##// END OF EJS Templates
rust-cpython: mark all PyLeaked methods as unsafe...
Yuya Nishihara -
r44668:71457ff6 default draft
parent child Browse files
Show More
@@ -1,633 +1,664 b''
1 // ref_sharing.rs
1 // ref_sharing.rs
2 //
2 //
3 // Copyright 2019 Raphaël Gomès <rgomes@octobus.net>
3 // Copyright 2019 Raphaël Gomès <rgomes@octobus.net>
4 //
4 //
5 // Permission is hereby granted, free of charge, to any person obtaining a copy
5 // Permission is hereby granted, free of charge, to any person obtaining a copy
6 // of this software and associated documentation files (the "Software"), to
6 // of this software and associated documentation files (the "Software"), to
7 // deal in the Software without restriction, including without limitation the
7 // deal in the Software without restriction, including without limitation the
8 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
9 // sell copies of the Software, and to permit persons to whom the Software is
9 // sell copies of the Software, and to permit persons to whom the Software is
10 // furnished to do so, subject to the following conditions:
10 // furnished to do so, subject to the following conditions:
11 //
11 //
12 // The above copyright notice and this permission notice shall be included in
12 // The above copyright notice and this permission notice shall be included in
13 // all copies or substantial portions of the Software.
13 // all copies or substantial portions of the Software.
14 //
14 //
15 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20 // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 // IN THE SOFTWARE.
21 // IN THE SOFTWARE.
22
22
23 //! Macros for use in the `hg-cpython` bridge library.
23 //! Macros for use in the `hg-cpython` bridge library.
24
24
25 use cpython::{exc, PyClone, PyErr, PyObject, PyResult, Python};
25 use cpython::{exc, PyClone, PyErr, PyObject, PyResult, Python};
26 use std::cell::{BorrowMutError, Ref, RefCell, RefMut};
26 use std::cell::{BorrowMutError, Ref, RefCell, RefMut};
27 use std::ops::{Deref, DerefMut};
27 use std::ops::{Deref, DerefMut};
28 use std::result;
28 use std::result;
29 use std::sync::atomic::{AtomicUsize, Ordering};
29 use std::sync::atomic::{AtomicUsize, Ordering};
30
30
31 /// Manages the shared state between Python and Rust
31 /// Manages the shared state between Python and Rust
32 ///
32 ///
33 /// `PySharedState` is owned by `PySharedRefCell`, and is shared across its
33 /// `PySharedState` is owned by `PySharedRefCell`, and is shared across its
34 /// derived references. The consistency of these references are guaranteed
34 /// derived references. The consistency of these references are guaranteed
35 /// as follows:
35 /// as follows:
36 ///
36 ///
37 /// - The immutability of `py_class!` object fields. Any mutation of
37 /// - The immutability of `py_class!` object fields. Any mutation of
38 /// `PySharedRefCell` is allowed only through its `borrow_mut()`.
38 /// `PySharedRefCell` is allowed only through its `borrow_mut()`.
39 /// - The `py: Python<'_>` token, which makes sure that any data access is
39 /// - The `py: Python<'_>` token, which makes sure that any data access is
40 /// synchronized by the GIL.
40 /// synchronized by the GIL.
41 /// - The underlying `RefCell`, which prevents `PySharedRefCell` data from
41 /// - The underlying `RefCell`, which prevents `PySharedRefCell` data from
42 /// being directly borrowed or leaked while it is mutably borrowed.
42 /// being directly borrowed or leaked while it is mutably borrowed.
43 /// - The `borrow_count`, which is the number of references borrowed from
43 /// - The `borrow_count`, which is the number of references borrowed from
44 /// `PyLeaked`. Just like `RefCell`, mutation is prohibited while `PyLeaked`
44 /// `PyLeaked`. Just like `RefCell`, mutation is prohibited while `PyLeaked`
45 /// is borrowed.
45 /// is borrowed.
46 /// - The `generation` counter, which increments on `borrow_mut()`. `PyLeaked`
46 /// - The `generation` counter, which increments on `borrow_mut()`. `PyLeaked`
47 /// reference is valid only if the `current_generation()` equals to the
47 /// reference is valid only if the `current_generation()` equals to the
48 /// `generation` at the time of `leak_immutable()`.
48 /// `generation` at the time of `leak_immutable()`.
49 #[derive(Debug, Default)]
49 #[derive(Debug, Default)]
50 struct PySharedState {
50 struct PySharedState {
51 // The counter variable could be Cell<usize> since any operation on
51 // The counter variable could be Cell<usize> since any operation on
52 // PySharedState is synchronized by the GIL, but being "atomic" makes
52 // PySharedState is synchronized by the GIL, but being "atomic" makes
53 // PySharedState inherently Sync. The ordering requirement doesn't
53 // PySharedState inherently Sync. The ordering requirement doesn't
54 // matter thanks to the GIL.
54 // matter thanks to the GIL.
55 borrow_count: AtomicUsize,
55 borrow_count: AtomicUsize,
56 generation: AtomicUsize,
56 generation: AtomicUsize,
57 }
57 }
58
58
59 impl PySharedState {
59 impl PySharedState {
60 fn current_borrow_count(&self, _py: Python) -> usize {
60 fn current_borrow_count(&self, _py: Python) -> usize {
61 self.borrow_count.load(Ordering::Relaxed)
61 self.borrow_count.load(Ordering::Relaxed)
62 }
62 }
63
63
64 fn increase_borrow_count(&self, _py: Python) {
64 fn increase_borrow_count(&self, _py: Python) {
65 // Note that this wraps around if there are more than usize::MAX
65 // Note that this wraps around if there are more than usize::MAX
66 // borrowed references, which shouldn't happen due to memory limit.
66 // borrowed references, which shouldn't happen due to memory limit.
