fambox 0.2.0

FamBox data structure for ergonomically and safely using c's flexible array members
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

use crate::{FamBox, FamBoxOwned, FamHeader};
use core::{
    marker::PhantomData,
    mem::{align_of, size_of, ManuallyDrop},
    ops::ControlFlow,
    ptr::{self, NonNull},
};

/// Incremental builder for [`FamBoxOwned`] to create a [`FamBoxOwned`] one element at a time.
/** ```rust
# use core::ops::ControlFlow;
use fambox::FamBoxBuilder;
struct H(u8, [u16; 0]);
unsafe impl fambox::FamHeader for H {
    type Element = u16;

    fn fam_len(&self) -> usize {
        self.0.into()
    }
}

let ControlFlow::Continue(builder) = FamBoxBuilder::new(H(2, [])) else { unreachable!() };
let ControlFlow::Continue(builder) = builder.add_element(1) else { unreachable!() };
let ControlFlow::Break(fambox) = builder.add_element(2) else { unreachable!() };
assert_eq!(fambox.header().0, 2);
assert_eq!(fambox.fam(), [1, 2]);
```
*/
pub struct FamBoxBuilder<H: FamHeader> {
    // Pointer to start of backing buffer including fam.
    // If `None` haven't allocated yet.
    ptr: NonNull<u8>,
    // Pointer to the next location to write `H::Element`.
    next_write: NonNull<H::Element>,
    // Type markers
    ty: PhantomData<H>,
}
impl<H: FamHeader> FamBoxBuilder<H> {
    /// Create a new [`FamBoxBuilder`]. If `header.fam_len()==0` then done building and return `Break(FamBoxOwned<H>)` otherwise return `Continue(FamBoxBuilder<H>)`.
    pub fn new(header: H) -> ControlFlow<FamBoxOwned<H>, FamBoxBuilder<H>> {
        let size = header.total_size();
        let fam_len = header.fam_len();
        debug_assert!(
            size_of::<H>() <= size,
            "invalid impl: size_of::<H>() > total size"
        );
        if size == 0 {
            // Safety: Since both `H` and `H::Element` are ZST, a dangling pointer is valid for the length of `H` followed by as many `H::Element` as fit in a slice.
            return if fam_len == 0 {
                // Safety: Since both `H` and `H::Element` are ZST the buffer is full with nothing written.
                ControlFlow::Break(unsafe {
                    FamBoxBuilder::<H> {
                        ptr: NonNull::dangling(),
                        next_write: NonNull::dangling(),
                        ty: PhantomData,
                    }
                    .build()
                })
            } else {
                ControlFlow::Continue(FamBoxBuilder::<H> {
                    ptr: NonNull::dangling(),
                    next_write: NonNull::dangling(),
                    ty: PhantomData,
                })
            };
        }

        let layout =
            alloc::alloc::Layout::from_size_align(size, align_of::<H>()).expect("invalid layout");
        // Safety: `layout` is non-zero in size. Alignment of `H` matches the allocation,
        // and the following [`H::Element`] is seperated from `H` by the necessary padding as required in the `FamHeader` trait.
        let Some(ptr) = NonNull::new(unsafe { alloc::alloc::alloc(layout) }.cast::<H>()) else {
            alloc::alloc::handle_alloc_error(layout);
        };

        // Write header
        // Safety: Allocation was created so that an `H` is valid at the start of the buffer.
        unsafe { ptr.as_ptr().write(header) };
        // Already wrote header so skip the header.
        // By the `FamHeader` trait contract ptr+1 is valid for writes of `H::Element`.
        let next_write = unsafe { NonNull::new_unchecked(ptr.as_ptr().add(1)).cast() };

        // Construct `Self` so the buffer is cleaned up on panic.
        if fam_len == 0 {
            // If no elements then done
            // Safety: The buffer is full since no elements to fill and header already written.
            ControlFlow::Break(unsafe {
                FamBoxBuilder {
                    ptr: ptr.cast(),
                    next_write,
                    ty: PhantomData,
                }
                .build()
            })
        } else {
            // Otherwise still need more elements.
            ControlFlow::Continue(FamBoxBuilder {
                ptr: ptr.cast(),
                // Already wrote header so skip the header.
                // By the `FamHeader` trait contract ptr+1 is valid for `H::Element`.
                next_write,
                ty: PhantomData,
            })
        }
    }
    /// Add an element to this [`FamBoxBuilder`]. If more elements are needed return `Continue(FamBoxBuilder<H>)`, otherwise,
    /// if done building return `Break(FamBoxOwned<H>)`.
    pub fn add_element(mut self, val: H::Element) -> ControlFlow<FamBoxOwned<H>, FamBoxBuilder<H>> {
