2018-12-06 23:36:28 -05:00
|
|
|
//! ## `debug_assert!` for your memory usage
|
2018-11-10 21:59:39 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! This allocator is a helper for writing high-performance code that is memory-sensitive;
|
|
|
|
//! a thread panic will be triggered if a function annotated with `#[no_alloc]`,
|
|
|
|
//! or code inside an `assert_no_alloc!` macro interacts with the allocator in any way.
|
|
|
|
//! Wanton allocations and unforeseen drops no more - this library lets you focus on
|
|
|
|
//! writing code without worrying if Rust properly managed to inline the variable into the stack.
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! Now, an allocator blowing up in production is a scary thought; that's why QADAPT
|
|
|
|
//! is designed to strip its own code out whenever you're running with a release build.
|
|
|
|
//! Just like the [`debug_assert!` macro](https://doc.rust-lang.org/std/macro.debug_assert.html)
|
|
|
|
//! in Rust's standard library, it's safe to use without worrying about a unforeseen
|
|
|
|
//! circumstance causing your application to crash.
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! # Usage
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! Actually making use of QADAPT is straight-forward. To set up the allocator,
|
|
|
|
//! place the following snippet in either your program binaries (main.rs) or tests:
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! ```rust,ignore
|
|
|
|
//! use qadapt::QADAPT;
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! #[global_allocator]
|
|
|
|
//! static Q: QADAPT = QADAPT;
|
|
|
|
//! ```
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! After that, there are two ways of telling QADAPT that it should trigger a panic:
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! 1. Annotate functions with the `#[no_alloc]` proc macro:
|
|
|
|
//! ```rust,no_run
|
|
|
|
//! use qadapt::no_alloc;
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-15 15:50:48 -05:00
|
|
|
//! // This function is fine, there are no allocations here
|
2018-12-06 23:02:44 -05:00
|
|
|
//! #[no_alloc]
|
|
|
|
//! fn do_math() -> u8 {
|
|
|
|
//! 2 + 2
|
|
|
|
//! }
|
2018-12-15 15:50:48 -05:00
|
|
|
//!
|
|
|
|
//! // This function will trigger a panic when called
|
|
|
|
//! #[no_alloc]
|
|
|
|
//! fn does_panic() -> Box<u32> {
|
|
|
|
//! Box::new(5)
|
|
|
|
//! }
|
|
|
|
//!
|
|
|
|
//! fn main() {
|
|
|
|
//! do_math();
|
|
|
|
//! does_panic();
|
|
|
|
//! }
|
2018-12-06 23:02:44 -05:00
|
|
|
//! ```
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! 2. Evaluate expressions with the `assert_no_alloc!` macro
|
|
|
|
//! ```rust,no_run
|
|
|
|
//! use qadapt::assert_no_alloc;
|
2018-12-06 23:19:37 -05:00
|
|
|
//!
|
2018-12-06 23:02:44 -05:00
|
|
|
//! fn do_work() {
|
|
|
|
//! // This code is allowed to trigger an allocation
|
|
|
|
//! let b = Box::new(8);
|
|
|
|
//!
|
|
|
|
//! // This code would panic if an allocation occurred inside it
|
|
|
|
//! let x = assert_no_alloc!(*b + 2);
|
|
|
|
//! assert_eq!(x, 10);
|
|
|
|
//! }
|
2018-11-10 21:36:23 -05:00
|
|
|
#![deny(missing_docs)]
|
2018-12-06 22:12:21 -05:00
|
|
|
|
2018-11-10 21:54:13 -05:00
|
|
|
// thread_id is necessary because `std::thread::current()` panics if we have not yet
|
|
|
|
// allocated a `thread_local!{}` it depends on.