67 self.borrow_count.fetch_add(1, Ordering::Relaxed);
67 self.borrow_count.fetch_add(1, Ordering::Relaxed);
68 }
68 }
69
69
70 fn decrease_borrow_count(&self, _py: Python) {
70 fn decrease_borrow_count(&self, _py: Python) {
71 let prev_count = self.borrow_count.fetch_sub(1, Ordering::Relaxed);
71 let prev_count = self.borrow_count.fetch_sub(1, Ordering::Relaxed);
72 assert!(prev_count > 0);
72 assert!(prev_count > 0);
73 }
73 }
74
74
75 fn current_generation(&self, _py: Python) -> usize {
75 fn current_generation(&self, _py: Python) -> usize {
76 self.generation.load(Ordering::Relaxed)
76 self.generation.load(Ordering::Relaxed)
77 }
77 }
78
78
79 fn increment_generation(&self, py: Python) {
79 fn increment_generation(&self, py: Python) {
80 assert_eq!(self.current_borrow_count(py), 0);
80 assert_eq!(self.current_borrow_count(py), 0);
81 // Note that this wraps around to the same value if mutably
81 // Note that this wraps around to the same value if mutably
82 // borrowed more than usize::MAX times, which wouldn't happen
82 // borrowed more than usize::MAX times, which wouldn't happen
83 // in practice.
83 // in practice.
84 self.generation.fetch_add(1, Ordering::Relaxed);
84 self.generation.fetch_add(1, Ordering::Relaxed);
85 }
85 }
86 }
86 }
87
87
88 /// Helper to keep the borrow count updated while the shared object is
88 /// Helper to keep the borrow count updated while the shared object is
89 /// immutably borrowed without using the `RefCell` interface.
89 /// immutably borrowed without using the `RefCell` interface.
90 struct BorrowPyShared<'a> {
90 struct BorrowPyShared<'a> {
91 py: Python<'a>,
91 py: Python<'a>,
92 py_shared_state: &'a PySharedState,
92 py_shared_state: &'a PySharedState,
93 }
93 }
94
94
95 impl<'a> BorrowPyShared<'a> {
95 impl<'a> BorrowPyShared<'a> {
96 fn new(
96 fn new(
97 py: Python<'a>,
97 py: Python<'a>,
98 py_shared_state: &'a PySharedState,
98 py_shared_state: &'a PySharedState,
99 ) -> BorrowPyShared<'a> {
99 ) -> BorrowPyShared<'a> {
100 py_shared_state.increase_borrow_count(py);
100 py_shared_state.increase_borrow_count(py);
101 BorrowPyShared {
101 BorrowPyShared {
102 py,
102 py,
103 py_shared_state,
103 py_shared_state,
104 }
104 }
105 }
105 }
106 }
106 }
107
107
108 impl Drop for BorrowPyShared<'_> {
108 impl Drop for BorrowPyShared<'_> {
109 fn drop(&mut self) {
109 fn drop(&mut self) {
110 self.py_shared_state.decrease_borrow_count(self.py);
110 self.py_shared_state.decrease_borrow_count(self.py);
111 }
111 }
112 }
112 }
113
113
114 /// `RefCell` wrapper to be safely used in conjunction with `PySharedState`.
114 /// `RefCell` wrapper to be safely used in conjunction with `PySharedState`.
115 ///
115 ///
116 /// This object can be stored in a `py_class!` object as a data field. Any
116 /// This object can be stored in a `py_class!` object as a data field. Any
117 /// operation is allowed through the `PySharedRef` interface.
117 /// operation is allowed through the `PySharedRef` interface.
118 #[derive(Debug)]
118 #[derive(Debug)]
119 pub struct PySharedRefCell<T> {
119 pub struct PySharedRefCell<T> {
120 inner: RefCell<T>,
120 inner: RefCell<T>,
121 py_shared_state: PySharedState,
121 py_shared_state: PySharedState,
122 }
122 }
123
123
124 impl<T> PySharedRefCell<T> {
124 impl<T> PySharedRefCell<T> {
125 pub fn new(value: T) -> PySharedRefCell<T> {
125 pub fn new(value: T) -> PySharedRefCell<T> {
126 Self {
126 Self {
127 inner: RefCell::new(value),
127 inner: RefCell::new(value),
128 py_shared_state: PySharedState::default(),
128 py_shared_state: PySharedState::default(),
129 }
129 }
130 }
130 }
131
131
132 fn borrow<'a>(&'a self, _py: Python<'a>) -> Ref<'a, T> {
132 fn borrow<'a>(&'a self, _py: Python<'a>) -> Ref<'a, T> {
133 // py_shared_state isn't involved since
133 // py_shared_state isn't involved since
134 // - inner.borrow() would fail if self is mutably borrowed,
134 // - inner.borrow() would fail if self is mutably borrowed,
135 // - and inner.try_borrow_mut() would fail while self is borrowed.
135 // - and inner.try_borrow_mut() would fail while self is borrowed.
136 self.inner.borrow()
136 self.inner.borrow()
137 }
137 }
138
138
139 fn try_borrow_mut<'a>(
139 fn try_borrow_mut<'a>(
140 &'a self,
140 &'a self,
141 py: Python<'a>,
141 py: Python<'a>,
142 ) -> result::Result<RefMut<'a, T>, BorrowMutError> {
142 ) -> result::Result<RefMut<'a, T>, BorrowMutError> {
143 if self.py_shared_state.current_borrow_count(py) > 0 {
143 if self.py_shared_state.current_borrow_count(py) > 0 {
144 // propagate borrow-by-leaked state to inner to get BorrowMutError
144 // propagate borrow-by-leaked state to inner to get BorrowMutError
145 let _dummy = self.inner.borrow();
145 let _dummy = self.inner.borrow();
146 self.inner.try_borrow_mut()?;
146 self.inner.try_borrow_mut()?;
147 unreachable!("BorrowMutError must be returned");
147 unreachable!("BorrowMutError must be returned");
148 }
148 }
149 let inner_ref = self.inner.try_borrow_mut()?;
149 let inner_ref = self.inner.try_borrow_mut()?;
150 self.py_shared_state.increment_generation(py);
150 self.py_shared_state.increment_generation(py);
151 Ok(inner_ref)
151 Ok(inner_ref)
152 }
152 }
153 }
153 }
154
154
155 /// Sharable data member of type `T` borrowed from the `PyObject`.
