1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Implementation of [`Vec`]. 4 5 use super::{ 6 allocator::{KVmalloc, Kmalloc, Vmalloc, VmallocPageIter}, 7 layout::ArrayLayout, 8 AllocError, Allocator, Box, Flags, 9 }; 10 use crate::{ 11 fmt, 12 page::AsPageIter, 13 }; 14 use core::{ 15 borrow::{Borrow, BorrowMut}, 16 marker::PhantomData, 17 mem::{ManuallyDrop, MaybeUninit}, 18 ops::Deref, 19 ops::DerefMut, 20 ops::Index, 21 ops::IndexMut, 22 ptr, 23 ptr::NonNull, 24 slice, 25 slice::SliceIndex, 26 }; 27 28 mod errors; 29 pub use self::errors::{InsertError, PushError, RemoveError}; 30 31 /// Create a [`KVec`] containing the arguments. 32 /// 33 /// New memory is allocated with `GFP_KERNEL`. 34 /// 35 /// # Examples 36 /// 37 /// ``` 38 /// let mut v = kernel::kvec![]; 39 /// v.push(1, GFP_KERNEL)?; 40 /// assert_eq!(v, [1]); 41 /// 42 /// let mut v = kernel::kvec![1; 3]?; 43 /// v.push(4, GFP_KERNEL)?; 44 /// assert_eq!(v, [1, 1, 1, 4]); 45 /// 46 /// let mut v = kernel::kvec![1, 2, 3]?; 47 /// v.push(4, GFP_KERNEL)?; 48 /// assert_eq!(v, [1, 2, 3, 4]); 49 /// 50 /// # Ok::<(), Error>(()) 51 /// ``` 52 #[macro_export] 53 macro_rules! kvec { 54 () => ( 55 $crate::alloc::KVec::new() 56 ); 57 ($elem:expr; $n:expr) => ( 58 $crate::alloc::KVec::from_elem($elem, $n, GFP_KERNEL) 59 ); 60 ($($x:expr),+ $(,)?) => ( 61 match $crate::alloc::KBox::new_uninit(GFP_KERNEL) { 62 Ok(b) => Ok($crate::alloc::KVec::from($crate::alloc::KBox::write(b, [$($x),+]))), 63 Err(e) => Err(e), 64 } 65 ); 66 } 67 68 /// The kernel's [`Vec`] type. 69 /// 70 /// A contiguous growable array type with contents allocated with the kernel's allocators (e.g. 71 /// [`Kmalloc`], [`Vmalloc`] or [`KVmalloc`]), written `Vec<T, A>`. 72 /// 73 /// For non-zero-sized values, a [`Vec`] will use the given allocator `A` for its allocation. For 74 /// the most common allocators the type aliases [`KVec`], [`VVec`] and [`KVVec`] exist. 75 /// 76 /// For zero-sized types the [`Vec`]'s pointer must be `dangling_mut::<T>`; no memory is allocated. 77 /// 78 /// Generally, [`Vec`] consists of a pointer that represents the vector's backing buffer, the 79 /// capacity of the vector (the number of elements that currently fit into the vector), its length 80 /// (the number of elements that are currently stored in the vector) and the `Allocator` type used 81 /// to allocate (and free) the backing buffer. 82 /// 83 /// A [`Vec`] can be deconstructed into and (re-)constructed from its previously named raw parts 84 /// and manually modified. 85 /// 86 /// [`Vec`]'s backing buffer gets, if required, automatically increased (re-allocated) when elements 87 /// are added to the vector. 88 /// 89 /// # Invariants 90 /// 91 /// - `self.ptr` is always properly aligned and either points to memory allocated with `A` or, for 92 /// zero-sized types, is a dangling, well aligned pointer. 93 /// 94 /// - `self.len` always represents the exact number of elements stored in the vector. 95 /// 96 /// - `self.layout` represents the absolute number of elements that can be stored within the vector 97 /// without re-allocation. For ZSTs `self.layout`'s capacity is zero. However, it is legal for the 98 /// backing buffer to be larger than `layout`. 99 /// 100 /// - `self.len()` is always less than or equal to `self.capacity()`. 101 /// 102 /// - The `Allocator` type `A` of the vector is the exact same `Allocator` type the backing buffer 103 /// was allocated with (and must be freed with). 104 pub struct Vec<T, A: Allocator> { 105 ptr: NonNull<T>, 106 /// Represents the actual buffer size as `cap` times `size_of::<T>` bytes. 107 /// 108 /// Note: This isn't quite the same as `Self::capacity`, which in contrast returns the number of 109 /// elements we can still store without reallocating. 110 layout: ArrayLayout<T>, 111 len: usize, 112 _p: PhantomData<A>, 113 } 114 115 /// Type alias for [`Vec`] with a [`Kmalloc`] allocator. 116 /// 117 /// # Examples 118 /// 119 /// ``` 120 /// let mut v = KVec::new(); 121 /// v.push(1, GFP_KERNEL)?; 122 /// assert_eq!(&v, &[1]); 123 /// 124 /// # Ok::<(), Error>(()) 125 /// ``` 126 pub type KVec<T> = Vec<T, Kmalloc>; 127 128 /// Type alias for [`Vec`] with a [`Vmalloc`] allocator. 129 /// 130 /// # Examples 131 /// 132 /// ``` 133 /// let mut v = VVec::new(); 134 /// v.push(1, GFP_KERNEL)?; 135 /// assert_eq!(&v, &[1]); 136 /// 137 /// # Ok::<(), Error>(()) 138 /// ``` 139 pub type VVec<T> = Vec<T, Vmalloc>; 140 141 /// Type alias for [`Vec`] with a [`KVmalloc`] allocator. 142 /// 143 /// # Examples 144 /// 145 /// ``` 146 /// let mut v = KVVec::new(); 147 /// v.push(1, GFP_KERNEL)?; 148 /// assert_eq!(&v, &[1]); 149 /// 150 /// # Ok::<(), Error>(()) 151 /// ``` 152 pub type KVVec<T> = Vec<T, KVmalloc>; 153 154 // SAFETY: `Vec` is `Send` if `T` is `Send` because `Vec` owns its elements. 155 unsafe impl<T, A> Send for Vec<T, A> 156 where 157 T: Send, 158 A: Allocator, 159 { 160 } 161 162 // SAFETY: `Vec` is `Sync` if `T` is `Sync` because `Vec` owns its elements. 163 unsafe impl<T, A> Sync for Vec<T, A> 164 where 165 T: Sync, 166 A: Allocator, 167 { 168 } 169 170 impl<T, A> Vec<T, A> 171 where 172 A: Allocator, 173 { 174 #[inline] 175 const fn is_zst() -> bool { 176 core::mem::size_of::<T>() == 0 177 } 178 179 /// Returns the number of elements that can be stored within the vector without allocating 180 /// additional memory. 