        // Safety: `next_write` is valid to write an `H::Element` otherwise [`Self`] should have
        // called `self.build()` in a previous call to [`Self::add_element()`].
        unsafe { self.next_write.as_ptr().write(val) };

        // Set next position to write.
        // Safety: Either about to be done writing and pointer will point at 1 byte past the allocation,
        // or the next position is also valid by `FamHeader` trait contract and length of the allocation.
        self.next_write = unsafe { NonNull::new_unchecked(self.next_write.as_ptr().add(1)) };

        // Safety: Beginning is valid for dereference of `H` because `H` is ZST or buffer was allocated and start intialized with `H`.
        let total_size = unsafe { self.ptr.cast::<H>().as_ref() }.total_size();
        // Both pointers have provenance over the same allocation so `as usize` for both make sense.
        if self.next_write.as_ptr() as usize - self.ptr.as_ptr() as usize == total_size {
            // Safety: The elements have been finished writing
            ControlFlow::Break(unsafe { self.build() })
        } else {
            // If more elements need writing.
            ControlFlow::Continue(self)
        }
    }
}

impl<H: FamHeader> FamBoxBuilder<H> {
    /// Create a new `FamBoxBuilder<H>`
    // Used in the crate primarily for the purpose of re-using the builder's [`Drop`] impl.
    /// # Safety
    /// - `ptr` must be a pointer to a valid `FamBoxOwned`'s buffer.
    /// - [`Self::add_element`] must not be called if constructed with this method.
    /// Like from `FamBoxOwned::leak()`.
    pub(crate) unsafe fn from_built(ptr: NonNull<H>) -> Self {
        Self {
            ptr: ptr.cast(),
            // Safety: Since the [`FamBoxOwned`] has already been built the `next_write` pointer should point to 1 byte after the end.
            // Safety: Because the ptr is to a valid FamBoxOwned the pointer points to a valid `H`.
            next_write: unsafe {
                NonNull::new_unchecked(ptr.as_ptr().byte_add(ptr.as_ref().total_size()).cast())
            },
            ty: PhantomData,
        }
    }
    /// Consume the builder and construct a new [`FamBoxOwned<H>`]
    /// # Safety
    /// - The allocated buffer must be full with the layout of one `H` followed by `[H::Element]` of length `H::fam_len()`.
    unsafe fn build(self) -> FamBoxOwned<H> {
        // Safety: Because Self::Done is true the buffer is fully initialized.
        unsafe { FamBox::from_raw(ManuallyDrop::new(self).ptr.cast()) }
    }
}
impl<H: FamHeader> Drop for FamBoxBuilder<H> {
    fn drop(&mut self) {
        // Safety: Either ptr points to a ZST and the address doesn't matter or the header was already written to `ptr` in [`Self::new()`].
        let size = unsafe { self.ptr.cast::<H>().as_ref().total_size() };
        debug_assert!(
            size_of::<H>() <= size,
            "invalid impl: size_of::<H>() > total size"
        );
        // Drop the header.
        // Safety: Either ptr points to a ZST and the address doesn't matter or the header was already written to `ptr` in [`Self::new()`].
        unsafe { ptr::drop_in_place(self.ptr.cast::<H>().as_ptr()) };
        // Safety: A pointer to the end of the header is either pointing to 1 byte past the end of the allocation or the next `H::Element`.
        let mut next_to_drop = unsafe { self.ptr.cast::<H>().as_ptr().add(1).cast::<H::Element>() };

        // Drop the fam elements
        // `next_write` points at the end of the last written element (where the next element would have gone).
        // If `H::Element` is len 0 or `H::Element` is ZST this loop won't run at all.
        while next_to_drop != self.next_write.as_ptr() {
            // Safety: All positions before `self.next_write` have already been written to as valid `H::Element`.
            unsafe { ptr::drop_in_place(next_to_drop) };
            // Safety: The next element will either be after the previous or `next_to_drop` now points to 1 byte past the allocation which matches `self.next_write`.
            next_to_drop = unsafe { next_to_drop.add(1) };
        }
        if size == 0 {
            // If nothing allocated nothing to deallocate.
            return;
        }
        // Now that the entire buffer's elements have been dropped safe to drop the buffer itself without a leak.
        let layout =
            alloc::alloc::Layout::from_size_align(size, align_of::<H>()).expect("invalid layout");
        // Safety: [`Self`] can only be created by the same underlying allocator and layout.
        // `layout` is nonzero because `size` is nonzero.
        unsafe { alloc::alloc::dealloc(self.ptr.as_ptr(), layout) };
    }
}