155 /// Sharable data member of type `T` borrowed from the `PyObject`.
156 pub struct PySharedRef<'a, T> {
156 pub struct PySharedRef<'a, T> {
157 py: Python<'a>,
157 py: Python<'a>,
158 owner: &'a PyObject,
158 owner: &'a PyObject,
159 data: &'a PySharedRefCell<T>,
159 data: &'a PySharedRefCell<T>,
160 }
160 }
161
161
162 impl<'a, T> PySharedRef<'a, T> {
162 impl<'a, T> PySharedRef<'a, T> {
163 /// # Safety
163 /// # Safety
164 ///
164 ///
165 /// The `data` must be owned by the `owner`. Otherwise, the leak count
165 /// The `data` must be owned by the `owner`. Otherwise, the leak count
166 /// would get wrong.
166 /// would get wrong.
167 pub unsafe fn new(
167 pub unsafe fn new(
168 py: Python<'a>,
168 py: Python<'a>,
169 owner: &'a PyObject,
169 owner: &'a PyObject,
170 data: &'a PySharedRefCell<T>,
170 data: &'a PySharedRefCell<T>,
171 ) -> Self {
171 ) -> Self {
172 Self { py, owner, data }
172 Self { py, owner, data }
173 }
173 }
174
174
175 pub fn borrow(&self) -> Ref<'a, T> {
175 pub fn borrow(&self) -> Ref<'a, T> {
176 self.data.borrow(self.py)
176 self.data.borrow(self.py)
177 }
177 }
178
178
179 /// Mutably borrows the wrapped value.
179 /// Mutably borrows the wrapped value.
180 ///
180 ///
181 /// # Panics
181 /// # Panics
182 ///
182 ///
183 /// Panics if the value is currently borrowed through `PySharedRef`
183 /// Panics if the value is currently borrowed through `PySharedRef`
184 /// or `PyLeaked`.
184 /// or `PyLeaked`.
185 pub fn borrow_mut(&self) -> RefMut<'a, T> {
185 pub fn borrow_mut(&self) -> RefMut<'a, T> {
186 self.try_borrow_mut().expect("already borrowed")
186 self.try_borrow_mut().expect("already borrowed")
187 }
187 }
188
188
189 /// Mutably borrows the wrapped value, returning an error if the value
189 /// Mutably borrows the wrapped value, returning an error if the value
190 /// is currently borrowed.
190 /// is currently borrowed.
191 pub fn try_borrow_mut(
191 pub fn try_borrow_mut(
192 &self,
192 &self,
193 ) -> result::Result<RefMut<'a, T>, BorrowMutError> {
193 ) -> result::Result<RefMut<'a, T>, BorrowMutError> {
194 self.data.try_borrow_mut(self.py)
194 self.data.try_borrow_mut(self.py)
195 }
195 }
196
196
197 /// Returns a leaked reference.
197 /// Returns a leaked reference.
198 ///
198 ///
199 /// # Panics
199 /// # Panics
200 ///
200 ///
201 /// Panics if this is mutably borrowed.
201 /// Panics if this is mutably borrowed.
202 pub fn leak_immutable(&self) -> PyLeaked<&'static T> {
202 pub fn leak_immutable(&self) -> PyLeaked<&'static T> {
203 let state = &self.data.py_shared_state;
203 let state = &self.data.py_shared_state;
204 // make sure self.data isn't mutably borrowed; otherwise the
204 // make sure self.data isn't mutably borrowed; otherwise the
205 // generation number can't be trusted.
205 // generation number can't be trusted.
206 let data_ref = self.borrow();
206 let data_ref = self.borrow();
207
207
208 // &'static cast is safe because data_ptr and state_ptr are owned
208 // &'static cast is safe because data_ptr and state_ptr are owned
209 // by self.owner, and we do have the GIL for thread safety.
209 // by self.owner, and we do have the GIL for thread safety.
210 let data_ptr: *const T = &*data_ref;
210 let data_ptr: *const T = &*data_ref;
211 let state_ptr: *const PySharedState = state;
211 let state_ptr: *const PySharedState = state;
212 PyLeaked::<&'static T> {
212 PyLeaked::<&'static T> {
213 inner: self.owner.clone_ref(self.py),
213 inner: self.owner.clone_ref(self.py),
214 data: unsafe { &*data_ptr },
214 data: unsafe { &*data_ptr },
215 py_shared_state: unsafe { &*state_ptr },
215 py_shared_state: unsafe { &*state_ptr },
216 generation: state.current_generation(self.py),
216 generation: state.current_generation(self.py),
217 }
217 }
218 }
218 }
219 }
219 }
220
220
221 /// Allows a `py_class!` generated struct to share references to one of its
221 /// Allows a `py_class!` generated struct to share references to one of its
222 /// data members with Python.
222 /// data members with Python.
223 ///
223 ///
224 /// # Parameters
224 /// # Parameters
225 ///
225 ///
226 /// * `$name` is the same identifier used in for `py_class!` macro call.
226 /// * `$name` is the same identifier used in for `py_class!` macro call.
227 /// * `$inner_struct` is the identifier of the underlying Rust struct
227 /// * `$inner_struct` is the identifier of the underlying Rust struct
228 /// * `$data_member` is the identifier of the data member of `$inner_struct`
228 /// * `$data_member` is the identifier of the data member of `$inner_struct`
229 /// that will be shared.
229 /// that will be shared.