181 pub const fn capacity(&self) -> usize { 182 if const { Self::is_zst() } { 183 usize::MAX 184 } else { 185 self.layout.len() 186 } 187 } 188 189 /// Returns the number of elements stored within the vector. 190 #[inline] 191 pub const fn len(&self) -> usize { 192 self.len 193 } 194 195 /// Increments `self.len` by `additional`. 196 /// 197 /// # Safety 198 /// 199 /// - `additional` must be less than or equal to `self.capacity - self.len`. 200 /// - All elements within the interval [`self.len`,`self.len + additional`) must be initialized. 201 #[inline] 202 pub const unsafe fn inc_len(&mut self, additional: usize) { 203 // Guaranteed by the type invariant to never underflow. 204 debug_assert!(additional <= self.capacity() - self.len()); 205 // INVARIANT: By the safety requirements of this method this represents the exact number of 206 // elements stored within `self`. 207 self.len += additional; 208 } 209 210 /// Decreases `self.len` by `count`. 211 /// 212 /// Returns a mutable slice to the elements forgotten by the vector. It is the caller's 213 /// responsibility to drop these elements if necessary. 214 /// 215 /// # Safety 216 /// 217 /// - `count` must be less than or equal to `self.len`. 218 unsafe fn dec_len(&mut self, count: usize) -> &mut [T] { 219 debug_assert!(count <= self.len()); 220 // INVARIANT: We relinquish ownership of the elements within the range `[self.len - count, 221 // self.len)`, hence the updated value of `set.len` represents the exact number of elements 222 // stored within `self`. 223 self.len -= count; 224 // SAFETY: The memory after `self.len()` is guaranteed to contain `count` initialized 225 // elements of type `T`. 226 unsafe { slice::from_raw_parts_mut(self.as_mut_ptr().add(self.len), count) } 227 } 228 229 /// Returns a slice of the entire vector. 230 /// 231 /// # Examples 232 /// 233 /// ``` 234 /// let mut v = KVec::new(); 235 /// v.push(1, GFP_KERNEL)?; 236 /// v.push(2, GFP_KERNEL)?; 237 /// assert_eq!(v.as_slice(), &[1, 2]); 238 /// # Ok::<(), Error>(()) 239 /// ``` 240 #[inline] 241 pub fn as_slice(&self) -> &[T] { 242 self 243 } 244 245 /// Returns a mutable slice of the entire vector. 246 #[inline] 247 pub fn as_mut_slice(&mut self) -> &mut [T] { 248 self 249 } 250 251 /// Returns a mutable raw pointer to the vector's backing buffer, or, if `T` is a ZST, a 252 /// dangling raw pointer. 253 #[inline] 254 pub fn as_mut_ptr(&mut self) -> *mut T { 255 self.ptr.as_ptr() 256 } 257 258 /// Returns a raw pointer to the vector's backing buffer, or, if `T` is a ZST, a dangling raw 259 /// pointer. 260 #[inline] 261 pub const fn as_ptr(&self) -> *const T { 262 self.ptr.as_ptr() 263 } 264 265 /// Returns `true` if the vector contains no elements, `false` otherwise. 266 /// 267 /// # Examples 268 /// 269 /// ``` 270 /// let mut v = KVec::new(); 271 /// assert!(v.is_empty()); 272 /// 273 /// v.push(1, GFP_KERNEL); 274 /// assert!(!v.is_empty()); 275 /// ``` 276 #[inline] 277 pub const fn is_empty(&self) -> bool { 278 self.len() == 0 279 } 280 281 /// Creates a new, empty `Vec<T, A>`. 282 /// 283 /// This method does not allocate by itself. 284 #[inline] 285 pub const fn new() -> Self { 286 // INVARIANT: Since this is a new, empty `Vec` with no backing memory yet, 287 // - `ptr` is a properly aligned dangling pointer for type `T`, 288 // - `layout` is an empty `ArrayLayout` (zero capacity) 289 // - `len` is zero, since no elements can be or have been stored, 290 // - `A` is always valid. 291 Self { 292 ptr: NonNull::dangling(), 293 layout: ArrayLayout::empty(), 294 len: 0, 295 _p: PhantomData::<A>, 296 } 297 } 298 299 /// Returns a slice of `MaybeUninit<T>` for the remaining spare capacity of the vector. 300 pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit<T>] { 301 // SAFETY: 302 // - `self.len` is smaller than `self.capacity` by the type invariant and hence, the 303 // resulting pointer is guaranteed to be part of the same allocated object. 304 // - `self.len` can not overflow `isize`. 305 let ptr = unsafe { self.as_mut_ptr().add(self.len) }.cast::<MaybeUninit<T>>(); 306 307 // SAFETY: The memory between `self.len` and `self.capacity` is guaranteed to be allocated 308 // and valid, but uninitialized. 309 unsafe { slice::from_raw_parts_mut(ptr, self.capacity() - self.len) } 310 } 311 312 /// Appends an element to the back of the [`Vec`] instance. 313 /// 314 /// # Examples 315 /// 316 /// ``` 317 /// let mut v = KVec::new(); 318 /// v.push(1, GFP_KERNEL)?; 319 /// assert_eq!(&v, &[1]); 320 /// 321 /// v.push(2, GFP_KERNEL)?; 322 /// assert_eq!(&v, &[1, 2]); 323 /// # Ok::<(), Error>(()) 324 /// ``` 325 pub fn push(&mut self, v: T, flags: Flags) -> Result<(), AllocError> { 326 self.reserve(1, flags)?; 327 // SAFETY: The call to `reserve` was successful, so the capacity is at least one greater 328 // than the length. 329 unsafe { self.push_within_capacity_unchecked(v) }; 330 Ok(()) 331 } 332 333 /// Appends an element to the back of the [`Vec`] instance without reallocating. 334 /// 335 /// Fails if the vector does not have capacity for the new element. 336 /// 337 /// # Examples 338 /// 339 /// ``` 340 /// let mut v = KVec::with_capacity(10, GFP_KERNEL)?; 341 /// for i in 0..10 { 342 /// v.push_within_capacity(i)?; 343 /// } 344 /// 345 /// assert!