1 // Copyright 2024, Linaro Limited 2 // Author(s): Manos Pitsidianakis <manos.pitsidianakis@linaro.org> 3 // SPDX-License-Identifier: GPL-2.0-or-later 4 5 //! Bindings to access QOM functionality from Rust. 6 //! 7 //! The QEMU Object Model (QOM) provides inheritance and dynamic typing for QEMU 8 //! devices. This module makes QOM's features available in Rust through three 9 //! main mechanisms: 10 //! 11 //! * Automatic creation and registration of `TypeInfo` for classes that are 12 //! written in Rust, as well as mapping between Rust traits and QOM vtables. 13 //! 14 //! * Type-safe casting between parent and child classes, through the [`IsA`] 15 //! trait and methods such as [`upcast`](ObjectCast::upcast) and 16 //! [`downcast`](ObjectCast::downcast). 17 //! 18 //! * Automatic delegation of parent class methods to child classes. When a 19 //! trait uses [`IsA`] as a bound, its contents become available to all child 20 //! classes through blanket implementations. This works both for class methods 21 //! and for instance methods accessed through references or smart pointers. 22 //! 23 //! # Structure of a class 24 //! 25 //! A leaf class only needs a struct holding instance state. The struct must 26 //! implement the [`ObjectType`] and [`IsA`] traits, as well as any `*Impl` 27 //! traits that exist for its superclasses. 28 //! 29 //! If a class has subclasses, it will also provide a struct for instance data, 30 //! with the same characteristics as for concrete classes, but it also needs 31 //! additional components to support virtual methods: 32 //! 33 //! * a struct for class data, for example `DeviceClass`. This corresponds to 34 //! the C "class struct" and holds the vtable that is used by instances of the 35 //! class and its subclasses. It must start with its parent's class struct. 36 //! 37 //! * a trait for virtual method implementations, for example `DeviceImpl`. 38 //! Child classes implement this trait to provide their own behavior for 39 //! virtual methods. The trait's methods take `&self` to access instance data. 40 //! The traits have the appropriate specialization of `IsA<>` as a supertrait, 41 //! for example `IsA<DeviceState>` for `DeviceImpl`. 42 //! 43 //! * a trait for instance methods, for example `DeviceMethods`. This trait is 44 //! automatically implemented for any reference or smart pointer to a device 45 //! instance. It calls into the vtable provides access across all subclasses 46 //! to methods defined for the class. 47 //! 48 //! * optionally, a trait for class methods, for example `DeviceClassMethods`. 49 //! This provides access to class-wide functionality that doesn't depend on 50 //! instance data. Like instance methods, these are automatically inherited by 51 //! child classes. 52 //! 53 //! # Class structures 54 //! 55 //! Each QOM class that has virtual methods describes them in a 56 //! _class struct_. Class structs include a parent field corresponding 57 //! to the vtable of the parent class, all the way up to [`ObjectClass`]. 58 //! 59 //! As mentioned above, virtual methods are defined via traits such as 60 //! `DeviceImpl`. Class structs do not define any trait but, conventionally, 61 //! all of them have a `class_init` method to initialize the virtual methods 62 //! based on the trait and then call the same method on the superclass. 63 //! 64 //! ```ignore 65 //! impl YourSubclassClass 66 //! { 67 //! pub fn class_init<T: YourSubclassImpl>(&mut self) { 68 //! ... 69 //! klass.parent_class::class_init<T>(); 70 //! } 71 //! } 72 //! ``` 73 //! 74 //! If a class implements a QOM interface. In that case, the function must 75 //! contain, for each interface, an extra forwarding call as follows: 76 //! 77 //! ```ignore 78 //! ResettableClass::cast::<Self>(self).class_init::<Self>(); 79 //! ``` 80 //! 81 //! These `class_init` functions are methods on the class rather than a trait, 82 //! because the bound on `T` (`DeviceImpl` in this case), will change for every 83 //! class struct. The functions are pointed to by the 84 //! [`ObjectImpl::CLASS_INIT`] function pointer. While there is no default 85 //! implementation, in most cases it will be enough to write it as follows: 86 //! 87 //! ```ignore 88 //! const CLASS_INIT: fn(&mut Self::Class)> = Self::Class::class_init::<Self>; 89 //! ``` 90 //! 91 //! This design incurs a small amount of code duplication but, by not using 92 //! traits, it allows the flexibility of implementing bindings in any crate, 93 //! without incurring into violations of orphan rules for traits. 