summaryrefslogtreecommitdiffstats
path: root/third_party/rust/atomic_refcell/src
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /third_party/rust/atomic_refcell/src
parentInitial commit. (diff)
downloadfirefox-esr-upstream.tar.xz
firefox-esr-upstream.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/rust/atomic_refcell/src')
-rw-r--r--third_party/rust/atomic_refcell/src/lib.rs482
1 files changed, 482 insertions, 0 deletions
diff --git a/third_party/rust/atomic_refcell/src/lib.rs b/third_party/rust/atomic_refcell/src/lib.rs
new file mode 100644
index 0000000000..b1afc324e7
--- /dev/null
+++ b/third_party/rust/atomic_refcell/src/lib.rs
@@ -0,0 +1,482 @@
+//! Implements a container type providing RefCell-like semantics for objects
+//! shared across threads.
+//!
+//! RwLock is traditionally considered to be the |Sync| analogue of RefCell.
+//! However, for consumers that can guarantee that they will never mutably
+//! borrow the contents concurrently with immutable borrows, an RwLock is
+//! overkill, and has key disadvantages:
+//! * Performance: Even the fastest existing implementation of RwLock (that of
+//! parking_lot) performs at least two atomic operations during immutable
+//! borrows. This makes mutable borrows significantly cheaper than immutable
+//! borrows, leading to weird incentives when writing performance-critical
+//! code.
+//! * Features: Implementing AtomicRefCell on top of RwLock makes it impossible
+//! to implement useful things like AtomicRef{,Mut}::map.
+//!
+//! As such, we re-implement RefCell semantics from scratch with a single atomic
+//! reference count. The primary complication of this scheme relates to keeping
+//! things in a consistent state when one thread performs an illegal borrow and
+//! panics. Since an AtomicRefCell can be accessed by multiple threads, and since
+//! panics are recoverable, we need to ensure that an illegal (panicking) access by
+//! one thread does not lead to undefined behavior on other, still-running threads.
+//!
+//! So we represent things as follows:
+//! * Any value with the high bit set (so half the total refcount space) indicates
+//! a mutable borrow.
+//! * Mutable borrows perform an atomic compare-and-swap, swapping in the high bit
+//! if the current value is zero. If the current value is non-zero, the thread
+//! panics and the value is left undisturbed.
+//! * Immutable borrows perform an atomic increment. If the new value has the high
+//! bit set, the thread panics. The incremented refcount is left as-is, since it
+//! still represents a valid mutable borrow. When the mutable borrow is released,
+//! the refcount is set unconditionally to zero, clearing any stray increments by
+//! panicked threads.
+//!
+//! There are a few additional purely-academic complications to handle overflow,
+//! which are documented in the implementation.
+//!
+//! The rest of this module is mostly derived by copy-pasting the implementation of
+//! RefCell and fixing things up as appropriate. Certain non-threadsafe methods
+//! have been removed. We segment the concurrency logic from the rest of the code to
+//! keep the tricky parts small and easy to audit.
+
+#![no_std]
+#![allow(unsafe_code)]
+#![deny(missing_docs)]
+
+use core::cell::UnsafeCell;
+use core::cmp;
+use core::fmt;
+use core::fmt::{Debug, Display};
+use core::ops::{Deref, DerefMut};
+use core::sync::atomic;
+use core::sync::atomic::AtomicUsize;
+
+/// A threadsafe analogue to RefCell.
+pub struct AtomicRefCell<T: ?Sized> {
+ borrow: AtomicUsize,
+ value: UnsafeCell<T>,
+}
+
+/// An error returned by [`AtomicRefCell::try_borrow`](struct.AtomicRefCell.html#method.try_borrow).
+pub struct BorrowError {
+ _private: (),
+}
+
+impl Debug for BorrowError {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ f.debug_struct("BorrowError").finish()
+ }
+}
+
+impl Display for BorrowError {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ Display::fmt("already mutably borrowed", f)
+ }
+}
+
+/// An error returned by [`AtomicRefCell::try_borrow_mut`](struct.AtomicRefCell.html#method.try_borrow_mut).
+pub struct BorrowMutError {
+ _private: (),
+}
+
+impl Debug for BorrowMutError {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ f.debug_struct("BorrowMutError").finish()
+ }
+}
+
+impl Display for BorrowMutError {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ Display::fmt("already borrowed", f)
+ }
+}
+
+impl<T> AtomicRefCell<T> {
+ /// Creates a new `AtomicRefCell` containing `value`.
