ca9f33b6d9
This commit rewrites the runtime crate to provide safety in the face of recursive calls to the guest. The basic principle is that `GuestMemory` is now a trait which dynamically returns the pointer/length pair. This also has an implicit contract (hence the `unsafe` trait) that the pointer/length pair point to a valid list of bytes in host memory "until something is reentrant". After this changes the various suite of `Guest*` types were rewritten. `GuestRef` and `GuestRefMut` were both removed since they cannot safely exist. The `GuestPtrMut` type was removed for simplicity, and the final `GuestPtr` type subsumes `GuestString` and `GuestArray`. This means that there's only one guest pointer type, `GuestPtr<'a, T>`, where `'a` is the borrow into host memory, basically borrowing the `GuestMemory` trait object itself. Some core utilities are exposed on `GuestPtr`, but they're all 100% safe. Unsafety is now entirely contained within a few small locations: * Implementations of the `GuestType` for primitive types (e.g. `i8`, `u8`, etc) use `unsafe` to read/write memory. The `unsafe` trait of `GuestMemory` though should prove that they're safe. * `GuestPtr<'_, str>` has a method which validates utf-8 contents, and this requires `unsafe` internally to read all the bytes. This is guaranteed to be safe however given the contract of `GuestMemory`. And that's it! Everything else is a bunch of safe combinators all built up on the various utilities provided by `GuestPtr`. The general idioms are roughly the same as before, with various tweaks here and there. A summary of expected idioms are: * For small values you'd `.read()` or `.write()` very quickly. You'd pass around the type itself. * For strings, you'd pass `GuestPtr<'_, str>` down to the point where it's actually consumed. At that moment you'd either decide to copy it out (a safe operation) or you'd get a raw view to the string (an unsafe operation) and assert that you won't call back into wasm while you're holding that pointer. * Arrays are similar to strings, passing around `GuestPtr<'_, [T]>`. Arrays also have a `iter()` method which yields an iterator of `GuestPtr<'_, T>` for convenience. Overall there's still a lot of missing documentation on the runtime crate specifically around the safety of the `GuestMemory` trait as well as how the utilities/methods are expected to be used. Additionally there's utilities which aren't currently implemented which would be easy to implement. For example there's no method to copy out a string or a slice, although that would be pretty easy to add. In any case I'm curious to get feedback on this approach and see what y'all think!
131 lines
4.3 KiB
Rust
131 lines
4.3 KiB
Rust
use heck::{CamelCase, ShoutySnakeCase, SnakeCase};
|
|
use proc_macro2::{Ident, TokenStream};
|
|
use quote::{format_ident, quote};
|
|
use witx::{AtomType, BuiltinType, Id, TypeRef};
|
|
|
|
use crate::lifetimes::LifetimeExt;
|
|
use crate::Config;
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct Names {
|
|
config: Config,
|
|
}
|
|
|
|
impl Names {
|
|
pub fn new(config: Config) -> Names {
|
|
Names { config }
|
|
}
|
|
pub fn ctx_type(&self) -> Ident {
|
|
self.config.ctx.name.clone()
|
|
}
|
|
pub fn type_(&self, id: &Id) -> TokenStream {
|
|
let ident = format_ident!("{}", id.as_str().to_camel_case());
