rust-raspberrypi-OS-tutorials/05_safe_globals
2019-10-27 23:12:09 +01:00
..
.vscode Tiny rustfmt and vscode changes 2019-10-27 23:11:51 +01:00
src Defer BSP driver init to BSP code 2019-10-27 23:11:56 +01:00
.rustfmt.toml Tiny rustfmt and vscode changes 2019-10-27 23:11:51 +01:00
Cargo.lock Add code for tutorial 05 2019-10-27 23:10:58 +01:00
Cargo.toml Add code for tutorial 05 2019-10-27 23:10:58 +01:00
kernel Big restructuring for more modularity 2019-10-27 23:11:52 +01:00
kernel8.img Add code for tutorial 05 2019-10-27 23:10:58 +01:00
Makefile Add code for tutorial 05 2019-10-27 23:10:58 +01:00
README.md Add write_char() function early 2019-10-27 23:12:09 +01:00

Tutorial 05 - Safe Globals

A slightly longer tl;dr

When we introduced the globally usable print! macros in tutorial 03, we cheated a bit. Calling core::fmt's write_fmt() function, which takes an &mut self, was only working because on each call, a new instance of QEMUOutput was created.

If we would want to preserve some state, e.g. statistics about the number of characters written, we need to make a single global instance of QEMUOutput (in Rust, using the static keyword).

A static QEMU_OUTPUT, however, would not allow to call functions taking &mut self. For that, we would need a static mut, but calling functions that mutate state on static muts is unsafe. The Rust compiler's reasoning for this is that it can then not prevent anymore that multiple cores/threads are mutating the data concurrently (it is a global, so everyone can reference it from anywhere. The borrow checker can't help here).

The solution to this problem is to wrap the global into a synchronization primitive. In our case, a variant of a MUTual EXclusion primivite. Mutex is introduced as a trait in interfaces.rs, and implemented by the name of NullLock in sync.rs in the arch folder. For teaching purposes, to make the code lean, it leaves out the actual architecture-specific logic for protection against concurrent access, since we don't need it as long as the kernel only executes on a single core with interrupts disabled.

Instead, it focuses on showcasing the Rust core concept of interior mutability. Make sure to read up on it. I also recommend to read this article about an accurate mental model for Rust's reference types.

If you want to compare the NullLock to some real-world mutex implementations, you can check out implemntations in the spin crate or the parking lot crate.

Diff to previous


diff -uNr 04_zero_overhead_abstraction/src/arch/aarch64/sync.rs 05_safe_globals/src/arch/aarch64/sync.rs
--- 04_zero_overhead_abstraction/src/arch/aarch64/sync.rs
+++ 05_safe_globals/src/arch/aarch64/sync.rs
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright (c) 2018-2019 Andre Richter <andre.o.richter@gmail.com>
+
+//! Synchronization primitives.
+
+use crate::interface;
+use core::cell::UnsafeCell;
+
+/// A pseudo-lock for teaching purposes.
+///
+/// Used to introduce [interior mutability].
+///
+/// In contrast to a real Mutex implementation, does not protect against
+/// concurrent access to the contained data. This part is preserved for later
+/// lessons.
+///
+/// The lock will only be used as long as it is safe to do so, i.e. as long as
+/// the kernel is executing single-threaded, aka only running on a single core
+/// with interrupts disabled.
+///
+/// [interior mutability]: https://doc.rust-lang.org/std/cell/index.html
+pub struct NullLock<T: ?Sized> {
+    data: UnsafeCell<T>,
+}
+
+unsafe impl<T: ?Sized + Send> Send for NullLock<T> {}
+unsafe impl<T: ?Sized + Send> Sync for NullLock<T> {}
+
+impl<T> NullLock<T> {
+    pub const fn new(data: T) -> NullLock<T> {
+        NullLock {
+            data: UnsafeCell::new(data),
+        }
+    }
+}
+
+impl<T> interface::sync::Mutex for &NullLock<T> {
+    type Data = T;
+
+    fn lock<R>(&mut self, f: impl FnOnce(&mut Self::Data) -> R) -> R {
+        // In a real lock, there would be code encapsulating this line that
+        // ensures that this mutable reference will ever only be given out once
+        // at a time.
+        f(unsafe { &mut *self.data.get() })
+    }
+}

diff -uNr 04_zero_overhead_abstraction/src/arch/aarch64.rs 05_safe_globals/src/arch/aarch64.rs
--- 04_zero_overhead_abstraction/src/arch/aarch64.rs
+++ 05_safe_globals/src/arch/aarch64.rs
@@ -4,6 +4,8 @@

 //! AArch64.

