From patchwork Fri Feb 7 13:58:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tamir Duberstein X-Patchwork-Id: 13965031 X-Patchwork-Delegate: bhelgaas@google.com Received: from mail-qk1-f178.google.com (mail-qk1-f178.google.com [209.85.222.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A1E3217677; Fri, 7 Feb 2025 13:58:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738936736; cv=none; b=GoSetGRAnbWPT8EVCpSmFMbymWB4C6tWWUPh+vXHTuM4biUbLSh0/zfHqnGjl1+3Q2tcYRDTABB2fobZ7t67gvQ8tjAMRsRYPnpuWNiRoVeZ8Xh7tGFNivSDpDQ+a5EiPfdFPHWPilwsovSI1Nf+R88LQfXG5V+noQyQa8fYID8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738936736; c=relaxed/simple; bh=cu7D2/Qs6KXy57zpFyny/6cGYI1MldqmQ+blXbEdjJE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=IZlotaDvGnr3F0IwZX8EkB4xyzkW4TC+BQCdl+8VnmDkKM95DInLdy4QvUSmbWypckUHPeUdM1V2TqcpqKP3Wz54zsQT5k2SZ9EzhnclQ6lz9QQ0HyoXZ0k4uV6eG7439QPClwvv89oyecKkM4QXudSX/ocoN3pWqMm4Tc6ThB0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=g9VKshG2; arc=none smtp.client-ip=209.85.222.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="g9VKshG2" Received: by mail-qk1-f178.google.com with SMTP id af79cd13be357-7b8618be68bso186084585a.3; Fri, 07 Feb 2025 05:58:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738936733; x=1739541533; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=wk48mehN2EwmM7wL9qjrdY9UE3XSglPAw8iFr6BiKdo=; b=g9VKshG28Rz8SNPzAi1uYCClFNczoJiVj/mwCswO8yfkwmlj4b/2xA2u6ZwYT/TO/N m2ZBPSjVQq2AtqV7P61iNwGf4ievju8UbG53Jm+wpB4YAbRnuUrBES0wkKq2YLPuRQJL hdp0kHeGbb91SiL2coAUzG4xzu3lSZ33trp/zTZstEWVHV3VKutISH+7qdp656cbci5e 4kdzeXaDrPYbHPo3ZAFLd5OHtKzVdoxecTpEKrCQf5aBbYoGUhYyLLsSa8p1KgLa3qM0 BTmqLAozpLL0J2LcKf0aED4jR9sHtqgEDDkYvJdOnhZ9KusV9oeIBxh+KZcXtmFvjXIg o0AA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738936733; x=1739541533; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wk48mehN2EwmM7wL9qjrdY9UE3XSglPAw8iFr6BiKdo=; b=k/cx6k1xzEjS5IChsPVzpAw2Tvf6i9vNz3494rWaHgzGz0uHOZVkYzpzH1IhddEVj2 gH3fE+e7fqvK933FmNjwHRgVAoOWuq/kUfxq5lkAGEQEgt1Ekr3enGQv7qhDJyvCA/Na KBC44VzhTAKLLrcipMGv+DhLDtMe3ic1zPyNFWpdnRlYIRj4JiUThSi26ED3mxSabKP/ d61XlShg8Z72vFaGY1ybhi7BzQbdQbYzWieJ2/CY+S91KQFWCfX9JWKQrNEYdDvxQYEP 9B5SwlY1azTy71ZfSF3uOPjIv4tMw5y1mLPP4t7xf8fzZJ4LTZQB0iAvlGCqWevdIYQ6 tF7Q== X-Forwarded-Encrypted: i=1; AJvYcCUSG/ptcfWY9iTuy2ngztCLXDEU7AolCmltgB61K3Qs0UFpvPpsCuD7Kx9PrIt0OqLr1LyTn4Hda4/eGL2o@vger.kernel.org, AJvYcCUwlHieDBpNywzzx/nhfJKexM9JysnhI+/S0iRRBe25MJgZ36dtVRtl+7KFEHqTH7RZ8kqzqx46ujUuCe9T@vger.kernel.org, AJvYcCVgcRKhNyIC/GiiL+y2Vz5BGgvUsqvJEEjlvzn2lWLKu5pLGa/iV3LFfFPPZxaQq2cyQq8QutZ5JFKea1z3KIo=@vger.kernel.org, AJvYcCXgR02GtYi8ZCql5sbHdrdg4gkdw+rzI6XRW7FMlTIqeuJAkwo1/NoDc6kjSQZu9p3tRz5u0hUH6U3Y@vger.kernel.org X-Gm-Message-State: AOJu0YxOGakmUd2LS7avgQVp2c9XJV73zZfLc0PvNzNhLTvywbyrWSEZ GpR4Kn4tvZ39tW9BmjxXztlddPKp/NM9bPT87XllqoCN0TpwslOP X-Gm-Gg: ASbGncsktt5xapFC7FyktWM733lUKovM80C4cC1+yxLVDHLExbfLkwsCaP4Azqu5FIP IWIv0L+Bnknx4khobrOGPwHMQmWXyYZCWgXbWmsoZMUdjjPeybKrYnL8+E0sTK7rr9nOu6+weZb b8VzZQ+BSiFoOdo7l6nnS8edhc677pitwel/6h7EihXnn1cOi8YGNrZ30qUrw8rh8/XoqZCxiz5 6Zhxu1nixN2sG1SF1+iWVqF6p3Vgk1BXJ4jO+9BKtUHjcoVVkb1aKboiUV85WLbjdZpvLVBNmnN z+mNhjk59LChuBE+oYtR6+KmtOu3AAdpCK8= X-Google-Smtp-Source: AGHT+IEYr2VH2zbdoE4S3LObPk2XDspgJuoqbJJGa+H8Wc8SaHuHLa2q7r/bd4B35qRRaMb+9/HDpg== X-Received: by 2002:a05:620a:2848:b0:7b6:6e7c:8efc with SMTP id af79cd13be357-7c047c78558mr502039185a.44.1738936733071; Fri, 07 Feb 2025 05:58:53 -0800 (PST) Received: from [192.168.1.159] ([2600:4041:5be7:7c00:fb:aded:686f:8a03]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7c041e11d19sm191919685a.52.2025.02.07.05.58.