sem_safe 0.2.1

Safe usage of POSIX Semaphores (`sem_post`, `sem_wait`, etc).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210

#[cfg(not(target_os = "macos"))]
use core::ffi::c_int;
#[cfg(feature = "named")]
use core::marker::PhantomData;
#[cfg(all(feature = "unnamed", not(target_os = "macos")))]
use core::pin::Pin;
use core::{cell::UnsafeCell,
           fmt::{self, Debug, Display, Formatter},
           ptr};


/// Like a `sem_t *` as a borrow of a semaphore that is known to be initialized and so valid to do
/// operations on.
#[derive(Copy, Clone)]
pub struct SemaphoreRef<'l>(Kind<'l>);

#[derive(Copy, Clone)]
enum Kind<'l> {
    #[cfg(all(feature = "unnamed", not(target_os = "macos")))]
    Unnamed(Pin<&'l UnsafeCell<libc::sem_t>>),
    #[cfg(feature = "named")]
    Named(
        *mut libc::sem_t,
        // Needed for when this variant is the only variant (otherwise, there'd be an error about
        // "`'l` is never used").
        PhantomData<&'l UnsafeCell<libc::sem_t>>,
    ),
}


/// SAFETY: The POSIX Semaphores API intends for `sem_t *`, after the pointed-to instance is
/// initialized, to be shared between threads and its operations are thread-safe (similar to
/// atomic types).  Our API ensures by construction that multiple threads can only operate on a
/// `sem_t *` after initialization.  Therefore we can expose this in Rust as having "thread-safe
/// interior mutability".
unsafe impl Sync for SemaphoreRef<'_> {}
/// SAFETY: Ditto.
unsafe impl Send for SemaphoreRef<'_> {}


macro_rules! mem_sync_of_wait_et_al {
        () => {
        "\n\nThis synchronizes memory with respect to other threads on all successful calls.  \
        That is a primary use-case so that other threads' memory writes to other objects, \
        sequenced before [`Self::post()`], will be visible to the current thread \
        after returning from this.  If this returns an error, it is unspecified whether the \
        invocation causes memory to be synchronized.  (See: [POSIX's requirements](\
        https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap04.html#tag_04_15_02).)"
        }
    }

impl<'l> SemaphoreRef<'l> {
    #![cfg_attr(
        not(all(feature = "unnamed", not(target_os = "macos"))),
        allow(single_use_lifetimes)
    )]
    #[cfg(all(feature = "unnamed", not(target_os = "macos")))]
    /// This function is async-signal-safe, and so it's safe for this to be called from a signal
    /// handler.
    ///
    /// # Safety
    /// The given `sem_t` must already have been initialized by `sem_init()`.  (Otherwise,
    /// becoming a `Self` would allow the operations on it when uninitialized but that would be
    /// UB.)
    pub(crate) unsafe fn unnamed(inited: Pin<&'l UnsafeCell<libc::sem_t>>) -> Self {
        Self(Kind::Unnamed(inited))
    }

    #[cfg(feature = "named")]
    /// This function is async-signal-safe, and so it's safe for this to be called from a signal
    /// handler.
    ///
    /// # Safety
    /// The given `sem_t *` must already have been initialized by `sem_open()`.  (Otherwise,
    /// becoming a `Self` would allow the operations on it when uninitialized but that would be
    /// UB.)  The semaphore referenced by `opened` must remain open for the duration of the
    /// returned `Self`.
    pub(crate) unsafe fn named(opened: *mut libc::sem_t) -> Self {
        Self(Kind::Named(opened, PhantomData))
    }

    fn raw(&self) -> *mut libc::sem_t {
        match self.0 {
            #[cfg(all(feature = "unnamed", not(target_os = "macos")))]
            Kind::Unnamed(cell) => cell.get(),
            #[cfg(feature = "named")]
            Kind::Named(ptr, _) => ptr,
        }
    }

