1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267

//! Corundum Markers
//! 
use crate::stm::Journal;
use crate::alloc::MemPool;
use std::task::Poll;
use std::task::Context;
use std::pin::Pin;
use std::ops::{Deref, DerefMut};
use std::future::Future;
use std::panic::{RefUnwindSafe, UnwindSafe};
use std::cell::UnsafeCell;
use std::fmt;

/// It marks the implementing type to be free of pointers to the volatile heap,
/// and persistence safe.
///
/// Also, every type that allows interior mutability is not safe in persistence
/// terms, because there might be no log of the value. Atomic types are
/// persistence safe, even though they provide interior mutability.
/// 
/// # Limitation
/// 
/// Function pointers are not completely prevented. Due to Rust's limitation on
/// declaring generic pointers to functions without exact number of arguments,
/// we manually limit all pointers to functions with up to 32 arguments. Function
/// pointers with a number of arguments beyond 32 are inevitably allowed.
/// 
#[rustc_on_unimplemented(
    message = "`{Self}` is not safe to be stored in persistent memory",
    label = "`{Self}` is not safe to be stored in persistent memory"
)]
pub unsafe auto trait PSafe {}

impl<T: ?Sized> !PSafe for *const T {}
impl<T: ?Sized> !PSafe for *mut T {}
impl<T> !PSafe for &T {}
impl<T> !PSafe for &mut T {}
impl !PSafe for std::fs::File {}

impl<R> !PSafe for fn()->R {}

macro_rules! not_safe {
    ($($a:ident),*) => {
        impl<$($a),* , R> !PSafe for fn($($a),*)->R {}
    };
}

not_safe!(A1);
not_safe!(A1,A2);
not_safe!(A1,A2,A3);
not_safe!(A1,A2,A3,A4);
not_safe!(A1,A2,A3,A4,A5);
not_safe!(A1,A2,A3,A4,A5,A6);
not_safe!(A1,A2,A3,A4,A5,A6,A7);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27,A28);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27,A28,A29);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27,A28,A29,A30);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27,A28,A29,A30,A31);
not_safe!(A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,A20,A21,A22,A23,A24,A25,A26,A27,A28,A29,A30,A31,A32);

/// `UnsafeCell` is marked as PSafe because it exposes interior mutability
/// without taking a log, which is unsafe from persistence perspective.
impl<T: ?Sized> !PSafe for UnsafeCell<T> {}

/// It marks the implementing type to be safe crossing transaction boundaries
///
/// Types that implement this trait may go in/out of a transaction. This
/// guarantees no cross-pool referencing.
#[rustc_on_unimplemented(
    message = "`{Self}` cannot be sent out of a transaction safely",
    label = "`{Self}` cannot be sent out of a transaction safely"
)]
pub unsafe auto trait TxOutSafe {}

impl<T: ?Sized> !TxOutSafe for *const T {}
impl<T: ?Sized> !TxOutSafe for *mut T {}
impl<T: ?Sized> !TxOutSafe for &mut T {}
impl<T: ?Sized> !TxOutSafe for UnsafeCell<T> {}

unsafe impl TxOutSafe for String {}
unsafe impl<T> TxOutSafe for std::thread::JoinHandle<T> {}
unsafe impl<T> TxOutSafe for Vec<std::thread::JoinHandle<T>> {}

/// It is equal to UnwindSafe, but is used to ensure doubly that mutable
/// references cannot go inside a transaction.
///
/// # Safety
///
/// The user can safely specify a type as `UnwindSafe`, but `TxInSafe` is
/// unsafe to implement. This warns the programmer that the non-existence
/// of orphans is not guaranteed anymore.
#[rustc_on_unimplemented(
    message = "`{Self}` cannot be sent to a transaction safely",
    label = "`{Self}` cannot be sent to a transaction safely"
)]
pub unsafe auto trait TxInSafe {}

/// The implementing type can be asserted [`TxInSafe`] albeit being `!TxInSafe`
/// by using [`AssertTxInSafe`](./struct.AssertTxInSafe.html).
/// 
/// [`TxInSafe`]: ./trait.TxInSafe.html
#[rustc_on_unimplemented(
    message = "`{Self}` cannot be asserted as `TxInSafe`",
    label = "`{Self}` cannot be asserted as `TxInSafe`"
)]
pub unsafe auto trait LooseTxInUnsafe {}

/// Any type is okay to be transferred to a transaction
unsafe impl LooseTxInUnsafe for dyn std::any::Any {}
unsafe impl<'a, T> LooseTxInUnsafe for &'a mut T {}
unsafe impl<T> LooseTxInUnsafe for *const T {}
unsafe impl<T> LooseTxInUnsafe for *mut T {}

