upstream/mercurial-mirror Files · rust/hg-cpython/src/cindex.rs

rust-cpython: mark all PyLeaked methods as unsafe...

rust-cpython: mark all PyLeaked methods as unsafe Unfortunately, these methods can be abused to obtain the inner 'static reference. The simplest (pseudo-code) example is: let leaked: PyLeaked<&'static _> = shared.leak_immutable(); let static_ref: &'static _ = &*leaked.try_borrow(py)?; // PyLeakedRef::deref() tries to bound the lifetime to itself, but // the underlying data is a &'static reference, so the returned // reference can be &'static. This problem can be easily fixed by coercing the lifetime, but there are many other ways to achieve that, and there wouldn't be a generic solution: let leaked: PyLeaked<&'static [_]> = shared.leak_immutable(); let leaked_iter: PyLeaked<slice::Iter<'static, _>> = unsafe { leaked.map(|v| v.iter()) }; let static_slice: &'static [_] = leaked_iter.try_borrow(py)?.as_slice(); So basically I failed to design the safe borrowing interface. Maybe we'll instead have to add much more restricted interface on top of the unsafe PyLeaked methods? For instance, Iterator::next() could be implemented if its Item type is not &'a (where 'a may be cheated.) Anyway, this seems not an easy issue, so it's probably better to leave the current interface as unsafe, and get broader comments while upstreaming this feature.

Georges Racinet - - Load All Authors

File last commit:

r44523:f5d2720f default


                r44689:e960c30d

default

Download file

             cindex.rs
        
                    133 lines
            
             | 4.1 KiB
            
                | application/rls-services+xml
            
             |
                RustLexer
            
             / rust / hg-cpython / src / cindex.rs
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      // cindex.rs

      //

      // Copyright 2018 Georges Racinet <gracinet@anybox.fr>

      //

      // This software may be used and distributed according to the terms of the

      // GNU General Public License version 2 or any later version.

      //! Bindings to use the Index defined by the parsers C extension

      //!

      //! Ideally, we should use an Index entirely implemented in Rust,

      //! but this will take some time to get there.

      use cpython::{exc::ImportError, PyClone, PyErr, PyObject, PyResult, Python};

      use hg::{Graph, GraphError, Revision, WORKING_DIRECTORY_REVISION};

      use libc::c_int;

      const REVLOG_CABI_VERSION: c_int = 1;

      #[repr(C)]

      pub struct Revlog_CAPI {

          abi_version: c_int,

          index_parents: unsafe extern "C" fn(

              index: *mut revlog_capi::RawPyObject,

              rev: c_int,

              ps: *mut [c_int; 2],

          ) -> c_int,

      }

      py_capsule!(

          from mercurial.cext.parsers import revlog_CAPI

              as revlog_capi for Revlog_CAPI);

      /// A `Graph` backed up by objects and functions from revlog.c

      ///

      /// This implementation of the `Graph` trait, relies on (pointers to)

      /// - the C index object (`index` member)

      /// - the `index_get_parents()` function (`parents` member)

      ///

      /// # Safety

      ///

      /// The C index itself is mutable, and this Rust exposition is **not

      /// protected by the GIL**, meaning that this construct isn't safe with respect

      /// to Python threads.

      ///

      /// All callers of this `Index` must acquire the GIL and must not release it

      /// while working.

      ///

      /// # TODO find a solution to make it GIL safe again.

      ///

      /// This is non trivial, and can wait until we have a clearer picture with

      /// more Rust Mercurial constructs.

      ///

      /// One possibility would be to a `GILProtectedIndex` wrapper enclosing

      /// a `Python<'p>` marker and have it be the one implementing the

      /// `Graph` trait, but this would mean the `Graph` implementor would become

      /// likely to change between subsequent method invocations of the `hg-core`

      /// objects (a serious change of the `hg-core` API):

      /// either exposing ways to mutate the `Graph`, or making it a non persistent

      /// parameter in the relevant methods that need one.

      ///

      /// Another possibility would be to introduce an abstract lock handle into

      /// the core API, that would be tied to `GILGuard` / `Python<'p>`

      /// in the case of the `cpython` crate bindings yet could leave room for other

      /// mechanisms in other contexts.

      pub struct Index {

          index: PyObject,

          capi: &'static Revlog_CAPI,

      }

      impl Index {

          pub fn new(py: Python, index: PyObject) -> PyResult<Self> {

              let capi = unsafe { revlog_capi::retrieve(py)? };

              if capi.abi_version != REVLOG_CABI_VERSION {

                  return Err(PyErr::new::<ImportError, _>(

                      py,

                      format!(

                          "ABI version mismatch: the C ABI revlog version {} \

                           does not match the {} expected by Rust hg-cpython",

                          capi.abi_version, REVLOG_CABI_VERSION

                      ),

                  ));

              }

              Ok(Index {

                  index: index,

                  capi: capi,

              })

          }

          /// return a reference to the CPython Index object in this Struct

          pub fn inner(&self) -> &PyObject {

              &self.index

          }

      }

      impl Clone for Index {

          fn clone(&self) -> Self {

              let guard = Python::acquire_gil();

