1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417

//! An implementation of STAtically allocated Ring Buffers.
//!
//! This is a simple ring-buffer structure that lives on the stack,
//! rather than the heap, so that it can be used in `no-std`
//! environments, such as embedded.
#![no_std]

use core::{
    cell::UnsafeCell,
    cmp,
    mem::MaybeUninit,
    ptr,
    sync::atomic::{self, AtomicUsize, Ordering},
};

/// Underlying buffer capacity. Needs to be hard-coded for now,
/// because the size of the structure needs to be known at compile
/// time so it can be statically allocated or created on the stack.
///
/// This will disappear when const generics appear.
pub const CAPACITY: usize = 1024;

/// Errors that can be made when interacting with the ring buffer.
#[derive(Debug, PartialEq)]
pub enum Error {
    /// The buffer is at capacity and cannot fit any more
    /// elements. You need to `unshift` at least once to make some
    /// space.
    BufferFull,
}

/// A lock-free concurrent ring buffer that prevents overwriting data
/// before it is read.
pub struct RingBuffer<T> {
    head: AtomicUsize,
    tail: AtomicUsize,

    // Backing store needs to be UnsafeCell to make sure it's not
    // stored in read-only data sections.
    buf: UnsafeCell<MaybeUninit<[T; CAPACITY]>>,
}

impl<T> RingBuffer<T> {
    /// Create a new RingBuffer.
    pub const fn new() -> Self {
        Self {
            head: AtomicUsize::new(0),
            tail: AtomicUsize::new(0),
            buf: UnsafeCell::new(MaybeUninit::uninit()),
        }
    }

    /// Splits the ring buffer into a consumer/producer pair
    /// (`Reader`/`Writer` respectively). These structures can be used
    /// safely across threads.
    // Honestly, this should consume `self` or at least be `mut`, but
    // it needs to be available in const static contexts, which
    // prevents that. Basically all the rest of the unsafe stuff in
    // here is a consequence of that.
    //
    // No, lazy_static is not an option, because it doesn't work on
    // architectures where CAS atomics are missing.
    pub const fn split(&self) -> (Reader<T>, Writer<T>) {
        let rbr = Reader { rb: &self };
        let rbw = Writer { rb: &self };
        (rbr, rbw)
    }
}
unsafe impl<T> Send for RingBuffer<T> where T: Send {}

/// Consumer of `RingBuffer`.
pub struct Reader<'a, T> {
    rb: &'a RingBuffer<T>,
}
unsafe impl<T> Send for Reader<'_, T> where T: Send {}

/// Producer for `Ringbuffer`.
pub struct Writer<'a, T> {
    rb: &'a RingBuffer<T>,
}
unsafe impl<T> Send for Writer<'_, T> where T: Send {}

impl<T> Reader<'_, T> {
    /// The number of elements currently available for reading.
    ///
    /// NB: Because the `Writer` half of the ring buffer may be adding
    /// elements in another thread, the value read from `len` is a
    /// *minimum* of what may actually be available by the time the
    /// reading takes place.
    pub fn len(&self) -> usize {
        let h = self.rb.head.load(Ordering::Relaxed);
        let t = self.rb.tail.load(Ordering::Relaxed);
        atomic::fence(Ordering::Acquire);

        (t + CAPACITY - h) % CAPACITY
    }

    /// Whether or not the ring buffer is empty.
    pub fn is_empty(&self) -> bool {
        self.len() == 0
    }

    /// Returns the value at the start of the buffer and advances the
    /// start of the buffer to the next element.
    ///
    /// If nothing is available in the buffer, returns `None`
    pub fn shift(&mut self) -> Option<T> {
        let h = self.rb.head.load(Ordering::Relaxed);
        let t = self.rb.tail.load(Ordering::Relaxed);

        if h == t {
            None
        } else {
            atomic::fence(Ordering::Acquire);
            let nh = (h + 1) % CAPACITY;
            let rc = unsafe {
                let buf: &MaybeUninit<[T; CAPACITY]> = &*self.rb.buf.get();
                Some(Self::load_val_at(h, buf))
            };
            atomic::fence(Ordering::Release);
            self.rb.head.store(nh, Ordering::Relaxed);
            rc
        }
    }