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 Feb 2025 05:58:51 -0800 (PST) From: Tamir Duberstein Date: Fri, 07 Feb 2025 08:58:25 -0500 Subject: [PATCH v16 2/4] rust: types: add `ForeignOwnable::PointedTo` Precedence: bulk X-Mailing-List: linux-pci@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20250207-rust-xarray-bindings-v16-2-256b0cf936bd@gmail.com> References: <20250207-rust-xarray-bindings-v16-0-256b0cf936bd@gmail.com> In-Reply-To: <20250207-rust-xarray-bindings-v16-0-256b0cf936bd@gmail.com> To: Danilo Krummrich , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Matthew Wilcox , Bjorn Helgaas , Greg Kroah-Hartman , "Rafael J. Wysocki" , Tamir Duberstein , FUJITA Tomonori , "Rob Herring (Arm)" Cc: =?utf-8?q?Ma=C3=ADra_Canal?= , Asahi Lina , rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, Fiona Behrens X-Mailer: b4 0.15-dev Allow implementors to specify the foreign pointer type; this exposes information about the pointed-to type such as its alignment. This requires the trait to be `unsafe` since it is now possible for implementors to break soundness by returning a misaligned pointer. Encoding the pointer type in the trait (and avoiding pointer casts) allows the compiler to check that implementors return the correct pointer type. This is preferable to directly encoding the alignment in the trait using a constant as the compiler would be unable to check it. Reviewed-by: Alice Ryhl Reviewed-by: Andreas Hindborg Reviewed-by: Fiona Behrens Signed-off-by: Tamir Duberstein --- rust/kernel/alloc/kbox.rs | 38 ++++++++++++++++++++------------------ rust/kernel/miscdevice.rs | 7 ++++++- rust/kernel/pci.rs | 2 ++ rust/kernel/platform.rs | 2 ++ rust/kernel/sync/arc.rs | 21 ++++++++++++--------- rust/kernel/types.rs | 46 +++++++++++++++++++++++++++++++--------------- 6 files changed, 73 insertions(+), 43 deletions(-) diff --git a/rust/kernel/alloc/kbox.rs b/rust/kernel/alloc/kbox.rs index cb4ebea3b074..55529832db54 100644 --- a/rust/kernel/alloc/kbox.rs +++ b/rust/kernel/alloc/kbox.rs @@ -349,68 +349,70 @@ fn try_init(init: impl Init, flags: Flags) -> Result } } -impl ForeignOwnable for Box +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl ForeignOwnable for Box where A: Allocator, { + type PointedTo = T; type Borrowed<'a> = &'a T; type BorrowedMut<'a> = &'a mut T; - fn into_foreign(self) -> *mut crate::ffi::c_void { - Box::into_raw(self).cast() + fn into_foreign(self) -> *mut Self::PointedTo { + Box::into_raw(self) } - unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { + unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self { // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous // call to `Self::into_foreign`. - unsafe { Box::from_raw(ptr.cast()) } + unsafe { Box::from_raw(ptr) } } - unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> &'a T { + unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> &'a T { // SAFETY: The safety requirements of this method ensure that the object remains alive and // immutable for the duration of 'a. - unsafe { &*ptr.cast() } + unsafe { &*ptr } } - unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> &'a mut T { - let ptr = ptr.cast(); + unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> &'a mut T { // SAFETY: The safety requirements of this method ensure that the pointer is valid and that // nothing else will access the value for the duration of 'a. unsafe { &mut *ptr } } } -impl ForeignOwnable for Pin> +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl ForeignOwnable for Pin> where A: Allocator, { + type PointedTo = T; type Borrowed<'a> = Pin<&'a T>; type BorrowedMut<'a> = Pin<&'a mut T>; - fn into_foreign(self) -> *mut crate::ffi::c_void { + fn into_foreign(self) -> *mut Self::PointedTo { // SAFETY: We are still treating the box as pinned. - Box::into_raw(unsafe { Pin::into_inner_unchecked(self) }).cast() + Box::into_raw(unsafe { Pin::into_inner_unchecked(self) }) } - unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { + unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self { // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous // call to `Self::into_foreign`. - unsafe { Pin::new_unchecked(Box::from_raw(ptr.cast())) } + unsafe { Pin::new_unchecked(Box::from_raw(ptr)) } } - unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> Pin<&'a T> { + unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> Pin<&'a T> { // SAFETY: The safety requirements for this function ensure that the object is still alive, // so it is safe to dereference the raw pointer. // The safety requirements of `from_foreign` also ensure that the object remains alive for // the lifetime of the returned value. - let r = unsafe { &*ptr.cast() }; + let r = unsafe { &*ptr }; // SAFETY: This pointer originates from a `Pin>`. unsafe { Pin::new_unchecked(r) } } - unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> Pin<&'a mut T> { - let ptr = ptr.cast(); + unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> Pin<&'a mut T> { // SAFETY: The safety requirements for this function ensure that the object is still alive, // so it is safe to dereference the raw pointer. // The safety requirements of `from_foreign` also ensure that the object remains alive for diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs index e14433b2ab9d..f1a081dd64c7 100644 --- a/rust/kernel/miscdevice.rs +++ b/rust/kernel/miscdevice.rs @@ -225,13 +225,15 @@ impl VtableHelper { Ok(ptr) => ptr, Err(err) => return err.to_errno(), }; + let ptr = ptr.into_foreign(); + let ptr = ptr.cast(); // This overwrites the private data with the value specified by the user, changing the type of // this file's private data. All future accesses to the private data is performed by other // fops_* methods in this file, which all correctly cast the private data to the new type. // // SAFETY: The open call of a file can access the private data. - unsafe { (*raw_file).private_data = ptr.into_foreign() }; + unsafe { (*raw_file).private_data = ptr }; 0 } @@ -246,6 +248,7 @@ impl VtableHelper { ) -> c_int { // SAFETY: The release call of a file owns the private data. let private = unsafe { (*file).private_data }; + let private = private.cast(); // SAFETY: The release call of a file owns the private data. let ptr = unsafe { ::from_foreign(private) }; @@ -267,6 +270,7 @@ impl VtableHelper { ) -> c_long { // SAFETY: The ioctl call of a file can access the private data. let private = unsafe { (*file).private_data }; + let private = private.cast(); // SAFETY: Ioctl calls can borrow the private data of the file. let device = unsafe { ::borrow(private) }; @@ -316,6 +320,7 @@ impl VtableHelper { ) { // SAFETY: The release call of a file owns the private data. let private = unsafe { (*file).private_data }; + let private = private.cast(); // SAFETY: Ioctl calls can borrow the private data of the file. let device = unsafe { ::borrow(private) }; // SAFETY: diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs index 6c3bc14b42ad..eb25fabbff9c 100644 --- a/rust/kernel/pci.rs +++ b/rust/kernel/pci.rs @@ -73,6 +73,7 @@ extern "C" fn probe_callback( match T::probe(&mut pdev, info) { Ok(data) => { let data = data.into_foreign(); + let data = data.cast(); // Let the `struct pci_dev` own a reference of the driver's private data. // SAFETY: By the type invariant `pdev.as_raw` returns a valid pointer to a // `struct pci_dev`. @@ -88,6 +89,7 @@ extern "C" fn remove_callback(pdev: *mut bindings::pci_dev) { // SAFETY: The PCI bus only ever calls the remove callback with a valid pointer to a // `struct pci_dev`. let ptr = unsafe { bindings::pci_get_drvdata(pdev) }; + let ptr = ptr.cast(); // SAFETY: `remove_callback` is only ever called after a successful call to // `probe_callback`, hence it's guaranteed