(v.push_within_capacity(10).is_err()); 346 /// # Ok::<(), Error>(()) 347 /// ``` 348 pub fn push_within_capacity(&mut self, v: T) -> Result<(), PushError<T>> { 349 if self.len() < self.capacity() { 350 // SAFETY: The length is less than the capacity. 351 unsafe { self.push_within_capacity_unchecked(v) }; 352 Ok(()) 353 } else { 354 Err(PushError(v)) 355 } 356 } 357 358 /// Appends an element to the back of the [`Vec`] instance without reallocating. 359 /// 360 /// # Safety 361 /// 362 /// The length must be less than the capacity. 363 unsafe fn push_within_capacity_unchecked(&mut self, v: T) { 364 let spare = self.spare_capacity_mut(); 365 366 // SAFETY: By the safety requirements, `spare` is non-empty. 367 unsafe { spare.get_unchecked_mut(0) }.write(v); 368 369 // SAFETY: We just initialised the first spare entry, so it is safe to increase the length 370 // by 1. We also know that the new length is <= capacity because the caller guarantees that 371 // the length is less than the capacity at the beginning of this function. 372 unsafe { self.inc_len(1) }; 373 } 374 375 /// Inserts an element at the given index in the [`Vec`] instance. 376 /// 377 /// Fails if the vector does not have capacity for the new element. Panics if the index is out 378 /// of bounds. 379 /// 380 /// # Examples 381 /// 382 /// ``` 383 /// use kernel::alloc::kvec::InsertError; 384 /// 385 /// let mut v = KVec::with_capacity(5, GFP_KERNEL)?; 386 /// for i in 0..5 { 387 /// v.insert_within_capacity(0, i)?; 388 /// } 389 /// 390 /// assert!(matches!(v.insert_within_capacity(0, 5), Err(InsertError::OutOfCapacity(_)))); 391 /// assert!(matches!(v.insert_within_capacity(1000, 5), Err(InsertError::IndexOutOfBounds(_)))); 392 /// assert_eq!(v, [4, 3, 2, 1, 0]); 393 /// # Ok::<(), Error>(()) 394 /// ``` 395 pub fn insert_within_capacity( 396 &mut self, 397 index: usize, 398 element: T, 399 ) -> Result<(), InsertError<T>> { 400 let len = self.len(); 401 if index > len { 402 return Err(InsertError::IndexOutOfBounds(element)); 403 } 404 405 if len >= self.capacity() { 406 return Err(InsertError::OutOfCapacity(element)); 407 } 408 409 // SAFETY: This is in bounds since `index <= len < capacity`. 410 let p = unsafe { self.as_mut_ptr().add(index) }; 411 // INVARIANT: This breaks the Vec invariants by making `index` contain an invalid element, 412 // but we restore the invariants below. 413 // SAFETY: Both the src and dst ranges end no later than one element after the length. 414 // Since the length is less than the capacity, both ranges are in bounds of the allocation. 415 unsafe { ptr::copy(p, p.add(1), len - index) }; 416 // INVARIANT: This restores the Vec invariants. 417 // SAFETY: The pointer is in-bounds of the allocation. 418 unsafe { ptr::write(p, element) }; 419 // SAFETY: Index `len` contains a valid element due to the above copy and write. 420 unsafe { self.inc_len(1) }; 421 Ok(()) 422 } 423 424 /// Removes the last element from a vector and returns it, or `None` if it is empty. 425 /// 426 /// # Examples 427 /// 428 /// ``` 429 /// let mut v = KVec::new(); 430 /// v.push(1, GFP_KERNEL)?; 431 /// v.push(2, GFP_KERNEL)?; 432 /// assert_eq!(&v, &[1, 2]); 433 /// 434 /// assert_eq!(v.pop(), Some(2)); 435 /// assert_eq!(v.pop(), Some(1)); 436 /// assert_eq!(v.pop(), None); 437 /// # Ok::<(), Error>(()) 438 /// ``` 439 pub fn pop(&mut self) -> Option<T> { 440 if self.is_empty() { 441 return None; 442 } 443 444 let removed: *mut T = { 445 // SAFETY: We just checked that the length is at least one. 446 let slice = unsafe { self.dec_len(1) }; 447 // SAFETY: The argument to `dec_len` was 1 so this returns a slice of length 1. 448 unsafe { slice.get_unchecked_mut(0) } 449 }; 450 451 // SAFETY: The guarantees of `dec_len` allow us to take ownership of this value. 452 Some(unsafe { removed.read() }) 453 } 454 455 /// Removes the element at the given index. 456 /// 457 /// # Examples 458 /// 459 /// ``` 460 /// let mut v = kernel::kvec![1, 2, 3]?; 461 /// assert_eq!(v.remove(1)?, 2); 462 /// assert_eq!(v, [1, 3]); 463 /// # Ok::<(), Error>(()) 464 /// ``` 465 pub fn remove(&mut self, i: usize) -> Result<T, RemoveError> { 466 let value = { 467 let value_ref = self.get(i).ok_or(RemoveError)?; 468 // INVARIANT: This breaks the invariants by invalidating the value at index `i`, but we 469 // restore the invariants below. 470 // SAFETY: The value at index `i` is valid, because otherwise we would have already 471 // failed with `RemoveError`. 472 unsafe { ptr::read(value_ref) } 473 }; 474 475 // SAFETY: We checked that `i` is in-bounds. 476 let p = unsafe { self.as_mut_ptr().add(i) }; 477 478 // INVARIANT: After this call, the invalid value is at the last slot, so the Vec invariants 479 // are restored after the below call to `dec_len(1)`. 480 // SAFETY: `p.add(1).add(self.len - i - 1)` is `i+1+len-i-1 == len` elements after the 481 // beginning of the vector, so this is in-bounds of the vector's allocation. 482 unsafe { ptr::copy(p.add(1), p, self.len - i - 1) }; 483 484 // SAFETY: Since the check at the beginning of this call did not fail with `RemoveError`, 485 // the length is at least one. 486 unsafe { self.dec_len(1) }; 487 488 Ok(value) 489 } 490 491 /// Creates a new [`Vec`] instance with at least the given capacity. 492 /// 493 /// # Examples 494 /// 495 /// ``` 496 /// let v = KVec::<u32>::with_capacity(20, GFP_KERNEL)?; 497 /// 498 /// assert!