    /// Shift all available data into `buf` up to the size of `buf`.
    ///
    /// Returns the number of items written into `buf`.
    pub fn shift_into(&mut self, buf: &mut [T]) -> usize {
        let mut h = self.rb.head.load(Ordering::Relaxed);
        let t = self.rb.tail.load(Ordering::Relaxed);
        atomic::fence(Ordering::Acquire);

        let mylen = (t + CAPACITY - h) % CAPACITY;
        let buflen = buf.len();
        let len = cmp::min(mylen, buflen);

        unsafe {
            let rbuf: &MaybeUninit<[T; CAPACITY]> = &*self.rb.buf.get();
            for i in 0..len {
                *buf.get_unchecked_mut(i) = Self::load_val_at(h, rbuf);
                h = (h + 1) % CAPACITY;
            }
        }

        atomic::fence(Ordering::Release);
        self.rb.head.store(h, Ordering::Relaxed);
        len
    }

    #[inline(always)]
    unsafe fn load_val_at(i: usize, buf: &MaybeUninit<[T; CAPACITY]>) -> T {
        let b: &[T; CAPACITY] = &*buf.as_ptr();
        ptr::read(b.get_unchecked(i))
    }
}

impl<T> Iterator for Reader<'_, T> {
    type Item = T;
    fn next(&mut self) -> Option<Self::Item> {
        self.shift()
    }
}

impl<T> Writer<'_, T> {
    /// Put `v` at the end of the buffer.
    ///
    /// Returns `BufferFull` if appending `v` would overlap with the
    /// start of the buffer.
    pub fn unshift(&mut self, v: T) -> Result<(), Error> {
        let h = self.rb.head.load(Ordering::Relaxed);
        let t = self.rb.tail.load(Ordering::Relaxed);

        let nt = (t + 1) % CAPACITY;
        // We can't allow overwrites of the head position, because it
        // would then be possible to write to the same memory location
        // that is being read. If reading a value of `T` takes more
        // than one memory read, then reading from the head would
        // produce garbage in this scenario.
        if nt == h {
            // FIXME: this comparison is wrong in the trivial
            // 1-element buffer case which would never allow an
            // `unshift`. In larger buffers it wastes a buffer slot.
            Err(Error::BufferFull)
        } else {
            atomic::fence(Ordering::Acquire);
            unsafe {
                let buf = &mut *self.rb.buf.get();
                Self::store_val_at(t, buf, v);
            }
            atomic::fence(Ordering::Release);
            self.rb.tail.store(nt, Ordering::Relaxed);
            Ok(())
        }
    }

    #[inline(always)]
    unsafe fn store_val_at(i: usize, buf: &mut MaybeUninit<[T; CAPACITY]>, val: T) {
        let b: &mut [T; CAPACITY] = &mut *buf.as_mut_ptr();
        ptr::write(b.get_unchecked_mut(i), val);
    }
}

// TODO: this needs to be `Copy` because we're pulling data from a
// slice, and we can't just take stuff out of an index without
// replacing it, and there's no good value for that.
impl<T> Writer<'_, T>
where
    T: Copy,
{
    /// Copy as much of `buf` into the ring buffer as possible.
    ///
    /// Returns the number of items copied.
    pub fn unshift_from(&mut self, buf: &[T]) -> usize {
        let h = self.rb.head.load(Ordering::Relaxed);
        let mut t = self.rb.tail.load(Ordering::Relaxed);
        atomic::fence(Ordering::Acquire);

        let mylen = (t + CAPACITY - h) % CAPACITY;
        let buflen = buf.len();
        let len = cmp::min(CAPACITY - mylen - 1, buflen);

        unsafe {
            let rbuf = &mut *self.rb.buf.get();
            for i in 0..len {
                Self::store_val_at(t, rbuf, *buf.get_unchecked(i));
                t = (t + 1) % CAPACITY;
            }
        }

        atomic::fence(Ordering::Release);
        self.rb.tail.store(t, Ordering::Relaxed);
        len
    }
}

#[cfg(test)]
mod test {
    use super::*;

    #[test]
    fn detects_empty() {
        let rb = RingBuffer::<bool>::new();
        let (mut rbr, mut rbw) = rb.split();
        assert!(rbr.is_empty());
        rbw.unshift(true).ok();
        assert!(!rbr.is_empty());
        rbr.shift();
        assert!(rbr.is_empty());
    }

    #[test]
    fn len_matches() {
        let rb = RingBuffer::<bool>::new();
        let (mut rbr, mut rbw) = rb.split();

