1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2024 Google LLC. 4 5 //! A linked list implementation. 6 7 use crate::init::PinInit; 8 use crate::sync::ArcBorrow; 9 use crate::types::Opaque; 10 use core::iter::{DoubleEndedIterator, FusedIterator}; 11 use core::marker::PhantomData; 12 use core::ptr; 13 14 mod impl_list_item_mod; 15 pub use self::impl_list_item_mod::{impl_has_list_links, impl_list_item, HasListLinks}; 16 17 mod arc; 18 pub use self::arc::{impl_list_arc_safe, AtomicTracker, ListArc, ListArcSafe, TryNewListArc}; 19 20 /// A linked list. 21 /// 22 /// All elements in this linked list will be [`ListArc`] references to the value. Since a value can 23 /// only have one `ListArc` (for each pair of prev/next pointers), this ensures that the same 24 /// prev/next pointers are not used for several linked lists. 25 /// 26 /// # Invariants 27 /// 28 /// * If the list is empty, then `first` is null. Otherwise, `first` points at the `ListLinks` 29 /// field of the first element in the list. 30 /// * All prev/next pointers in `ListLinks` fields of items in the list are valid and form a cycle. 31 /// * For every item in the list, the list owns the associated [`ListArc`] reference and has 32 /// exclusive access to the `ListLinks` field. 33 pub struct List<T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 34 first: *mut ListLinksFields, 35 _ty: PhantomData<ListArc<T, ID>>, 36 } 37 38 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same 39 // type of access to the `ListArc<T, ID>` elements. 40 unsafe impl<T, const ID: u64> Send for List<T, ID> 41 where 42 ListArc<T, ID>: Send, 43 T: ?Sized + ListItem<ID>, 44 { 45 } 46 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same 47 // type of access to the `ListArc<T, ID>` elements. 48 unsafe impl<T, const ID: u64> Sync for List<T, ID> 49 where 50 ListArc<T, ID>: Sync, 51 T: ?Sized + ListItem<ID>, 52 { 53 } 54 55 /// Implemented by types where a [`ListArc<Self>`] can be inserted into a [`List`]. 56 /// 57 /// # Safety 58 /// 59 /// Implementers must ensure that they provide the guarantees documented on methods provided by 60 /// this trait. 61 /// 62 /// [`ListArc<Self>`]: ListArc 63 pub unsafe trait ListItem<const ID: u64 = 0>: ListArcSafe<ID> { 64 /// Views the [`ListLinks`] for this value. 65 /// 66 /// # Guarantees 67 /// 68 /// If there is a previous call to `prepare_to_insert` and there is no call to `post_remove` 69 /// since the most recent such call, then this returns the same pointer as the one returned by 70 /// the most recent call to `prepare_to_insert`. 71 /// 72 /// Otherwise, the returned pointer points at a read-only [`ListLinks`] with two null pointers. 73 /// 74 /// # Safety 75 /// 76 /// The provided pointer must point at a valid value. (It need not be in an `Arc`.) 77 unsafe fn view_links(me: *const Self) -> *mut ListLinks<ID>; 78 79 /// View the full value given its [`ListLinks`] field. 80 /// 81 /// Can only be used when the value is in a list. 82 /// 83 /// # Guarantees 84 /// 85 /// * Returns the same pointer as the one passed to the most recent call to `prepare_to_insert`. 86 /// * The returned pointer is valid until the next call to `post_remove`. 87 /// 88 /// # Safety 89 /// 90 /// * The provided pointer must originate from the most recent call to `prepare_to_insert`, or 91 /// from a call to `view_links` that happened after the most recent call to 92 /// `prepare_to_insert`. 93 /// * Since the most recent call to `prepare_to_insert`, the `post_remove` method must not have 94 /// been called. 95 unsafe fn view_value(me: *mut ListLinks<ID>) -> *const Self; 96 97 /// This is called when an item is inserted into a [`List`]. 98 /// 99 /// # Guarantees 100 /// 101 /// The caller is granted exclusive access to the returned [`ListLinks`] until `post_remove` is 102 /// called. 103 /// 104 /// # Safety 105 /// 106 /// * The provided pointer must point at a valid value in an [`Arc`]. 107 /// * Calls to `prepare_to_insert` and `post_remove` on the same value must alternate. 108 /// * The caller must own the [`ListArc`] for this value. 109 /// * The caller must not give up ownership of the [`ListArc`] unless `post_remove` has been 110 /// called after this call to `prepare_to_insert`. 