+pub mod sync;
+
 use crate::bsp;
 use cortex_a::{asm, regs::*};


diff -uNr 04_zero_overhead_abstraction/src/bsp/rpi3.rs 05_safe_globals/src/bsp/rpi3.rs
--- 04_zero_overhead_abstraction/src/bsp/rpi3.rs
+++ 05_safe_globals/src/bsp/rpi3.rs
@@ -4,39 +4,115 @@

 //! Board Support Package for the Raspberry Pi 3.

-use crate::interface;
+use crate::{arch::sync::NullLock, interface};
 use core::fmt;

 pub const BOOT_CORE_ID: u64 = 0;
 pub const BOOT_CORE_STACK_START: u64 = 0x80_000;

 /// A mystical, magical device for generating QEMU output out of the void.
-struct QEMUOutput;
+///
+/// The mutex protected part.
+struct QEMUOutputInner {
+    chars_written: usize,
+}
+
+impl QEMUOutputInner {
+    const fn new() -> QEMUOutputInner {
+        QEMUOutputInner { chars_written: 0 }
+    }
+
+    /// Send a character.
+    fn write_char(&mut self, c: char) {
+        unsafe {
+            core::ptr::write_volatile(0x3F21_5040 as *mut u8, c as u8);
+        }
+    }
+}

-/// Implementing `console::Write` enables usage of the `format_args!` macros,
+/// Implementing `core::fmt::Write` enables usage of the `format_args!` macros,
 /// which in turn are used to implement the `kernel`'s `print!` and `println!`
-/// macros.
+/// macros. By implementing `write_str()`, we get `write_fmt()` automatically.
+///
+/// The function takes an `&mut self`, so it must be implemented for the inner
+/// struct.
 ///
 /// See [`src/print.rs`].
 ///
 /// [`src/print.rs`]: ../../print/index.html
-impl interface::console::Write for QEMUOutput {
+impl fmt::Write for QEMUOutputInner {
     fn write_str(&mut self, s: &str) -> fmt::Result {
         for c in s.chars() {
-            unsafe {
-                core::ptr::write_volatile(0x3F21_5040 as *mut u8, c as u8);
+            // Convert newline to carrige return + newline.
+            if c == '
' {
+                self.write_char('
')
             }
+
+            self.write_char(c);
         }

+        self.chars_written += s.len();
+
         Ok(())
     }
 }

 ////////////////////////////////////////////////////////////////////////////////
+// BSP-public
+////////////////////////////////////////////////////////////////////////////////
+
+/// The main struct.
+pub struct QEMUOutput {
+    inner: NullLock<QEMUOutputInner>,
+}
+
+impl QEMUOutput {
+    pub const fn new() -> QEMUOutput {
+        QEMUOutput {
+            inner: NullLock::new(QEMUOutputInner::new()),
+        }
+    }
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// OS interface implementations
+////////////////////////////////////////////////////////////////////////////////
+
+/// Passthrough of `args` to the `core::fmt::Write` implementation, but guarded
+/// by a Mutex to serialize access.
+impl interface::console::Write for QEMUOutput {
+    fn write_fmt(&self, args: core::fmt::Arguments) -> fmt::Result {
+        use interface::sync::Mutex;
+
+        // Fully qualified syntax for the call to
+        // `core::fmt::Write::write:fmt()` to increase readability.
+        let mut r = &self.inner;
+        r.lock(|inner| fmt::Write::write_fmt(inner, args))
+    }
+}
+
+impl interface::console::Read for QEMUOutput {}
+
+impl interface::console::Statistics for QEMUOutput {
+    fn chars_written(&self) -> usize {
+        use interface::sync::Mutex;
+
+        let mut r = &self.inner;
+        r.lock(|inner| inner.chars_written)
+    }
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// Global instances
+////////////////////////////////////////////////////////////////////////////////
+
+static QEMU_OUTPUT: QEMUOutput = QEMUOutput::new();
+
+////////////////////////////////////////////////////////////////////////////////
 // Implementation of the kernel's BSP calls
 ////////////////////////////////////////////////////////////////////////////////