94 95 use std::{ 96 ffi::{c_void, CStr}, 97 fmt, 98 marker::PhantomData, 99 mem::{ManuallyDrop, MaybeUninit}, 100 ops::{Deref, DerefMut}, 101 ptr::NonNull, 102 }; 103 104 pub use bindings::ObjectClass; 105 106 use crate::{ 107 bindings::{ 108 self, object_class_dynamic_cast, object_dynamic_cast, object_get_class, 109 object_get_typename, object_new, object_ref, object_unref, TypeInfo, 110 }, 111 cell::{bql_locked, Opaque}, 112 }; 113 114 /// A safe wrapper around [`bindings::Object`]. 115 #[repr(transparent)] 116 #[derive(Debug, qemu_api_macros::Wrapper)] 117 pub struct Object(Opaque<bindings::Object>); 118 119 unsafe impl Send for Object {} 120 unsafe impl Sync for Object {} 121 122 /// Marker trait: `Self` can be statically upcasted to `P` (i.e. `P` is a direct 123 /// or indirect parent of `Self`). 124 /// 125 /// # Safety 126 /// 127 /// The struct `Self` must be `#[repr(C)]` and must begin, directly or 128 /// indirectly, with a field of type `P`. This ensures that invalid casts, 129 /// which rely on `IsA<>` for static checking, are rejected at compile time. 130 pub unsafe trait IsA<P: ObjectType>: ObjectType {} 131 132 // SAFETY: it is always safe to cast to your own type 133 unsafe impl<T: ObjectType> IsA<T> for T {} 134 135 /// Macro to mark superclasses of QOM classes. This enables type-safe 136 /// up- and downcasting. 137 /// 138 /// # Safety 139 /// 140 /// This macro is a thin wrapper around the [`IsA`] trait and performs 141 /// no checking whatsoever of what is declared. It is the caller's 142 /// responsibility to have $struct begin, directly or indirectly, with 143 /// a field of type `$parent`. 144 #[macro_export] 145 macro_rules! qom_isa { 146 ($struct:ty : $($parent:ty),* ) => { 147 $( 148 // SAFETY: it is the caller responsibility to have $parent as the 149 // first field 150 unsafe impl $crate::qom::IsA<$parent> for $struct {} 151 152 impl AsRef<$parent> for $struct { 153 fn as_ref(&self) -> &$parent { 154 // SAFETY: follows the same rules as for IsA<U>, which is 155 // declared above. 156 let ptr: *const Self = self; 157 unsafe { &*ptr.cast::<$parent>() } 158 } 159 } 160 )* 161 }; 162 } 163 164 /// This is the same as [`ManuallyDrop<T>`](std::mem::ManuallyDrop), though 165 /// it hides the standard methods of `ManuallyDrop`. 166 /// 167 /// The first field of an `ObjectType` must be of type `ParentField<T>`. 168 /// (Technically, this is only necessary if there is at least one Rust 169 /// superclass in the hierarchy). This is to ensure that the parent field is 170 /// dropped after the subclass; this drop order is enforced by the C 171 /// `object_deinit` function. 172 /// 173 /// # Examples 174 /// 175 /// ```ignore 176 /// #[repr(C)] 177 /// #[derive(qemu_api_macros::Object)] 178 /// pub struct MyDevice { 179 /// parent: ParentField<DeviceState>, 180 /// ... 181 /// } 182 /// ``` 183 #[derive(Debug)] 184 #[repr(transparent)] 185 pub struct ParentField<T: ObjectType>(std::mem::ManuallyDrop<T>); 186 187 impl<T: ObjectType> Deref for ParentField<T> { 188 type Target = T; 189 190 #[inline(always)] 191 fn deref(&self) -> &Self::Target { 192 &self.0 193 } 194 } 195 196 impl<T: ObjectType> DerefMut for ParentField<T> { 197 #[inline(always)] 198 fn deref_mut(&mut self) -> &mut Self::Target { 199 &mut self.0 200 } 201 } 202 203 impl<T: fmt::Display + ObjectType> fmt::Display for ParentField<T> { 204 #[inline(always)] 205 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> { 206 self.0.fmt(f) 207 } 208 } 209 210 /// This struct knows that the superclasses of the object have already been 211 /// initialized. 212 /// 213 /// The declaration of `ParentInit` is.. *"a kind of magic"*. It uses a 214 /// technique that is found in several crates, the main ones probably being 215 /// `ghost-cell` (in fact it was introduced by the [`GhostCell` paper](https://plv.mpi-sws.org/rustbelt/ghostcell/)) 216 /// and `generativity`. 217 /// 218 /// The `PhantomData` makes the `ParentInit` type *invariant* with respect to 219 /// the lifetime argument `'init`. This, together with the `for<'...>` in 220 /// `[ParentInit::with]`, block any attempt of the compiler to be creative when 221 /// operating on types of type `ParentInit` and to extend their lifetimes. In 222 /// particular, it ensures that the `ParentInit` cannot be made to outlive the 223 /// `rust_instance_init()` function that creates it, and therefore that the 224 /// `&'init T` reference is valid. 