230 /// * `$shared_accessor` is the function name to be generated, which allows
230 /// * `$shared_accessor` is the function name to be generated, which allows
231 /// safe access to the data member.
231 /// safe access to the data member.
232 ///
232 ///
233 /// # Safety
233 /// # Safety
234 ///
234 ///
235 /// `$data_member` must persist while the `$name` object is alive. In other
235 /// `$data_member` must persist while the `$name` object is alive. In other
236 /// words, it must be an accessor to a data field of the Python object.
236 /// words, it must be an accessor to a data field of the Python object.
237 ///
237 ///
238 /// # Example
238 /// # Example
239 ///
239 ///
240 /// ```
240 /// ```
241 /// struct MyStruct {
241 /// struct MyStruct {
242 /// inner: Vec<u32>;
242 /// inner: Vec<u32>;
243 /// }
243 /// }
244 ///
244 ///
245 /// py_class!(pub class MyType |py| {
245 /// py_class!(pub class MyType |py| {
246 /// data inner: PySharedRefCell<MyStruct>;
246 /// data inner: PySharedRefCell<MyStruct>;
247 /// });
247 /// });
248 ///
248 ///
249 /// py_shared_ref!(MyType, MyStruct, inner, inner_shared);
249 /// py_shared_ref!(MyType, MyStruct, inner, inner_shared);
250 /// ```
250 /// ```
251 macro_rules! py_shared_ref {
251 macro_rules! py_shared_ref {
252 (
252 (
253 $name: ident,
253 $name: ident,
254 $inner_struct: ident,
254 $inner_struct: ident,
255 $data_member: ident,
255 $data_member: ident,
256 $shared_accessor: ident
256 $shared_accessor: ident
257 ) => {
257 ) => {
258 impl $name {
258 impl $name {
259 /// Returns a safe reference to the shared `$data_member`.
259 /// Returns a safe reference to the shared `$data_member`.
260 ///
260 ///
261 /// This function guarantees that `PySharedRef` is created with
261 /// This function guarantees that `PySharedRef` is created with
262 /// the valid `self` and `self.$data_member(py)` pair.
262 /// the valid `self` and `self.$data_member(py)` pair.
263 fn $shared_accessor<'a>(
263 fn $shared_accessor<'a>(
264 &'a self,
264 &'a self,
265 py: Python<'a>,
265 py: Python<'a>,
266 ) -> $crate::ref_sharing::PySharedRef<'a, $inner_struct> {
266 ) -> $crate::ref_sharing::PySharedRef<'a, $inner_struct> {
267 use cpython::PythonObject;
267 use cpython::PythonObject;
268 use $crate::ref_sharing::PySharedRef;
268 use $crate::ref_sharing::PySharedRef;
269 let owner = self.as_object();
269 let owner = self.as_object();
270 let data = self.$data_member(py);
270 let data = self.$data_member(py);
271 unsafe { PySharedRef::new(py, owner, data) }
271 unsafe { PySharedRef::new(py, owner, data) }
272 }
272 }
273 }
273 }
274 };
274 };
275 }
275 }
276
276
277 /// Manage immutable references to `PyObject` leaked into Python iterators.
277 /// Manage immutable references to `PyObject` leaked into Python iterators.
278 ///
278 ///
279 /// This reference will be invalidated once the original value is mutably
279 /// This reference will be invalidated once the original value is mutably
280 /// borrowed.
280 /// borrowed.
281 pub struct PyLeaked<T> {
281 pub struct PyLeaked<T> {
282 inner: PyObject,
282 inner: PyObject,
283 data: T,
283 data: T,
284 py_shared_state: &'static PySharedState,
284 py_shared_state: &'static PySharedState,
285 /// Generation counter of data `T` captured when PyLeaked is created.
285 /// Generation counter of data `T` captured when PyLeaked is created.
286 generation: usize,
286 generation: usize,
287 }
287 }
288
288
289 // DO NOT implement Deref for PyLeaked<T>! Dereferencing PyLeaked
289 // DO NOT implement Deref for PyLeaked<T>! Dereferencing PyLeaked
290 // without taking Python GIL wouldn't be safe. Also, the underling reference
290 // without taking Python GIL wouldn't be safe. Also, the underling reference
291 // is invalid if generation != py_shared_state.generation.
291 // is invalid if generation != py_shared_state.generation.
292
292
293 impl<T> PyLeaked<T> {
293 impl<T> PyLeaked<T> {
294 /// Immutably borrows the wrapped value.
294 /// Immutably borrows the wrapped value.
295 ///
295 ///
296 /// Borrowing fails if the underlying reference has been invalidated.
296 /// Borrowing fails if the underlying reference has been invalidated.
297 pub fn try_borrow<'a>(
297 ///
298 /// # Safety
299 ///
300 /// The lifetime of the innermost object is cheated. Do not obtain and
301 /// copy it out of the borrow scope. See the example of `try_borrow_mut()`
302 /// for details.
303 pub unsafe fn try_borrow<'a>(
298 &'a self,
304 &'a self,
299 py: Python<'a>,
305 py: Python<'a>,
300 ) -> PyResult<PyLeakedRef<'a, T>> {
306 ) -> PyResult<PyLeakedRef<'a, T>> {
301 self.validate_generation(py)?;
307 self.validate_generation(py)?;
302 Ok(PyLeakedRef {
308 Ok(PyLeakedRef {
303 _borrow: BorrowPyShared::new(py, self.py_shared_state),
309 _borrow: BorrowPyShared::new(py, self.py_shared_state),
304 data: &self.data,
310 data: &self.data,
305 })
311 })
306 }
312 }
307
313
308 /// Mutably borrows the wrapped value.
314 /// Mutably borrows the wrapped value.
309 ///
315 ///
310 /// Borrowing fails if the underlying reference has been invalidated.
316 /// Borrowing fails if the underlying reference has been invalidated.
