xref: /linux/rust/kernel/sync/aref.rs (revision 6b3f7af57881f6d6250c6dcc4d910fe8e855a607) 
1 // SPDX-License-Identifier: GPL-2.0
2 
3 //! Internal reference counting support.
4 //!
5 //! Many C types already have their own reference counting mechanism (e.g. by storing a
6 //! `refcount_t`). This module provides support for directly using their internal reference count
7 //! from Rust; instead of making users have to use an additional Rust-reference count in the form of
8 //! [`Arc`].
9 //!
10 //! The smart pointer [`ARef<T>`] acts similarly to [`Arc<T>`] in that it holds a refcount on the
11 //! underlying object, but this refcount is internal to the object. It essentially is a Rust
12 //! implementation of the `get_` and `put_` pattern used in C for reference counting.
13 //!
14 //! To make use of [`ARef<MyType>`], `MyType` needs to implement [`AlwaysRefCounted`]. It is a trait
15 //! for accessing the internal reference count of an object of the `MyType` type.
16 //!
17 //! [`Arc`]: crate::sync::Arc
18 //! [`Arc<T>`]: crate::sync::Arc
19 
20 use core::{
21     marker::PhantomData,
22     mem::ManuallyDrop,
23     ops::Deref,
24     ptr::NonNull, //
25 };
26 
27 /// Types that are _always_ reference counted.
28 ///
29 /// It allows such types to define their own custom ref increment and decrement functions.
30 /// Additionally, it allows users to convert from a shared reference `&T` to an owned reference
31 /// [`ARef<T>`].
32 ///
33 /// This is usually implemented by wrappers to existing structures on the C side of the code. For
34 /// Rust code, the recommendation is to use [`Arc`](crate::sync::Arc) to create reference-counted
35 /// instances of a type.
36 ///
37 /// # Safety
38 ///
39 /// Implementers must ensure that increments to the reference count keep the object alive in memory
40 /// at least until matching decrements are performed.
41 ///
42 /// Implementers must also ensure that all instances are reference-counted. (Otherwise they
43 /// won't be able to honour the requirement that [`AlwaysRefCounted::inc_ref`] keep the object
44 /// alive.)
45 pub unsafe trait AlwaysRefCounted {
46     /// Increments the reference count on the object.
47     fn inc_ref(&self);
48 
49     /// Decrements the reference count on the object.
50     ///
51     /// Frees the object when the count reaches zero.
52     ///
53     /// # Safety
54     ///
55     /// Callers must ensure that there was a previous matching increment to the reference count,
56     /// and that the object is no longer used after its reference count is decremented (as it may
57     /// result in the object being freed), unless the caller owns another increment on the refcount
58     /// (e.g., it calls [`AlwaysRefCounted::inc_ref`] twice, then calls
59     /// [`AlwaysRefCounted::dec_ref`] once).
60     unsafe fn dec_ref(obj: NonNull<Self>);
61 }
62 
63 /// An owned reference to an always-reference-counted object.
64 ///
65 /// The object's reference count is automatically decremented when an instance of [`ARef`] is
66 /// dropped. It is also automatically incremented when a new instance is created via
67 /// [`ARef::clone`].
68 ///
69 /// # Invariants
70 ///
71 /// The pointer stored in `ptr` is non-null and valid for the lifetime of the [`ARef`] instance. In
72 /// particular, the [`ARef`] instance owns an increment on the underlying object's reference count.
73 pub struct ARef<T: AlwaysRefCounted> {
74     ptr: NonNull<T>,
75     _p: PhantomData<T>,
76 }
77 
78 // SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because
79 // it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs
80 // `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` using a
81 // mutable reference, for example, when the reference count reaches zero and `T` is dropped.
82 unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {}
83 
84 // SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync`
85 // because it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally,
86 // it needs `T` to be `Send` because any thread that has a `&ARef<T>` may clone it and get an
87 // `ARef<T>` on that thread, so the thread may ultimately access `T` using a mutable reference, for
88 // example, when the reference count reaches zero and `T` is dropped.
89 unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {}
90 
91 // Even if `T` is pinned, pointers to `T` can still move.