225 /// 226 /// This implementation of the same concept, without the QOM baggage, can help 227 /// understanding the effect: 228 /// 229 /// ``` 230 /// use std::marker::PhantomData; 231 /// 232 /// #[derive(PartialEq, Eq)] 233 /// pub struct Jail<'closure, T: Copy>(&'closure T, PhantomData<fn(&'closure ()) -> &'closure ()>); 234 /// 235 /// impl<'closure, T: Copy> Jail<'closure, T> { 236 /// fn get(&self) -> T { 237 /// *self.0 238 /// } 239 /// 240 /// #[inline] 241 /// fn with<U>(v: T, f: impl for<'id> FnOnce(Jail<'id, T>) -> U) -> U { 242 /// let parent_init = Jail(&v, PhantomData); 243 /// f(parent_init) 244 /// } 245 /// } 246 /// ``` 247 /// 248 /// It's impossible to escape the `Jail`; `token1` cannot be moved out of the 249 /// closure: 250 /// 251 /// ```ignore 252 /// let x = 42; 253 /// let escape = Jail::with(&x, |token1| { 254 /// println!("{}", token1.get()); 255 /// // fails to compile... 256 /// token1 257 /// }); 258 /// // ... so you cannot do this: 259 /// println!("{}", escape.get()); 260 /// ``` 261 /// 262 /// Likewise, in the QOM case the `ParentInit` cannot be moved out of 263 /// `instance_init()`. Without this trick it would be possible to stash a 264 /// `ParentInit` and use it later to access uninitialized memory. 265 /// 266 /// Here is another example, showing how separately-created "identities" stay 267 /// isolated: 268 /// 269 /// ```ignore 270 /// impl<'closure, T: Copy> Clone for Jail<'closure, T> { 271 /// fn clone(&self) -> Jail<'closure, T> { 272 /// Jail(self.0, PhantomData) 273 /// } 274 /// } 275 /// 276 /// fn main() { 277 /// Jail::with(42, |token1| { 278 /// // this works and returns true: the clone has the same "identity" 279 /// println!("{}", token1 == token1.clone()); 280 /// Jail::with(42, |token2| { 281 /// // here the outer token remains accessible... 282 /// println!("{}", token1.get()); 283 /// // ... but the two are separate: this fails to compile: 284 /// println!("{}", token1 == token2); 285 /// }); 286 /// }); 287 /// } 288 /// ``` 289 pub struct ParentInit<'init, T>( 290 &'init mut MaybeUninit<T>, 291 PhantomData<fn(&'init ()) -> &'init ()>, 292 ); 293 294 impl<'init, T> ParentInit<'init, T> { 295 #[inline] 296 pub fn with(obj: &'init mut MaybeUninit<T>, f: impl for<'id> FnOnce(ParentInit<'id, T>)) { 297 let parent_init = ParentInit(obj, PhantomData); 298 f(parent_init) 299 } 300 } 301 302 impl<T: ObjectType> ParentInit<'_, T> { 303 /// Return the receiver as a mutable raw pointer to Object. 304 /// 305 /// # Safety 306 /// 307 /// Fields beyond `Object` could be uninitialized and it's your 308 /// responsibility to avoid that they're used when the pointer is 309 /// dereferenced, either directly or through a cast. 310 pub fn as_object_mut_ptr(&self) -> *mut bindings::Object { 311 self.as_object_ptr().cast_mut() 312 } 313 314 /// Return the receiver as a mutable raw pointer to Object. 315 /// 316 /// # Safety 317 /// 318 /// Fields beyond `Object` could be uninitialized and it's your 319 /// responsibility to avoid that they're used when the pointer is 320 /// dereferenced, either directly or through a cast. 321 pub fn as_object_ptr(&self) -> *const bindings::Object { 322 self.0.as_ptr().cast() 323 } 324 } 325 326 impl<'a, T: ObjectImpl> ParentInit<'a, T> { 327 /// Convert from a derived type to one of its parent types, which 328 /// have already been initialized. 329 /// 330 /// # Safety 331 /// 332 /// Structurally this is always a safe operation; the [`IsA`] trait 333 /// provides static verification trait that `Self` dereferences to `U` or 334 /// a child of `U`, and only parent types of `T` are allowed. 335 /// 336 /// However, while the fields of the resulting reference are initialized, 337 /// calls might use uninitialized fields of the subclass. It is your 338 /// responsibility to avoid this. 339 pub unsafe fn upcast<U: ObjectType>(&self) -> &'a U 340 where 341 T::ParentType: IsA<U>, 342 { 343 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait; 344 // the parent has been initialized before `instance_init `is called 345 unsafe { &*(self.0.as_ptr().cast::<U>()) } 346 } 347 348 /// Convert from a derived type to one of its parent types, which 349 /// have already been initialized. 350 /// 351 /// # Safety 352 /// 353 /// Structurally this is always a safe operation; the [`IsA`] trait 354 /// provides static verification trait that `Self` dereferences to `U` or 355 /// a child of `U`, and only parent types of `T` are allowed. 