From: ojeda@kernel.org
To: Miguel Ojeda, Wedson Almeida Filho, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev
Subject: [PATCH v2 21/28] rust: str: add `CString` type
Date: Fri, 2 Dec 2022 17:14:52 +0100
Message-Id: <20221202161502.385525-22-ojeda@kernel.org>
In-Reply-To: <20221202161502.385525-1-ojeda@kernel.org>
References: <20221202161502.385525-1-ojeda@kernel.org>

From: Wedson Almeida Filho

Add the `CString` type, which is an owned string that is guaranteed to have exactly one `NUL` byte at the end, i.e. the owned equivalent to `CStr` introduced earlier. It is used for interoperability with kernel APIs that take C strings.

In order to do so, implement the `RawFormatter::new()` constructor and the `RawFormatter::bytes_written()` method as well.

Signed-off-by: Wedson Almeida Filho
[Reworded, adapted for upstream and applied latest changes]
Signed-off-by: Miguel Ojeda
---
 rust/kernel/str.rs | 91 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 2 deletions(-)

diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
index ce207d1b3d2a..17dc8d273302 100644
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -2,6 +2,7 @@ //! String representations. +use alloc::vec::Vec; use core::fmt::{self, Write}; use core::ops::{self, Deref, Index};
@@ -384,13 +385,22 @@ mod tests { /// is less than `end`. pub(crate) struct RawFormatter { // Use `usize` to use `saturating_*` functions. - #[allow(dead_code)] beg: usize, pos: usize, end: usize, } impl RawFormatter { + /// Creates a new instance of [`RawFormatter`] with an empty buffer. + fn new() -> Self { + // INVARIANT: The buffer is empty, so the region that needs to be writable is empty. + Self { + beg: 0, + pos: 0, + end: 0, + } + } + /// Creates a new instance of [`RawFormatter`] with the given buffer pointers. /// /// # Safety @@ -429,6 +439,11 @@ impl RawFormatter { pub(crate) fn pos(&self) -> *mut u8 { self.pos as _ } + + /// Return the number of bytes written to the formatter. + pub(crate) fn bytes_written(&self) -> usize { + self.pos - self.beg + } } impl fmt::Write for RawFormatter { @@ -469,7 +484,6 @@ impl Formatter { /// /// The memory region starting at `buf` and extending for `len` bytes must be valid for writes /// for the lifetime of the returned [`Formatter`]. - #[allow(dead_code)] pub(crate) unsafe fn from_buffer(buf: *mut u8, len: usize) -> Self { // SAFETY: The safety requirements of this function satisfy those of the callee. Self(unsafe { RawFormatter::from_buffer(buf, len) }) 
@@ -496,3 +510,76 @@ impl fmt::Write for Formatter { } } } + +/// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end. +/// +/// Used for interoperability with kernel APIs that take C strings. +/// +/// # Invariants +/// +/// The string is always `NUL`-terminated and contains no other `NUL` bytes. +/// +/// # Examples +/// +/// ``` +/// use kernel::str::CString; +/// +/// let s = CString::try_from_fmt(fmt!("{}{}{}", "abc", 10, 20)).unwrap(); +/// assert_eq!(s.as_bytes_with_nul(), "abc1020\0".as_bytes()); +/// +/// let tmp = "testing"; +/// let s = CString::try_from_fmt(fmt!("{tmp}{}", 123)).unwrap(); +/// assert_eq!(s.as_bytes_with_nul(), "testing123\0".as_bytes()); +/// +/// // This fails because it has an embedded `NUL` byte. +/// let s = CString::try_from_fmt(fmt!("a\0b{}", 123)); +/// assert_eq!(s.is_ok(), false); +/// ``` +pub struct CString { + buf: Vec, +} + +impl CString { + /// Creates an instance of [`CString`] from the given formatted arguments. + pub fn try_from_fmt(args: fmt::Arguments<'_>) -> Result { + // Calculate the size needed (formatted string plus `NUL` terminator). + let mut f = RawFormatter::new(); + f.write_fmt(args)?; + f.write_str("\0")?; + let size = f.bytes_written(); + + // Allocate a vector with the required number of bytes, and write to it. + let mut buf = Vec::try_with_capacity(size)?; + // SAFETY: The buffer stored in `buf` is at least of size `size` and is valid for writes. + let mut f = unsafe { Formatter::from_buffer(buf.as_mut_ptr(), size) }; + f.write_fmt(args)?; + f.write_str("\0")?; + + // SAFETY: The number of bytes that can be written to `f` is bounded by `size`, which is + // `buf`'s capacity. The contents of the buffer have been initialised by writes to `f`. + unsafe { buf.set_len(f.bytes_written()) }; + + // Check that there are no `NUL` bytes before the end. 
+ // SAFETY: The buffer is valid for read because `f.bytes_written()` is bounded by `size` + // (which the minimum buffer size) and is non-zero (we wrote at least the `NUL` terminator) + // so `f.bytes_written() - 1` doesn't underflow. + let ptr = unsafe { bindings::memchr(buf.as_ptr().cast(), 0, (f.bytes_written() - 1) as _) }; + if !ptr.is_null() { + return Err(EINVAL); + } + + // INVARIANT: We wrote the `NUL` terminator and checked above that no other `NUL` bytes + // exist in the buffer. + Ok(Self { buf }) + } +} + +impl Deref for CString { + type Target = CStr; + + fn deref(&self) -> &Self::Target { + // SAFETY: The type invariants guarantee that the string is `NUL`-terminated and that no + // other `NUL` bytes exist. + unsafe { CStr::from_bytes_with_nul_unchecked(self.buf.as_slice()) } + } +} -- 2.38.1
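Review bot: The doc comment on `bytes_written()` in the `@@ -429,6 +439,11 @@` hunk understates what `self.pos - self.beg` returns. `RawFormatter` lets `pos` advance past `end` (the type invariant only promises writability while `pos` is less than `end`, and the sizing pass in `CString::try_from_fmt` starts from `RawFormatter::new()` with an empty buffer and still gets a useful count), so the value is the number of bytes that were written or would have been written had the buffer been large enough, not a count of initialised bytes. Suggest wording it as `/// Returns the number of bytes written to the formatter, counting bytes that did not fit into the buffer.` and noting that the count only bounds initialised memory when reached through the bounded `Formatter` wrapper, which is what the `set_len` SAFETY argument in the `CString` hunk depends on. Minor: the other doc comments in this file use the third person ("Creates ..."), so "Return" should be "Returns".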
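Review bot: The `# Examples` doctest in the `@@ -496,3 +510,76 @@` hunk calls `fmt!` but only imports `kernel::str::CString`; unless the doctest harness injects the crate's macros, it needs `use kernel::{str::CString, fmt};` to compile. Two smaller points in the same hunk: the SAFETY comment above the `memchr` call reads "(which the minimum buffer size)" and "valid for read", which should be "(which is the minimum buffer size)" and "valid for reads"; and `assert_eq!(s.is_ok(), false);` in the doctest is clearer as `assert!(s.is_err());`. The two-pass structure itself looks right: a `Display` impl that prints more on the second pass is stopped by the bounded `Formatter`, and one that prints less is handled by `set_len(f.bytes_written())` rather than `set_len(size)`, so no uninitialised bytes are exposed either way.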