mirror of
https://github.com/trezor/trezor-firmware.git
synced 2025-01-25 14:50:57 +00:00
refactor(core/rust): more explicit buffer semantics, StrBuffer::alloc
[no changelog]
This commit is contained in:
parent
5a2e831214
commit
7ba7eff118
@ -1,152 +1,65 @@
|
||||
use core::{
|
||||
convert::TryFrom,
|
||||
ops::{Deref, DerefMut},
|
||||
ptr, slice, str,
|
||||
};
|
||||
use core::{convert::TryFrom, ops::Deref, ptr, slice, str};
|
||||
|
||||
use crate::{error::Error, micropython::obj::Obj};
|
||||
|
||||
use super::ffi;
|
||||
|
||||
/// Represents an immutable slice of bytes stored on the MicroPython heap and
|
||||
/// owned by values that obey the `MP_BUFFER_READ` buffer protocol, such as
|
||||
/// `bytes`, `str`, `bytearray` or `memoryview`.
|
||||
/// Represents an immutable UTF-8 string managed by MicroPython GC.
|
||||
/// This either means static data, or a valid GC object.
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// In most cases, it is unsound to store `Buffer` values in a GC-unreachable
|
||||
/// location, such as static data. It is also unsound to let the contents be
|
||||
/// modified while a reference to them is being held.
|
||||
pub struct Buffer {
|
||||
/// We assume that MicroPython is handling strings according to Python
|
||||
/// semantics, i.e., that string data is immutable.
|
||||
/// Furthermore, we assume that string data is always either static or a GC head
|
||||
/// pointer, i.e., we can never obtain a pointer into the middle of a GC string.
|
||||
///
|
||||
/// Given the above assumptions about MicroPython strings, working with
|
||||
/// StrBuffers in Rust is safe.
|
||||
pub struct StrBuffer {
|
||||
ptr: *const u8,
|
||||
len: usize,
|
||||
}
|
||||
|
||||
impl Buffer {
|
||||
pub fn empty() -> Self {
|
||||
Self::from(b"")
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<Obj> for Buffer {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(obj: Obj) -> Result<Self, Self::Error> {
|
||||
let bufinfo = get_buffer_info(obj, ffi::MP_BUFFER_READ)?;
|
||||
|
||||
Ok(Self {
|
||||
ptr: bufinfo.buf as _,
|
||||
len: bufinfo.len as _,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl Default for Buffer {
|
||||
fn default() -> Self {
|
||||
Self::empty()
|
||||
}
|
||||
}
|
||||
|
||||
impl Deref for Buffer {
|
||||
type Target = [u8];
|
||||
|
||||
fn deref(&self) -> &Self::Target {
|
||||
self.as_ref()
|
||||
}
|
||||
}
|
||||
|
||||
impl AsRef<[u8]> for Buffer {
|
||||
fn as_ref(&self) -> &[u8] {
|
||||
buffer_as_ref(self.ptr, self.len)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<&'static [u8]> for Buffer {
|
||||
fn from(val: &'static [u8]) -> Self {
|
||||
Buffer {
|
||||
ptr: val.as_ptr(),
|
||||
len: val.len(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl<const N: usize> From<&'static [u8; N]> for Buffer {
|
||||
fn from(val: &'static [u8; N]) -> Self {
|
||||
Buffer {
|
||||
ptr: val.as_ptr(),
|
||||
len: val.len(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Represents a mutable slice of bytes stored on the MicroPython heap and
|
||||
/// owned by values that obey the `MP_BUFFER_WRITE` buffer protocol, such as
|
||||
/// `bytearray` or `memoryview`.
