winmmf 0.6.2

A mostly safe Rust wrapper around Named Shared Memory on Windows. WIP
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381

#![deny(clippy::missing_docs_in_private_items)]
#![deny(missing_docs)]
//! # States and Locks for MMFs
//!
//! These are the cursed things required to prevent you from footgunning yourself. When not using the default lock
//! implementation, you'll need to implement locking yourself. If you're down for that, good luck and read on.
//! If you're not, you can skip reading this module's documentation. Just use the `impl_lock` feature and enjoy life.
//!
//! The [`MMFLock`] trait is all you'll really care about. It tells you the things the main
//! [`MemoryMappedFile`][crate::mmf::MemoryMappedFile] wants to call so it can safely do its thing. The [`RWLock`]
//! struct provides a way to implement that stuff, as well as some sprinkled on additions of its own relevant to how
//! this lock was designed. Things to note are that any one instance of an [`RWLock`] does not do internal bookkeeping
//! to see if holds any locks itself. This means you should _never_ call the `unlock_*` functions for locks you didn't
//! request yourself. The functions are public only because they need to be implemented and called from the MMF wrapper.
//! The lock _does_ ensure it never claims a lock when it can't, e.g. no readlocks will be taken while a writelock is
//! held. This means that if you want to use MMFs in a place where several things are touching the memory at the same
//! time, you'll deal with errors. Luckily these are usually just abstractions that tell you all is well, unless things
//! go very wrong. And in that case, good luck.
//!
//! The errors in this crate still need some work. They're in active development.
//!
//! Assuming you're comfortable waiting on the locks to be claimable, [`MMFLock::spin_and_lock_read`] and
//! [`MMFLock::spin_and_lock_write`] will be your friends, as you'd only need to handle the case where you spin more
//! than what your native pointer size holds, and you should be seeing problems long before then.
//!
//! No guarantees are made about the usefulness and safety of this code, and the project maintainer is not liable for
//! any damages, be they to your PC or your (mental) health.

use std::sync::atomic::{fence, AtomicU32, Ordering};

use super::err::{Error, MMFResult};

/// Blanket trait for implementing locks to be used with MMFs.
///
/// The default implementation applied to [`RWLock`] can be used with a custom MMF implementation,
/// but either way would require accounting for the fact this lock is designed to be stored inside the MMF.
/// From the lock's point of view, a pointer to some other u32 would work just as well but this requires some other
/// form of synchronizing access accross thread and application boundaries.
///
/// Users are free to use the default lock and MMF implementations independently of one another.
pub trait MMFLock {
    /// Acquire a readlock, if at all possible. Otherwise error.
    fn lock_read(&self) -> MMFResult<()>;
    /// Release a readlock, clearing the readlock state if this was the last lock.
    fn unlock_read(&self) -> MMFResult<()>;
    /// Lock this file for writing if possible.
    fn lock_write(&self) -> MMFResult<()>;
    /// Nuke all existing write locks as there can only be one, legally.
    fn unlock_write(&self) -> MMFResult<()>;
    /// Check if the lock is initialized
    fn initialized(&self) -> bool;
    /// Spin until the lock can be taken, then take it.
    fn spin_and_lock_read(&self, max_tries: usize) -> MMFResult<()>
    where
        Self: Sized;
    /// Spin until the lock can be taken, then take it.
    fn spin_and_lock_write(&self, max_tries: usize) -> MMFResult<()>
    where
        Self: Sized;
    /// Create a new lock at the location of an existing pointer.
    ///
    /// # Safety
    /// Only call this to a pointer where the underlying data is from the same trait impl.
    unsafe fn from_existing(pointer: *mut u8) -> Self
    where
        Self: Sized;
    /// Create a new lock from a raw pointer
    ///
    /// # Safety
    /// Only pass this a pointer with enough space to hold the lock.
    unsafe fn from_raw(pointer: *mut u8) -> Self
    where
        Self: Sized;
    /// Set the lock's first byte to an initialized state.
    fn set_init(&self);
    /// Self-consuming wrapper to chain initialization with [`set_init`][`MMFLock::set_init`]
    fn initialize(self) -> Self
    where
        Self: Sized;
}

/// Packed binary data to represent the locking state of the MMF.
///
/// The wrapper implementation must set these bytes depending on the situation and actions being taken.
/// Due to the fact Windows only guarantees atomic operations on 32-bit ints, (and 64-bit ones only for 64-bit
/// applications on 64-bit Windows), the safest option here is to ensure we're using a 32-bit Atomic.
///
/// This atomic will be split into the following data:
/// - First bit: write lock state. A single writer should prevent all other access.
/// - First byte: after the writelock we have a few left, this serves for tracking init state.
/// - The remaining three are for read lock counting. Beware though, that while this allows you to have a count of up to
///   16_777_215 locks, the OS limits all processes to that number of open handles. This means nobody should ever be
///   remotely close to the actual limit. It also means that if for some reason there _are_ (2^24) - 1 locks, we get to
///   call upon "implementation defined results" which are implemented here as [`Error::MaxReaders`]. Enjoy!
#[cfg(feature = "impl_lock")]
#[derive(Debug)]
pub struct RWLock<'a> {
    /// An Atomic reference to the first 4 bytes in the MemoryMappedView.
    /// Alignment is not an issue considering Windows aligns views to pointers by default.
    chunk: &'a AtomicU32,
}