|
2018-12-06 22:12:21 -05:00
|
|
|
use thread_id;
|
2018-09-21 22:34:42 -04:00
|
|
|
|
2018-11-14 23:38:21 -05:00
|
|
|
// Re-export the proc macros to use by other code
|
|
|
|
pub use qadapt_macro::*;
|
|
|
|
|
2018-12-15 15:50:48 -05:00
|
|
|
use qadapt_spin::RwLock;
|
2018-11-05 21:58:33 -05:00
|
|
|
use std::alloc::GlobalAlloc;
|
2018-11-10 21:59:39 -05:00
|
|
|
use std::alloc::Layout;
|
2018-12-16 16:29:25 -05:00
|
|
|
use std::alloc::System;
|
2018-11-10 01:30:39 -05:00
|
|
|
use std::thread;
|
2018-09-21 22:34:42 -04:00
|
|
|
|
2018-11-10 01:30:39 -05:00
|
|
|
thread_local! {
|
2018-11-10 21:54:13 -05:00
|
|
|
static PROTECTION_LEVEL: RwLock<usize> = RwLock::new(0);
|
2018-11-10 01:30:39 -05:00
|
|
|
}
|
2018-09-23 12:37:07 -04:00
|
|
|
|
2018-12-08 18:05:46 -05:00
|
|
|
/// The QADAPT allocator itself
|
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// To make use of the allocator, include this code block in your program
|
|
|
|
/// binaries/tests:
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,ignore
|
|
|
|
/// use qadapt::QADAPT;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// #[global_allocator]
|
|
|
|
/// static Q: QADAPT = QADAPT;
|
|
|
|
/// ```
|
2018-11-05 21:58:33 -05:00
|
|
|
pub struct QADAPT;
|
2018-09-22 16:13:36 -04:00
|
|
|
|
2018-12-16 16:29:25 -05:00
|
|
|
static SYSTEM_ALLOC: System = System;
|
|
|
|
|
2018-11-10 21:36:23 -05:00
|
|
|
/// Let QADAPT know that we are now entering a protected region and that
|
|
|
|
/// panics should be triggered if allocations/drops happen while we are running.
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// **Example**:
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,no_run
|
|
|
|
/// use qadapt::enter_protected;
|
2018-12-08 16:08:36 -05:00
|
|
|
/// use qadapt::exit_protected;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn main() {
|
|
|
|
/// // Force an allocation by using a Box
|
|
|
|
/// let x = Box::new(2);
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// enter_protected();
|
|
|
|
/// // We're now in a memory-protected region - allocations and drops
|
|
|
|
/// // here will trigger thread panic
|
|
|
|
/// let y = *x * 4;
|
|
|
|
/// exit_protected();
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// // It's now safe to allocate/drop again
|
|
|
|
/// let z = Box::new(y);
|
|
|
|
/// }
|
2018-11-10 01:30:39 -05:00
|
|
|
pub fn enter_protected() {
|
2018-11-18 21:29:32 -05:00
|
|
|
#[cfg(debug_assertions)]
|
|
|
|
{
|
|
|
|
if thread::panicking() {
|
|
|
|
return;
|
|
|
|
}
|
2018-11-06 20:51:44 -05:00
|
|
|
|
2018-12-06 22:14:43 -05:00
|
|
|
if !*IS_ACTIVE.read() {
|
2018-12-06 23:02:44 -05:00
|
|
|
panic!("QADAPT not initialized when using allocation guards; please verify `#[global_allocator]` is set!");
|
2018-11-22 11:19:31 -05:00
|
|
|
}
|
|
|
|
|
2018-11-18 21:29:32 -05:00
|
|
|
PROTECTION_LEVEL
|
|
|
|
.try_with(|v| {
|
|
|
|
*v.write() += 1;
|
|
|
|
})
|
|
|
|
.unwrap_or_else(|_e| ());
|
|
|
|
}
|
2018-09-21 22:34:42 -04:00
|
|
|
}
|
|
|
|
|
2018-11-10 21:36:23 -05:00
|
|
|
/// Let QADAPT know that we are exiting a protected region. Will panic
|
|
|
|
/// if we attempt to [`exit_protected`] more times than we [`enter_protected`].