356 /// 357 /// However, while the fields of the resulting reference are initialized, 358 /// calls might use uninitialized fields of the subclass. It is your 359 /// responsibility to avoid this. 360 pub unsafe fn upcast_mut<U: ObjectType>(&mut self) -> &'a mut U 361 where 362 T::ParentType: IsA<U>, 363 { 364 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait; 365 // the parent has been initialized before `instance_init `is called 366 unsafe { &mut *(self.0.as_mut_ptr().cast::<U>()) } 367 } 368 } 369 370 impl<T> Deref for ParentInit<'_, T> { 371 type Target = MaybeUninit<T>; 372 373 fn deref(&self) -> &Self::Target { 374 self.0 375 } 376 } 377 378 impl<T> DerefMut for ParentInit<'_, T> { 379 fn deref_mut(&mut self) -> &mut Self::Target { 380 self.0 381 } 382 } 383 384 unsafe extern "C" fn rust_instance_init<T: ObjectImpl>(obj: *mut bindings::Object) { 385 let mut state = NonNull::new(obj).unwrap().cast::<MaybeUninit<T>>(); 386 387 // SAFETY: obj is an instance of T, since rust_instance_init<T> 388 // is called from QOM core as the instance_init function 389 // for class T 390 unsafe { 391 ParentInit::with(state.as_mut(), |parent_init| { 392 T::INSTANCE_INIT.unwrap()(parent_init); 393 }); 394 } 395 } 396 397 unsafe extern "C" fn rust_instance_post_init<T: ObjectImpl>(obj: *mut bindings::Object) { 398 let state = NonNull::new(obj).unwrap().cast::<T>(); 399 // SAFETY: obj is an instance of T, since rust_instance_post_init<T> 400 // is called from QOM core as the instance_post_init function 401 // for class T 402 T::INSTANCE_POST_INIT.unwrap()(unsafe { state.as_ref() }); 403 } 404 405 unsafe extern "C" fn rust_class_init<T: ObjectType + ObjectImpl>( 406 klass: *mut ObjectClass, 407 _data: *const c_void, 408 ) { 409 let mut klass = NonNull::new(klass) 410 .unwrap() 411 .cast::<<T as ObjectType>::Class>(); 412 // SAFETY: klass is a T::Class, since rust_class_init<T> 413 // is called from QOM core as the class_init function 414 // for class T 415 <T as ObjectImpl>::CLASS_INIT(unsafe { klass.as_mut() }) 416 } 417 418 unsafe extern "C" fn drop_object<T: ObjectImpl>(obj: *mut bindings::Object) { 419 // SAFETY: obj is an instance of T, since drop_object<T> is called 420 // from the QOM core function object_deinit() as the instance_finalize 421 // function for class T. Note that while object_deinit() will drop the 422 // superclass field separately after this function returns, `T` must 423 // implement the unsafe trait ObjectType; the safety rules for the 424 // trait mandate that the parent field is manually dropped. 425 unsafe { std::ptr::drop_in_place(obj.cast::<T>()) } 426 } 427 428 /// Trait exposed by all structs corresponding to QOM objects. 429 /// 430 /// # Safety 431 /// 432 /// For classes declared in C: 433 /// 434 /// - `Class` and `TYPE` must match the data in the `TypeInfo`; 435 /// 436 /// - the first field of the struct must be of the instance type corresponding 437 /// to the superclass, as declared in the `TypeInfo` 438 /// 439 /// - likewise, the first field of the `Class` struct must be of the class type 440 /// corresponding to the superclass 441 /// 442 /// For classes declared in Rust and implementing [`ObjectImpl`]: 443 /// 444 /// - the struct must be `#[repr(C)]`; 445 /// 446 /// - the first field of the struct must be of type 447 /// [`ParentField<T>`](ParentField), where `T` is the parent type 448 /// [`ObjectImpl::ParentType`] 449 /// 450 /// - the first field of the `Class` must be of the class struct corresponding 451 /// to the superclass, which is `ObjectImpl::ParentType::Class`. `ParentField` 452 /// is not needed here. 453 /// 454 /// In both cases, having a separate class type is not necessary if the subclass 455 /// does not add any field. 456 pub unsafe trait ObjectType: Sized { 457 /// The QOM class object corresponding to this struct. This is used 458 /// to automatically generate a `class_init` method. 459 type Class; 460 461 /// The name of the type, which can be passed to `object_new()` to 462 /// generate an instance of this type. 463 const TYPE_NAME: &'static CStr; 464 465 /// Return the receiver as an Object. This is always safe, even 466 /// if this type represents an interface. 467 fn as_object(&self) -> &Object { 468 unsafe { &*self.as_ptr().cast() } 469 } 470 471 /// Return the receiver as a const raw pointer to Object. 472 /// This is preferable to `as_object_mut_ptr()` if a C 473 /// function only needs a `const Object *`. 474 fn as_object_ptr(&self) -> *const bindings::Object { 475 self.as_object().as_ptr() 476 } 477 478 /// Return the receiver as a mutable raw pointer to Object. 