111 /// 112 /// [`Arc`]: crate::sync::Arc 113 unsafe fn prepare_to_insert(me: *const Self) -> *mut ListLinks<ID>; 114 115 /// This undoes a previous call to `prepare_to_insert`. 116 /// 117 /// # Guarantees 118 /// 119 /// The returned pointer is the pointer that was originally passed to `prepare_to_insert`. 120 /// 121 /// # Safety 122 /// 123 /// The provided pointer must be the pointer returned by the most recent call to 124 /// `prepare_to_insert`. 125 unsafe fn post_remove(me: *mut ListLinks<ID>) -> *const Self; 126 } 127 128 #[repr(C)] 129 #[derive(Copy, Clone)] 130 struct ListLinksFields { 131 next: *mut ListLinksFields, 132 prev: *mut ListLinksFields, 133 } 134 135 /// The prev/next pointers for an item in a linked list. 136 /// 137 /// # Invariants 138 /// 139 /// The fields are null if and only if this item is not in a list. 140 #[repr(transparent)] 141 pub struct ListLinks<const ID: u64 = 0> { 142 // This type is `!Unpin` for aliasing reasons as the pointers are part of an intrusive linked 143 // list. 144 inner: Opaque<ListLinksFields>, 145 } 146 147 // SAFETY: The only way to access/modify the pointers inside of `ListLinks<ID>` is via holding the 148 // associated `ListArc<T, ID>`. Since that type correctly implements `Send`, it is impossible to 149 // move this an instance of this type to a different thread if the pointees are `!Send`. 150 unsafe impl<const ID: u64> Send for ListLinks<ID> {} 151 // SAFETY: The type is opaque so immutable references to a ListLinks are useless. Therefore, it's 152 // okay to have immutable access to a ListLinks from several threads at once. 153 unsafe impl<const ID: u64> Sync for ListLinks<ID> {} 154 155 impl<const ID: u64> ListLinks<ID> { 156 /// Creates a new initializer for this type. 157 pub fn new() -> impl PinInit<Self> { 158 // INVARIANT: Pin-init initializers can't be used on an existing `Arc`, so this value will 159 // not be constructed in an `Arc` that already has a `ListArc`. 160 ListLinks { 161 inner: Opaque::new(ListLinksFields { 162 prev: ptr::null_mut(), 163 next: ptr::null_mut(), 164 }), 165 } 166 } 167 168 /// # Safety 169 /// 170 /// `me` must be dereferenceable. 171 #[inline] 172 unsafe fn fields(me: *mut Self) -> *mut ListLinksFields { 173 // SAFETY: The caller promises that the pointer is valid. 174 unsafe { Opaque::raw_get(ptr::addr_of!((*me).inner)) } 175 } 176 177 /// # Safety 178 /// 179 /// `me` must be dereferenceable. 180 #[inline] 181 unsafe fn from_fields(me: *mut ListLinksFields) -> *mut Self { 182 me.cast() 183 } 184 } 185 186 impl<T: ?Sized + ListItem<ID>, const ID: u64> List<T, ID> { 187 /// Creates a new empty list. 188 pub const fn new() -> Self { 189 Self { 190 first: ptr::null_mut(), 191 _ty: PhantomData, 192 } 193 } 194 195 /// Returns whether this list is empty. 196 pub fn is_empty(&self) -> bool { 197 self.first.is_null() 198 } 199 200 /// Add the provided item to the back of the list. 201 pub fn push_back(&mut self, item: ListArc<T, ID>) { 202 let raw_item = ListArc::into_raw(item); 203 // SAFETY: 204 // * We just got `raw_item` from a `ListArc`, so it's in an `Arc`. 205 // * Since we have ownership of the `ListArc`, `post_remove` must have been called after 206 // the most recent call to `prepare_to_insert`, if any. 207 // * We own the `ListArc`. 208 // * Removing items from this list is always done using `remove_internal_inner`, which 209 // calls `post_remove` before giving up ownership. 210 let list_links = unsafe { T::prepare_to_insert(raw_item) }; 211 // SAFETY: We have not yet called `post_remove`, so `list_links` is still valid. 212 let item = unsafe { ListLinks::fields(list_links) }; 213 214 if self.first.is_null() { 215 self.first = item; 216 // SAFETY: The caller just gave us ownership of these fields. 217 // INVARIANT: A linked list with one item should be cyclic. 218 unsafe { 219 (*item).next = item; 220 (*item).prev = item; 221 } 222 } else { 223 let next = self.first; 224 // SAFETY: By the type invariant, this pointer is valid or null. We just checked that 225 // it's not null, so it must be valid. 226 let prev = unsafe { (*next).prev }; 227 // SAFETY: Pointers in a linked list are never dangling, and the caller just gave us 228 // ownership of the fields on `item`. 