#[cfg(feature = "impl_lock")]
impl RWLock<'_> {
    /// Mask to check if the lock is initialized
    pub const INITIALIZE_MASK: u32 = 255 << 24;
    /// Mask to check if it's locked for WRITING
    pub const WRITE_LOCK_MASK: u32 = 0b1 << 31;
    /// Mask to check if it's locked for READING
    pub const READ_LOCK_MASK: u32 = !Self::INITIALIZE_MASK;

    /// Check if this lock has been initialized at all.
    ///
    /// Regardless of locking state, and abuse of the 7 empty bits, a lock _should_ not have all bits on the first byte
    /// set to one. If it does, either the lock isn't initialized, or the user is not being very smart.
    fn initialized(chunk: u32) -> bool {
        (chunk & Self::INITIALIZE_MASK) < Self::INITIALIZE_MASK
    }

    /// Check if the lock is held for reading. This should only prevent new write locks.
    fn readlocked(chunk: u32) -> bool {
        (chunk & Self::READ_LOCK_MASK) > 0
    }

    /// Check if the lock is held for writing. This should prevent ALL other locking operations.
    fn writelocked(chunk: u32) -> bool {
        (chunk & Self::WRITE_LOCK_MASK) == Self::WRITE_LOCK_MASK
    }
}

#[cfg(feature = "impl_lock")]
/// Implements a good enough implementation of a lock for MMFs
impl MMFLock for RWLock<'_> {
    /// Construct a lock from existing pointers.
    ///
    /// This is meant to be used with some external mechanism to allow reading and writing lock state directly to and
    /// from some larger struct. The lock will claim the first four bytes behind this pointer; if you do not intend to
    /// have the lock state at the start of the data, make sure to offset the pointer provided.
    ///
    /// # Safety
    /// there is no way of ensuring this pointer is valid after the first byte without moving out of bounds when
    /// it's not. Users should take care to ensure the first 4 bytes in the pointer are valid. A lock created through
    /// this method provides NO guarantees about the lock states and assumes the user has zeroed out all values behind
    /// it if necessary. This initializer is meant to be used with a pointer for an existing lock, or a pointer whose
    /// values you know will provide correct results. If the data behind the pointer is wrong, this effectively
    /// constructs a poisoned lock.
    /// It _is_ safe to assume the size and alignment are valid on Windows, however, as pointers are 0x4/0x4 or 0x8/0x8
    /// depending on 32-bit or 64-bit. Either is safe for use with AtomicU32 which is 0x4/0x4 on these platforms.
    ///
    /// ## Panics
    /// This function _will_ panic if called with a null pointer; ensuring initialization is hard, but ensuring non-null
    /// should not prove difficult to anyone working with raw pointers.
    ///
    /// ## example
    /// ```
    /// # use std::sync::atomic::AtomicU32;
    /// # use winmmf::{states::*, *};
    /// # unsafe {
    /// let bop = AtomicU32::new(0);
    /// let ptr = bop.as_ptr();
    /// let lock = RWLock::from_raw(ptr.cast());
    /// lock.set_init();
    /// // You're now free to do anything with the lock while `bop` lives
    /// let new_ptr = bop.as_ptr();
    /// let other_lock = RWLock::from_existing(new_ptr.cast());
    ///
    /// lock.lock_write().unwrap();
    ///
    /// assert_eq!(other_lock.lock_read(), Err(err::Error::WriteLocked));
    ///
    /// assert!(other_lock.unlock_read().is_err());
    /// assert!(lock.unlock_write().is_ok());
    /// # }
    /// ```
    unsafe fn from_existing(pointer: *mut u8) -> Self {
        if pointer.is_null() {
            panic!("Never, ever pass a null pointer into a lock!")
        }
        Self { chunk: AtomicU32::from_ptr(pointer.cast()) }
    }

    /// Similar to [`Self::from_existing`], except it clears all state and ensures [`Self::initialized`] returns false.
    ///
    /// # Safety
    /// The same safety bounds apply as for `from_existing` with the exception of poisoned lock risks. It does mean,
    /// however, that it invalidates any other locks that use the same pointer and clears any data.
    unsafe fn from_raw(pointer: *mut u8) -> Self {
        if pointer.is_null() {
            panic!("Never, ever pass a null pointer into a lock!")
        }
        let lock = Self { chunk: AtomicU32::from_ptr(pointer.cast()) };
        lock.chunk.store(Self::INITIALIZE_MASK, Ordering::Release);
        lock
    }

    /// Mark this lock as initialized if it isn't yet.
    ///
    /// In pre-0.3 versions of this crate, this would clear existing locks. This is a bad idea though, as a naive caller
    /// might not realize they're not the only process using the MMF.
    fn set_init(&self) {
        _ = self.chunk.compare_exchange(Self::INITIALIZE_MASK, 0, Ordering::Release, Ordering::Relaxed);
    }