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// **Example**:
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,no_run
|
|
|
|
/// use qadapt::enter_protected;
|
2018-12-08 16:08:36 -05:00
|
|
|
/// use qadapt::exit_protected;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn main() {
|
|
|
|
/// // Force an allocation by using a Box
|
|
|
|
/// let x = Box::new(2);
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// enter_protected();
|
|
|
|
/// // We're now in a memory-protected region - allocations and drops
|
|
|
|
/// // here will trigger thread panic
|
|
|
|
/// let y = *x * 4;
|
|
|
|
/// exit_protected();
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// // It's now safe to allocate/drop again
|
|
|
|
/// let z = Box::new(y);
|
|
|
|
/// }
|
2018-11-10 01:30:39 -05:00
|
|
|
pub fn exit_protected() {
|
2018-11-18 21:29:32 -05:00
|
|
|
#[cfg(debug_assertions)]
|
|
|
|
{
|
|
|
|
if thread::panicking() {
|
|
|
|
return;
|
|
|
|
}
|
2018-11-10 01:30:39 -05:00
|
|
|
|
2018-11-18 21:29:32 -05:00
|
|
|
PROTECTION_LEVEL
|
|
|
|
.try_with(|v| {
|
|
|
|
let val = { *v.read() };
|
|
|
|
match val {
|
|
|
|
v if v == 0 => panic!("Attempt to exit protected too many times"),
|
|
|
|
_ => {
|
|
|
|
*v.write() -= 1;
|
|
|
|
}
|
2018-11-10 21:59:39 -05:00
|
|
|
}
|
2018-11-18 21:29:32 -05:00
|
|
|
})
|
|
|
|
.unwrap_or_else(|_e| ());
|
|
|
|
}
|
2018-09-22 17:26:52 -04:00
|
|
|
}
|
|
|
|
|
2018-12-06 23:05:14 -05:00
|
|
|
/// Get the result of an expression, guaranteeing that no memory accesses occur
|
2018-12-06 23:02:44 -05:00
|
|
|
/// during its evaluation.
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// **Example**:
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,no_run
|
|
|
|
/// use qadapt::assert_no_alloc;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn main() {
|
|
|
|
/// assert_no_alloc!(2 + 2);
|
|
|
|
/// }
|
|
|
|
/// ```
|
2018-12-06 23:19:37 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// **Warning**: Unexpected behavior will occur when using the `return` keyword.
|
|
|
|
/// Because QADAPT doesn't have an opportunity to clean up, there may be a panic
|
|
|
|
/// in code that was not intended to be allocation-free. The compiler will warn you
|
|
|
|
/// that there is an unreachable statement if this happens.
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,no_run
|
|
|
|
/// use qadapt::assert_no_alloc;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn early_return() -> usize {
|
|
|
|
/// assert_no_alloc!(return 8);
|
|
|
|
/// }
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn main() {
|
|
|
|
/// let x = early_return();
|
|
|
|
///
|
|
|
|
/// // This triggers a panic - `Box::new` forces an allocation,
|
|
|
|
/// // and QADAPT still thinks we're in a protected region because
|
|
|
|
/// // of a return in the `early_return()` function
|
|
|
|
/// let b = Box::new(x);
|
|
|
|
/// }
|
2018-12-06 23:02:44 -05:00
|
|
|
#[macro_export]
|
|
|
|
macro_rules! assert_no_alloc {
|
|
|
|
($e:expr) => {{
|
|
|
|
::qadapt::enter_protected();
|
|
|
|
let e = { $e };
|
|
|
|
::qadapt::exit_protected();
|
|
|
|
e
|
|
|
|
}};
|
|
|
|
}
|
|
|
|
|
2018-11-22 11:19:31 -05:00
|
|
|
static IS_ACTIVE: RwLock<bool> = RwLock::new(false);
|
2018-11-10 21:54:13 -05:00
|
|