311 ///
317 ///
312 /// Typically `T` is an iterator. If `T` is an immutable reference,
318 /// Typically `T` is an iterator. If `T` is an immutable reference,
313 /// `get_mut()` is useless since the inner value can't be mutated.
319 /// `get_mut()` is useless since the inner value can't be mutated.
314 pub fn try_borrow_mut<'a>(
320 ///
321 /// # Safety
322 ///
323 /// The lifetime of the innermost object is cheated. Do not obtain and
324 /// copy it out of the borrow scope. For example, the following code
325 /// is unsafe:
326 ///
327 /// ```compile_fail
328 /// let slice;
329 /// {
330 /// let iter = leaked.try_borrow_mut(py);
331 /// // slice can outlive since the iterator is of Iter<'static, T>
332 /// // type, but it shouldn't.
333 /// slice = iter.as_slice();
334 /// }
335 /// println!("{:?}", slice);
336 /// ```
337 pub unsafe fn try_borrow_mut<'a>(
315 &'a mut self,
338 &'a mut self,
316 py: Python<'a>,
339 py: Python<'a>,
317 ) -> PyResult<PyLeakedRefMut<'a, T>> {
340 ) -> PyResult<PyLeakedRefMut<'a, T>> {
318 self.validate_generation(py)?;
341 self.validate_generation(py)?;
319 Ok(PyLeakedRefMut {
342 Ok(PyLeakedRefMut {
320 _borrow: BorrowPyShared::new(py, self.py_shared_state),
343 _borrow: BorrowPyShared::new(py, self.py_shared_state),
321 data: &mut self.data,
344 data: &mut self.data,
322 })
345 })
323 }
346 }
324
347
325 /// Converts the inner value by the given function.
348 /// Converts the inner value by the given function.
326 ///
349 ///
327 /// Typically `T` is a static reference to a container, and `U` is an
350 /// Typically `T` is a static reference to a container, and `U` is an
328 /// iterator of that container.
351 /// iterator of that container.
329 ///
352 ///
330 /// # Panics
353 /// # Panics
331 ///
354 ///
332 /// Panics if the underlying reference has been invalidated.
355 /// Panics if the underlying reference has been invalidated.
333 ///
356 ///
334 /// This is typically called immediately after the `PyLeaked` is obtained.
357 /// This is typically called immediately after the `PyLeaked` is obtained.
335 /// In which case, the reference must be valid and no panic would occur.
358 /// In which case, the reference must be valid and no panic would occur.
336 ///
359 ///
337 /// # Safety
360 /// # Safety
338 ///
361 ///
339 /// The lifetime of the object passed in to the function `f` is cheated.
362 /// The lifetime of the object passed in to the function `f` is cheated.
340 /// It's typically a static reference, but is valid only while the
363 /// It's typically a static reference, but is valid only while the
341 /// corresponding `PyLeaked` is alive. Do not copy it out of the
364 /// corresponding `PyLeaked` is alive. Do not copy it out of the
342 /// function call.
365 /// function call.
343 pub unsafe fn map<U>(
366 pub unsafe fn map<U>(
344 self,
367 self,
345 py: Python,
368 py: Python,
346 f: impl FnOnce(T) -> U,
369 f: impl FnOnce(T) -> U,
347 ) -> PyLeaked<U> {
370 ) -> PyLeaked<U> {
348 // Needs to test the generation value to make sure self.data reference
371 // Needs to test the generation value to make sure self.data reference
349 // is still intact.
372 // is still intact.
350 self.validate_generation(py)
373 self.validate_generation(py)
351 .expect("map() over invalidated leaked reference");
374 .expect("map() over invalidated leaked reference");
352
375
353 // f() could make the self.data outlive. That's why map() is unsafe.
376 // f() could make the self.data outlive. That's why map() is unsafe.
354 // In order to make this function safe, maybe we'll need a way to
377 // In order to make this function safe, maybe we'll need a way to
355 // temporarily restrict the lifetime of self.data and translate the
378 // temporarily restrict the lifetime of self.data and translate the
356 // returned object back to Something<'static>.
379 // returned object back to Something<'static>.
357 let new_data = f(self.data);
380 let new_data = f(self.data);
358 PyLeaked {
381 PyLeaked {
359 inner: self.inner,
382 inner: self.inner,
360 data: new_data,
383 data: new_data,
361 py_shared_state: self.py_shared_state,
384 py_shared_state: self.py_shared_state,
362 generation: self.generation,
385 generation: self.generation,
363 }
386 }
364 }
387 }
365
388
366 fn validate_generation(&self, py: Python) -> PyResult<()> {
389 fn validate_generation(&self, py: Python) -> PyResult<()> {
367 if self.py_shared_state.current_generation(py) == self.generation {
390 if self.py_shared_state.current_generation(py) == self.generation {
368 Ok(())
391 Ok(())
369 } else {
392 } else {
370 Err(PyErr::new::<exc::RuntimeError, _>(
393 Err(PyErr::new::<exc::RuntimeError, _>(
371 py,
394 py,
372 "Cannot access to leaked reference after mutation",
395 "Cannot access to leaked reference after mutation",
373 ))
396 ))
374 }
397 }
375 }
398 }
376 }
399 }
377
400
378 /// Immutably borrowed reference to a leaked value.
401 /// Immutably borrowed reference to a leaked value.
379 pub struct PyLeakedRef<'a, T> {
402 pub struct PyLeakedRef<'a, T> {
380 _borrow: BorrowPyShared<'a>,
403 _borrow: BorrowPyShared<'a>,
381 data: &'a T,
404 data: &'a T,
382 }
405 }
383
406
384 impl<T> Deref for PyLeakedRef<'_, T> {
407 impl<T> Deref for PyLeakedRef<'_, T> {
385 type Target = T;
408 type Target = T;
386
409
387 fn deref(&self) -> &T {
410 fn deref(&self) -> &T {
388 self.data
411 self.data
389 }
412 }
390 }
413 }
391
414
392 /// Mutably borrowed reference to a leaked value.
