1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417

use crate::{fz_string_t, FzString};
use std::ffi::{CStr, CString};

// These functions are used in downstream creates via the `reexport!` macro, which generates a
// function in that crate, wrapping one of these functions.  As a result, none of these functions
// are `extern "C"`, and all are tagged with `inline(always)` so that they are inlined into the
// downstream crate.
//
// NOTE: if you add a function to this module, also add it to `reexport!` in string/src/macros.rs.

// This type is used in the `reexport!` macro.
#[doc(hidden)]
pub type c_char = libc::c_char;

/// Create a new fz_string_t containing a pointer to the given C string.
///
/// # Safety
///
/// The C string must remain valid and unchanged until after the `fz_string_t` is freed.  It's
/// typically easiest to ensure this by using a static string.
///
/// The resulting `fz_string_t` must be freed.
///
/// ```c
/// fz_string_t fz_string_borrow(const char *);
/// ```
#[inline(always)]
pub unsafe fn fz_string_borrow(cstr: *const c_char) -> fz_string_t {
    debug_assert!(!cstr.is_null());
    // SAFETY:
    //  - cstr is not NULL (promised by caller, verified by assertion)
    //  - cstr's lifetime exceeds that of the fz_string_t (promised by caller)
    //  - cstr contains a valid NUL terminator (promised by caller)
    //  - cstr's content will not change before it is destroyed (promised by caller)
    let cstr: &CStr = unsafe { CStr::from_ptr(cstr) };
    // SAFETY:
    //  - caller promises to free this string
    unsafe { FzString::return_val(FzString::CStr(cstr)) }
}

#[allow(clippy::missing_safety_doc)] // not actually terribly unsafe
/// Create a new, null `fz_string_t`.  Note that this is _not_ the zero value of `fz_string_t`.
///
/// # Safety
///
/// The resulting `fz_string_t` must be freed.
///
/// ```c
/// `fz_string_t` fz_string_null();
/// ```
#[inline(always)]
pub unsafe fn fz_string_null() -> fz_string_t {
    // SAFETY:
    //  - caller promises to free this string
    unsafe { FzString::return_val(FzString::Null) }
}

/// Create a new `fz_string_t` by cloning the content of the given C string.  The resulting `fz_string_t`
/// is independent of the given string.
///
/// # Safety
///
/// The given pointer must not be NULL.
/// The resulting `fz_string_t` must be freed.
///
/// ```c
/// fz_string_t fz_string_clone(const char *);
/// ```
#[inline(always)]
pub unsafe fn fz_string_clone(cstr: *const c_char) -> fz_string_t {
    debug_assert!(!cstr.is_null());
    // SAFETY:
    //  - cstr is not NULL (promised by caller, verified by assertion)
    //  - cstr's lifetime exceeds that of this function (by C convention)
    //  - cstr contains a valid NUL terminator (promised by caller)
    //  - cstr's content will not change before it is destroyed (by C convention)
    let cstr: &CStr = unsafe { CStr::from_ptr(cstr) };
    let cstring: CString = cstr.into();
    // SAFETY:
    //  - caller promises to free this string
    unsafe { FzString::return_val(FzString::CString(cstring)) }
}

/// Create a new `fz_string_t` containing the given string with the given length. This allows creation
/// of strings containing embedded NUL characters.  As with `fz_string_clone`, the resulting
/// `fz_string_t` is independent of the passed buffer.
///
/// The given length should _not_ include any NUL terminator.  The given length must be less than
/// half the maximum value of usize.
///
/// # Safety
///
/// The given pointer must not be NULL.
/// The resulting `fz_string_t` must be freed.
///
/// ```c
/// fz_string_t fz_string_clone_with_len(const char *ptr, usize len);
/// ```
#[inline(always)]
pub unsafe fn fz_string_clone_with_len(buf: *const c_char, len: usize) -> fz_string_t {
    debug_assert!(!buf.is_null());
    debug_assert!(len < isize::MAX as usize);
    // SAFETY:
    //  - buf is valid for len bytes (by C convention)
    //  - (no alignment requirements for a byte slice)
    //  - content of buf will not be mutated during the lifetime of this slice (lifetime
    //    does not outlive this function call)
    //  - the length of the buffer is less than isize::MAX (promised by caller)
    let slice = unsafe { std::slice::from_raw_parts(buf as *const u8, len) };

    // allocate and copy into Rust-controlled memory
    let vec = slice.to_vec();