(v.capacity() >= 20); 499 /// # Ok::<(), Error>(()) 500 /// ``` 501 pub fn with_capacity(capacity: usize, flags: Flags) -> Result<Self, AllocError> { 502 let mut v = Vec::new(); 503 504 v.reserve(capacity, flags)?; 505 506 Ok(v) 507 } 508 509 /// Creates a `Vec<T, A>` from a pointer, a length and a capacity using the allocator `A`. 510 /// 511 /// # Examples 512 /// 513 /// ``` 514 /// let mut v = kernel::kvec![1, 2, 3]?; 515 /// v.reserve(1, GFP_KERNEL)?; 516 /// 517 /// let (mut ptr, mut len, cap) = v.into_raw_parts(); 518 /// 519 /// // SAFETY: We've just reserved memory for another element. 520 /// unsafe { ptr.add(len).write(4) }; 521 /// len += 1; 522 /// 523 /// // SAFETY: We only wrote an additional element at the end of the `KVec`'s buffer and 524 /// // correspondingly increased the length of the `KVec` by one. Otherwise, we construct it 525 /// // from the exact same raw parts. 526 /// let v = unsafe { KVec::from_raw_parts(ptr, len, cap) }; 527 /// 528 /// assert_eq!(v, [1, 2, 3, 4]); 529 /// 530 /// # Ok::<(), Error>(()) 531 /// ``` 532 /// 533 /// # Safety 534 /// 535 /// If `T` is a ZST: 536 /// 537 /// - `ptr` must be a dangling, well aligned pointer. 538 /// 539 /// Otherwise: 540 /// 541 /// - `ptr` must have been allocated with the allocator `A`. 542 /// - `ptr` must satisfy or exceed the alignment requirements of `T`. 543 /// - `ptr` must point to memory with a size of at least `size_of::<T>() * capacity` bytes. 544 /// - The allocated size in bytes must not be larger than `isize::MAX`. 545 /// - `length` must be less than or equal to `capacity`. 546 /// - The first `length` elements must be initialized values of type `T`. 547 /// 548 /// It is also valid to create an empty `Vec` passing a dangling pointer for `ptr` and zero for 549 /// `cap` and `len`. 550 pub unsafe fn from_raw_parts(ptr: *mut T, length: usize, capacity: usize) -> Self { 551 let layout = if Self::is_zst() { 552 ArrayLayout::empty() 553 } else { 554 // SAFETY: By the safety requirements of this function, `capacity * size_of::<T>()` is 555 // smaller than `isize::MAX`. 556 unsafe { ArrayLayout::new_unchecked(capacity) } 557 }; 558 559 // INVARIANT: For ZSTs, we store an empty `ArrayLayout`, all other type invariants are 560 // covered by the safety requirements of this function. 561 Self { 562 // SAFETY: By the safety requirements, `ptr` is either dangling or pointing to a valid 563 // memory allocation, allocated with `A`. 564 ptr: unsafe { NonNull::new_unchecked(ptr) }, 565 layout, 566 len: length, 567 _p: PhantomData::<A>, 568 } 569 } 570 571 /// Consumes the `Vec<T, A>` and returns its raw components `pointer`, `length` and `capacity`. 572 /// 573 /// This will not run the destructor of the contained elements and for non-ZSTs the allocation 574 /// will stay alive indefinitely. Use [`Vec::from_raw_parts`] to recover the [`Vec`], drop the 575 /// elements and free the allocation, if any. 576 pub fn into_raw_parts(self) -> (*mut T, usize, usize) { 577 let mut me = ManuallyDrop::new(self); 578 let len = me.len(); 579 let capacity = me.capacity(); 580 let ptr = me.as_mut_ptr(); 581 (ptr, len, capacity) 582 } 583 584 /// Clears the vector, removing all values. 585 /// 586 /// Note that this method has no effect on the allocated capacity 587 /// of the vector. 588 /// 589 /// # Examples 590 /// 591 /// ``` 592 /// let mut v = kernel::kvec![1, 2, 3]?; 593 /// 594 /// v.clear(); 595 /// 596 /// assert!(v.is_empty()); 597 /// # Ok::<(), Error>(()) 598 /// ``` 599 #[inline] 600 pub fn clear(&mut self) { 601 self.truncate(0); 602 } 603 604 /// Ensures that the capacity exceeds the length by at least `additional` elements. 605 /// 606 /// # Examples 607 /// 608 /// ``` 609 /// let mut v = KVec::new(); 610 /// v.push(1, GFP_KERNEL)?; 611 /// 612 /// v.reserve(10, GFP_KERNEL)?; 613 /// let cap = v.capacity(); 614 /// assert!(cap >= 10); 615 /// 616 /// v.reserve(10, GFP_KERNEL)?; 617 /// let new_cap = v.capacity(); 618 /// assert_eq!(new_cap, cap); 619 /// 620 /// # Ok::<(), Error>(()) 621 /// ``` 622 pub fn reserve(&mut self, additional: usize, flags: Flags) -> Result<(), AllocError> { 623 let len = self.len(); 624 let cap = self.capacity(); 625 626 if cap - len >= additional { 627 return Ok(()); 628 } 629 630 if Self::is_zst() { 631 // The capacity is already `usize::MAX` for ZSTs, we can't go higher. 632 return Err(AllocError); 633 } 634 635 // We know that `cap <= isize::MAX` because of the type invariants of `Self`. So the 636 // multiplication by two won't overflow. 637 let new_cap = core::cmp::max(cap * 2, len.checked_add(additional).ok_or(AllocError)?); 638 let layout = ArrayLayout::new(new_cap).map_err(|_| AllocError)?; 639 640 // SAFETY: 641 // - `ptr` is valid because it's either `None` or comes from a previous call to 642 // `A::realloc`. 643 // - `self.layout` matches the `ArrayLayout` of the preceding allocation. 644 let ptr = unsafe { 645 A::realloc( 646 Some(self.ptr.cast()), 647 layout.into(), 648 self.layout.into(), 649 flags, 650 )? 651 }; 652 653 // INVARIANT: 654 // - `layout` is some `ArrayLayout::<T>`, 655 // - `ptr` has been created by `A::realloc` from `layout`. 656 self.ptr = ptr.cast(); 657 self.layout = layout; 658 659 Ok(()) 660 } 661 662 /// Shortens the vector, setting the length to `len` and drops the removed values. 