92 impl<T: AlwaysRefCounted> Unpin for ARef<T> {}
93 
94 impl<T: AlwaysRefCounted> ARef<T> {
95     /// Creates a new instance of [`ARef`].
96     ///
97     /// It takes over an increment of the reference count on the underlying object.
98     ///
99     /// # Safety
100     ///
101     /// Callers must ensure that the reference count was incremented at least once, and that they
102     /// are properly relinquishing one increment. That is, if there is only one increment, callers
103     /// must not use the underlying object anymore -- it is only safe to do so via the newly
104     /// created [`ARef`].
105     pub unsafe fn from_raw(ptr: NonNull<T>) -> Self {
106         // INVARIANT: The safety requirements guarantee that the new instance now owns the
107         // increment on the refcount.
108         Self {
109             ptr,
110             _p: PhantomData,
111         }
112     }
113 
114     /// Consumes the `ARef`, returning a raw pointer.
115     ///
116     /// This function does not change the refcount. After calling this function, the caller is
117     /// responsible for the refcount previously managed by the `ARef`.
118     ///
119     /// # Examples
120     ///
121     /// ```
122     /// use core::ptr::NonNull;
123     /// use kernel::sync::aref::{ARef, AlwaysRefCounted};
124     ///
125     /// struct Empty {}
126     ///
127     /// # // SAFETY: TODO.
128     /// unsafe impl AlwaysRefCounted for Empty {
129     ///     fn inc_ref(&self) {}
130     ///     unsafe fn dec_ref(_obj: NonNull<Self>) {}
131     /// }
132     ///
133     /// let mut data = Empty {};
134     /// let ptr = NonNull::<Empty>::new(&mut data).unwrap();
135     /// # // SAFETY: TODO.
136     /// let data_ref: ARef<Empty> = unsafe { ARef::from_raw(ptr) };
137     /// let raw_ptr: NonNull<Empty> = ARef::into_raw(data_ref);
138     ///
139     /// assert_eq!(ptr, raw_ptr);
140     /// ```
141     pub fn into_raw(me: Self) -> NonNull<T> {
142         ManuallyDrop::new(me).ptr
143     }
144 }
145 
146 impl<T: AlwaysRefCounted> Clone for ARef<T> {
147     fn clone(&self) -> Self {
148         self.inc_ref();
149         // SAFETY: We just incremented the refcount above.
150         unsafe { Self::from_raw(self.ptr) }
151     }
152 }
153 
154 impl<T: AlwaysRefCounted> Deref for ARef<T> {
155     type Target = T;
156 
157     fn deref(&self) -> &Self::Target {
158         // SAFETY: The type invariants guarantee that the object is valid.
159         unsafe { self.ptr.as_ref() }
160     }
161 }
162 
163 impl<T: AlwaysRefCounted> From<&T> for ARef<T> {
164     fn from(b: &T) -> Self {
165         b.inc_ref();
166         // SAFETY: We just incremented the refcount above.
167         unsafe { Self::from_raw(NonNull::from(b)) }
168     }
169 }
170 
171 impl<T: AlwaysRefCounted> Drop for ARef<T> {
172     fn drop(&mut self) {
173         // SAFETY: The type invariants guarantee that the `ARef` owns the reference we're about to
174         // decrement.
175         unsafe { T::dec_ref(self.ptr) };
176     }
177 }
178 
179 impl<T, U> PartialEq<ARef<U>> for ARef<T>
180 where
181     T: AlwaysRefCounted + PartialEq<U>,
182     U: AlwaysRefCounted,
183 {
184     #[inline]
185     fn eq(&self, other: &ARef<U>) -> bool {
186         T::eq(&**self, &**other)
187     }
188 }
189 impl<T: AlwaysRefCounted + Eq> Eq for ARef<T> {}
190 
191 impl<T, U> PartialEq<&'_ U> for ARef<T>
192 where
193     T: AlwaysRefCounted + PartialEq<U>,
194 {
195     #[inline]
196     fn eq(&self, other: &&U) -> bool {
197         T::eq(&**self, other)
198     }
199 }
200