that `ptr` points to a valid and initialized diff --git a/rust/kernel/platform.rs b/rust/kernel/platform.rs index dea104563fa9..53764cb7f804 100644 --- a/rust/kernel/platform.rs +++ b/rust/kernel/platform.rs @@ -64,6 +64,7 @@ extern "C" fn probe_callback(pdev: *mut bindings::platform_device) -> kernel::ff match T::probe(&mut pdev, info) { Ok(data) => { let data = data.into_foreign(); + let data = data.cast(); // Let the `struct platform_device` own a reference of the driver's private data. // SAFETY: By the type invariant `pdev.as_raw` returns a valid pointer to a // `struct platform_device`. @@ -78,6 +79,7 @@ extern "C" fn probe_callback(pdev: *mut bindings::platform_device) -> kernel::ff extern "C" fn remove_callback(pdev: *mut bindings::platform_device) { // SAFETY: `pdev` is a valid pointer to a `struct platform_device`. let ptr = unsafe { bindings::platform_get_drvdata(pdev) }; + let ptr = ptr.cast(); // SAFETY: `remove_callback` is only ever called after a successful call to // `probe_callback`, hence it's guaranteed that `ptr` points to a valid and initialized diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs index 3cefda7a4372..dfe4abf82c25 100644 --- a/rust/kernel/sync/arc.rs +++ b/rust/kernel/sync/arc.rs @@ -140,9 +140,10 @@ pub struct Arc { _p: PhantomData>, } +#[doc(hidden)] #[pin_data] #[repr(C)] -struct ArcInner { +pub struct ArcInner { refcount: Opaque, data: T, } @@ -342,18 +343,20 @@ pub fn into_unique_or_drop(self) -> Option>> { } } -impl ForeignOwnable for Arc { +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl ForeignOwnable for Arc { + type PointedTo = ArcInner; type Borrowed<'a> = ArcBorrow<'a, T>; type BorrowedMut<'a> = Self::Borrowed<'a>; - fn into_foreign(self) -> *mut crate::ffi::c_void { - ManuallyDrop::new(self).ptr.as_ptr().cast() + fn into_foreign(self) -> *mut Self::PointedTo { + ManuallyDrop::new(self).ptr.as_ptr() } - unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { + unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self { // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous // call to `Self::into_foreign`. - let inner = unsafe { NonNull::new_unchecked(ptr.cast::>()) }; + let inner = unsafe { NonNull::new_unchecked(ptr) }; // SAFETY: By the safety requirement of this function, we know that `ptr` came from // a previous call to `Arc::into_foreign`, which guarantees that `ptr` is valid and @@ -361,17 +364,17 @@ unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { unsafe { Self::from_inner(inner) } } - unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> ArcBorrow<'a, T> { + unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> { // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous // call to `Self::into_foreign`. - let inner = unsafe { NonNull::new_unchecked(ptr.cast::>()) }; + let inner = unsafe { NonNull::new_unchecked(ptr) }; // SAFETY: The safety requirements of `from_foreign` ensure that the object remains alive // for the lifetime of the returned value. unsafe { ArcBorrow::new(inner) } } - unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> ArcBorrow<'a, T> { + unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> { // SAFETY: The safety requirements for `borrow_mut` are a superset of the safety // requirements for `borrow`. unsafe { Self::borrow(ptr) } diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 2bbaab83b9d6..55ddd50e8aaa 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -18,7 +18,19 @@ /// /// This trait is meant to be used in cases when Rust objects are stored in C objects and /// eventually "freed" back to Rust. -pub trait ForeignOwnable: Sized { +/// +/// # Safety +/// +/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment +/// requirements of [`PointedTo`]. +/// +/// [`into_foreign`]: Self::into_foreign +/// [`PointedTo`]: Self::PointedTo +pub unsafe trait ForeignOwnable: Sized { + /// Type used when the value is foreign-owned. In practical terms only defines the alignment of + /// the pointer. + type PointedTo; + /// Type used to immutably borrow a value that is currently foreign-owned. type Borrowed<'a>; @@ -27,16 +39,18 @@ pub trait ForeignOwnable: Sized { /// Converts a Rust-owned object to a foreign-owned one. /// - /// The foreign representation is a pointer to void. There are no guarantees for this pointer. - /// For example, it might be invalid, dangling or pointing to uninitialized memory. Using it in - /// any way except for [`from_foreign`], [`try_from_foreign`], [`borrow`], or [`borrow_mut`] can - /// result in undefined behavior. + /// # Guarantees + /// + /// The return value is guaranteed to be well-aligned, but there are no other guarantees for + /// this pointer. For example, it might be null, dangling, or point to uninitialized memory. + /// Using it in any way except for [`ForeignOwnable::from_foreign`], [`ForeignOwnable::borrow`], + /// [`ForeignOwnable::try_from_foreign`] can result in undefined behavior. /// /// [`from_foreign`]: Self::from_foreign /// [`try_from_foreign`]: Self::try_from_foreign /// [`borrow`]: Self::borrow /// [`borrow_mut`]: Self::borrow_mut - fn into_foreign(self) -> *mut crate::ffi::c_void; + fn into_foreign(self) -> *mut Self::PointedTo; /// Converts a foreign-owned object back to a Rust-owned one. /// @@ -46,7 +60,7 @@ pub trait ForeignOwnable: Sized { /// must not be passed to `from_foreign` more than once. /// /// [`into_foreign`]: Self::into_foreign - unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self; + unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self; /// Tries to convert a foreign-owned object back to a Rust-owned one. /// @@ -58,7 +72,7 @@ pub trait ForeignOwnable: Sized { /// `ptr` must either be null or satisfy the safety requirements for [`from_foreign`]. /// /// [`from_foreign`]: Self::from_foreign - unsafe fn try_from_foreign(ptr: *mut crate::ffi::c_void) -> Option { + unsafe fn try_from_foreign(ptr: *mut Self::PointedTo) -> Option { if ptr.is_null() { None } else { @@ -81,7 +95,7 @@ unsafe fn try_from_foreign(ptr: *mut crate::ffi::c_void) -> Option { /// /// [`into_foreign`]: Self::into_foreign /// [`from_foreign`]: Self::from_foreign - unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> Self::Borrowed<'a>; + unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> Self::Borrowed<'a>; /// Borrows a foreign-owned object mutably. /// @@ -109,21 +123,23 @@ unsafe fn try_from_foreign(ptr: *mut crate::ffi::c_void) -> Option { /// [`from_foreign`]: Self::from_foreign /// [`borrow`]: Self::borrow /// [`Arc`]: crate::sync::Arc - unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> Self::BorrowedMut<'a>; + unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> Self::BorrowedMut<'a>; } -impl ForeignOwnable for () { +// SAFETY: The `into_foreign` function returns a pointer that is dangling, but well-aligned. +unsafe impl ForeignOwnable for () { + type PointedTo = (); type Borrowed<'a> = (); type BorrowedMut<'a> = (); - fn into_foreign(self) -> *mut crate::ffi::c_void { + fn into_foreign(self) -> *mut Self::PointedTo { core::ptr::NonNull::dangling().as_ptr() } - unsafe fn from_foreign(_: *mut crate::ffi::c_void) -> Self {} + unsafe fn from_foreign(_: *mut Self::PointedTo) -> Self {} - unsafe fn borrow<'a>(_: *mut crate::ffi::c_void) -> Self::Borrowed<'a> {} - unsafe fn borrow_mut<'a>(_: *mut crate::ffi::c_void) -> Self::BorrowedMut<'a> {} + unsafe fn borrow<'a>(_: *mut Self::PointedTo) -> Self::Borrowed<'a> {} + unsafe fn borrow_mut<'a>(_: *mut Self::PointedTo) -> Self::BorrowedMut<'a> {} } /// Runs a cleanup function/closure when dropped.