+ #[inline]
+ pub const fn new(value: T) -> AtomicRefCell<T> {
+ AtomicRefCell {
+ borrow: AtomicUsize::new(0),
+ value: UnsafeCell::new(value),
+ }
+ }
+
+ /// Consumes the `AtomicRefCell`, returning the wrapped value.
+ #[inline]
+ pub fn into_inner(self) -> T {
+ debug_assert!(self.borrow.load(atomic::Ordering::Acquire) == 0);
+ self.value.into_inner()
+ }
+}
+
+impl<T: ?Sized> AtomicRefCell<T> {
+ /// Immutably borrows the wrapped value.
+ #[inline]
+ pub fn borrow(&self) -> AtomicRef<T> {
+ match AtomicBorrowRef::try_new(&self.borrow) {
+ Ok(borrow) => AtomicRef {
+ value: unsafe { &*self.value.get() },
+ borrow,
+ },
+ Err(s) => panic!("{}", s),
+ }
+ }
+
+ /// Attempts to immutably borrow the wrapped value, but instead of panicking
+ /// on a failed borrow, returns `Err`.
+ #[inline]
+ pub fn try_borrow(&self) -> Result<AtomicRef<T>, BorrowError> {
+ match AtomicBorrowRef::try_new(&self.borrow) {
+ Ok(borrow) => Ok(AtomicRef {
+ value: unsafe { &*self.value.get() },
+ borrow,
+ }),
+ Err(_) => Err(BorrowError { _private: () }),
+ }
+ }
+
+ /// Mutably borrows the wrapped value.
+ #[inline]
+ pub fn borrow_mut(&self) -> AtomicRefMut<T> {
+ match AtomicBorrowRefMut::try_new(&self.borrow) {
+ Ok(borrow) => AtomicRefMut {
+ value: unsafe { &mut *self.value.get() },
+ borrow,
+ },
+ Err(s) => panic!("{}", s),
+ }
+ }
+
+ /// Attempts to mutably borrow the wrapped value, but instead of panicking
+ /// on a failed borrow, returns `Err`.
+ #[inline]
+ pub fn try_borrow_mut(&self) -> Result<AtomicRefMut<T>, BorrowMutError> {
+ match AtomicBorrowRefMut::try_new(&self.borrow) {
+ Ok(borrow) => Ok(AtomicRefMut {
+ value: unsafe { &mut *self.value.get() },
+ borrow,
+ }),
+ Err(_) => Err(BorrowMutError { _private: () }),
+ }
+ }
+
+ /// Returns a raw pointer to the underlying data in this cell.
+ ///
+ /// External synchronization is needed to avoid data races when dereferencing
+ /// the pointer.
+ #[inline]
+ pub fn as_ptr(&self) -> *mut T {
+ self.value.get()
+ }
+
+ /// Returns a mutable reference to the wrapped value.
+ ///
+ /// No runtime checks take place (unless debug assertions are enabled)
+ /// because this call borrows `AtomicRefCell` mutably at compile-time.
+ #[inline]
+ pub fn get_mut(&mut self) -> &mut T {
+ debug_assert!(self.borrow.load(atomic::Ordering::Acquire) == 0);
+ unsafe { &mut *self.value.get() }
+ }
+}
+
+//
+// Core synchronization logic. Keep this section small and easy to audit.
+//
+
+const HIGH_BIT: usize = !(::core::usize::MAX >> 1);
+const MAX_FAILED_BORROWS: usize = HIGH_BIT + (HIGH_BIT >> 1);
+
+struct AtomicBorrowRef<'b> {
+ borrow: &'b AtomicUsize,
+}
+
+impl<'b> AtomicBorrowRef<'b> {
+ #[inline]
+ fn try_new(borrow: &'b AtomicUsize) -> Result<Self, &'static str> {
+ let new = borrow.fetch_add(1, atomic::Ordering::Acquire) + 1;
+ if new & HIGH_BIT != 0 {
+ // If the new count has the high bit set, that almost certainly
+ // means there's an pre-existing mutable borrow. In that case,
+ // we simply leave the increment as a benign side-effect and
+ // return `Err`. Once the mutable borrow is released, the
+ // count will be reset to zero unconditionally.
+ //
+ // The overflow check here ensures that an unbounded number of
+ // immutable borrows during the scope of one mutable borrow
+ // will soundly trigger a panic (or abort) rather than UB.
+ Self::check_overflow(borrow, new);
+ Err("already mutably borrowed")
+ } else {
+ Ok(AtomicBorrowRef { borrow: borrow })
+ }
+ }
+
+ #[cold]
+ #[inline(never)]
+ fn check_overflow(borrow: &'b AtomicUsize, new: usize) {
+ if new == HIGH_BIT {
+ // We overflowed into the reserved upper half of the refcount
+ // space. Before panicking, decrement the refcount to leave things
+ // in a consistent immutable-borrow state.