479 /// 480 /// # Safety 481 /// 482 /// This cast is always safe, but because the result is mutable 483 /// and the incoming reference is not, this should only be used 484 /// for calls to C functions, and only if needed. 485 unsafe fn as_object_mut_ptr(&self) -> *mut bindings::Object { 486 self.as_object().as_mut_ptr() 487 } 488 } 489 490 /// Trait exposed by all structs corresponding to QOM interfaces. 491 /// Unlike `ObjectType`, it is implemented on the class type (which provides 492 /// the vtable for the interfaces). 493 /// 494 /// # Safety 495 /// 496 /// `TYPE` must match the contents of the `TypeInfo` as found in the C code; 497 /// right now, interfaces can only be declared in C. 498 pub unsafe trait InterfaceType: Sized { 499 /// The name of the type, which can be passed to 500 /// `object_class_dynamic_cast()` to obtain the pointer to the vtable 501 /// for this interface. 502 const TYPE_NAME: &'static CStr; 503 504 /// Return the vtable for the interface; `U` is the type that 505 /// lists the interface in its `TypeInfo`. 506 /// 507 /// # Examples 508 /// 509 /// This function is usually called by a `class_init` method in `U::Class`. 510 /// For example, `DeviceClass::class_init<T>` initializes its `Resettable` 511 /// interface as follows: 512 /// 513 /// ```ignore 514 /// ResettableClass::cast::<DeviceState>(self).class_init::<T>(); 515 /// ``` 516 /// 517 /// where `T` is the concrete subclass that is being initialized. 518 /// 519 /// # Panics 520 /// 521 /// Panic if the incoming argument if `T` does not implement the interface. 522 fn cast<U: ObjectType>(klass: &mut U::Class) -> &mut Self { 523 unsafe { 524 // SAFETY: upcasting to ObjectClass is always valid, and the 525 // return type is either NULL or the argument itself 526 let result: *mut Self = object_class_dynamic_cast( 527 (klass as *mut U::Class).cast(), 528 Self::TYPE_NAME.as_ptr(), 529 ) 530 .cast(); 531 result.as_mut().unwrap() 532 } 533 } 534 } 535 536 /// This trait provides safe casting operations for QOM objects to raw pointers, 537 /// to be used for example for FFI. The trait can be applied to any kind of 538 /// reference or smart pointers, and enforces correctness through the [`IsA`] 539 /// trait. 540 pub trait ObjectDeref: Deref 541 where 542 Self::Target: ObjectType, 543 { 544 /// Convert to a const Rust pointer, to be used for example for FFI. 545 /// The target pointer type must be the type of `self` or a superclass 546 fn as_ptr<U: ObjectType>(&self) -> *const U 547 where 548 Self::Target: IsA<U>, 549 { 550 let ptr: *const Self::Target = self.deref(); 551 ptr.cast::<U>() 552 } 553 554 /// Convert to a mutable Rust pointer, to be used for example for FFI. 555 /// The target pointer type must be the type of `self` or a superclass. 556 /// Used to implement interior mutability for objects. 557 /// 558 /// # Safety 559 /// 560 /// This method is safe because only the actual dereference of the pointer 561 /// has to be unsafe. Bindings to C APIs will use it a lot, but care has 562 /// to be taken because it overrides the const-ness of `&self`. 563 fn as_mut_ptr<U: ObjectType>(&self) -> *mut U 564 where 565 Self::Target: IsA<U>, 566 { 567 #[allow(clippy::as_ptr_cast_mut)] 568 { 569 self.as_ptr::<U>().cast_mut() 570 } 571 } 572 } 573 574 /// Trait that adds extra functionality for `&T` where `T` is a QOM 575 /// object type. Allows conversion to/from C objects in generic code. 576 pub trait ObjectCast: ObjectDeref + Copy 577 where 578 Self::Target: ObjectType, 579 { 580 /// Safely convert from a derived type to one of its parent types. 581 /// 582 /// This is always safe; the [`IsA`] trait provides static verification 583 /// trait that `Self` dereferences to `U` or a child of `U`. 584 fn upcast<'a, U: ObjectType>(self) -> &'a U 585 where 586 Self::Target: IsA<U>, 587 Self: 'a, 588 { 589 // SAFETY: soundness is declared via IsA<U>, which is an unsafe trait 590 unsafe { self.unsafe_cast::<U>() } 591 } 592 593 /// Attempt to convert to a derived type. 594 /// 595 /// Returns `None` if the object is not actually of type `U`. This is 596 /// verified at runtime by checking the object's type information. 597 fn downcast<'a, U: IsA<Self::Target>>(self) -> Option<&'a U> 598 where 599 Self: 'a, 600 { 601 self.dynamic_cast::<U>() 602 } 603 604 /// Attempt to convert between any two types in the QOM hierarchy. 605 /// 606 /// Returns `None` if the object is not actually of type `U`. This is 607 /// verified at runtime by checking the object's type information. 