Struct wiggle::GuestPtr

source · 
pub struct GuestPtr<'a, T: ?Sized + Pointee> { /* private fields */ }
Expand description

A guest pointer into host memory.

This type represents a pointer from the guest that points into host memory. Internally a GuestPtr contains a handle to its original GuestMemory as well as the offset into the memory that the pointer is pointing at.

Presence of a GuestPtr does not imply any form of validity. Pointers can be out-of-bounds, misaligned, etc. It is safe to construct a GuestPtr with any offset at any time. Consider a GuestPtr<T> roughly equivalent to *mut T, although there are a few more safety guarantees around this type.

§Slices and Strings

Note that the type parameter does not need to implement the Sized trait, so you can implement types such as this:

  • GuestPtr<'_, str> - a pointer to a guest string. Has the methods GuestPtr::as_str_mut, which gives a dynamically borrow-checked GuestStrMut<'_>, which DerefMuts to a &mut str, and GuestPtr::as_str, which is the shareable version of same.
  • GuestPtr<'_, [T]> - a pointer to a guest array. Has methods GuestPtr::as_slice_mut, which gives a dynamically borrow-checked GuestSliceMut<'_, T>, which DerefMuts to a &mut [T] and GuestPtr::as_slice, which is the shareable version of same.

Unsized types such as this may have extra methods and won’t have methods like GuestPtr::read or GuestPtr::write.

§Type parameter and pointee

The T type parameter is largely intended for more static safety in Rust as well as having a better handle on what we’re pointing to. A GuestPtr<T>, however, does not necessarily literally imply a guest pointer pointing to type T. Instead the GuestType trait is a layer of abstraction where GuestPtr<T> may actually be a pointer to U in guest memory, but you can construct a T from a U.

For example GuestPtr<GuestPtr<T>> is a valid type, but this is actually more equivalent to GuestPtr<u32> because guest pointers are always 32-bits. That being said you can create a GuestPtr<T> from a u32.

Additionally GuestPtr<MyEnum> will actually delegate, typically, to and implementation which loads the underlying data as GuestPtr<u8> (or similar) and then the bytes loaded are validated to fit within the definition of MyEnum before MyEnum is returned.

For more information see the GuestPtr::read and GuestPtr::write methods. In general though be extremely careful about writing unsafe code when working with a GuestPtr if you’re not using one of the already-attached helper methods.

Implementations§

source§

impl<'a, T: ?Sized + Pointee> GuestPtr<'a, T>

source

pub fn new( mem: &'a (dyn GuestMemory + 'a), pointer: T::Pointer ) -> GuestPtr<'a, T>

Creates a new GuestPtr from the given mem and pointer values.

Note that for sized types like u32, GuestPtr<T>, etc, the pointer value is a u32 offset into guest memory. For slices and strings, pointer is a (u32, u32) offset/length pair.

source

pub fn offset(&self) -> T::Pointer

Returns the offset of this pointer in guest memory.

Note that for sized types this returns a u32, but for slices and strings it returns a (u32, u32) pointer/length pair.

source

pub fn mem(&self) -> &'a (dyn GuestMemory + 'a)

Returns the guest memory that this pointer is coming from.

source

pub fn cast<U>(&self) -> GuestPtr<'a, U>
where U: Pointee<Pointer = T::Pointer> + ?Sized,

Casts this GuestPtr type to a different type.

This is a safe method which is useful for simply reinterpreting the type parameter on this GuestPtr. Note that this is a safe method, where again there’s no guarantees about alignment, validity, in-bounds-ness, etc of the returned pointer.

source

pub fn read(&self) -> Result<T, GuestError>
where T: GuestType<'a>,

Safely read a value from this pointer.

This is a fun method, and is one of the lynchpins of this implementation. The highlight here is that this is a safe operation, not an unsafe one like *mut T. This works for a few reasons:

  • The unsafe contract of the GuestMemory trait means that there’s always at least some backing memory for this GuestPtr<T>.