+ //
+ // This can basically only happen if somebody forget()s AtomicRefs
+ // in a tight loop.
+ borrow.fetch_sub(1, atomic::Ordering::Release);
+ panic!("too many immutable borrows");
+ } else if new >= MAX_FAILED_BORROWS {
+ // During the mutable borrow, an absurd number of threads have
+ // attempted to increment the refcount with immutable borrows.
+ // To avoid hypothetically wrapping the refcount, we abort the
+ // process once a certain threshold is reached.
+ //
+ // This requires billions of borrows to fail during the scope of
+ // one mutable borrow, and so is very unlikely to happen in a real
+ // program.
+ //
+ // To avoid a potential unsound state after overflowing, we make
+ // sure the entire process aborts.
+ //
+ // Right now, there's no stable way to do that without `std`:
+ // https://github.com/rust-lang/rust/issues/67952
+ // As a workaround, we cause an abort by making this thread panic
+ // during the unwinding of another panic.
+ //
+ // On platforms where the panic strategy is already 'abort', the
+ // ForceAbort object here has no effect, as the program already
+ // panics before it is dropped.
+ struct ForceAbort;
+ impl Drop for ForceAbort {
+ fn drop(&mut self) {
+ panic!("Aborting to avoid unsound state of AtomicRefCell");
+ }
+ }
+ let _abort = ForceAbort;
+ panic!("Too many failed borrows");
+ }
+ }
+}
+
+impl<'b> Drop for AtomicBorrowRef<'b> {
+ #[inline]
+ fn drop(&mut self) {
+ let old = self.borrow.fetch_sub(1, atomic::Ordering::Release);
+ // This assertion is technically incorrect in the case where another
+ // thread hits the hypothetical overflow case, since we might observe
+ // the refcount before it fixes it up (and panics). But that never will
+ // never happen in a real program, and this is a debug_assert! anyway.
+ debug_assert!(old & HIGH_BIT == 0);
+ }
+}
+
+struct AtomicBorrowRefMut<'b> {
+ borrow: &'b AtomicUsize,
+}
+
+impl<'b> Drop for AtomicBorrowRefMut<'b> {
+ #[inline]
+ fn drop(&mut self) {
+ self.borrow.store(0, atomic::Ordering::Release);
+ }
+}
+
+impl<'b> AtomicBorrowRefMut<'b> {
+ #[inline]
+ fn try_new(borrow: &'b AtomicUsize) -> Result<AtomicBorrowRefMut<'b>, &'static str> {
+ // Use compare-and-swap to avoid corrupting the immutable borrow count
+ // on illegal mutable borrows.
+ let old = match borrow.compare_exchange(
+ 0,
+ HIGH_BIT,
+ atomic::Ordering::Acquire,
+ atomic::Ordering::Relaxed,
+ ) {
+ Ok(x) => x,
+ Err(x) => x,
+ };
+
+ if old == 0 {
+ Ok(AtomicBorrowRefMut { borrow })
+ } else if old & HIGH_BIT == 0 {
+ Err("already immutably borrowed")
+ } else {
+ Err("already mutably borrowed")
+ }
+ }
+}
+
+unsafe impl<T: ?Sized + Send> Send for AtomicRefCell<T> {}
+unsafe impl<T: ?Sized + Send + Sync> Sync for AtomicRefCell<T> {}
+
+//
+// End of core synchronization logic. No tricky thread stuff allowed below
+// this point.
+//
+
+impl<T: Clone> Clone for AtomicRefCell<T> {
+ #[inline]
+ fn clone(&self) -> AtomicRefCell<T> {
+ AtomicRefCell::new(self.borrow().clone())
+ }
+}
+
+impl<T: Default> Default for AtomicRefCell<T> {
+ #[inline]
+ fn default() -> AtomicRefCell<T> {
+ AtomicRefCell::new(Default::default())
+ }
+}
+
+impl<T: ?Sized + PartialEq> PartialEq for AtomicRefCell<T> {
+ #[inline]
+ fn eq(&self, other: &AtomicRefCell<T>) -> bool {
+ *self.borrow() == *other.borrow()
+ }
+}
+
+impl<T: ?Sized + Eq> Eq for AtomicRefCell<T> {}
+
+impl<T: ?Sized + PartialOrd> PartialOrd for AtomicRefCell<T> {
+ #[inline]
+ fn partial_cmp(&self, other: &AtomicRefCell<T>) -> Option<cmp::Ordering> {
+ self.borrow().partial_cmp(&*other.borrow())
+ }
+}
+
+impl<T: ?Sized + Ord> Ord for AtomicRefCell<T> {
+ #[inline]
+ fn cmp(&self, other: &AtomicRefCell<T>) -> cmp::Ordering {
+ self.borrow().cmp(&*other.borrow())
+ }
+}
+
+impl<T> From<T> for AtomicRefCell<T> {
+ fn from(t: T) -> AtomicRefCell<T> {
+ AtomicRefCell::new(t)
+ }
+}
+
+impl<'b> Clone for AtomicBorrowRef<'b> {
+ #[inline]
+ fn clone(&self) -> AtomicBorrowRef<'b> {
+ AtomicBorrowRef::try_new(self.borrow).unwrap()
+ }
+}
+
+/// A wrapper type for an immutably borrowed value from an `AtomicRefCell<T>`.