    /// Thin wrapper around [`Self::set_init`] that returns self for chaining calls.
    ///
    /// ## Usage
    /// ```
    /// # use std::sync::atomic::AtomicU32;
    /// # use winmmf::{states::*, *};
    /// let bop = AtomicU32::new(0);
    /// let ptr = bop.as_ptr();
    /// let lock = unsafe { RWLock::from_existing(ptr.cast()).initialize() };
    /// assert!(lock.initialized());
    /// ```
    fn initialize(self) -> Self {
        self.set_init();
        self
    }

    /// Check if the lock is initialized
    fn initialized(&self) -> bool {
        Self::initialized(self.chunk.load(Ordering::Acquire))
    }

    /// Increment the counter for read locks ***if and only if*** we can safely lock this for reading
    fn lock_read(&self) -> MMFResult<()> {
        loop {
            let chunk = self.chunk.load(Ordering::Acquire);

            if !Self::initialized(chunk) {
                return Err(Error::Uninitialized);
            }

            if Self::writelocked(chunk) {
                return Err(Error::WriteLocked);
            }

            if (chunk & Self::READ_LOCK_MASK) == Self::READ_LOCK_MASK {
                return Err(Error::MaxReaders);
            }

            if self.chunk.compare_exchange_weak(chunk, chunk + 1, Ordering::AcqRel, Ordering::Acquire).is_ok() {
                break;
            }
        }

        fence(Ordering::SeqCst);
        Ok(())
    }

    /// Decrease the read lock counter if we can safely do so.
    fn unlock_read(&self) -> MMFResult<()> {
        loop {
            let chunk = self.chunk.load(Ordering::Acquire);

            if !Self::initialized(chunk) {
                return Err(Error::Uninitialized);
            }

            if Self::writelocked(chunk) {
                // this error code is used in lock_read to indicate you cannot lock it because there is a write lock
                // however this bit uses it to signal that it's write locked and your lock usage is broken.
                // should this be two seperate error codes? ditto for other usages of this error code.
                //
                // states should probably also use a lock type that is seperate from the high level API since that error
                // isn't possible there
                return Err(Error::WriteLocked);
            }

            if chunk == 0 {
                // joel: use a better error code like "NoReaders" or something? indicates bad lock usage
                return Err(Error::GeneralFailure);
            }

            if self.chunk.compare_exchange_weak(chunk, chunk - 1, Ordering::AcqRel, Ordering::Acquire).is_ok() {
                break;
            }
        }

        fence(Ordering::SeqCst);
        Ok(())
    }

    /// Set the write lock bit to 1 if possible.
    fn lock_write(&self) -> MMFResult<()> {
        loop {
            let chunk = self.chunk.load(Ordering::Acquire);

            if !Self::initialized(chunk) {
                return Err(Error::Uninitialized);
            }

            if Self::writelocked(chunk) {
                return Err(Error::WriteLocked);
            }

            if Self::readlocked(chunk) {
                return Err(Error::ReadLocked);
            }

            if self
                .chunk
                .compare_exchange_weak(chunk, chunk | Self::WRITE_LOCK_MASK, Ordering::AcqRel, Ordering::Acquire)
                .is_ok()
            {
                break;
            }
        }

        fence(Ordering::SeqCst);
        Ok(())
    }

    /// Release a write lock if one is being held
    fn unlock_write(&self) -> MMFResult<()> {
        loop {
            let chunk = self.chunk.load(Ordering::Acquire);

            if !Self::initialized(chunk) {
                return Err(Error::Uninitialized);
            }

            if !Self::writelocked(chunk) {
                // this should also probably be a different error code, indicates bad lock usage
                return Err(Error::WriteLocked);
            }

            if Self::readlocked(chunk) {
                // this should also probably be a different error code, indicates bad lock usage
                return Err(Error::ReadLocked);
            }

            if self
                .chunk
                .compare_exchange_weak(chunk, chunk ^ Self::WRITE_LOCK_MASK, Ordering::AcqRel, Ordering::Acquire)
                .is_ok()
            {
                break;
            }
        }

        fence(Ordering::SeqCst);
        Ok(())
    }

    /// Very crude implementation of spinning with no backoff.
    fn spin_and_lock_read(&self, max_tries: usize) -> MMFResult<()> {
        let mut tries = 0;

        while match self.lock_read() {
            Ok(_) => false,
            Err(Error::WriteLocked) => true,
            err => return err,
        } {
            tries += 1;
            if tries >= max_tries {
                return Err(Error::MaxTriesReached);
            }
        }

        Ok(())
    }

    /// Very crude implementation of spinning with no backoff.
    fn spin_and_lock_write(&self, max_tries: usize) -> MMFResult<()> {
        let mut tries = 0;

        while match self.lock_write() {
            Ok(_) => false,
            Err(Error::WriteLocked | Error::ReadLocked) => true,
            err => return err,
        } {
            tries += 1;
            if tries >= max_tries {
                return Err(Error::MaxTriesReached);
            }
        }

        Ok(())
    }
}