608 fn dynamic_cast<'a, U: ObjectType>(self) -> Option<&'a U> 609 where 610 Self: 'a, 611 { 612 unsafe { 613 // SAFETY: upcasting to Object is always valid, and the 614 // return type is either NULL or the argument itself 615 let result: *const U = 616 object_dynamic_cast(self.as_object_mut_ptr(), U::TYPE_NAME.as_ptr()).cast(); 617 618 result.as_ref() 619 } 620 } 621 622 /// Convert to any QOM type without verification. 623 /// 624 /// # Safety 625 /// 626 /// What safety? You need to know yourself that the cast is correct; only 627 /// use when performance is paramount. It is still better than a raw 628 /// pointer `cast()`, which does not even check that you remain in the 629 /// realm of QOM `ObjectType`s. 630 /// 631 /// `unsafe_cast::<Object>()` is always safe. 632 unsafe fn unsafe_cast<'a, U: ObjectType>(self) -> &'a U 633 where 634 Self: 'a, 635 { 636 unsafe { &*(self.as_ptr::<Self::Target>().cast::<U>()) } 637 } 638 } 639 640 impl<T: ObjectType> ObjectDeref for &T {} 641 impl<T: ObjectType> ObjectCast for &T {} 642 643 impl<T: ObjectType> ObjectDeref for &mut T {} 644 645 /// Trait a type must implement to be registered with QEMU. 646 pub trait ObjectImpl: ObjectType + IsA<Object> { 647 /// The parent of the type. This should match the first field of the 648 /// struct that implements `ObjectImpl`, minus the `ParentField<_>` wrapper. 649 type ParentType: ObjectType; 650 651 /// Whether the object can be instantiated 652 const ABSTRACT: bool = false; 653 654 /// Function that is called to initialize an object. The parent class will 655 /// have already been initialized so the type is only responsible for 656 /// initializing its own members. 657 /// 658 /// FIXME: The argument is not really a valid reference. `&mut 659 /// MaybeUninit<Self>` would be a better description. 660 const INSTANCE_INIT: Option<unsafe fn(ParentInit<Self>)> = None; 661 662 /// Function that is called to finish initialization of an object, once 663 /// `INSTANCE_INIT` functions have been called. 664 const INSTANCE_POST_INIT: Option<fn(&Self)> = None; 665 666 /// Called on descendant classes after all parent class initialization 667 /// has occurred, but before the class itself is initialized. This 668 /// is only useful if a class is not a leaf, and can be used to undo 669 /// the effects of copying the contents of the parent's class struct 670 /// to the descendants. 671 const CLASS_BASE_INIT: Option< 672 unsafe extern "C" fn(klass: *mut ObjectClass, data: *const c_void), 673 > = None; 674 675 const TYPE_INFO: TypeInfo = TypeInfo { 676 name: Self::TYPE_NAME.as_ptr(), 677 parent: Self::ParentType::TYPE_NAME.as_ptr(), 678 instance_size: core::mem::size_of::<Self>(), 679 instance_align: core::mem::align_of::<Self>(), 680 instance_init: match Self::INSTANCE_INIT { 681 None => None, 682 Some(_) => Some(rust_instance_init::<Self>), 683 }, 684 instance_post_init: match Self::INSTANCE_POST_INIT { 685 None => None, 686 Some(_) => Some(rust_instance_post_init::<Self>), 687 }, 688 instance_finalize: Some(drop_object::<Self>), 689 abstract_: Self::ABSTRACT, 690 class_size: core::mem::size_of::<Self::Class>(), 691 class_init: Some(rust_class_init::<Self>), 692 class_base_init: Self::CLASS_BASE_INIT, 693 class_data: core::ptr::null(), 694 interfaces: core::ptr::null(), 695 }; 696 697 // methods on ObjectClass 698 const UNPARENT: Option<fn(&Self)> = None; 699 700 /// Store into the argument the virtual method implementations 701 /// for `Self`. On entry, the virtual method pointers are set to 702 /// the default values coming from the parent classes; the function 703 /// can change them to override virtual methods of a parent class. 704 /// 705 /// Usually defined simply as `Self::Class::class_init::<Self>`; 706 /// however a default implementation cannot be included here, because the 707 /// bounds that the `Self::Class::class_init` method places on `Self` are 708 /// not known in advance. 709 /// 710 /// # Safety 711 /// 712 /// While `klass`'s parent class is initialized on entry, the other fields 713 /// are all zero; it is therefore assumed that all fields in `T` can be 714 /// zeroed, otherwise it would not be possible to provide the class as a 715 /// `&mut T`. TODO: it may be possible to add an unsafe trait that checks 716 /// that all fields *after the parent class* (but not the parent class 717 /// itself) are Zeroable. This unsafe trait can be added via a derive 718 /// macro. 