663 /// If `len` is greater than or equal to the current length, this does nothing. 664 /// 665 /// This has no effect on the capacity and will not allocate. 666 /// 667 /// # Examples 668 /// 669 /// ``` 670 /// let mut v = kernel::kvec![1, 2, 3]?; 671 /// v.truncate(1); 672 /// assert_eq!(v.len(), 1); 673 /// assert_eq!(&v, &[1]); 674 /// 675 /// # Ok::<(), Error>(()) 676 /// ``` 677 pub fn truncate(&mut self, len: usize) { 678 if let Some(count) = self.len().checked_sub(len) { 679 // SAFETY: `count` is `self.len() - len` so it is guaranteed to be less than or 680 // equal to `self.len()`. 681 let ptr: *mut [T] = unsafe { self.dec_len(count) }; 682 683 // SAFETY: the contract of `dec_len` guarantees that the elements in `ptr` are 684 // valid elements whose ownership has been transferred to the caller. 685 unsafe { ptr::drop_in_place(ptr) }; 686 } 687 } 688 689 /// Takes ownership of all items in this vector without consuming the allocation. 690 /// 691 /// # Examples 692 /// 693 /// ``` 694 /// let mut v = kernel::kvec![0, 1, 2, 3]?; 695 /// 696 /// for (i, j) in v.drain_all().enumerate() { 697 /// assert_eq!(i, j); 698 /// } 699 /// 700 /// assert!(v.capacity() >= 4); 701 /// # Ok::<(), Error>(()) 702 /// ``` 703 pub fn drain_all(&mut self) -> DrainAll<'_, T> { 704 // SAFETY: This does not underflow the length. 705 let elems = unsafe { self.dec_len(self.len()) }; 706 // INVARIANT: The first `len` elements of the spare capacity are valid values, and as we 707 // just set the length to zero, we may transfer ownership to the `DrainAll` object. 708 DrainAll { 709 elements: elems.iter_mut(), 710 } 711 } 712 713 /// Removes all elements that don't match the provided closure. 714 /// 715 /// # Examples 716 /// 717 /// ``` 718 /// let mut v = kernel::kvec![1, 2, 3, 4]?; 719 /// v.retain(|i| *i % 2 == 0); 720 /// assert_eq!(v, [2, 4]); 721 /// # Ok::<(), Error>(()) 722 /// ``` 723 pub fn retain(&mut self, mut f: impl FnMut(&mut T) -> bool) { 724 let mut num_kept = 0; 725 let mut next_to_check = 0; 726 while let Some(to_check) = self.get_mut(next_to_check) { 727 if f(to_check) { 728 self.swap(num_kept, next_to_check); 729 num_kept += 1; 730 } 731 next_to_check += 1; 732 } 733 self.truncate(num_kept); 734 } 735 } 736 737 impl<T: Clone, A: Allocator> Vec<T, A> { 738 /// Extend the vector by `n` clones of `value`. 739 pub fn extend_with(&mut self, n: usize, value: T, flags: Flags) -> Result<(), AllocError> { 740 if n == 0 { 741 return Ok(()); 742 } 743 744 self.reserve(n, flags)?; 745 746 let spare = self.spare_capacity_mut(); 747 748 for item in spare.iter_mut().take(n - 1) { 749 item.write(value.clone()); 750 } 751 752 // We can write the last element directly without cloning needlessly. 753 spare[n - 1].write(value); 754 755 // SAFETY: 756 // - `self.len() + n < self.capacity()` due to the call to reserve above, 757 // - the loop and the line above initialized the next `n` elements. 758 unsafe { self.inc_len(n) }; 759 760 Ok(()) 761 } 762 763 /// Pushes clones of the elements of slice into the [`Vec`] instance. 764 /// 765 /// # Examples 766 /// 767 /// ``` 768 /// let mut v = KVec::new(); 769 /// v.push(1, GFP_KERNEL)?; 770 /// 771 /// v.extend_from_slice(&[20, 30, 40], GFP_KERNEL)?; 772 /// assert_eq!(&v, &[1, 20, 30, 40]); 773 /// 774 /// v.extend_from_slice(&[50, 60], GFP_KERNEL)?; 775 /// assert_eq!(&v, &[1, 20, 30, 40, 50, 60]); 776 /// # Ok::<(), Error>(()) 777 /// ``` 778 pub fn extend_from_slice(&mut self, other: &[T], flags: Flags) -> Result<(), AllocError> { 779 self.reserve(other.len(), flags)?; 780 for (slot, item) in core::iter::zip(self.spare_capacity_mut(), other) { 781 slot.write(item.clone()); 782 } 783 784 // SAFETY: 785 // - `other.len()` spare entries have just been initialized, so it is safe to increase 786 // the length by the same number. 787 // - `self.len() + other.len() <= self.capacity()` is guaranteed by the preceding `reserve` 788 // call. 789 unsafe { self.inc_len(other.len()) }; 790 Ok(()) 791 } 792 793 /// Create a new `Vec<T, A>` and extend it by `n` clones of `value`. 794 pub fn from_elem(value: T, n: usize, flags: Flags) -> Result<Self, AllocError> { 795 let mut v = Self::with_capacity(n, flags)?; 796 797 v.extend_with(n, value, flags)?; 798 799 Ok(v) 800 } 801 802 /// Resizes the [`Vec`] so that `len` is equal to `new_len`. 803 /// 804 /// If `new_len` is smaller than `len`, the `Vec` is [`Vec::truncate`]d. 805 /// If `new_len` is larger, each new slot is filled with clones of `value`. 806 /// 807 /// # Examples 808 /// 809 /// ``` 810 /// let mut v = kernel::kvec![1, 2, 3]?; 811 /// v.resize(1, 42, GFP_KERNEL)?; 812 /// assert_eq!(&v, &[1]); 813 /// 814 /// v.resize(3, 42, GFP_KERNEL)?; 815 /// assert_eq!(&v, &[1, 42, 42]); 816 /// 817 /// # Ok::<(), Error>(()) 818 /// ``` 819 pub fn resize(&mut self, new_len: usize, value: T, flags: Flags) -> Result<(), AllocError> { 820 match new_len.checked_sub(self.len()) { 821 Some(n) => self.extend_with(n, value, flags), 822 None => { 823 self.truncate(new_len); 824 Ok(()) 825 } 826 } 827 } 828 } 829 830 impl<T, A> Drop for Vec<T, A> 831 where 832 A: Allocator, 833 { 834 fn drop(&mut self) { 835 // SAFETY: `self.as_mut_ptr` is guaranteed to be valid by the type invariant. 