  • This does not use Rust-intrinsics to read the type T, but rather it delegates to T’s implementation of GuestType to actually read the underlying data. This again is a safe method, so any unsafety, if any, must be internally documented.

  • Eventually what typically happens it that this bottoms out in the read implementations for primitives types (like i32) which can safely be read at any time, and then it’s up to the runtime to determine what to do with the bytes it read in a safe manner.

Naturally lots of things can still go wrong, such as out-of-bounds checks, alignment checks, validity checks (e.g. for enums), etc. All of these check failures, however, are returned as a GuestError in the Result here, and Ok is only returned if all the checks passed.

source

pub fn write(&self, val: T) -> Result<(), GuestError>
where T: GuestType<'a>,

Safely write a value to this pointer.

This method, like GuestPtr::read, is pretty crucial for the safe operation of this crate. All the same reasons apply though for why this method is safe, even eventually bottoming out in primitives like writing an i32 which is safe to write bit patterns into memory at any time due to the guarantees of GuestMemory.

Like read, write can fail due to any manner of pointer checks, but any failure is returned as a GuestError.

source

pub fn add(&self, amt: u32) -> Result<GuestPtr<'a, T>, GuestError>
where T: GuestType<'a> + Pointee<Pointer = u32>,

Performs pointer arithmetic on this pointer, moving the pointer forward amt slots.

This will either return the resulting pointer or Err if the pointer arithmetic calculation would overflow around the end of the address space.

source

pub fn as_array(&self, elems: u32) -> GuestPtr<'a, [T]>
where T: GuestType<'a> + Pointee<Pointer = u32>,

Returns a GuestPtr for an array of Ts using this pointer as the base.

source

pub fn is_shared_memory(&self) -> bool

Check if this pointer references WebAssembly shared memory.

source§

impl<'a, T> GuestPtr<'a, [T]>

source

pub fn offset_base(&self) -> u32

For slices, specifically returns the relative pointer to the base of the array.

This is similar to <[T]>::as_ptr()

source

pub fn len(&self) -> u32

For slices, returns the length of the slice, in elements.

source

pub fn iter<'b>( &'b self ) -> impl ExactSizeIterator<Item = Result<GuestPtr<'a, T>, GuestError>> + 'b
where T: GuestType<'a>,

Returns an iterator over interior pointers.

Each item is a Result indicating whether it overflowed past the end of the address space or not.

source

pub fn as_cow(&self) -> Result<GuestCow<'a, T>, GuestError>
where T: GuestTypeTransparent<'a> + Copy + 'a,

Attempts to create a [GuestCow<'_, T>] from this pointer, performing bounds checks and type validation. Whereas GuestPtr::as_slice will fail with None if attempting to access Wasm shared memory, this call will succeed: if used on shared memory, this function will copy the slice into GuestCow::Copied. If the memory is non-shared, this returns a GuestCow::Borrowed (a thin wrapper over [GuestSlice<'_, T>]).

source

pub fn as_slice(&self) -> Result<Option<GuestSlice<'a, T>>, GuestError>
where T: GuestTypeTransparent<'a>,

Attempts to create a [GuestSlice<'_, T>] from this pointer, performing bounds checks and type validation. The GuestSlice is a smart pointer that can be used as a &[T] via the Deref trait.

This method will flag the entire linear memory as marked with a shared borrow. This means that any writes to memory are disallowed until the returned GuestSlice is dropped.

This function will return a GuestSlice into host memory if all checks succeed (valid utf-8, valid pointers, memory is not borrowed, etc.). If any checks fail then GuestError will be returned.

Additionally, because it is unsafe to have a GuestSlice of shared memory, this function will return None in this case (see GuestPtr::as_cow).

source

pub fn as_slice_mut(&self) -> Result<Option<GuestSliceMut<'a, T>>, GuestError>
where T: GuestTypeTransparent<'a>,

Attempts to create a [GuestSliceMut<'_, T>] from this pointer, performing bounds checks and type validation. The GuestSliceMut is a smart pointer that can be used as a &[T] or a &mut [T] via the Deref and DerefMut traits.