+pub struct AtomicRef<'b, T: ?Sized + 'b> {
+ value: &'b T,
+ borrow: AtomicBorrowRef<'b>,
+}
+
+impl<'b, T: ?Sized> Deref for AtomicRef<'b, T> {
+ type Target = T;
+
+ #[inline]
+ fn deref(&self) -> &T {
+ self.value
+ }
+}
+
+impl<'b, T: ?Sized> AtomicRef<'b, T> {
+ /// Copies an `AtomicRef`.
+ #[inline]
+ pub fn clone(orig: &AtomicRef<'b, T>) -> AtomicRef<'b, T> {
+ AtomicRef {
+ value: orig.value,
+ borrow: orig.borrow.clone(),
+ }
+ }
+
+ /// Make a new `AtomicRef` for a component of the borrowed data.
+ #[inline]
+ pub fn map<U: ?Sized, F>(orig: AtomicRef<'b, T>, f: F) -> AtomicRef<'b, U>
+ where
+ F: FnOnce(&T) -> &U,
+ {
+ AtomicRef {
+ value: f(orig.value),
+ borrow: orig.borrow,
+ }
+ }
+
+ /// Make a new `AtomicRef` for an optional component of the borrowed data.
+ #[inline]
+ pub fn filter_map<U: ?Sized, F>(orig: AtomicRef<'b, T>, f: F) -> Option<AtomicRef<'b, U>>
+ where
+ F: FnOnce(&T) -> Option<&U>,
+ {
+ Some(AtomicRef {
+ value: f(orig.value)?,
+ borrow: orig.borrow,
+ })
+ }
+}
+
+impl<'b, T: ?Sized> AtomicRefMut<'b, T> {
+ /// Make a new `AtomicRefMut` for a component of the borrowed data, e.g. an enum
+ /// variant.
+ #[inline]
+ pub fn map<U: ?Sized, F>(orig: AtomicRefMut<'b, T>, f: F) -> AtomicRefMut<'b, U>
+ where
+ F: FnOnce(&mut T) -> &mut U,
+ {
+ AtomicRefMut {
+ value: f(orig.value),
+ borrow: orig.borrow,
+ }
+ }
+
+ /// Make a new `AtomicRefMut` for an optional component of the borrowed data.
+ #[inline]
+ pub fn filter_map<U: ?Sized, F>(orig: AtomicRefMut<'b, T>, f: F) -> Option<AtomicRefMut<'b, U>>
+ where
+ F: FnOnce(&mut T) -> Option<&mut U>,
+ {
+ Some(AtomicRefMut {
+ value: f(orig.value)?,
+ borrow: orig.borrow,
+ })
+ }
+}
+
+/// A wrapper type for a mutably borrowed value from an `AtomicRefCell<T>`.
+pub struct AtomicRefMut<'b, T: ?Sized + 'b> {
+ value: &'b mut T,
+ borrow: AtomicBorrowRefMut<'b>,
+}
+
+impl<'b, T: ?Sized> Deref for AtomicRefMut<'b, T> {
+ type Target = T;
+
+ #[inline]
+ fn deref(&self) -> &T {
+ self.value
+ }
+}
+
+impl<'b, T: ?Sized> DerefMut for AtomicRefMut<'b, T> {
+ #[inline]
+ fn deref_mut(&mut self) -> &mut T {
+ self.value
+ }
+}
+
+impl<'b, T: ?Sized + Debug + 'b> Debug for AtomicRef<'b, T> {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ self.value.fmt(f)
+ }
+}
+
+impl<'b, T: ?Sized + Debug + 'b> Debug for AtomicRefMut<'b, T> {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ self.value.fmt(f)
+ }
+}
+
+impl<T: ?Sized + Debug> Debug for AtomicRefCell<T> {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ write!(f, "AtomicRefCell {{ ... }}")
+ }
+}