|
static INTERNAL_ALLOCATION: RwLock<usize> = RwLock::new(usize::max_value());
|
2018-11-10 20:54:35 -05:00
|
|
|
|
2018-11-11 22:22:24 -05:00
|
|
|
/// Get the current "protection level" in QADAPT: calls to enter_protected() - exit_protected()
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// **Example**:
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// ```rust,no_run
|
|
|
|
/// use qadapt::enter_protected;
|
|
|
|
/// use qadapt::exit_protected;
|
|
|
|
/// use qadapt::protection_level;
|
2018-12-08 18:05:46 -05:00
|
|
|
///
|
2018-12-07 00:15:41 -05:00
|
|
|
/// fn main() {
|
|
|
|
/// enter_protected();
|
|
|
|
/// // We're now in an allocation-protected code region
|
|
|
|
/// assert_eq!(1, protection_level());
|
|
|
|
///
|
|
|
|
/// enter_protected();
|
|
|
|
/// // We're still memory protected, but we'll now need to exit twice to be safe
|
|
|
|
/// assert_eq!(2, protection_level());
|
|
|
|
/// exit_protected();
|
|
|
|
/// exit_protected();
|
|
|
|
///
|
|
|
|
/// // It's now safe to allocate/drop
|
|
|
|
/// }
|
2018-11-11 22:22:24 -05:00
|
|
|
pub fn protection_level() -> usize {
|
2018-12-06 23:02:44 -05:00
|
|
|
if cfg!(debug_assertions) {
|
2018-11-18 21:29:32 -05:00
|
|
|
PROTECTION_LEVEL.try_with(|v| *v.read()).unwrap_or(0)
|
2018-12-06 23:02:44 -05:00
|
|
|
} else {
|
2018-11-18 21:29:32 -05:00
|
|
|
0
|
|
|
|
}
|
2018-11-11 22:22:24 -05:00
|
|
|
}
|
|
|
|
|
2018-11-10 22:01:41 -05:00
|
|
|
fn claim_internal_alloc() {
|
2018-11-10 20:54:35 -05:00
|
|
|
loop {
|
|
|
|
match INTERNAL_ALLOCATION.write() {
|
2018-11-10 21:54:13 -05:00
|
|
|
ref mut lock if **lock == usize::max_value() => {
|
|
|
|
**lock = thread_id::get();
|
2018-11-10 21:59:39 -05:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
_ => (),
|
2018-11-10 20:54:35 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-10 22:01:41 -05:00
|
|
|
fn release_internal_alloc() {
|
2018-11-10 20:54:35 -05:00
|
|
|
match INTERNAL_ALLOCATION.write() {
|
2018-11-10 21:54:13 -05:00
|
|
|
ref mut lock if **lock == thread_id::get() => **lock = usize::max_value(),
|
2018-11-10 21:59:39 -05:00
|
|
|
_ => panic!("Internal allocation tracking error"),
|
2018-11-10 20:54:35 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-10 22:01:41 -05:00
|
|
|
fn alloc_immediate() -> bool {
|
2018-11-10 21:54:13 -05:00
|
|
|
thread::panicking() || *INTERNAL_ALLOCATION.read() == thread_id::get()
|
2018-11-10 20:54:35 -05:00
|
|
|
}
|
|
|
|
|
2018-09-21 22:34:42 -04:00
|
|
|
unsafe impl GlobalAlloc for QADAPT {
|
|
|
|
unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
|
2018-12-06 22:14:43 -05:00
|
|
|
if !*IS_ACTIVE.read() {
|
2018-11-22 11:19:31 -05:00
|
|
|
*IS_ACTIVE.write() = true;
|
|
|
|
}
|
|
|
|
|
2018-11-10 01:30:39 -05:00
|
|
|
// If we're attempting to allocate our PROTECTION_LEVEL thread local,
|
|
|
|
// just allow it through
|
2018-11-10 20:54:35 -05:00
|
|
|
if alloc_immediate() {
|
2018-12-16 16:29:25 -05:00
|
|
|
return SYSTEM_ALLOC.alloc(layout);
|
2018-11-10 01:30:39 -05:00
|
|
|
}
|
2018-11-05 21:58:33 -05:00
|
|
|
|
2018-11-10 21:59:39 -05:00
|
|
|
// Because accessing PROTECTION_LEVEL has the potential to trigger an allocation,
|
2018-12-06 23:02:44 -05:00
|
|
|
// we need to acquire the INTERNAL_ALLOCATION lock for our thread.