836 unsafe { 837 ptr::drop_in_place(core::ptr::slice_from_raw_parts_mut( 838 self.as_mut_ptr(), 839 self.len, 840 )) 841 }; 842 843 // SAFETY: 844 // - `self.ptr` was previously allocated with `A`. 845 // - `self.layout` matches the `ArrayLayout` of the preceding allocation. 846 unsafe { A::free(self.ptr.cast(), self.layout.into()) }; 847 } 848 } 849 850 impl<T, A, const N: usize> From<Box<[T; N], A>> for Vec<T, A> 851 where 852 A: Allocator, 853 { 854 fn from(b: Box<[T; N], A>) -> Vec<T, A> { 855 let len = b.len(); 856 let ptr = Box::into_raw(b); 857 858 // SAFETY: 859 // - `b` has been allocated with `A`, 860 // - `ptr` fulfills the alignment requirements for `T`, 861 // - `ptr` points to memory with at least a size of `size_of::<T>() * len`, 862 // - all elements within `b` are initialized values of `T`, 863 // - `len` does not exceed `isize::MAX`. 864 unsafe { Vec::from_raw_parts(ptr.cast(), len, len) } 865 } 866 } 867 868 impl<T, A: Allocator> Default for Vec<T, A> { 869 #[inline] 870 fn default() -> Self { 871 Self::new() 872 } 873 } 874 875 impl<T: fmt::Debug, A: Allocator> fmt::Debug for Vec<T, A> { 876 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 877 fmt::Debug::fmt(&**self, f) 878 } 879 } 880 881 impl<T, A> Deref for Vec<T, A> 882 where 883 A: Allocator, 884 { 885 type Target = [T]; 886 887 #[inline] 888 fn deref(&self) -> &[T] { 889 // SAFETY: The memory behind `self.as_ptr()` is guaranteed to contain `self.len` 890 // initialized elements of type `T`. 891 unsafe { slice::from_raw_parts(self.as_ptr(), self.len) } 892 } 893 } 894 895 impl<T, A> DerefMut for Vec<T, A> 896 where 897 A: Allocator, 898 { 899 #[inline] 900 fn deref_mut(&mut self) -> &mut [T] { 901 // SAFETY: The memory behind `self.as_ptr()` is guaranteed to contain `self.len` 902 // initialized elements of type `T`. 903 unsafe { slice::from_raw_parts_mut(self.as_mut_ptr(), self.len) } 904 } 905 } 906 907 /// # Examples 908 /// 909 /// ``` 910 /// # use core::borrow::Borrow; 911 /// struct Foo<B: Borrow<[u32]>>(B); 912 /// 913 /// // Owned array. 914 /// let owned_array = Foo([1, 2, 3]); 915 /// 916 /// // Owned vector. 917 /// let owned_vec = Foo(KVec::from_elem(0, 3, GFP_KERNEL)?); 918 /// 919 /// let arr = [1, 2, 3]; 920 /// // Borrowed slice from `arr`. 921 /// let borrowed_slice = Foo(&arr[..]); 922 /// # Ok::<(), Error>(()) 923 /// ``` 924 impl<T, A> Borrow<[T]> for Vec<T, A> 925 where 926 A: Allocator, 927 { 928 fn borrow(&self) -> &[T] { 929 self.as_slice() 930 } 931 } 932 933 /// # Examples 934 /// 935 /// ``` 936 /// # use core::borrow::BorrowMut; 937 /// struct Foo<B: BorrowMut<[u32]>>(B); 938 /// 939 /// // Owned array. 940 /// let owned_array = Foo([1, 2, 3]); 941 /// 942 /// // Owned vector. 943 /// let owned_vec = Foo(KVec::from_elem(0, 3, GFP_KERNEL)?); 944 /// 945 /// let mut arr = [1, 2, 3]; 946 /// // Borrowed slice from `arr`. 947 /// let borrowed_slice = Foo(&mut arr[..]); 948 /// # Ok::<(), Error>(()) 949 /// ``` 950 impl<T, A> BorrowMut<[T]> for Vec<T, A> 951 where 952 A: Allocator, 953 { 954 fn borrow_mut(&mut self) -> &mut [T] { 955 self.as_mut_slice() 956 } 957 } 958 959 impl<T: Eq, A> Eq for Vec<T, A> where A: Allocator {} 960 961 impl<T, I: SliceIndex<[T]>, A> Index<I> for Vec<T, A> 962 where 963 A: Allocator, 964 { 965 type Output = I::Output; 966 967 #[inline] 968 fn index(&self, index: I) -> &Self::Output { 969 Index::index(&**self, index) 970 } 971 } 972 973 impl<T, I: SliceIndex<[T]>, A> IndexMut<I> for Vec<T, A> 974 where 975 A: Allocator, 976 { 977 #[inline] 978 fn index_mut(&mut self, index: I) -> &mut Self::Output { 979 IndexMut::index_mut(&mut **self, index) 980 } 981 } 982 983 macro_rules! impl_slice_eq { 984 ($([$($vars:tt)*] $lhs:ty, $rhs:ty,)*) => { 985 $( 986 impl<T, U, $($vars)*> PartialEq<$rhs> for $lhs 987 where 988 T: PartialEq<U>, 989 { 990 #[inline] 991 fn eq(&self, other: &$rhs) -> bool { self[..] == other[..] } 992 } 993 )* 994 } 995 } 996 997 impl_slice_eq! { 998 [A1: Allocator, A2: Allocator] Vec<T, A1>, Vec<U, A2>, 999 [A: Allocator] Vec<T, A>, &[U], 1000 [A: Allocator] Vec<T, A>, &mut [U], 1001 [A: Allocator] &[T], Vec<U, A>, 1002 [A: Allocator] &mut [T], Vec<U, A>, 1003 [A: Allocator] Vec<T, A>, [U], 1004 [A: Allocator] [T], Vec<U, A>, 1005 [A: Allocator, const N: usize] Vec<T, A>, [U; N], 1006 [A: Allocator, const N: usize] Vec<T, A>, &[U; N], 1007 } 1008 1009 impl<'a, T, A> IntoIterator for &'a Vec<T, A> 1010 where 1011 A: Allocator, 1012 { 1013 type Item = &'a T; 1014 type IntoIter = slice::Iter<'a, T>; 1015 1016 fn into_iter(self) -> Self::IntoIter { 1017 self.iter() 1018 } 1019 } 1020 1021 impl<'a, T, A: Allocator> IntoIterator for &'a mut Vec<T, A> 1022 where 1023 A: Allocator, 1024 { 1025 type Item = &'a mut T; 1026 type IntoIter = slice::IterMut<'a, T>; 1027 1028 fn into_iter(self) -> Self::IntoIter { 1029 self.iter_mut() 1030 } 1031 } 1032 1033 /// # Examples 1034 /// 1035 /// ``` 1036 /// # use kernel::prelude::*; 1037 /// use kernel::alloc::allocator::VmallocPageIter; 1038 /// use kernel::page::{AsPageIter, PAGE_SIZE}; 1039 /// 1040 /// let mut vec = VVec::<u8>::new(); 1041 /// 1042 /// assert!(vec.page_iter().next().is_none()); 1043 /// 1044 /// vec.reserve(PAGE_SIZE, GFP_KERNEL)?; 1045 /// 1046 /// let page = vec.page_iter().next().expect("At least one page should be available.