/// A simple wrapper around a type to assert that it is safe to go in a
/// transaction.
///
/// When using [`transaction`] it may be the case that some of the closed over
/// variables are not [`TxInSafe`] safe. For example if `&mut T` is captured the
/// compiler will generate a warning indicating that it is not [`TxInSafe`]. It
/// may not be the case, however, that this is actually a problem due to the
/// specific usage of [`transaction`] if transaction inward safety is
/// specifically taken into account. This wrapper struct is useful for a quick
/// and lightweight annotation that a variable is indeed [`TxInSafe`] at the
/// programmer's responsibilities. The `Journal` object cannot be wrapped by 
/// `AssertTxInSafe` to make sure no inter-pool pointer can be made.
///
/// # Examples
/// 
/// You may wrap individual captures, as shown below. This ensures that if a new
/// capture is added which is not [`TxInSafe`], you will get a compilation error
/// at that time, which will allow you to consider whether that new capture in
/// fact represent a bug or not. 
///
/// ```
/// use corundum::alloc::heap::*;
/// use corundum::AssertTxInSafe;
///
/// let mut variable = 4;
/// let other_capture = 3;
///
/// let result = {
///     let mut wrapper = AssertTxInSafe(&mut variable);
///     Heap::transaction(move |_| {
///         **wrapper += other_capture;
///     })
/// };
/// 
/// assert_eq!(variable, 7);
/// // ...
/// ```
/// 
/// [`transaction`]: ./stm/fn.transaction.html
/// [`TxInSafe`]: ./trait.TxInSafe.html
pub struct AssertTxInSafe<T>(pub T);

impl<T: ?Sized> !TxInSafe for *mut T {}
impl<T: ?Sized> !TxInSafe for &mut T {}
impl<T: ?Sized> !TxInSafe for UnsafeCell<T> {}
impl<T: LooseTxInUnsafe> UnwindSafe for AssertTxInSafe<T> {}
impl<T: LooseTxInUnsafe> RefUnwindSafe for AssertTxInSafe<T> {}
unsafe impl<T: LooseTxInUnsafe> TxInSafe for AssertTxInSafe<T> {}

impl<T: LooseTxInUnsafe> Deref for AssertTxInSafe<T> {
    type Target = T;

    fn deref(&self) -> &T {
        &self.0
    }
}

impl<T: LooseTxInUnsafe> DerefMut for AssertTxInSafe<T> {
    fn deref_mut(&mut self) -> &mut T {
        &mut self.0
    }
}

impl<R, P: MemPool, F> FnOnce<(&'static Journal<P>,)> for AssertTxInSafe<F>
where
    R: TxOutSafe,
    F: FnOnce(&'static Journal<P>) -> R
{
    type Output = R;

    #[inline]
    extern "rust-call" fn call_once(self, args: (&'static Journal<P>,)) -> R  
    {
        (self.0)(args.0)
    }
}

impl<T: fmt::Debug + LooseTxInUnsafe> fmt::Debug for AssertTxInSafe<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_tuple("AssertTxInSafe").field(&self.0).finish()
    }
}

impl<F: Future + LooseTxInUnsafe> Future for AssertTxInSafe<F> {
    type Output = F::Output;

    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
        let pinned_field = unsafe { Pin::map_unchecked_mut(self, |x| &mut x.0) };
        F::poll(pinned_field, cx)
    }
}

/// Safe to be stored in volatile memory useful in `VCell` type to prevent
/// storing persistent pointers in [`VCell`](./cell/struct.VCell.html)
#[rustc_on_unimplemented(
    message = "`{Self}` is not safe to be stored in volatile memory",
    label = "`{Self}` is not safe to be stored in volatile memory"
)]
pub unsafe auto trait VSafe {}

unsafe impl<T: ?Sized> VSafe for *const T {}
unsafe impl<T: ?Sized> VSafe for *mut T {}
unsafe impl<T: ?Sized> VSafe for &T {}
unsafe impl<T: ?Sized> VSafe for &mut T {}

/// Safe to be sent to another thread
/// 
/// This marker is used to allow [`Parc`] to be sent to another thread only if
/// it is wrapped in a [`VWeak`]. The [`Parc`] is not [`Send`] to prevent
/// escaping a newly allocated instance of it from a transaction.
/// 
/// [`Parc`]: ../sync/struct.Parc.html
/// [`Send`]: ../trait.Send.html
/// [`VWeak`]: ../sync/struct.VWeak.html
#[rustc_on_unimplemented(
    message = "`{Self}` cannot be sent to a another thread safely",
    label = "`{Self}` cannot be sent to a another thread safely"
)]
pub unsafe auto trait PSend {}



#[derive(Default)]
#[allow(non_camel_case_types)]
pub struct c_void {}

impl Copy for c_void {}
impl Clone for c_void { 
    fn clone(&self) -> Self { Self { } }
}

impl<P: MemPool> crate::clone::PClone<P> for c_void {
    fn pclone(&self, _: &Journal<P>) -> Self { Self { } }
}