6860fcccf3fSPaolo Bonzini         // throughout the lifetime of the `Owned<T>` and its clones.
6870fcccf3fSPaolo Bonzini         // With that guarantee, reference counting ensures that
6880fcccf3fSPaolo Bonzini         // the object remains alive.
6890fcccf3fSPaolo Bonzini         unsafe { &*self.0.as_ptr() }
6900fcccf3fSPaolo Bonzini     }
6910fcccf3fSPaolo Bonzini }
6920fcccf3fSPaolo Bonzini impl<T: ObjectType> ObjectDeref for Owned<T> {}
6930fcccf3fSPaolo Bonzini 
6940fcccf3fSPaolo Bonzini impl<T: ObjectType> Drop for Owned<T> {
6950fcccf3fSPaolo Bonzini     fn drop(&mut self) {
6960fcccf3fSPaolo Bonzini         assert!(bql_locked());
6970fcccf3fSPaolo Bonzini         // SAFETY: creation method is unsafe, and whoever calls it has
6980fcccf3fSPaolo Bonzini         // responsibility that the pointer is valid, and remains valid
6990fcccf3fSPaolo Bonzini         // throughout the lifetime of the `Owned<T>` and its clones.
7000fcccf3fSPaolo Bonzini         unsafe {
7010fcccf3fSPaolo Bonzini             object_unref(self.as_object_mut_ptr().cast::<c_void>());
7020fcccf3fSPaolo Bonzini         }
7030fcccf3fSPaolo Bonzini     }
7040fcccf3fSPaolo Bonzini }
7050fcccf3fSPaolo Bonzini 
7060fcccf3fSPaolo Bonzini impl<T: IsA<Object>> fmt::Debug for Owned<T> {
7070fcccf3fSPaolo Bonzini     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
7080fcccf3fSPaolo Bonzini         self.deref().debug_fmt(f)
7090fcccf3fSPaolo Bonzini     }
7100fcccf3fSPaolo Bonzini }
7110fcccf3fSPaolo Bonzini 
712ec3eba98SPaolo Bonzini /// Trait for class methods exposed by the Object class.  The methods can be
713ec3eba98SPaolo Bonzini /// called on all objects that have the trait `IsA<Object>`.
714ec3eba98SPaolo Bonzini ///
715ec3eba98SPaolo Bonzini /// The trait should only be used through the blanket implementation,
716ec3eba98SPaolo Bonzini /// which guarantees safety via `IsA`
717ec3eba98SPaolo Bonzini pub trait ObjectClassMethods: IsA<Object> {
718ec3eba98SPaolo Bonzini     /// Return a new reference counted instance of this class
719ec3eba98SPaolo Bonzini     fn new() -> Owned<Self> {
720ec3eba98SPaolo Bonzini         assert!(bql_locked());
721ec3eba98SPaolo Bonzini         // SAFETY: the object created by object_new is allocated on
722ec3eba98SPaolo Bonzini         // the heap and has a reference count of 1
723ec3eba98SPaolo Bonzini         unsafe {
7247fb4a99dSPaolo Bonzini             let raw_obj = object_new(Self::TYPE_NAME.as_ptr());
7257fb4a99dSPaolo Bonzini             let obj = Object::from_raw(raw_obj).unsafe_cast::<Self>();
7267fb4a99dSPaolo Bonzini             Owned::from_raw(obj)
727ec3eba98SPaolo Bonzini         }
728ec3eba98SPaolo Bonzini     }
729ec3eba98SPaolo Bonzini }
730ec3eba98SPaolo Bonzini 
731ba3b81f3SPaolo Bonzini /// Trait for methods exposed by the Object class.  The methods can be
732ba3b81f3SPaolo Bonzini /// called on all objects that have the trait `IsA<Object>`.
733ba3b81f3SPaolo Bonzini ///
734ba3b81f3SPaolo Bonzini /// The trait should only be used through the blanket implementation,
735ba3b81f3SPaolo Bonzini /// which guarantees safety via `IsA`
736ba3b81f3SPaolo Bonzini pub trait ObjectMethods: ObjectDeref
737ba3b81f3SPaolo Bonzini where
738ba3b81f3SPaolo Bonzini     Self::Target: IsA<Object>,
739ba3b81f3SPaolo Bonzini {
740ba3b81f3SPaolo Bonzini     /// Return the name of the type of `self`
741ba3b81f3SPaolo Bonzini     fn typename(&self) -> std::borrow::Cow<'_, str> {
742ba3b81f3SPaolo Bonzini         let obj = self.upcast::<Object>();
743ba3b81f3SPaolo Bonzini         // SAFETY: safety of this is the requirement for implementing IsA
744ba3b81f3SPaolo Bonzini         // The result of the C API has static lifetime
745ba3b81f3SPaolo Bonzini         unsafe {
746ba3b81f3SPaolo Bonzini             let p = object_get_typename(obj.as_mut_ptr());
747ba3b81f3SPaolo Bonzini             CStr::from_ptr(p).to_string_lossy()
748ba3b81f3SPaolo Bonzini         }
749ba3b81f3SPaolo Bonzini     }
750ba3b81f3SPaolo Bonzini 
751ba3b81f3SPaolo Bonzini     fn get_class(&self) -> &'static <Self::Target as ObjectType>::Class {
752ba3b81f3SPaolo Bonzini         let obj = self.upcast::<Object>();
753ba3b81f3SPaolo Bonzini 
754ba3b81f3SPaolo Bonzini         // SAFETY: all objects can call object_get_class; the actual class
755ba3b81f3SPaolo Bonzini         // type is guaranteed by the implementation of `ObjectType` and
756ba3b81f3SPaolo Bonzini         // `ObjectImpl`.
757ba3b81f3SPaolo Bonzini         let klass: &'static <Self::Target as ObjectType>::Class =
758ba3b81f3SPaolo Bonzini             unsafe { &*object_get_class(obj.as_mut_ptr()).cast() };
759ba3b81f3SPaolo Bonzini 
760ba3b81f3SPaolo Bonzini         klass
761ba3b81f3SPaolo Bonzini     }
7620fcccf3fSPaolo Bonzini 
7630fcccf3fSPaolo Bonzini     /// Convenience function for implementing the Debug trait
7640fcccf3fSPaolo Bonzini     fn debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
7650fcccf3fSPaolo Bonzini         f.debug_tuple(&self.typename())
7660fcccf3fSPaolo Bonzini             .field(&(self as *const Self))
7670fcccf3fSPaolo Bonzini             .finish()
7680fcccf3fSPaolo Bonzini     }
769ba3b81f3SPaolo Bonzini }
770ba3b81f3SPaolo Bonzini 
771ec3eba98SPaolo Bonzini impl<T> ObjectClassMethods for T where T: IsA<Object> {}
772ba3b81f3SPaolo Bonzini impl<R: ObjectDeref> ObjectMethods for R where R::Target: IsA<Object> {}
773