|
|
quote!(#ident)
|
|
}
|
|
pub fn builtin_type(&self, b: BuiltinType, lifetime: TokenStream) -> TokenStream {
|
|
match b {
|
|
BuiltinType::String => quote!(wiggle_runtime::GuestPtr<#lifetime, str>),
|
|
BuiltinType::U8 => quote!(u8),
|
|
BuiltinType::U16 => quote!(u16),
|
|
BuiltinType::U32 => quote!(u32),
|
|
BuiltinType::U64 => quote!(u64),
|
|
BuiltinType::S8 => quote!(i8),
|
|
BuiltinType::S16 => quote!(i16),
|
|
BuiltinType::S32 => quote!(i32),
|
|
BuiltinType::S64 => quote!(i64),
|
|
BuiltinType::F32 => quote!(f32),
|
|
BuiltinType::F64 => quote!(f64),
|
|
BuiltinType::Char8 => quote!(u8),
|
|
BuiltinType::USize => quote!(usize),
|
|
}
|
|
}
|
|
pub fn atom_type(&self, atom: AtomType) -> TokenStream {
|
|
match atom {
|
|
AtomType::I32 => quote!(i32),
|
|
AtomType::I64 => quote!(i64),
|
|
AtomType::F32 => quote!(f32),
|
|
AtomType::F64 => quote!(f64),
|
|
}
|
|
}
|
|
|
|
pub fn type_ref(&self, tref: &TypeRef, lifetime: TokenStream) -> TokenStream {
|
|
match tref {
|
|
TypeRef::Name(nt) => {
|
|
let ident = self.type_(&nt.name);
|
|
if nt.tref.needs_lifetime() {
|
|
quote!(#ident<#lifetime>)
|
|
} else {
|
|
quote!(#ident)
|
|
}
|
|
}
|
|
TypeRef::Value(ty) => match &**ty {
|
|
witx::Type::Builtin(builtin) => self.builtin_type(*builtin, lifetime.clone()),
|
|
witx::Type::Pointer(pointee) | witx::Type::ConstPointer(pointee) => {
|
|
let pointee_type = self.type_ref(&pointee, lifetime.clone());
|
|
quote!(wiggle_runtime::GuestPtr<#lifetime, #pointee_type>)
|
|
}
|
|
_ => unimplemented!("anonymous type ref"),
|
|
},
|
|
}
|
|
}
|
|
|
|
pub fn enum_variant(&self, id: &Id) -> Ident {
|
|
// FIXME this is a hack - just a proof of concept.
|
|
if id.as_str().starts_with('2') {
|
|
format_ident!("TooBig")
|
|
} else if id.as_str() == "type" {
|
|
format_ident!("Type")
|
|
} else {
|
|
format_ident!("{}", id.as_str().to_camel_case())
|
|
}
|
|
}
|
|
|
|
pub fn flag_member(&self, id: &Id) -> Ident {
|
|
format_ident!("{}", id.as_str().to_shouty_snake_case())
|
|
}
|
|
|
|
pub fn int_member(&self, id: &Id) -> Ident {
|
|
format_ident!("{}", id.as_str().to_shouty_snake_case())
|
|
}
|
|
|
|
pub fn struct_member(&self, id: &Id) -> Ident {
|
|
// FIXME this is a hack - just a proof of concept.
|
|
if id.as_str() == "type" {
|
|
format_ident!("type_")
|
|
} else {
|
|
format_ident!("{}", id.as_str().to_snake_case())
|
|
}
|
|
}
|
|
|
|
pub fn module(&self, id: &Id) -> Ident {
|
|
format_ident!("{}", id.as_str().to_snake_case())
|
|
}
|
|
|
|
pub fn trait_name(&self, id: &Id) -> Ident {
|
|
format_ident!("{}", id.as_str().to_camel_case())
|
|
}
|
|
|
|
pub fn func(&self, id: &Id) -> Ident {
|
|
format_ident!("{}", id.as_str().to_snake_case())
|
|
}
|
|
|
|
pub fn func_param(&self, id: &Id) -> Ident {
|
|
// FIXME this is a hack - just a proof of concept.
|
|
if id.as_str() == "in" {
|
|
format_ident!("in_")
|
|
} else {
|
|
format_ident!("{}", id.as_str().to_snake_case())
|
|
}
|
|
}
|
|
|
|
/// For when you need a {name}_ptr binding for passing a value by reference:
|
|
pub fn func_ptr_binding(&self, id: &Id) -> Ident {
|
|
format_ident!("{}_ptr", id.as_str().to_snake_case())
|
|
}
|
|
|
|
/// For when you need a {name}_len binding for passing an array:
|
|
pub fn func_len_binding(&self, id: &Id) -> Ident {
|
|
format_ident!("{}_len", id.as_str().to_snake_case())
|
|
}
|
|
}
|