    // SAFETY:
    //  - caller promises to free this string
    unsafe { FzString::return_val(FzString::Bytes(vec)) }
}

/// Get the content of the string as a regular C string.
///
/// A string contianing NUL bytes will result in a NULL return value.  In general, prefer
/// `fz_string_content_with_len` except when it's certain that the string is NUL-free.
///
/// The Null variant also results in a NULL return value.
///
/// This function takes the `fz_string_t` by pointer because it may be modified in-place to add a NUL
/// terminator.  The pointer must not be NULL.
///
/// # Safety
///
/// The returned string is "borrowed" and remains valid only until the `fz_string_t` is freed or
/// passed to any other API function.
///
/// ```c
/// const char *fz_string_content(fz_string_t *);
/// ```
#[inline(always)]
pub unsafe fn fz_string_content(fzstr: *mut fz_string_t) -> *const c_char {
    // SAFETY;
    //  - fzstr is not NULL (promised by caller, verified)
    //  - *fzstr is valid (promised by caller)
    //  - *fzstr is not accessed concurrently (single-threaded)
    unsafe {
        FzString::with_ref_mut(fzstr, |fzstr| match fzstr.as_cstr() {
            // SAFETY:
            //  - implied lifetime here is FzString's lifetime; valid until another mutable
            //    reference is made (see docstring)
            Ok(Some(cstr)) => cstr.as_ptr(),
            _ => std::ptr::null(),
        })
    }
}

/// Get the content of the string as a pointer and length.
///
/// This function can return any string, even one including NUL bytes or invalid UTF-8.
/// If the FzString is the Null variant, this returns NULL and the length is set to zero.
///
/// # Safety
///
/// The returned string is "borrowed" and remains valid only until the `fz_string_t` is freed or
/// passed to any other API function.
///
/// ```c
/// const char *fz_string_content_with_len(const struct fz_string_t *, len_out *usize);
/// ```
#[inline(always)]
pub unsafe fn fz_string_content_with_len(
    fzstr: *mut fz_string_t,
    len_out: *mut usize,
) -> *const c_char {
    // SAFETY;
    //  - fzstr is not NULL (promised by caller)
    //  - *fzstr is valid (promised by caller)
    //  - *fzstr is not accessed concurrently (single-threaded)
    unsafe {
        FzString::with_ref(fzstr, |fzstr| {
            let bytes = match fzstr.as_bytes() {
                Some(bytes) => bytes,
                None => {
                    // SAFETY:
                    //  - len_out is not NULL (promised by caller)
                    //  - len_out points to valid memory (promised by caller)
                    //  - len_out is properly aligned (C convention)
                    unsafe {
                        *len_out = 0;
                    }
                    return std::ptr::null();
                }
            };

            // SAFETY:
            //  - len_out is not NULL (promised by caller)
            //  - len_out points to valid memory (promised by caller)
            //  - len_out is properly aligned (C convention)
            unsafe {
                *len_out = bytes.len();
            }
            bytes.as_ptr() as *const c_char
        })
    }
}

#[allow(clippy::missing_safety_doc)] // NULL pointer is OK so not actually unsafe
/// Determine whether the given `fz_string_t` is a Null variant.
///
/// ```c
/// bool fz_string_is_null(fz_string_t *);
/// ```
#[inline(always)]
pub unsafe fn fz_string_is_null(fzstr: *const fz_string_t) -> bool {
    unsafe { FzString::with_ref(fzstr, |fzstr| fzstr.is_null()) }
}

/// Free a `fz_string_t`.
///
/// # Safety
///
/// The string must not be used after this function returns, and must not be freed more than once.
/// It is safe to free Null-variant strings.
///
/// ```c
/// fz_string_free(fz_string_t *);
/// ```
#[inline(always)]
pub unsafe fn fz_string_free(fzstr: *mut fz_string_t) {
    // SAFETY:
    //  - fzstr is not NULL (promised by caller)
    //  - caller will not use this value after return
    drop(unsafe { FzString::take_ptr(fzstr) });
}

#[cfg(test)]
mod test {
    use super::*;

    const INVALID_UTF8: &[u8] = b"abc\xf0\x28\x8c\x28";

    #[test]
    fn borrow() {
        let s = CString::new("hello!").unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_borrow(ptr) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        let content = unsafe { CStr::from_ptr(fz_string_content(&mut fzstr as *mut fz_string_t)) };
        assert_eq!(content.to_str().unwrap(), "hello!");

        drop(s); // make sure s lasts long enough!