229 // INVARIANT: This correctly inserts `item` between `prev` and `next`. 230 unsafe { 231 (*item).next = next; 232 (*item).prev = prev; 233 (*prev).next = item; 234 (*next).prev = item; 235 } 236 } 237 } 238 239 /// Add the provided item to the front of the list. 240 pub fn push_front(&mut self, item: ListArc<T, ID>) { 241 let raw_item = ListArc::into_raw(item); 242 // SAFETY: 243 // * We just got `raw_item` from a `ListArc`, so it's in an `Arc`. 244 // * If this requirement is violated, then the previous caller of `prepare_to_insert` 245 // violated the safety requirement that they can't give up ownership of the `ListArc` 246 // until they call `post_remove`. 247 // * We own the `ListArc`. 248 // * Removing items] from this list is always done using `remove_internal_inner`, which 249 // calls `post_remove` before giving up ownership. 250 let list_links = unsafe { T::prepare_to_insert(raw_item) }; 251 // SAFETY: We have not yet called `post_remove`, so `list_links` is still valid. 252 let item = unsafe { ListLinks::fields(list_links) }; 253 254 if self.first.is_null() { 255 // SAFETY: The caller just gave us ownership of these fields. 256 // INVARIANT: A linked list with one item should be cyclic. 257 unsafe { 258 (*item).next = item; 259 (*item).prev = item; 260 } 261 } else { 262 let next = self.first; 263 // SAFETY: We just checked that `next` is non-null. 264 let prev = unsafe { (*next).prev }; 265 // SAFETY: Pointers in a linked list are never dangling, and the caller just gave us 266 // ownership of the fields on `item`. 267 // INVARIANT: This correctly inserts `item` between `prev` and `next`. 268 unsafe { 269 (*item).next = next; 270 (*item).prev = prev; 271 (*prev).next = item; 272 (*next).prev = item; 273 } 274 } 275 self.first = item; 276 } 277 278 /// Removes the last item from this list. 279 pub fn pop_back(&mut self) -> Option<ListArc<T, ID>> { 280 if self.first.is_null() { 281 return None; 282 } 283 284 // SAFETY: We just checked that the list is not empty. 285 let last = unsafe { (*self.first).prev }; 286 // SAFETY: The last item of this list is in this list. 287 Some(unsafe { self.remove_internal(last) }) 288 } 289 290 /// Removes the first item from this list. 291 pub fn pop_front(&mut self) -> Option<ListArc<T, ID>> { 292 if self.first.is_null() { 293 return None; 294 } 295 296 // SAFETY: The first item of this list is in this list. 297 Some(unsafe { self.remove_internal(self.first) }) 298 } 299 300 /// Removes the provided item from this list and returns it. 301 /// 302 /// This returns `None` if the item is not in the list. (Note that by the safety requirements, 303 /// this means that the item is not in any list.) 304 /// 305 /// # Safety 306 /// 307 /// `item` must not be in a different linked list (with the same id). 308 pub unsafe fn remove(&mut self, item: &T) -> Option<ListArc<T, ID>> { 309 let mut item = unsafe { ListLinks::fields(T::view_links(item)) }; 310 // SAFETY: The user provided a reference, and reference are never dangling. 311 // 312 // As for why this is not a data race, there are two cases: 313 // 314 // * If `item` is not in any list, then these fields are read-only and null. 315 // * If `item` is in this list, then we have exclusive access to these fields since we 316 // have a mutable reference to the list. 317 // 318 // In either case, there's no race. 319 let ListLinksFields { next, prev } = unsafe { *item }; 320 321 debug_assert_eq!(next.is_null(), prev.is_null()); 322 if !next.is_null() { 323 // This is really a no-op, but this ensures that `item` is a raw pointer that was 324 // obtained without going through a pointer->reference->pointer conversion roundtrip. 325 // This ensures that the list is valid under the more restrictive strict provenance 326 // ruleset. 327 // 328 // SAFETY: We just checked that `next` is not null, and it's not dangling by the 329 // list invariants. 330 unsafe { 331 debug_assert_eq!(item, (*next).prev); 332 item = (*next).prev; 333 } 334 335 // SAFETY: We just checked that `item` is in a list, so the caller guarantees that it 336 // is in this list. The pointers are in the right order. 