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// In most cases, it is unsound to store `Buffer` values in a GC-unreachable
|
||||
/// location, such as static data. It is also unsound to let the contents be
|
||||
/// modified while the reference to them is being held.
|
||||
pub struct BufferMut {
|
||||
ptr: *mut u8,
|
||||
len: usize,
|
||||
}
|
||||
|
||||
impl TryFrom<Obj> for BufferMut {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(obj: Obj) -> Result<Self, Self::Error> {
|
||||
let bufinfo = get_buffer_info(obj, ffi::MP_BUFFER_WRITE)?;
|
||||
|
||||
Ok(Self {
|
||||
ptr: bufinfo.buf as _,
|
||||
len: bufinfo.len as _,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl Deref for BufferMut {
|
||||
type Target = [u8];
|
||||
|
||||
fn deref(&self) -> &Self::Target {
|
||||
self.as_ref()
|
||||
}
|
||||
}
|
||||
|
||||
impl DerefMut for BufferMut {
|
||||
fn deref_mut(&mut self) -> &mut Self::Target {
|
||||
self.as_mut()
|
||||
}
|
||||
}
|
||||
|
||||
impl AsRef<[u8]> for BufferMut {
|
||||
fn as_ref(&self) -> &[u8] {
|
||||
buffer_as_ref(self.ptr, self.len)
|
||||
}
|
||||
}
|
||||
|
||||
impl AsMut<[u8]> for BufferMut {
|
||||
fn as_mut(&mut self) -> &mut [u8] {
|
||||
buffer_as_mut(self.ptr, self.len)
|
||||
}
|
||||
}
|
||||
|
||||
/// Represents an immutable UTF-8 string stored on the MicroPython heap and
|
||||
/// owned by a `str` object.
|
||||
///
|
||||
/// # Safety
|
||||
///
|
||||
/// In most cases, it is unsound to store `StrBuffer` values in a GC-unreachable
|
||||
/// location, such as static data. It is also unsound to let the contents be
|
||||
/// modified while a reference to them is being held.
|
||||
#[derive(Default)]
|
||||
pub struct StrBuffer(Buffer);
|
||||
|
||||
impl StrBuffer {
|
||||
pub fn empty() -> Self {
|
||||
Self::from("")
|
||||
}
|
||||
|
||||
pub fn alloc(val: &str) -> Result<Self, Error> {
|
||||
// SAFETY:
|
||||
// We assume that if `gc_alloc` returns successfully, the result is a valid
|
||||
// pointer to GC-controlled memory of at least `val.len() + 1` bytes.
|
||||
unsafe {
|
||||
let raw = ffi::gc_alloc(val.len() + 1, 0) as *mut u8;
|
||||
if raw.is_null() {
|
||||
return Err(Error::AllocationFailed);
|
||||
}
|
||||
// SAFETY: Memory should be freshly allocated and as such cannot overlap.
|
||||
ptr::copy_nonoverlapping(val.as_ptr(), raw, val.len());
|
||||
// Null-terminate the string for C ASCIIZ compatibility. This will not be
|
||||
// reflected in Rust-visible slice, the zero byte is after the end.
|
||||
raw.add(val.len()).write(0);
|
||||
Ok(Self {
|
||||
ptr: raw,
|
||||
len: val.len(),
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
fn as_bytes(&self) -> &[u8] {
|
||||
if self.ptr.is_null() {
|
||||
&[]
|
||||
} else {
|
||||
unsafe { slice::from_raw_parts(self.ptr, self.len) }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Default for StrBuffer {
|
||||
fn default() -> Self {
|
||||
Self::empty()
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<Obj> for StrBuffer {
|
||||
@ -154,7 +67,21 @@ impl TryFrom<Obj> for StrBuffer {
|
||||
|
||||
fn try_from(obj: Obj) -> Result<Self, Self::Error> {
|
||||
if obj.is_qstr() || unsafe { ffi::mp_type_str.is_type_of(obj) } {
|
||||
Ok(Self(Buffer::try_from(obj)?))
|
||||
let bufinfo = get_buffer_info(obj, ffi::MP_BUFFER_READ)?;
|
||||
let new = Self {
|
||||
ptr: bufinfo.buf as _,
|
||||
len: bufinfo.len as _,
|
||||
};
|
||||
|
||||
// MicroPython _should_ ensure that values of type `str` are UTF-8.