719 const CLASS_INIT: fn(&mut Self::Class); 720 } 721 722 /// # Safety 723 /// 724 /// We expect the FFI user of this function to pass a valid pointer that 725 /// can be downcasted to type `T`. We also expect the device is 726 /// readable/writeable from one thread at any time. 727 unsafe extern "C" fn rust_unparent_fn<T: ObjectImpl>(dev: *mut bindings::Object) { 728 let state = NonNull::new(dev).unwrap().cast::<T>(); 729 T::UNPARENT.unwrap()(unsafe { state.as_ref() }); 730 } 731 732 impl ObjectClass { 733 /// Fill in the virtual methods of `ObjectClass` based on the definitions in 734 /// the `ObjectImpl` trait. 735 pub fn class_init<T: ObjectImpl>(&mut self) { 736 if <T as ObjectImpl>::UNPARENT.is_some() { 737 self.unparent = Some(rust_unparent_fn::<T>); 738 } 739 } 740 } 741 742 unsafe impl ObjectType for Object { 743 type Class = ObjectClass; 744 const TYPE_NAME: &'static CStr = 745 unsafe { CStr::from_bytes_with_nul_unchecked(bindings::TYPE_OBJECT) }; 746 } 747 748 /// A reference-counted pointer to a QOM object. 749 /// 750 /// `Owned<T>` wraps `T` with automatic reference counting. It increases the 751 /// reference count when created via [`Owned::from`] or cloned, and decreases 752 /// it when dropped. This ensures that the reference count remains elevated 753 /// as long as any `Owned<T>` references to it exist. 754 /// 755 /// `Owned<T>` can be used for two reasons: 756 /// * because the lifetime of the QOM object is unknown and someone else could 757 /// take a reference (similar to `Arc<T>`, for example): in this case, the 758 /// object can escape and outlive the Rust struct that contains the `Owned<T>` 759 /// field; 760 /// 761 /// * to ensure that the object stays alive until after `Drop::drop` is called 762 /// on the Rust struct: in this case, the object will always die together with 763 /// the Rust struct that contains the `Owned<T>` field. 764 /// 765 /// Child properties are an example of the second case: in C, an object that 766 /// is created with `object_initialize_child` will die *before* 767 /// `instance_finalize` is called, whereas Rust expects the struct to have valid 768 /// contents when `Drop::drop` is called. Therefore Rust structs that have 769 /// child properties need to keep a reference to the child object. Right now 770 /// this can be done with `Owned<T>`; in the future one might have a separate 771 /// `Child<'parent, T>` smart pointer that keeps a reference to a `T`, like 772 /// `Owned`, but does not allow cloning. 773 /// 774 /// Note that dropping an `Owned<T>` requires the big QEMU lock to be taken. 775 #[repr(transparent)] 776 #[derive(PartialEq, Eq, Hash, PartialOrd, Ord)] 777 pub struct Owned<T: ObjectType>(NonNull<T>); 778 779 // The following rationale for safety is taken from Linux's kernel::sync::Arc. 780 781 // SAFETY: It is safe to send `Owned<T>` to another thread when the underlying 782 // `T` is `Sync` because it effectively means sharing `&T` (which is safe 783 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any 784 // thread that has an `Owned<T>` may ultimately access `T` using a 785 // mutable reference when the reference count reaches zero and `T` is dropped. 786 unsafe impl<T: ObjectType + Send + Sync> Send for Owned<T> {} 787 788 // SAFETY: It is safe to send `&Owned<T>` to another thread when the underlying 789 // `T` is `Sync` because it effectively means sharing `&T` (which is safe 790 // because `T` is `Sync`); additionally, it needs `T` to be `Send` because any 791 // thread that has a `&Owned<T>` may clone it and get an `Owned<T>` on that 792 // thread, so the thread may ultimately access `T` using a mutable reference 793 // when the reference count reaches zero and `T` is dropped. 794 unsafe impl<T: ObjectType + Sync + Send> Sync for Owned<T> {} 795 796 impl<T: ObjectType> Owned<T> { 797 /// Convert a raw C pointer into an owned reference to the QOM 798 /// object it points to. The object's reference count will be 799 /// decreased when the `Owned` is dropped. 800 /// 801 /// # Panics 802 /// 803 /// Panics if `ptr` is NULL. 804 /// 805 /// # Safety 806 /// 807 /// The caller must indeed own a reference to the QOM object. 808 /// The object must not be embedded in another unless the outer 809 /// object is guaranteed to have a longer lifetime. 810 /// 811 /// A raw pointer obtained via [`Owned::into_raw()`] can always be passed 812 /// back to `from_raw()` (assuming the original `Owned` was valid!), 813 /// since the owned reference remains there between the calls to 814 /// `into_raw()` and `from_raw()`. 815 pub unsafe fn from_raw(ptr: *const T) -> Self { 816 // SAFETY NOTE: while NonNull requires a mutable pointer, only 817 // Deref is implemented so the pointer passed to from_raw 818 // remains const 819 Owned(NonNull::new(ptr.cast_mut()).unwrap()) 820 } 821 822 /// Obtain a raw C pointer from a reference. `src` is consumed 823 /// and the reference is leaked. 