        // Count length up.
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbr.len(), i);
            assert_eq!(rbw.unshift(true), Ok(()));
        }

        // ...and back down again.
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbr.len(), CAPACITY - 1 - i);
            rbr.shift();
        }

        // Final check for empty.
        assert_eq!(rbr.len(), 0);
    }

    #[test]
    fn can_wrap() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();

        // Make sure we can store n-1 elements.
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbw.unshift(i), Ok(()))
        }

        // ...and that we can load them back again.
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbr.shift(), Some(i))
        }
    }

    #[test]
    fn cannot_overwrite() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();

        for i in 0..CAPACITY - 1 {
            assert_eq!(rbw.unshift(i), Ok(()));
        }
        assert_eq!(rbw.unshift(0xffff), Err(Error::BufferFull));

        // We can drop an element to allow a slot to write to again.
        rbr.shift();
        assert_eq!(rbw.unshift(0xffff), Ok(()));
    }

    #[test]
    fn can_iter() {
        let rb = RingBuffer::<usize>::new();
        let (rbr, mut rbw) = rb.split();

        for i in 0..CAPACITY - 1 {
            assert_eq!(rbw.unshift(i), Ok(()));
        }

        let mut i = 0;
        for e in rbr {
            assert_eq!(e, i);
            i += 1;
        }
    }

    #[test]
    fn shift_into_smaller() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbw.unshift(i), Ok(()));
        }

        let mut buf: [usize; CAPACITY / 2] = [0; CAPACITY / 2];
        assert_eq!(rbr.shift_into(&mut buf), CAPACITY / 2, "return len wrong");
        for i in 0..CAPACITY / 2 {
            assert_eq!(buf[i], i, "slot {} wrong", i)
        }

        assert!(!rbr.shift().is_none());
    }

    #[test]
    fn shift_into_bigger() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbw.unshift(i), Ok(()));
        }

        let mut buf: [usize; CAPACITY * 2] = [0; CAPACITY * 2];
        assert_eq!(rbr.shift_into(&mut buf), CAPACITY - 1, "return len wrong");
        for i in 0..CAPACITY - 1 {
            assert_eq!(buf[i], i, "first half")
        }
        for i in CAPACITY - 1..CAPACITY * 2 {
            assert_eq!(buf[i], 0, "second half")
        }

        assert!(rbr.shift().is_none());
    }

    #[test]
    fn unshift_from_smaller() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();

        let buf: [usize; CAPACITY / 2] = [0xdead; CAPACITY / 2];
        assert_eq!(rbw.unshift_from(&buf), CAPACITY / 2);
        for i in 0..CAPACITY / 2 {
            assert_eq!(rbr.shift(), Some(0xdead), "wrong value at index {}", i);
        }
        assert!(rbr.shift().is_none());
    }

    #[test]
    fn unshift_from_bigger() {
        let rb = RingBuffer::<usize>::new();
        let (mut rbr, mut rbw) = rb.split();

        let buf: [usize; CAPACITY * 2] = [0xdead; CAPACITY * 2];
        assert_eq!(rbw.unshift_from(&buf), CAPACITY - 1);
        assert_eq!(rbw.unshift(0xbeef), Err(Error::BufferFull));
        for i in 0..CAPACITY - 1 {
            assert_eq!(rbr.shift(), Some(0xdead), "wrong value at index {}", i);
        }
        assert!(rbr.shift().is_none());
    }

    #[test]
    fn ownership_passes_through() {
        static mut DROPPED: bool = false;
        struct DropTest {}
        impl DropTest {
            fn i_own_it_now(self) {}
        }
        impl Drop for DropTest {
            fn drop(&mut self) {
                unsafe { DROPPED = true };
            }
        }

        let rb = RingBuffer::<DropTest>::new();
        let (mut rbr, mut rbw) = rb.split();

        // Create a closure to take ownership of a `DropTest` so we
        // can make sure it's not dropped when the closure is over.
        let mut cl = |dt| {
            rbw.unshift(dt).expect("couldn't store item");
        };
        cl(DropTest {});
        assert_eq!(unsafe { DROPPED }, false);

        // Still, nothing should be dropped, since we now own the
        // value.
        let dt = rbr.shift().expect("buffer was empty");
        assert_eq!(unsafe { DROPPED }, false);

        // And, finally, by giving ownership away, it'll get dropped.
        dt.i_own_it_now();
        assert_eq!(unsafe { DROPPED }, true);
    }
}