    /// Like [`sem_post`](
    /// https://pubs.opengroup.org/onlinepubs/9799919799/functions/sem_post.html),
    /// and async-signal-safe like that.
    ///
    /// It is safe for this to be called from a signal handler.  That is a primary use-case for
    /// POSIX Semaphores versus other better synchronization APIs (which shouldn't be used in
    /// signal handlers).
    ///
    /// This synchronizes memory with respect to other threads on all successful calls.  That is a
    /// primary use-case so that memory writes to other objects, sequenced before a call to this,
    /// will be visible to other threads after returning from [`Self::wait()`] (et al).  If this
    /// returns an error, it is unspecified whether the invocation causes memory to be
    /// synchronized.  (See: [POSIX's requirements](
    /// https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap04.html#tag_04_15_02).)
    ///
    /// # Errors
    /// If `sem_post()` does.  `errno` is set to indicate the error.  Its `EINVAL` case should be
    /// impossible.
    #[inline]
    pub fn post(&self) -> Result<(), ()> {
        // SAFETY: The argument is valid, because the `Semaphore` was initialized.
        let r = unsafe { libc::sem_post(self.raw()) };
        if r == 0 {
            Ok(())
        } else {
            Err(()) // Most likely: EOVERFLOW (max value for a semaphore would be exceeded).
        }
    }

    /// Like [`sem_wait`](
    /// https://pubs.opengroup.org/onlinepubs/9799919799/functions/sem_wait.html).
    ///
    /// Might block the calling thread.
    #[doc = mem_sync_of_wait_et_al!()]
    ///
    /// # Errors
    /// If `sem_wait()` does.  `errno` is set to indicate the error.  Its `EINVAL` case should be
    /// impossible.
    #[inline]
    pub fn wait(&self) -> Result<(), ()> {
        // SAFETY: The argument is valid, because the `Semaphore` was initialized.
        let r = unsafe { libc::sem_wait(self.raw()) };
        if r == 0 {
            Ok(())
        } else {
            Err(()) // Most likely: EINTR (a signal interrupted this function).
        }
    }

    /// Like [`sem_trywait`](
    /// https://pubs.opengroup.org/onlinepubs/9799919799/functions/sem_trywait.html).
    ///
    /// Won't block the calling thread.
    #[doc = mem_sync_of_wait_et_al!()]
    ///
    /// # Errors
    /// If `sem_trywait()` does.  `errno` is set to indicate the error.  Its `EINVAL` case should
    /// be impossible.
    #[inline]
    pub fn try_wait(&self) -> Result<(), ()> {
        // SAFETY: The argument is valid, because the `Semaphore` was initialized.
        let r = unsafe { libc::sem_trywait(self.raw()) };
        if r == 0 {
            Ok(())
        } else {
            Err(()) // Most likely: EAGAIN (would block), or EINTR
        }
    }

    // TODO: `Self::timedwait` that uses `sem_timedwait`.
    // TODO?: `Self::clockwait` that uses the new `sem_clockwait`?
    // TODO: The doc-comments for those will also need `#[doc = mem_sync_of_wait_et_al!()]`.

    #[cfg(not(target_os = "macos"))]
    /// Like [`sem_getvalue`](
    /// https://pubs.opengroup.org/onlinepubs/9799919799/functions/sem_getvalue.html).
    #[must_use]
    #[inline]
    pub fn get_value(&self) -> c_int {
        let mut sval = c_int::MIN;
        // SAFETY: The arguments are valid, because the `Semaphore` was initialized.
        let r = unsafe { libc::sem_getvalue(self.raw(), &mut sval) };
        debug_assert_eq!(r, 0, "the semaphore should be valid");
        sval
    }
}


/// Compare by `sem_t *` pointer equality.
impl PartialEq for SemaphoreRef<'_> {
    #[inline]
    fn eq(&self, other: &Self) -> bool { ptr::eq(self.raw(), other.raw()) }
}

impl Eq for SemaphoreRef<'_> {}


/// Shows the `sem_t *` pointer.
impl Debug for SemaphoreRef<'_> {
    #[inline]
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        f.debug_tuple("SemaphoreRef").field(&self.raw()).finish()
    }
}

#[cfg(not(target_os = "macos"))]
/// Human-readable representation that shows the semaphore's current count value.
impl Display for SemaphoreRef<'_> {
    #[inline]
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        write!(f, "<Semaphore value:{}>", self.get_value())
    }
}

#[cfg(target_os = "macos")]
/// Human-readable representation.  Mac doesn't support getting the current count value.
impl Display for SemaphoreRef<'_> {
    #[inline]
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { write!(f, "<Semaphore inited>") }
}