|
||||
// Rust seems to be stricter in what it considers UTF-8 though.
|
||||
// If there is a mismatch, we return an error.
|
||||
let bytes = new.as_bytes();
|
||||
if str::from_utf8(bytes).is_err() {
|
||||
return Err(Error::TypeError);
|
||||
}
|
||||
|
||||
Ok(new)
|
||||
} else {
|
||||
Err(Error::TypeError)
|
||||
}
|
||||
@ -171,17 +98,21 @@ impl Deref for StrBuffer {
|
||||
|
||||
impl AsRef<str> for StrBuffer {
|
||||
fn as_ref(&self) -> &str {
|
||||
// MicroPython _should_ ensure that values of type `str` are UTF-8.
|
||||
// Rust seems to be stricter in what it considers UTF-8 though.
|
||||
// In case there's a mismatch, this code will cleanly panic
|
||||
// before attempting to use the data.
|
||||
unwrap!(str::from_utf8(self.0.as_ref()), "Invalid internal UTF-8.")
|
||||
// SAFETY:
|
||||
// - If constructed from a Rust `&str`, this is safe.
|
||||
// - If constructed from a MicroPython string, we check validity of UTF-8 at
|
||||
// construction time. Python semantics promise not to mutate the underlying
|
||||
// data from under us.
|
||||
unsafe { str::from_utf8_unchecked(self.as_bytes()) }
|
||||
}
|
||||
}
|
||||
|
||||
impl From<&'static str> for StrBuffer {
|
||||
fn from(val: &'static str) -> Self {
|
||||
Self(Buffer::from(val.as_bytes()))
|
||||
Self {
|
||||
ptr: val.as_ptr(),
|
||||
len: val.len(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -192,9 +123,7 @@ fn get_buffer_info(obj: Obj, flags: u32) -> Result<ffi::mp_buffer_info_t, Error>
|
||||
typecode: 0,
|
||||
};
|
||||
// SAFETY: We assume that if `ffi::mp_get_buffer` returns successfully,
|
||||
// `bufinfo.buf` contains a pointer to data of `bufinfo.len` bytes. Later
|
||||
// we consider this data either GC-allocated or effectively `'static`, embedding
|
||||
// them in `Buffer`/`BufferMut`.
|
||||
// `bufinfo.buf` contains a pointer to data of `bufinfo.len` bytes.
|
||||
// EXCEPTION: Does not raise for Micropython's builtin types, and we don't
|
||||
// implement custom buffer protocols.
|
||||
if unsafe { ffi::mp_get_buffer(obj, &mut bufinfo, flags as _) } {
|
||||
@ -204,36 +133,53 @@ fn get_buffer_info(obj: Obj, flags: u32) -> Result<ffi::mp_buffer_info_t, Error>
|
||||
}
|
||||
}
|
||||
|
||||
fn buffer_as_ref<'a>(ptr: *const u8, len: usize) -> &'a [u8] {
|
||||
if ptr.is_null() {
|
||||
// `ptr` can be null if len == 0.
|
||||
&[]
|
||||
/// Get an immutable reference to a buffer from a MicroPython object.
|
||||
///
|
||||
/// SAFETY:
|
||||
/// The caller is responsible for ensuring immutability of the returned buffer,
|
||||
/// in particular that:
|
||||
/// (a) no mutable reference to the same buffer is held at the same time,
|
||||
/// (b) the buffer is not modified in MicroPython while the reference to it is
|
||||
/// being held.
|
||||
pub unsafe fn get_buffer<'a>(obj: Obj) -> Result<&'a [u8], Error> {
|
||||
let bufinfo = get_buffer_info(obj, ffi::MP_BUFFER_READ)?;
|
||||
|
||||
if bufinfo.buf.is_null() {
|
||||
// `bufinfo.buf` can be null if len == 0.