337 Some(unsafe { self.remove_internal_inner(item, next, prev) }) 338 } else { 339 None 340 } 341 } 342 343 /// Removes the provided item from the list. 344 /// 345 /// # Safety 346 /// 347 /// `item` must point at an item in this list. 348 unsafe fn remove_internal(&mut self, item: *mut ListLinksFields) -> ListArc<T, ID> { 349 // SAFETY: The caller promises that this pointer is not dangling, and there's no data race 350 // since we have a mutable reference to the list containing `item`. 351 let ListLinksFields { next, prev } = unsafe { *item }; 352 // SAFETY: The pointers are ok and in the right order. 353 unsafe { self.remove_internal_inner(item, next, prev) } 354 } 355 356 /// Removes the provided item from the list. 357 /// 358 /// # Safety 359 /// 360 /// The `item` pointer must point at an item in this list, and we must have `(*item).next == 361 /// next` and `(*item).prev == prev`. 362 unsafe fn remove_internal_inner( 363 &mut self, 364 item: *mut ListLinksFields, 365 next: *mut ListLinksFields, 366 prev: *mut ListLinksFields, 367 ) -> ListArc<T, ID> { 368 // SAFETY: We have exclusive access to the pointers of items in the list, and the prev/next 369 // pointers are always valid for items in a list. 370 // 371 // INVARIANT: There are three cases: 372 // * If the list has at least three items, then after removing the item, `prev` and `next` 373 // will be next to each other. 374 // * If the list has two items, then the remaining item will point at itself. 375 // * If the list has one item, then `next == prev == item`, so these writes have no 376 // effect. The list remains unchanged and `item` is still in the list for now. 377 unsafe { 378 (*next).prev = prev; 379 (*prev).next = next; 380 } 381 // SAFETY: We have exclusive access to items in the list. 382 // INVARIANT: `item` is being removed, so the pointers should be null. 383 unsafe { 384 (*item).prev = ptr::null_mut(); 385 (*item).next = ptr::null_mut(); 386 } 387 // INVARIANT: There are three cases: 388 // * If `item` was not the first item, then `self.first` should remain unchanged. 389 // * If `item` was the first item and there is another item, then we just updated 390 // `prev->next` to `next`, which is the new first item, and setting `item->next` to null 391 // did not modify `prev->next`. 392 // * If `item` was the only item in the list, then `prev == item`, and we just set 393 // `item->next` to null, so this correctly sets `first` to null now that the list is 394 // empty. 395 if self.first == item { 396 // SAFETY: The `prev` pointer is the value that `item->prev` had when it was in this 397 // list, so it must be valid. There is no race since `prev` is still in the list and we 398 // still have exclusive access to the list. 399 self.first = unsafe { (*prev).next }; 400 } 401 402 // SAFETY: `item` used to be in the list, so it is dereferenceable by the type invariants 403 // of `List`. 404 let list_links = unsafe { ListLinks::from_fields(item) }; 405 // SAFETY: Any pointer in the list originates from a `prepare_to_insert` call. 406 let raw_item = unsafe { T::post_remove(list_links) }; 407 // SAFETY: The above call to `post_remove` guarantees that we can recreate the `ListArc`. 408 unsafe { ListArc::from_raw(raw_item) } 409 } 410 411 /// Moves all items from `other` into `self`. 412 /// 413 /// The items of `other` are added to the back of `self`, so the last item of `other` becomes 414 /// the last item of `self`. 415 pub fn push_all_back(&mut self, other: &mut List<T, ID>) { 416 // First, we insert the elements into `self`. At the end, we make `other` empty. 417 if self.is_empty() { 418 // INVARIANT: All of the elements in `other` become elements of `self`. 419 self.first = other.first; 420 } else if !other.is_empty() { 421 let other_first = other.first; 422 // SAFETY: The other list is not empty, so this pointer is valid. 423 let other_last = unsafe { (*other_first).prev }; 424 let self_first = self.first; 425 // SAFETY: The self list is not empty, so this pointer is valid. 426 let self_last = unsafe { (*self_first).prev }; 427 428 // SAFETY: We have exclusive access to both lists, so we can update the pointers. 