415 /// Mutably borrowed reference to a leaked value.
393 pub struct PyLeakedRefMut<'a, T> {
416 pub struct PyLeakedRefMut<'a, T> {
394 _borrow: BorrowPyShared<'a>,
417 _borrow: BorrowPyShared<'a>,
395 data: &'a mut T,
418 data: &'a mut T,
396 }
419 }
397
420
398 impl<T> Deref for PyLeakedRefMut<'_, T> {
421 impl<T> Deref for PyLeakedRefMut<'_, T> {
399 type Target = T;
422 type Target = T;
400
423
401 fn deref(&self) -> &T {
424 fn deref(&self) -> &T {
402 self.data
425 self.data
403 }
426 }
404 }
427 }
405
428
406 impl<T> DerefMut for PyLeakedRefMut<'_, T> {
429 impl<T> DerefMut for PyLeakedRefMut<'_, T> {
407 fn deref_mut(&mut self) -> &mut T {
430 fn deref_mut(&mut self) -> &mut T {
408 self.data
431 self.data
409 }
432 }
410 }
433 }
411
434
412 /// Defines a `py_class!` that acts as a Python iterator over a Rust iterator.
435 /// Defines a `py_class!` that acts as a Python iterator over a Rust iterator.
413 ///
436 ///
414 /// TODO: this is a bit awkward to use, and a better (more complicated)
437 /// TODO: this is a bit awkward to use, and a better (more complicated)
415 /// procedural macro would simplify the interface a lot.
438 /// procedural macro would simplify the interface a lot.
416 ///
439 ///
417 /// # Parameters
440 /// # Parameters
418 ///
441 ///
419 /// * `$name` is the identifier to give to the resulting Rust struct.
442 /// * `$name` is the identifier to give to the resulting Rust struct.
420 /// * `$leaked` corresponds to `$leaked` in the matching `py_shared_ref!` call.
443 /// * `$leaked` corresponds to `$leaked` in the matching `py_shared_ref!` call.
421 /// * `$iterator_type` is the type of the Rust iterator.
444 /// * `$iterator_type` is the type of the Rust iterator.
422 /// * `$success_func` is a function for processing the Rust `(key, value)`
445 /// * `$success_func` is a function for processing the Rust `(key, value)`
423 /// tuple on iteration success, turning it into something Python understands.
446 /// tuple on iteration success, turning it into something Python understands.
424 /// * `$success_func` is the return type of `$success_func`
447 /// * `$success_func` is the return type of `$success_func`
425 ///
448 ///
449 /// # Safety
450 ///
451 /// `$success_func` may take a reference, but it's lifetime may be cheated.
452 /// Do not copy it out of the function call.
453 ///
426 /// # Example
454 /// # Example
427 ///
455 ///
428 /// ```
456 /// ```
429 /// struct MyStruct {
457 /// struct MyStruct {
430 /// inner: HashMap<Vec<u8>, Vec<u8>>;
458 /// inner: HashMap<Vec<u8>, Vec<u8>>;
431 /// }
459 /// }
432 ///
460 ///
433 /// py_class!(pub class MyType |py| {
461 /// py_class!(pub class MyType |py| {
434 /// data inner: PySharedRefCell<MyStruct>;
462 /// data inner: PySharedRefCell<MyStruct>;
435 ///
463 ///
436 /// def __iter__(&self) -> PyResult<MyTypeItemsIterator> {
464 /// def __iter__(&self) -> PyResult<MyTypeItemsIterator> {
437 /// let leaked_ref = self.inner_shared(py).leak_immutable();
465 /// let leaked_ref = self.inner_shared(py).leak_immutable();
438 /// MyTypeItemsIterator::from_inner(
466 /// MyTypeItemsIterator::from_inner(
439 /// py,
467 /// py,
440 /// unsafe { leaked_ref.map(py, |o| o.iter()) },
468 /// unsafe { leaked_ref.map(py, |o| o.iter()) },
441 /// )
469 /// )
442 /// }
470 /// }
443 /// });
471 /// });
444 ///
472 ///
445 /// impl MyType {
473 /// impl MyType {
446 /// fn translate_key_value(
474 /// fn translate_key_value(
447 /// py: Python,
475 /// py: Python,
448 /// res: (&Vec<u8>, &Vec<u8>),
476 /// res: (&Vec<u8>, &Vec<u8>),
449 /// ) -> PyResult<Option<(PyBytes, PyBytes)>> {
477 /// ) -> PyResult<Option<(PyBytes, PyBytes)>> {
450 /// let (f, entry) = res;
478 /// let (f, entry) = res;
451 /// Ok(Some((
479 /// Ok(Some((
452 /// PyBytes::new(py, f),
480 /// PyBytes::new(py, f),
453 /// PyBytes::new(py, entry),
481 /// PyBytes::new(py, entry),
454 /// )))
482 /// )))
455 /// }
483 /// }
456 /// }
484 /// }
457 ///
485 ///
458 /// py_shared_ref!(MyType, MyStruct, inner, MyTypeLeakedRef);
486 /// py_shared_ref!(MyType, MyStruct, inner, MyTypeLeakedRef);
459 ///
487 ///
460 /// py_shared_iterator!(
488 /// py_shared_iterator!(
461 /// MyTypeItemsIterator,
489 /// MyTypeItemsIterator,
462 /// PyLeaked<HashMap<'static, Vec<u8>, Vec<u8>>>,
490 /// PyLeaked<HashMap<'static, Vec<u8>, Vec<u8>>>,
463 /// MyType::translate_key_value,
491 /// MyType::translate_key_value,
464 /// Option<(PyBytes, PyBytes)>
492 /// Option<(PyBytes, PyBytes)>
465 /// );
493 /// );
466 /// ```
494 /// ```
467 macro_rules! py_shared_iterator {
495 macro_rules! py_shared_iterator {
468 (
496 (
469 $name: ident,
497 $name: ident,
470 $leaked: ty,
498 $leaked: ty,
471 $success_func: expr,
499 $success_func: expr,
472 $success_type: ty
500 $success_type: ty
473 ) => {
501 ) => {
474 py_class!(pub class $name |py| {
502 py_class!(pub class $name |py| {
475 data inner: RefCell<$leaked>;