|
||||
Ok(&[])
|
||||
} else {
|
||||
// SAFETY: We assume that `ptr` is pointing to memory:
|
||||
// - without any mutable references,
|
||||
// - valid and immutable in `'a`,
|
||||
// - of at least `len` bytes.
|
||||
unsafe { slice::from_raw_parts(ptr, len) }
|
||||
// SAFETY: We assume that `bufinfo.buf` is pointing to memory:
|
||||
// - valid in `'a`
|
||||
// - of at least `bufinfo.len` bytes
|
||||
// The caller is responsible for ensuring that:
|
||||
// - there are no mutable references
|
||||
// - that the buffer is immutable in `'a`
|
||||
Ok(unsafe { slice::from_raw_parts(bufinfo.buf as _, bufinfo.len) })
|
||||
}
|
||||
}
|
||||
|
||||
fn buffer_as_mut<'a>(ptr: *mut u8, len: usize) -> &'a mut [u8] {
|
||||
if ptr.is_null() {
|
||||
// `ptr` can be null if len == 0.
|
||||
&mut []
|
||||
/// Get a mutable reference to a buffer from a MicroPython object.
|
||||
///
|
||||
/// SAFETY:
|
||||
/// The caller is responsible for ensuring uniqueness of the mutable reference,
|
||||
/// in particular that:
|
||||
/// (a) no other reference to the same buffer is held at the same time,
|
||||
/// (b) the buffer is not modified in MicroPython while the reference to it is
|
||||
/// being held.
|
||||
pub unsafe fn get_buffer_mut<'a>(obj: Obj) -> Result<&'a mut [u8], Error> {
|
||||
let bufinfo = get_buffer_info(obj, ffi::MP_BUFFER_WRITE)?;
|
||||
|
||||
if bufinfo.buf.is_null() {
|
||||
// `bufinfo.buf` can be null if len == 0.
|
||||
Ok(&mut [])
|
||||
} else {
|
||||
// SAFETY: We assume that `ptr` is pointing to memory:
|
||||
// - without any mutable references,
|
||||
// SAFETY: We assume that `bufinfo.buf` is pointing to memory:
|
||||
// - valid and mutable in `'a`,
|
||||
// - of at least `len` bytes.
|
||||
unsafe { slice::from_raw_parts_mut(ptr, len) }
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(feature = "ui_debug")]
|
||||
impl crate::trace::Trace for Buffer {
|
||||
fn trace(&self, t: &mut dyn crate::trace::Tracer) {
|
||||
self.as_ref().trace(t)
|
||||
// - of at least `bufinfo.len` bytes.
|
||||
// The caller is responsible for ensuring that:
|
||||
// - there are no other references
|
||||
// - the buffer is not mutated outside of Rust's control.
|
||||
Ok(unsafe { slice::from_raw_parts_mut(bufinfo.buf as _, bufinfo.len) })
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -5,7 +5,7 @@ use core::{
|
||||
|
||||
use crate::{
|
||||
error::Error,
|
||||
micropython::{buffer::Buffer, gc::Gc, list::List, map::Map, obj::Obj, qstr::Qstr, util},
|
||||
micropython::{buffer, gc::Gc, list::List, map::Map, obj::Obj, qstr::Qstr, util},
|
||||
};
|
||||
|
||||
use super::{
|
||||
@ -40,7 +40,6 @@ pub extern "C" fn protobuf_type_for_wire(wire_id: Obj) -> Obj {
|
||||
#[no_mangle]
|
||||
pub extern "C" fn protobuf_decode(buf: Obj, msg_def: Obj, enable_experimental: Obj) -> Obj {
|
||||
let block = || {
|
||||
let buf = Buffer::try_from(buf)?;
|
||||
let def = Gc::<MsgDefObj>::try_from(msg_def)?;
|
||||
let enable_experimental = bool::try_from(enable_experimental)?;
|
||||
|
||||
@ -52,7 +51,11 @@ pub extern "C" fn protobuf_decode(buf: Obj, msg_def: Obj, enable_experimental: O
|
||||
return Err(error::experimental_not_enabled());
|
||||
}
|
||||
|
||||
let stream = &mut InputStream::new(&buf);
|
||||
// SAFETY:
|
||||
// We assume that for the lifetime of `buf`, no MicroPython code can run that
|
||||
// would mutate the buffer, nor pass it to another Rust function.