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn borrow_invalid_utf8() {
        let s = CString::new(INVALID_UTF8).unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_borrow(ptr) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        let mut len: usize = 0;
        let ptr = unsafe {
            fz_string_content_with_len(&mut fzstr as *mut fz_string_t, &mut len as *mut usize)
        };
        let slice = unsafe { std::slice::from_raw_parts(ptr as *const u8, len) };
        assert_eq!(slice, INVALID_UTF8);

        drop(s); // make sure s lasts long enough!

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn clone() {
        let s = CString::new("hello!").unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_clone(ptr) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        drop(s); // fzstr contains a clone of s, so deallocate

        let content = unsafe { CStr::from_ptr(fz_string_content(&mut fzstr as *mut fz_string_t)) };
        assert_eq!(content.to_str().unwrap(), "hello!");

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn null_and_is_null() {
        let mut fzstr = unsafe { fz_string_null() };
        assert!(unsafe { fz_string_is_null(&fzstr as *const fz_string_t) });

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn null_ptr_is_null() {
        let mut fzstr = unsafe { fz_string_null() };
        assert!(unsafe { fz_string_is_null(std::ptr::null()) });

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn clone_invalid_utf8() {
        let s = CString::new(INVALID_UTF8).unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_clone(ptr) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        drop(s); // fzstr contains a clone of s, so deallocate

        let mut len: usize = 0;
        let ptr = unsafe {
            fz_string_content_with_len(&mut fzstr as *mut fz_string_t, &mut len as *mut usize)
        };
        let slice = unsafe { std::slice::from_raw_parts(ptr as *const u8, len) };
        assert_eq!(slice, INVALID_UTF8);

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn clone_with_len() {
        let s = CString::new("ABCDEFGH").unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_clone_with_len(ptr, 4) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        drop(s); // fzstr contains a clone of s, so deallocate

        let content = unsafe { CStr::from_ptr(fz_string_content(&mut fzstr as *mut fz_string_t)) };
        assert_eq!(content.to_str().unwrap(), "ABCD"); // only 4 bytes

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn clone_with_len_invalid_utf8() {
        let s = CString::new(INVALID_UTF8).unwrap();
        let ptr = unsafe { s.as_ptr() };

        let mut fzstr = unsafe { fz_string_clone_with_len(ptr, 4) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        drop(s); // fzstr contains a clone of s, so deallocate

        let mut len: usize = 0;
        let ptr = unsafe {
            fz_string_content_with_len(&mut fzstr as *mut fz_string_t, &mut len as *mut usize)
        };
        let slice = unsafe { std::slice::from_raw_parts(ptr as *const u8, len) };
        assert_eq!(slice, &INVALID_UTF8[..4]); // only 4 bytes

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    // (fz_string_content's normal operation is tested above)

    #[test]
    fn content_nul_bytes() {
        let s = String::from("hello \0 NUL byte");
        let ptr = unsafe { s.as_ptr() } as *mut c_char;

        let mut fzstr = unsafe { fz_string_clone_with_len(ptr, s.len()) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        let ptr = unsafe { fz_string_content(&mut fzstr as *mut fz_string_t) };

        // could not return a string because of the embedded NUL byte
        assert!(ptr.is_null());

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn content_null_ptr() {
        let ptr = unsafe { fz_string_content(std::ptr::null_mut()) };
        assert!(ptr.is_null());
    }

    #[test]
    fn content_with_len_nul_bytes() {
        let s = String::from("hello \0 NUL byte");
        let ptr = unsafe { s.as_ptr() } as *mut c_char;

        let mut fzstr = unsafe { fz_string_clone_with_len(ptr, s.len()) };
        assert!(unsafe { !fz_string_is_null(&fzstr as *const fz_string_t) });

        let mut len: usize = 0;
        let ptr = unsafe {
            fz_string_content_with_len(&mut fzstr as *mut fz_string_t, &mut len as *mut usize)
        };

        let slice = unsafe { std::slice::from_raw_parts(ptr as *const u8, len) };
        let s = std::str::from_utf8(slice).unwrap();
        assert_eq!(s, "hello \0 NUL byte");

        unsafe { fz_string_free(&mut fzstr as *mut fz_string_t) };
    }

    #[test]
    fn content_with_len_null_ptr() {
        let mut len: usize = 9999;
        let ptr =
            unsafe { fz_string_content_with_len(std::ptr::null_mut(), &mut len as *mut usize) };
        assert!(ptr.is_null());
        assert_eq!(len, 0);
    }

    // (fz_string_free is tested above)
}