503 data inner: RefCell<$leaked>;
476
504
477 def __next__(&self) -> PyResult<$success_type> {
505 def __next__(&self) -> PyResult<$success_type> {
478 let mut leaked = self.inner(py).borrow_mut();
506 let mut leaked = self.inner(py).borrow_mut();
479 let mut iter = leaked.try_borrow_mut(py)?;
507 let mut iter = unsafe { leaked.try_borrow_mut(py)? };
480 match iter.next() {
508 match iter.next() {
481 None => Ok(None),
509 None => Ok(None),
510 // res may be a reference of cheated 'static lifetime
482 Some(res) => $success_func(py, res),
511 Some(res) => $success_func(py, res),
483 }
512 }
484 }
513 }
485
514
486 def __iter__(&self) -> PyResult<Self> {
515 def __iter__(&self) -> PyResult<Self> {
487 Ok(self.clone_ref(py))
516 Ok(self.clone_ref(py))
488 }
517 }
489 });
518 });
490
519
491 impl $name {
520 impl $name {
492 pub fn from_inner(
521 pub fn from_inner(
493 py: Python,
522 py: Python,
494 leaked: $leaked,
523 leaked: $leaked,
495 ) -> PyResult<Self> {
524 ) -> PyResult<Self> {
496 Self::create_instance(
525 Self::create_instance(
497 py,
526 py,
498 RefCell::new(leaked),
527 RefCell::new(leaked),
499 )
528 )
500 }
529 }
501 }
530 }
502 };
531 };
503 }
532 }
504
533
505 #[cfg(test)]
534 #[cfg(test)]
506 #[cfg(any(feature = "python27-bin", feature = "python3-bin"))]
535 #[cfg(any(feature = "python27-bin", feature = "python3-bin"))]
507 mod test {
536 mod test {
508 use super::*;
537 use super::*;
509 use cpython::{GILGuard, Python};
538 use cpython::{GILGuard, Python};
510
539
511 py_class!(class Owner |py| {
540 py_class!(class Owner |py| {
512 data string: PySharedRefCell<String>;
541 data string: PySharedRefCell<String>;
513 });
542 });
514 py_shared_ref!(Owner, String, string, string_shared);
543 py_shared_ref!(Owner, String, string, string_shared);
515
544
516 fn prepare_env() -> (GILGuard, Owner) {
545 fn prepare_env() -> (GILGuard, Owner) {
517 let gil = Python::acquire_gil();
546 let gil = Python::acquire_gil();
518 let py = gil.python();
547 let py = gil.python();
519 let owner =
548 let owner =
520 Owner::create_instance(py, PySharedRefCell::new("new".to_owned()))
549 Owner::create_instance(py, PySharedRefCell::new("new".to_owned()))
521 .unwrap();
550 .unwrap();
522 (gil, owner)
551 (gil, owner)
523 }
552 }
524
553
525 #[test]
554 #[test]
526 fn test_leaked_borrow() {
555 fn test_leaked_borrow() {
527 let (gil, owner) = prepare_env();
556 let (gil, owner) = prepare_env();
528 let py = gil.python();
557 let py = gil.python();
529 let leaked = owner.string_shared(py).leak_immutable();
558 let leaked = owner.string_shared(py).leak_immutable();
530 let leaked_ref = leaked.try_borrow(py).unwrap();
559 let leaked_ref = unsafe { leaked.try_borrow(py) }.unwrap();
531 assert_eq!(*leaked_ref, "new");
560 assert_eq!(*leaked_ref, "new");
532 }
561 }
533
562
534 #[test]
563 #[test]
535 fn test_leaked_borrow_mut() {
564 fn test_leaked_borrow_mut() {
536 let (gil, owner) = prepare_env();
565 let (gil, owner) = prepare_env();
537 let py = gil.python();
566 let py = gil.python();
538 let leaked = owner.string_shared(py).leak_immutable();
567 let leaked = owner.string_shared(py).leak_immutable();
539 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
568 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
540 let mut leaked_ref = leaked_iter.try_borrow_mut(py).unwrap();
569 let mut leaked_ref =
570 unsafe { leaked_iter.try_borrow_mut(py) }.unwrap();
541 assert_eq!(leaked_ref.next(), Some('n'));
571 assert_eq!(leaked_ref.next(), Some('n'));
542 assert_eq!(leaked_ref.next(), Some('e'));
572 assert_eq!(leaked_ref.next(), Some('e'));
543 assert_eq!(leaked_ref.next(), Some('w'));
573 assert_eq!(leaked_ref.next(), Some('w'));
544 assert_eq!(leaked_ref.next(), None);
574 assert_eq!(leaked_ref.next(), None);
545 }
575 }
546
576
547 #[test]
577 #[test]
548 fn test_leaked_borrow_after_mut() {
578 fn test_leaked_borrow_after_mut() {
549 let (gil, owner) = prepare_env();
579 let (gil, owner) = prepare_env();
550 let py = gil.python();
580 let py = gil.python();
551 let leaked = owner.string_shared(py).leak_immutable();
581 let leaked = owner.string_shared(py).leak_immutable();
552 owner.string_shared(py).borrow_mut().clear();
582 owner.string_shared(py).borrow_mut().clear();
553 assert!(leaked.try_borrow(py).is_err());
583 assert!(unsafe { leaked.try_borrow(py) }.is_err());
554 }
584 }
555
585
556 #[test]
586 #[test]
557 fn test_leaked_borrow_mut_after_mut() {
587 fn test_leaked_borrow_mut_after_mut() {
558 let (gil, owner) = prepare_env();
588 let (gil, owner) = prepare_env();
559 let py = gil.python();
589 let py = gil.python();
560 let leaked = owner.string_shared(py).leak_immutable();
590 let leaked = owner.string_shared(py).leak_immutable();
561 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
591 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
562 owner.string_shared(py).borrow_mut().clear();