|
||||
let buf = unsafe { buffer::get_buffer(buf) }?;
|
||||
let stream = &mut InputStream::new(buf);
|
||||
let decoder = Decoder {
|
||||
enable_experimental,
|
||||
};
|
||||
|
@ -3,7 +3,7 @@ use core::convert::{TryFrom, TryInto};
|
||||
use crate::{
|
||||
error::Error,
|
||||
micropython::{
|
||||
buffer::{Buffer, BufferMut},
|
||||
buffer,
|
||||
gc::Gc,
|
||||
iter::{Iter, IterBuf},
|
||||
list::List,
|
||||
@ -36,10 +36,13 @@ pub extern "C" fn protobuf_encode(buf: Obj, obj: Obj) -> Obj {
|
||||
let block = || {
|
||||
let obj = Gc::<MsgObj>::try_from(obj)?;
|
||||
|
||||
// We assume there are no other refs into `buf` at this point. This specifically
|
||||
// means that no fields of `obj` should reference `buf` memory.
|
||||
let buf = &mut BufferMut::try_from(buf)?;
|
||||
let stream = &mut BufferStream::new(buf.as_mut());
|
||||
// SAFETY:
|
||||
// We assume that:
|
||||
// - there are no other refs into `buf` at this point. This specifically means
|
||||
// that no fields of `obj` should reference `buf` memory.
|
||||
// - for the lifetime of `buf`, no Python code will mutate the contents.
|
||||
let buf = unsafe { buffer::get_buffer_mut(buf)? };
|
||||
let stream = &mut BufferStream::new(buf);
|
||||
|
||||
Encoder.encode_message(stream, &obj.def(), &obj)?;
|
||||
|
||||
@ -125,7 +128,8 @@ impl Encoder {
|
||||
let mut len = 0;
|
||||
let iter = Iter::try_from_obj_with_buf(value, &mut iter_buf)?;
|
||||
for value in iter {
|
||||
let buffer = Buffer::try_from(value)?;
|
||||
// SAFETY: buffer is dropped immediately.
|
||||
let buffer = unsafe { buffer::get_buffer(value) }?;
|
||||
len += buffer.len();
|
||||
}
|
||||
stream.write_uvarint(len as u64)?;
|
||||
@ -133,14 +137,16 @@ impl Encoder {
|
||||
// Serialize the buffers one-by-one.
|
||||
let iter = Iter::try_from_obj_with_buf(value, &mut iter_buf)?;
|
||||
for value in iter {
|
||||
let buffer = Buffer::try_from(value)?;
|
||||
stream.write(&buffer)?;
|
||||
// SAFETY: buffer is dropped immediately.
|
||||
let buffer = unsafe { buffer::get_buffer(value) }?;
|
||||
stream.write(buffer)?;
|
||||
}
|
||||
} else {
|
||||
// Single length-delimited field.
|
||||
let buffer = Buffer::try_from(value)?;
|
||||
// SAFETY: buffer is dropped immediately.
|
||||
let buffer = unsafe { buffer::get_buffer(value) }?;
|
||||
stream.write_uvarint(buffer.len() as u64)?;
|
||||
stream.write(&buffer)?;
|
||||
stream.write(buffer)?;
|
||||
}
|
||||
}
|
||||
FieldType::Msg(msg_type) => {
|
||||
|
Loading…
Reference in New Issue
Block a user