This method will flag the entire linear memory as marked with a mutable borrow. This means that all reads/writes to memory are disallowed until the returned GuestSliceMut type is dropped.

This function will return a GuestSliceMut into host memory if all checks succeed (valid utf-8, valid pointers, memory is not borrowed, etc). If any checks fail then GuestError will be returned.

Additionally, because it is unsafe to have a GuestSliceMut of shared memory, this function will return None in this case.

source

pub fn as_unsafe_slice_mut(&self) -> Result<UnsafeGuestSlice<'a, T>, GuestError>
where T: GuestTypeTransparent<'a>,

Similar to as_slice_mut, this function will attempt to create a smart pointer to the WebAssembly linear memory. All validation and Wiggle borrow checking is the same, but unlike as_slice_mut, the returned &mut slice can point to WebAssembly shared memory. Though the Wiggle borrow checker can guarantee no other Wiggle calls will access this slice, it cannot guarantee that another thread is not modifying the &mut slice in some other way. Thus, access to that slice is marked unsafe.

source

pub fn to_vec(&self) -> Result<Vec<T>, GuestError>
where T: GuestTypeTransparent<'a> + Copy + 'a,

Copies the data in the guest region into a Vec.

This is useful when one cannot use GuestPtr::as_slice, e.g., when pointing to a region of WebAssembly shared memory.

source

pub fn copy_from_slice(&self, slice: &[T]) -> Result<(), GuestError>
where T: GuestTypeTransparent<'a> + Copy + 'a,

Copies the data pointed to by slice into this guest region.

This method is a safe method to copy data from the host to the guest. This requires that self and slice have the same length. The pointee type T requires the GuestTypeTransparent trait which is an assertion that the representation on the host and on the guest is the same.

§Errors

Returns an error if this guest pointer is out of bounds or if the length of this guest pointer is not equal to the length of the slice provided.

source

pub fn as_ptr(&self) -> GuestPtr<'a, T>

Returns a GuestPtr pointing to the base of the array for the interior type T.

source

pub fn get(&self, index: u32) -> Option<GuestPtr<'a, T>>
where T: GuestType<'a>,

source

pub fn get_range(&self, r: Range<u32>) -> Option<GuestPtr<'a, [T]>>
where T: GuestType<'a>,

source§

impl<'a> GuestPtr<'a, str>

source

pub fn offset_base(&self) -> u32

For strings, returns the relative pointer to the base of the string allocation.

source

pub fn len(&self) -> u32

Returns the length, in bytes, of the string.

source

pub fn as_bytes(&self) -> GuestPtr<'a, [u8]>

Returns a raw pointer for the underlying slice of bytes that this pointer points to.

source

pub fn as_str(&self) -> Result<Option<GuestStr<'a>>, GuestError>

Attempts to create a [GuestStr<'_>] from this pointer, performing bounds checks and utf-8 checks. The resulting GuestStr can be used as a &str via the Deref trait. The region of memory backing the str will be marked as shareably borrowed by the GuestMemory until the GuestStr is dropped.

This function will return GuestStr into host memory if all checks succeed (valid utf-8, valid pointers, etc). If any checks fail then GuestError will be returned.

Additionally, because it is unsafe to have a GuestStr of shared memory, this function will return None in this case (see [GuestPtr<'_, str>::as_cow]).

source

pub fn as_str_mut(&self) -> Result<Option<GuestStrMut<'a>>, GuestError>

Attempts to create a [GuestStrMut<'_>] from this pointer, performing bounds checks and utf-8 checks. The resulting GuestStrMut can be used as a &str or &mut str via the Deref and DerefMut traits. The region of memory backing the str will be marked as borrowed by the GuestMemory until the GuestStrMut is dropped.