592 owner.string_shared(py).borrow_mut().clear();
563 assert!(leaked_iter.try_borrow_mut(py).is_err());
593 assert!(unsafe { leaked_iter.try_borrow_mut(py) }.is_err());
564 }
594 }
565
595
566 #[test]
596 #[test]
567 #[should_panic(expected = "map() over invalidated leaked reference")]
597 #[should_panic(expected = "map() over invalidated leaked reference")]
568 fn test_leaked_map_after_mut() {
598 fn test_leaked_map_after_mut() {
569 let (gil, owner) = prepare_env();
599 let (gil, owner) = prepare_env();
570 let py = gil.python();
600 let py = gil.python();
571 let leaked = owner.string_shared(py).leak_immutable();
601 let leaked = owner.string_shared(py).leak_immutable();
572 owner.string_shared(py).borrow_mut().clear();
602 owner.string_shared(py).borrow_mut().clear();
573 let _leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
603 let _leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
574 }
604 }
575
605
576 #[test]
606 #[test]
577 fn test_try_borrow_mut_while_leaked_ref() {
607 fn test_try_borrow_mut_while_leaked_ref() {
578 let (gil, owner) = prepare_env();
608 let (gil, owner) = prepare_env();
579 let py = gil.python();
609 let py = gil.python();
580 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
610 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
581 let leaked = owner.string_shared(py).leak_immutable();
611 let leaked = owner.string_shared(py).leak_immutable();
582 {
612 {
583 let _leaked_ref = leaked.try_borrow(py).unwrap();
613 let _leaked_ref = unsafe { leaked.try_borrow(py) }.unwrap();
584 assert!(owner.string_shared(py).try_borrow_mut().is_err());
614 assert!(owner.string_shared(py).try_borrow_mut().is_err());
585 {
615 {
586 let _leaked_ref2 = leaked.try_borrow(py).unwrap();
616 let _leaked_ref2 = unsafe { leaked.try_borrow(py) }.unwrap();
587 assert!(owner.string_shared(py).try_borrow_mut().is_err());
617 assert!(owner.string_shared(py).try_borrow_mut().is_err());
588 }
618 }
589 assert!(owner.string_shared(py).try_borrow_mut().is_err());
619 assert!(owner.string_shared(py).try_borrow_mut().is_err());
590 }
620 }
591 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
621 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
592 }
622 }
593
623
594 #[test]
624 #[test]
595 fn test_try_borrow_mut_while_leaked_ref_mut() {
625 fn test_try_borrow_mut_while_leaked_ref_mut() {
596 let (gil, owner) = prepare_env();
626 let (gil, owner) = prepare_env();
597 let py = gil.python();
627 let py = gil.python();
598 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
628 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
599 let leaked = owner.string_shared(py).leak_immutable();
629 let leaked = owner.string_shared(py).leak_immutable();
600 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
630 let mut leaked_iter = unsafe { leaked.map(py, |s| s.chars()) };
601 {
631 {
602 let _leaked_ref = leaked_iter.try_borrow_mut(py).unwrap();
632 let _leaked_ref =
633 unsafe { leaked_iter.try_borrow_mut(py) }.unwrap();
603 assert!(owner.string_shared(py).try_borrow_mut().is_err());
634 assert!(owner.string_shared(py).try_borrow_mut().is_err());
604 }
635 }
605 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
636 assert!(owner.string_shared(py).try_borrow_mut().is_ok());
606 }
637 }
607
638
608 #[test]
639 #[test]
609 #[should_panic(expected = "mutably borrowed")]
640 #[should_panic(expected = "mutably borrowed")]
610 fn test_leak_while_borrow_mut() {
641 fn test_leak_while_borrow_mut() {
611 let (gil, owner) = prepare_env();
642 let (gil, owner) = prepare_env();
612 let py = gil.python();
643 let py = gil.python();
613 let _mut_ref = owner.string_shared(py).borrow_mut();
644 let _mut_ref = owner.string_shared(py).borrow_mut();
614 owner.string_shared(py).leak_immutable();
645 owner.string_shared(py).leak_immutable();
615 }
646 }
616
647
617 #[test]
648 #[test]
618 fn test_try_borrow_mut_while_borrow() {
649 fn test_try_borrow_mut_while_borrow() {
619 let (gil, owner) = prepare_env();
650 let (gil, owner) = prepare_env();
620 let py = gil.python();
651 let py = gil.python();
621 let _ref = owner.string_shared(py).borrow();
652 let _ref = owner.string_shared(py).borrow();
622 assert!(owner.string_shared(py).try_borrow_mut().is_err());
653 assert!(owner.string_shared(py).try_borrow_mut().is_err());
623 }
654 }
624
655
625 #[test]
656 #[test]
626 #[should_panic(expected = "already borrowed")]
657 #[should_panic(expected = "already borrowed")]
627 fn test_borrow_mut_while_borrow() {
658 fn test_borrow_mut_while_borrow() {
628 let (gil, owner) = prepare_env();
659 let (gil, owner) = prepare_env();
629 let py = gil.python();
660 let py = gil.python();
630 let _ref = owner.string_shared(py).borrow();
661 let _ref = owner.string_shared(py).borrow();
631 owner.string_shared(py).borrow_mut();
662 owner.string_shared(py).borrow_mut();
632 }
663 }
633 }
664 }
General Comments 0
You need to be logged in to leave comments. Login now