824 #[allow(clippy::missing_const_for_fn)] 825 pub fn into_raw(src: Owned<T>) -> *mut T { 826 let src = ManuallyDrop::new(src); 827 src.0.as_ptr() 828 } 829 830 /// Increase the reference count of a QOM object and return 831 /// a new owned reference to it. 832 /// 833 /// # Safety 834 /// 835 /// The object must not be embedded in another, unless the outer 836 /// object is guaranteed to have a longer lifetime. 837 pub unsafe fn from(obj: &T) -> Self { 838 unsafe { 839 object_ref(obj.as_object_mut_ptr().cast::<c_void>()); 840 841 // SAFETY NOTE: while NonNull requires a mutable pointer, only 842 // Deref is implemented so the reference passed to from_raw 843 // remains shared 844 Owned(NonNull::new_unchecked(obj.as_mut_ptr())) 845 } 846 } 847 } 848 849 impl<T: ObjectType> Clone for Owned<T> { 850 fn clone(&self) -> Self { 851 // SAFETY: creation method is unsafe; whoever calls it has 852 // responsibility that the pointer is valid, and remains valid 853 // throughout the lifetime of the `Owned<T>` and its clones. 854 unsafe { Owned::from(self.deref()) } 855 } 856 } 857 858 impl<T: ObjectType> Deref for Owned<T> { 859 type Target = T; 860 861 fn deref(&self) -> &Self::Target { 862 // SAFETY: creation method is unsafe; whoever calls it has 863 // responsibility that the pointer is valid, and remains valid 864 // throughout the lifetime of the `Owned<T>` and its clones. 865 // With that guarantee, reference counting ensures that 866 // the object remains alive. 867 unsafe { &*self.0.as_ptr() } 868 } 869 } 870 impl<T: ObjectType> ObjectDeref for Owned<T> {} 871 872 impl<T: ObjectType> Drop for Owned<T> { 873 fn drop(&mut self) { 874 assert!(bql_locked()); 875 // SAFETY: creation method is unsafe, and whoever calls it has 876 // responsibility that the pointer is valid, and remains valid 877 // throughout the lifetime of the `Owned<T>` and its clones. 878 unsafe { 879 object_unref(self.as_object_mut_ptr().cast::<c_void>()); 880 } 881 } 882 } 883 884 impl<T: IsA<Object>> fmt::Debug for Owned<T> { 885 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 886 self.deref().debug_fmt(f) 887 } 888 } 889 890 /// Trait for class methods exposed by the Object class. The methods can be 891 /// called on all objects that have the trait `IsA<Object>`. 892 /// 893 /// The trait should only be used through the blanket implementation, 894 /// which guarantees safety via `IsA` 895 pub trait ObjectClassMethods: IsA<Object> { 896 /// Return a new reference counted instance of this class 897 fn new() -> Owned<Self> { 898 assert!(bql_locked()); 899 // SAFETY: the object created by object_new is allocated on 900 // the heap and has a reference count of 1 901 unsafe { 902 let raw_obj = object_new(Self::TYPE_NAME.as_ptr()); 903 let obj = Object::from_raw(raw_obj).unsafe_cast::<Self>(); 904 Owned::from_raw(obj) 905 } 906 } 907 } 908 909 /// Trait for methods exposed by the Object class. The methods can be 910 /// called on all objects that have the trait `IsA<Object>`. 911 /// 912 /// The trait should only be used through the blanket implementation, 913 /// which guarantees safety via `IsA` 914 pub trait ObjectMethods: ObjectDeref 915 where 916 Self::Target: IsA<Object>, 917 { 918 /// Return the name of the type of `self` 919 fn typename(&self) -> std::borrow::Cow<'_, str> { 920 let obj = self.upcast::<Object>(); 921 // SAFETY: safety of this is the requirement for implementing IsA 922 // The result of the C API has static lifetime 923 unsafe { 924 let p = object_get_typename(obj.as_mut_ptr()); 925 CStr::from_ptr(p).to_string_lossy() 926 } 927 } 928 929 fn get_class(&self) -> &'static <Self::Target as ObjectType>::Class { 930 let obj = self.upcast::<Object>(); 931 932 // SAFETY: all objects can call object_get_class; the actual class 933 // type is guaranteed by the implementation of `ObjectType` and 934 // `ObjectImpl`. 935 let klass: &'static <Self::Target as ObjectType>::Class = 936 unsafe { &*object_get_class(obj.as_mut_ptr()).cast() }; 937 938 klass 939 } 940 941 /// Convenience function for implementing the Debug trait 942 fn debug_fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 943 f.debug_tuple(&self.typename()) 944 .field(&(self as *const Self)) 945 .finish() 946 } 947 } 948 949 impl<T> ObjectClassMethods for T where T: IsA<Object> {} 950 impl<R: ObjectDeref> ObjectMethods for R where R::Target: IsA<Object> {} 951