|
2018-11-10 20:54:35 -05:00
|
|
|
claim_internal_alloc();
|
2018-11-10 21:59:39 -05:00
|
|
|
let protection_level: Result<usize, ()> =
|
|
|
|
PROTECTION_LEVEL.try_with(|v| *v.read()).or(Ok(0));
|
2018-11-10 20:54:35 -05:00
|
|
|
release_internal_alloc();
|
2018-11-05 21:58:33 -05:00
|
|
|
|
2018-11-10 01:30:39 -05:00
|
|
|
match protection_level {
|
2018-12-16 16:29:25 -05:00
|
|
|
Ok(v) if v == 0 => SYSTEM_ALLOC.alloc(layout),
|
2018-11-10 01:30:39 -05:00
|
|
|
Ok(v) => {
|
2018-11-10 21:54:13 -05:00
|
|
|
// Tripped a bad allocation, but make sure further memory access during unwind
|
2018-11-10 01:30:39 -05:00
|
|
|
// doesn't have issues
|
2018-11-10 20:54:35 -05:00
|
|
|
PROTECTION_LEVEL.with(|v| *v.write() = 0);
|
2018-11-10 21:59:39 -05:00
|
|
|
panic!(
|
|
|
|
"Unexpected allocation for size {}, protection level: {}",
|
|
|
|
layout.size(),
|
|
|
|
v
|
|
|
|
)
|
|
|
|
}
|
|
|
|
Err(_) => unreachable!(),
|
2018-09-22 16:13:36 -04:00
|
|
|
}
|
2018-09-21 22:34:42 -04:00
|
|
|
}
|
|
|
|
|
2018-11-15 20:16:49 -05:00
|
|
|
unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {
|
2018-11-10 20:54:35 -05:00
|
|
|
if alloc_immediate() {
|
2018-12-16 16:29:25 -05:00
|
|
|
return SYSTEM_ALLOC.dealloc(ptr, layout);
|
2018-11-10 01:30:39 -05:00
|
|
|
}
|
2018-09-22 17:26:52 -04:00
|
|
|
|
2018-11-10 20:54:35 -05:00
|
|
|
claim_internal_alloc();
|
2018-11-10 21:59:39 -05:00
|
|
|
let protection_level: Result<usize, ()> =
|
|
|
|
PROTECTION_LEVEL.try_with(|v| *v.read()).or(Ok(0));
|
2018-11-10 20:54:35 -05:00
|
|
|
release_internal_alloc();
|
2018-09-22 17:26:52 -04:00
|
|
|
|
2018-11-10 21:54:13 -05:00
|
|
|
// Free before checking panic to make sure we avoid leaks
|
2018-12-16 16:29:25 -05:00
|
|
|
SYSTEM_ALLOC.dealloc(ptr, layout);
|
2018-11-10 01:30:39 -05:00
|
|
|
match protection_level {
|
|
|
|
Ok(v) if v > 0 => {
|
2018-12-06 23:02:44 -05:00
|
|
|
// Tripped a bad drop, but make sure further memory access during unwind
|
2018-11-10 01:30:39 -05:00
|
|
|
// doesn't have issues
|
2018-11-10 20:54:35 -05:00
|
|
|
PROTECTION_LEVEL.with(|v| *v.write() = 0);
|
2018-11-10 21:59:39 -05:00
|
|
|
panic!(
|
|
|
|
"Unexpected deallocation for size {}, protection level: {}",
|
|
|
|
layout.size(),
|
|
|
|
v
|
|
|
|
)
|
|
|
|
}
|
|
|
|
_ => (),
|
2018-09-23 12:37:07 -04:00
|
|
|
}
|
2018-09-21 22:34:42 -04:00
|
|
|
}
|
|
|
|
}
|