429 // INVARIANT: This correctly sets the pointers to merge both lists. We do not need to 430 // update `self.first` because the first element of `self` does not change. 431 unsafe { 432 (*self_first).prev = other_last; 433 (*other_last).next = self_first; 434 (*self_last).next = other_first; 435 (*other_first).prev = self_last; 436 } 437 } 438 439 // INVARIANT: The other list is now empty, so update its pointer. 440 other.first = ptr::null_mut(); 441 } 442 443 /// Creates an iterator over the list. 444 pub fn iter(&self) -> Iter<'_, T, ID> { 445 // INVARIANT: If the list is empty, both pointers are null. Otherwise, both pointers point 446 // at the first element of the same list. 447 Iter { 448 current: self.first, 449 stop: self.first, 450 _ty: PhantomData, 451 } 452 } 453 } 454 455 impl<T: ?Sized + ListItem<ID>, const ID: u64> Default for List<T, ID> { 456 fn default() -> Self { 457 List::new() 458 } 459 } 460 461 impl<T: ?Sized + ListItem<ID>, const ID: u64> Drop for List<T, ID> { 462 fn drop(&mut self) { 463 while let Some(item) = self.pop_front() { 464 drop(item); 465 } 466 } 467 } 468 469 /// An iterator over a [`List`]. 470 /// 471 /// # Invariants 472 /// 473 /// * There must be a [`List`] that is immutably borrowed for the duration of `'a`. 474 /// * The `current` pointer is null or points at a value in that [`List`]. 475 /// * The `stop` pointer is equal to the `first` field of that [`List`]. 476 #[derive(Clone)] 477 pub struct Iter<'a, T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 478 current: *mut ListLinksFields, 479 stop: *mut ListLinksFields, 480 _ty: PhantomData<&'a ListArc<T, ID>>, 481 } 482 483 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> Iterator for Iter<'a, T, ID> { 484 type Item = ArcBorrow<'a, T>; 485 486 fn next(&mut self) -> Option<ArcBorrow<'a, T>> { 487 if self.current.is_null() { 488 return None; 489 } 490 491 let current = self.current; 492 493 // SAFETY: We just checked that `current` is not null, so it is in a list, and hence not 494 // dangling. There's no race because the iterator holds an immutable borrow to the list. 495 let next = unsafe { (*current).next }; 496 // INVARIANT: If `current` was the last element of the list, then this updates it to null. 497 // Otherwise, we update it to the next element. 498 self.current = if next != self.stop { 499 next 500 } else { 501 ptr::null_mut() 502 }; 503 504 // SAFETY: The `current` pointer points at a value in the list. 505 let item = unsafe { T::view_value(ListLinks::from_fields(current)) }; 506 // SAFETY: 507 // * All values in a list are stored in an `Arc`. 508 // * The value cannot be removed from the list for the duration of the lifetime annotated 509 // on the returned `ArcBorrow`, because removing it from the list would require mutable 510 // access to the list. However, the `ArcBorrow` is annotated with the iterator's 511 // lifetime, and the list is immutably borrowed for that lifetime. 512 // * Values in a list never have a `UniqueArc` reference. 513 Some(unsafe { ArcBorrow::from_raw(item) }) 514 } 515 } 516 517 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> FusedIterator for Iter<'a, T, ID> {} 518 519 impl<'a, T: ?Sized + ListItem<ID>, const ID: u64> IntoIterator for &'a List<T, ID> { 520 type IntoIter = Iter<'a, T, ID>; 521 type Item = ArcBorrow<'a, T>; 522 523 fn into_iter(self) -> Iter<'a, T, ID> { 524 self.iter() 525 } 526 } 527 528 /// An owning iterator into a [`List`]. 529 pub struct IntoIter<T: ?Sized + ListItem<ID>, const ID: u64 = 0> { 530 list: List<T, ID>, 531 } 532 533 impl<T: ?Sized + ListItem<ID>, const ID: u64> Iterator for IntoIter<T, ID> { 534 type Item = ListArc<T, ID>; 535 536 fn next(&mut self) -> Option<ListArc<T, ID>> { 537 self.list.pop_front() 538 } 539 } 540 541 impl<T: ?Sized + ListItem<ID>, const ID: u64> FusedIterator for IntoIter<T, ID> {} 542 543 impl<T: ?Sized + ListItem<ID>, const ID: u64> DoubleEndedIterator for IntoIter<T, ID> { 544 fn next_back(&mut self) -> Option<ListArc<T, ID>> { 545 self.list.pop_back() 546 } 547 } 548 549 impl<T: ?Sized + ListItem<ID>, const ID: u64> IntoIterator for List<T, ID> { 550 type IntoIter = IntoIter<T, ID>; 551 type Item = ListArc<T, ID>; 552 553 fn into_iter(self) -> IntoIter<T, ID> { 554 IntoIter { list: self } 555 } 556 } 557