\n"); 1047 /// 1048 /// // SAFETY: There is no concurrent read or write to the same page. 1049 /// unsafe { page.fill_zero_raw(0, PAGE_SIZE)? }; 1050 /// # Ok::<(), Error>(()) 1051 /// ``` 1052 impl<T> AsPageIter for VVec<T> { 1053 type Iter<'a> 1054 = VmallocPageIter<'a> 1055 where 1056 T: 'a; 1057 1058 fn page_iter(&mut self) -> Self::Iter<'_> { 1059 let ptr = self.ptr.cast(); 1060 let size = self.layout.size(); 1061 1062 // SAFETY: 1063 // - `ptr` is a valid pointer to the beginning of a `Vmalloc` allocation. 1064 // - `ptr` is guaranteed to be valid for the lifetime of `'a`. 1065 // - `size` is the size of the `Vmalloc` allocation `ptr` points to. 1066 unsafe { VmallocPageIter::new(ptr, size) } 1067 } 1068 } 1069 1070 /// An [`Iterator`] implementation for [`Vec`] that moves elements out of a vector. 1071 /// 1072 /// This structure is created by the [`Vec::into_iter`] method on [`Vec`] (provided by the 1073 /// [`IntoIterator`] trait). 1074 /// 1075 /// # Examples 1076 /// 1077 /// ``` 1078 /// let v = kernel::kvec![0, 1, 2]?; 1079 /// let iter = v.into_iter(); 1080 /// 1081 /// # Ok::<(), Error>(()) 1082 /// ``` 1083 pub struct IntoIter<T, A: Allocator> { 1084 ptr: *mut T, 1085 buf: NonNull<T>, 1086 len: usize, 1087 layout: ArrayLayout<T>, 1088 _p: PhantomData<A>, 1089 } 1090 1091 impl<T, A> IntoIter<T, A> 1092 where 1093 A: Allocator, 1094 { 1095 fn into_raw_parts(self) -> (*mut T, NonNull<T>, usize, usize) { 1096 let me = ManuallyDrop::new(self); 1097 let ptr = me.ptr; 1098 let buf = me.buf; 1099 let len = me.len; 1100 let cap = me.layout.len(); 1101 (ptr, buf, len, cap) 1102 } 1103 1104 /// Same as `Iterator::collect` but specialized for `Vec`'s `IntoIter`. 1105 /// 1106 /// # Examples 1107 /// 1108 /// ``` 1109 /// let v = kernel::kvec![1, 2, 3]?; 1110 /// let mut it = v.into_iter(); 1111 /// 1112 /// assert_eq!(it.next(), Some(1)); 1113 /// 1114 /// let v = it.collect(GFP_KERNEL); 1115 /// assert_eq!(v, [2, 3]); 1116 /// 1117 /// # Ok::<(), Error>(()) 1118 /// ``` 1119 /// 1120 /// # Implementation details 1121 /// 1122 /// Currently, we can't implement `FromIterator`. There are a couple of issues with this trait 1123 /// in the kernel, namely: 1124 /// 1125 /// - Rust's specialization feature is unstable. This prevents us to optimize for the special 1126 /// case where `I::IntoIter` equals `Vec`'s `IntoIter` type. 1127 /// - We also can't use `I::IntoIter`'s type ID either to work around this, since `FromIterator` 1128 /// doesn't require this type to be `'static`. 1129 /// - `FromIterator::from_iter` does return `Self` instead of `Result<Self, AllocError>`, hence 1130 /// we can't properly handle allocation failures. 1131 /// - Neither `Iterator::collect` nor `FromIterator::from_iter` can handle additional allocation 1132 /// flags. 1133 /// 1134 /// Instead, provide `IntoIter::collect`, such that we can at least convert a `IntoIter` into a 1135 /// `Vec` again. 1136 /// 1137 /// Note that `IntoIter::collect` doesn't require `Flags`, since it re-uses the existing backing 1138 /// buffer. However, this backing buffer may be shrunk to the actual count of elements. 1139 pub fn collect(self, flags: Flags) -> Vec<T, A> { 1140 let old_layout = self.layout; 1141 let (mut ptr, buf, len, mut cap) = self.into_raw_parts(); 1142 let has_advanced = ptr != buf.as_ptr(); 1143 1144 if has_advanced { 1145 // Copy the contents we have advanced to at the beginning of the buffer. 1146 // 1147 // SAFETY: 1148 // - `ptr` is valid for reads of `len * size_of::<T>()` bytes, 1149 // - `buf.as_ptr()` is valid for writes of `len * size_of::<T>()` bytes, 1150 // - `ptr` and `buf.as_ptr()` are not be subject to aliasing restrictions relative to 1151 // each other, 1152 // - both `ptr` and `buf.ptr()` are properly aligned. 1153 unsafe { ptr::copy(ptr, buf.as_ptr(), len) }; 1154 ptr = buf.as_ptr(); 1155 1156 // SAFETY: `len` is guaranteed to be smaller than `self.layout.len()` by the type 1157 // invariant. 1158 let layout = unsafe { ArrayLayout::<T>::new_unchecked(len) }; 1159 1160 // SAFETY: `buf` points to the start of the backing buffer and `len` is guaranteed by 1161 // the type invariant to be smaller than `cap`. Depending on `realloc` this operation 1162 // may shrink the buffer or leave it as it is. 1163 ptr = match unsafe { 1164 A::realloc(Some(buf.cast()), layout.into(), old_layout.into(), flags) 1165 } { 1166 // If we fail to shrink, which likely can't even happen, continue with the existing 1167 // buffer. 1168 Err(_) => ptr, 1169 Ok(ptr) => { 1170 cap = len; 1171 ptr.as_ptr().cast() 1172 } 1173 }; 1174 } 1175 1176 // SAFETY: If the iterator has been advanced, the advanced elements have been copied to 1177 // the beginning of the buffer and `len` has been adjusted accordingly. 1178 // 1179 // - `ptr` is guaranteed to point to the start of the backing buffer. 1180 // - `cap` is either the original capacity or, after shrinking the buffer, equal to `len`. 1181 // - `alloc` is guaranteed to be unchanged since `into_iter` has been called on the original 1182 // `Vec`. 1183 unsafe { Vec::from_raw_parts(ptr, len, cap) } 1184 } 1185 } 1186 1187 impl<T, A> Iterator for IntoIter<T, A> 1188 where 1189 A: Allocator, 1190 { 1191 type Item = T; 1192 1193 /// # Examples 1194 /// 1195 /// ``` 1196 /// let v = kernel::kvec![1, 2, 3]?; 1197 /// let mut it = v.into_iter(); 1198 /// 1199 /// assert_eq!(it.next(), Some(1)); 1200 /// assert_eq!