              Index {

                  index: self.index.clone_ref(guard.python()),

                  capi: self.capi,

              }

          }

      }

      impl PyClone for Index {

          fn clone_ref(&self, py: Python) -> Self {

              Index {

                  index: self.index.clone_ref(py),

                  capi: self.capi,

              }

          }

      }

      impl Graph for Index {

          /// wrap a call to the C extern parents function

          fn parents(&self, rev: Revision) -> Result<[Revision; 2], GraphError> {

              if rev == WORKING_DIRECTORY_REVISION {

                  return Err(GraphError::WorkingDirectoryUnsupported);

              }

              let mut res: [c_int; 2] = [0; 2];

              let code = unsafe {

                  (self.capi.index_parents)(

                      self.index.as_ptr(),

                      rev as c_int,

                      &mut res as *mut [c_int; 2],

                  )

              };

              match code {

                  0 => Ok(res),

                  _ => Err(GraphError::ParentOutOfRange(rev)),

              }

          }

      }

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				// cindex.rs
				//
				// Copyright 2018 Georges Racinet <gracinet@anybox.fr>
				//
				// This software may be used and distributed according to the terms of the
				// GNU General Public License version 2 or any later version.

				//! Bindings to use the Index defined by the parsers C extension
				//!
				//! Ideally, we should use an Index entirely implemented in Rust,
				//! but this will take some time to get there.

				use cpython::{exc::ImportError, PyClone, PyErr, PyObject, PyResult, Python};
				use hg::{Graph, GraphError, Revision, WORKING_DIRECTORY_REVISION};
				use libc::c_int;

				const REVLOG_CABI_VERSION: c_int = 1;

				#[repr(C)]
				pub struct Revlog_CAPI {
				abi_version: c_int,
				index_parents: unsafe extern "C" fn(
				index: *mut revlog_capi::RawPyObject,
				rev: c_int,
				ps: *mut [c_int; 2],
				) -> c_int,
				}

				py_capsule!(
				from mercurial.cext.parsers import revlog_CAPI
				as revlog_capi for Revlog_CAPI);

				/// A `Graph` backed up by objects and functions from revlog.c
				///
				/// This implementation of the `Graph` trait, relies on (pointers to)
				/// - the C index object (`index` member)
				/// - the `index_get_parents()` function (`parents` member)
				///
				/// # Safety
				///
				/// The C index itself is mutable, and this Rust exposition is **not
				/// protected by the GIL**, meaning that this construct isn't safe with respect
				/// to Python threads.
				///
				/// All callers of this `Index` must acquire the GIL and must not release it
				/// while working.
				///
				/// # TODO find a solution to make it GIL safe again.
				///
				/// This is non trivial, and can wait until we have a clearer picture with
				/// more Rust Mercurial constructs.
				///
				/// One possibility would be to a `GILProtectedIndex` wrapper enclosing
				/// a `Python<'p>` marker and have it be the one implementing the
				/// `Graph` trait, but this would mean the `Graph` implementor would become
				/// likely to change between subsequent method invocations of the `hg-core`
				/// objects (a serious change of the `hg-core` API):
				/// either exposing ways to mutate the `Graph`, or making it a non persistent
				/// parameter in the relevant methods that need one.
				///
				/// Another possibility would be to introduce an abstract lock handle into
				/// the core API, that would be tied to `GILGuard` / `Python<'p>`
				/// in the case of the `cpython` crate bindings yet could leave room for other
				/// mechanisms in other contexts.
				pub struct Index {
				index: PyObject,
				capi: &'static Revlog_CAPI,
				}

				impl Index {
				pub fn new(py: Python, index: PyObject) -> PyResult<Self> {
				let capi = unsafe { revlog_capi::retrieve(py)? };
				if capi.abi_version != REVLOG_CABI_VERSION {
				return Err(PyErr::new::<ImportError, _>(
				py,
				format!(
				"ABI version mismatch: the C ABI revlog version {} \
				does not match the {} expected by Rust hg-cpython",
				capi.abi_version, REVLOG_CABI_VERSION
				),
				));
				}
				Ok(Index {
				index: index,
				capi: capi,
				})
				}

				/// return a reference to the CPython Index object in this Struct
				pub fn inner(&self) -> &PyObject {
				&self.index
				}
				}

				impl Clone for Index {
				fn clone(&self) -> Self {
				let guard = Python::acquire_gil();
				Index {
				index: self.index.clone_ref(guard.python()),
				capi: self.capi,
				}
				}
				}

				impl PyClone for Index {
				fn clone_ref(&self, py: Python) -> Self {
				Index {
				index: self.index.clone_ref(py),
				capi: self.capi,
				}
				}
				}

				impl Graph for Index {
				/// wrap a call to the C extern parents function
				fn parents(&self, rev: Revision) -> Result<[Revision; 2], GraphError> {
				if rev == WORKING_DIRECTORY_REVISION {
				return Err(GraphError::WorkingDirectoryUnsupported);
				}
				let mut res: [c_int; 2] = [0; 2];
				let code = unsafe {
				(self.capi.index_parents)(
				self.index.as_ptr(),
				rev as c_int,
				&mut res as *mut [c_int; 2],
				)
				};
				match code {
				0 => Ok(res),
				_ => Err(GraphError::ParentOutOfRange(rev)),
				}
				}
				}