This function will return GuestStrMut into host memory if all checks succeed (valid utf-8, valid pointers, etc). If any checks fail then GuestError will be returned.

Additionally, because it is unsafe to have a GuestStrMut of shared memory, this function will return None in this case.

source

pub fn as_cow(&self) -> Result<GuestStrCow<'a>, GuestError>

Attempts to create a [GuestStrCow<'_>] from this pointer, performing bounds checks and utf-8 checks. Whereas GuestPtr::as_str will fail with None if attempting to access Wasm shared memory, this call will succeed: if used on shared memory, this function will copy the string into GuestStrCow::Copied. If the memory is non-shared, this returns a GuestStrCow::Borrowed (a thin wrapper over [GuestStr<'_, T>]).

source§

impl<'a> GuestPtr<'a, [u8]>

source

pub fn as_str_ptr(&self) -> GuestPtr<'a, str>

Returns a pointer to the string represented by a [u8] without validating whether each u8 is a utf-8 codepoint.

Trait Implementations§

source§

impl<T: ?Sized + Pointee> Clone for GuestPtr<'_, T>

source§

fn clone(&self) -> Self

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl<T: ?Sized + Pointee> Debug for GuestPtr<'_, T>

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl<'a, T> GuestType<'a> for GuestPtr<'a, [T]>
where T: GuestType<'a>,

source§

fn guest_size() -> u32

Returns the size, in bytes, of this type in the guest memory.
source§

fn guest_align() -> usize

Returns the required alignment of this type, in bytes, for both guest and host memory.
source§

fn read(ptr: &GuestPtr<'a, Self>) -> Result<Self, GuestError>

Reads this value from the provided ptr. Read more
source§

fn write(ptr: &GuestPtr<'_, Self>, val: Self) -> Result<(), GuestError>

Writes a value to ptr after verifying that ptr is indeed valid to store val. Read more
source§

impl<'a, T> GuestType<'a> for GuestPtr<'a, T>

source§

fn guest_size() -> u32

Returns the size, in bytes, of this type in the guest memory.
source§

fn guest_align() -> usize

Returns the required alignment of this type, in bytes, for both guest and host memory.
source§

fn read(ptr: &GuestPtr<'a, Self>) -> Result<Self, GuestError>

Reads this value from the provided ptr. Read more
source§

fn write(ptr: &GuestPtr<'_, Self>, val: Self) -> Result<(), GuestError>

Writes a value to ptr after verifying that ptr is indeed valid to store val. Read more
source§

impl<T: ?Sized + Pointee> Copy for GuestPtr<'_, T>

Auto Trait Implementations§

§

impl<'a, T> Freeze for GuestPtr<'a, T>
where <T as Pointee>::Pointer: Freeze, T: ?Sized,

§

impl<'a, T> !RefUnwindSafe for GuestPtr<'a, T>

§

impl<'a, T> Send for GuestPtr<'a, T>
where <T as Pointee>::Pointer: Send, T: ?Sized,

§

impl<'a, T> Sync for GuestPtr<'a, T>
where <T as Pointee>::Pointer: Sync, T: ?Sized,

§

impl<'a, T> Unpin for GuestPtr<'a, T>
where <T as Pointee>::Pointer: Unpin, T: ?Sized,

§

impl<'a, T> !UnwindSafe for GuestPtr<'a, T>

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T> Instrument for T

source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T> Pointable for T

§

const ALIGN: usize = _

The alignment of pointer.
§

type Init = T

The type for initializers.
§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
source§

impl<T> Pointee for T

§

type Pointer = u32

source§

fn debug( pointer: <T as Pointee>::Pointer, f: &mut Formatter<'_> ) -> Result<(), Error>

source§

impl<T> Same for T

§

type Output = T

Should always be Self
source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
source§

impl<T> WithSubscriber for T

source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more