(it.next(), Some(2)); 1201 /// assert_eq!(it.next(), Some(3)); 1202 /// assert_eq!(it.next(), None); 1203 /// 1204 /// # Ok::<(), Error>(()) 1205 /// ``` 1206 fn next(&mut self) -> Option<T> { 1207 if self.len == 0 { 1208 return None; 1209 } 1210 1211 let current = self.ptr; 1212 1213 // SAFETY: We can't overflow; decreasing `self.len` by one every time we advance `self.ptr` 1214 // by one guarantees that. 1215 unsafe { self.ptr = self.ptr.add(1) }; 1216 1217 self.len -= 1; 1218 1219 // SAFETY: `current` is guaranteed to point at a valid element within the buffer. 1220 Some(unsafe { current.read() }) 1221 } 1222 1223 /// # Examples 1224 /// 1225 /// ``` 1226 /// let v: KVec<u32> = kernel::kvec![1, 2, 3]?; 1227 /// let mut iter = v.into_iter(); 1228 /// let size = iter.size_hint().0; 1229 /// 1230 /// iter.next(); 1231 /// assert_eq!(iter.size_hint().0, size - 1); 1232 /// 1233 /// iter.next(); 1234 /// assert_eq!(iter.size_hint().0, size - 2); 1235 /// 1236 /// iter.next(); 1237 /// assert_eq!(iter.size_hint().0, size - 3); 1238 /// 1239 /// # Ok::<(), Error>(()) 1240 /// ``` 1241 fn size_hint(&self) -> (usize, Option<usize>) { 1242 (self.len, Some(self.len)) 1243 } 1244 } 1245 1246 impl<T, A> Drop for IntoIter<T, A> 1247 where 1248 A: Allocator, 1249 { 1250 fn drop(&mut self) { 1251 // SAFETY: `self.ptr` is guaranteed to be valid by the type invariant. 1252 unsafe { ptr::drop_in_place(ptr::slice_from_raw_parts_mut(self.ptr, self.len)) }; 1253 1254 // SAFETY: 1255 // - `self.buf` was previously allocated with `A`. 1256 // - `self.layout` matches the `ArrayLayout` of the preceding allocation. 1257 unsafe { A::free(self.buf.cast(), self.layout.into()) }; 1258 } 1259 } 1260 1261 impl<T, A> IntoIterator for Vec<T, A> 1262 where 1263 A: Allocator, 1264 { 1265 type Item = T; 1266 type IntoIter = IntoIter<T, A>; 1267 1268 /// Consumes the `Vec<T, A>` and creates an `Iterator`, which moves each value out of the 1269 /// vector (from start to end). 1270 /// 1271 /// # Examples 1272 /// 1273 /// ``` 1274 /// let v = kernel::kvec![1, 2]?; 1275 /// let mut v_iter = v.into_iter(); 1276 /// 1277 /// let first_element: Option<u32> = v_iter.next(); 1278 /// 1279 /// assert_eq!(first_element, Some(1)); 1280 /// assert_eq!(v_iter.next(), Some(2)); 1281 /// assert_eq!(v_iter.next(), None); 1282 /// 1283 /// # Ok::<(), Error>(()) 1284 /// ``` 1285 /// 1286 /// ``` 1287 /// let v = kernel::kvec![]; 1288 /// let mut v_iter = v.into_iter(); 1289 /// 1290 /// let first_element: Option<u32> = v_iter.next(); 1291 /// 1292 /// assert_eq!(first_element, None); 1293 /// 1294 /// # Ok::<(), Error>(()) 1295 /// ``` 1296 #[inline] 1297 fn into_iter(self) -> Self::IntoIter { 1298 let buf = self.ptr; 1299 let layout = self.layout; 1300 let (ptr, len, _) = self.into_raw_parts(); 1301 1302 IntoIter { 1303 ptr, 1304 buf, 1305 len, 1306 layout, 1307 _p: PhantomData::<A>, 1308 } 1309 } 1310 } 1311 1312 /// An iterator that owns all items in a vector, but does not own its allocation. 1313 /// 1314 /// # Invariants 1315 /// 1316 /// Every `&mut T` returned by the iterator references a `T` that the iterator may take ownership 1317 /// of. 1318 pub struct DrainAll<'vec, T> { 1319 elements: slice::IterMut<'vec, T>, 1320 } 1321 1322 impl<'vec, T> Iterator for DrainAll<'vec, T> { 1323 type Item = T; 1324 1325 fn next(&mut self) -> Option<T> { 1326 let elem: *mut T = self.elements.next()?; 1327 // SAFETY: By the type invariants, we may take ownership of this value. 1328 Some(unsafe { elem.read() }) 1329 } 1330 1331 fn size_hint(&self) -> (usize, Option<usize>) { 1332 self.elements.size_hint() 1333 } 1334 } 1335 1336 impl<'vec, T> Drop for DrainAll<'vec, T> { 1337 fn drop(&mut self) { 1338 if core::mem::needs_drop::<T>() { 1339 let iter = core::mem::take(&mut self.elements); 1340 let ptr: *mut [T] = iter.into_slice(); 1341 // SAFETY: By the type invariants, we own these values so we may destroy them. 1342 unsafe { ptr::drop_in_place(ptr) }; 1343 } 1344 } 1345 } 1346 1347 #[macros::kunit_tests(rust_kvec)] 1348 mod tests { 1349 use super::*; 1350 use crate::prelude::*; 1351 1352 #[test] 1353 fn test_kvec_retain() { 1354 /// Verify correctness for one specific function. 1355 #[expect(clippy::needless_range_loop)] 1356 fn verify(c: &[bool]) { 1357 let mut vec1: KVec<usize> = KVec::with_capacity(c.len(), GFP_KERNEL).unwrap(); 1358 let mut vec2: KVec<usize> = KVec::with_capacity(c.len(), GFP_KERNEL).unwrap(); 1359 1360 for i in 0..c.len() { 1361 vec1.push_within_capacity(i).unwrap(); 1362 if c[i] { 1363 vec2.push_within_capacity(i).unwrap(); 1364 } 1365 } 1366 1367 vec1.retain(|i| c[*i]); 1368 1369 assert_eq!(vec1, vec2); 1370 } 1371 1372 /// Add one to a binary integer represented as a boolean array. 1373 fn add(value: &mut [bool]) { 1374 let mut carry = true; 1375 for v in value { 1376 let new_v = carry != *v; 1377 carry = carry && *v; 1378 *v = new_v; 1379 } 1380 } 1381 1382 // This boolean array represents a function from index to boolean. We check that `retain` 1383 // behaves correctly for all possible boolean arrays of every possible length less than 1384 // ten. 1385 let mut func = KVec::with_capacity(10, GFP_KERNEL).unwrap(); 1386 for len in 0..10 { 1387 for _ in 0u32..1u32 << len { 1388 verify(&func); 1389 add(&mut func); 1390 } 1391 func.push_within_capacity(false).unwrap(); 1392 } 1393 } 1394 } 1395