-/// Returns a ready-to-use `console::Write` implementation.
-pub fn console() -> impl interface::console::Write {
-    QEMUOutput {}
+/// Return a reference to a `console::All` implementation.
+pub fn console() -> &'static impl interface::console::All {
+    &QEMU_OUTPUT
 }

diff -uNr 04_zero_overhead_abstraction/src/bsp.rs 05_safe_globals/src/bsp.rs
--- 04_zero_overhead_abstraction/src/bsp.rs
+++ 05_safe_globals/src/bsp.rs
@@ -5,7 +5,7 @@
 //! Conditional exporting of Board Support Packages.

 #[cfg(feature = "bsp_rpi3")]
-pub mod rpi3;
+mod rpi3;

 #[cfg(feature = "bsp_rpi3")]
 pub use rpi3::*;

diff -uNr 04_zero_overhead_abstraction/src/interface.rs 05_safe_globals/src/interface.rs
--- 04_zero_overhead_abstraction/src/interface.rs
+++ 05_safe_globals/src/interface.rs
@@ -20,17 +20,68 @@

 /// System console operations.
 pub mod console {
+    use core::fmt;
+
     /// Console write functions.
-    ///
-    /// `core::fmt::Write` is exactly what we need for now. Re-export it here
-    /// because implementing `console::Write` gives a better hint to the reader
-    /// about the intention.
-    pub use core::fmt::Write;
+    pub trait Write {
+        fn write_fmt(&self, args: fmt::Arguments) -> fmt::Result;
+    }

     /// Console read functions.
     pub trait Read {
-        fn read_char(&mut self) -> char {
+        fn read_char(&self) -> char {
             ' '
         }
     }
+
+    /// Console statistics.
+    pub trait Statistics {
+        /// Return the number of characters written.
+        fn chars_written(&self) -> usize {
+            0
+        }
+
+        /// Return the number of characters read.
+        fn chars_read(&self) -> usize {
+            0
+        }
+    }
+
+    /// Trait alias for a full-fledged console.
+    pub trait All = Write + Read + Statistics;
+}
+
+/// Synchronization primitives.
+pub mod sync {
+    /// Any object implementing this trait guarantees exclusive access to the
+    /// data contained within the mutex for the duration of the lock.
+    ///
+    /// The trait follows the [Rust embedded WG's
+    /// proposal](https://github.com/korken89/wg/blob/master/rfcs/0377-mutex-trait.md)
+    /// and therefore provides some goodness such as [deadlock
+    /// prevention](https://github.com/korken89/wg/blob/master/rfcs/0377-mutex-trait.md#design-decisions-and-compatibility).
+    ///
+    /// # Example
+    ///
+    /// Since the lock function takes an `&mut self` to enable
+    /// deadlock-prevention, the trait is best implemented **for a reference to
+    /// a container struct**, and has a usage pattern that might feel strange at
+    /// first:
+    ///
+    /// ```
+    /// static MUT: Mutex<RefCell<i32>> = Mutex::new(RefCell::new(0));
+    ///
+    /// fn foo() {
+    ///     let mut r = &MUT; // Note that r is mutable
+    ///     r.lock(|data| *data += 1);
+    /// }
+    /// ```
+    pub trait Mutex {
+        /// Type of data encapsulated by the mutex.
+        type Data;
+
+        /// Creates a critical section and grants temporary mutable access to
+        /// the encapsulated data.
+        fn lock<R>(&mut self, f: impl FnOnce(&mut Self::Data) -> R) -> R;
+    }
 }

diff -uNr 04_zero_overhead_abstraction/src/main.rs 05_safe_globals/src/main.rs
--- 04_zero_overhead_abstraction/src/main.rs
+++ 05_safe_globals/src/main.rs
@@ -15,6 +15,7 @@

 #![feature(format_args_nl)]
 #![feature(panic_info_message)]
+#![feature(trait_alias)]
 #![no_main]
 #![no_std]

@@ -35,8 +36,12 @@

 /// Entrypoint of the `kernel`.
 fn kernel_entry() -> ! {
+    use interface::console::Statistics;
+
     println!("[0] Hello from pure Rust!");

-    println!("[1] Stopping here.");
+    println!("[1] Chars written: {}", bsp::console().chars_written());
+
+    println!("[2] Stopping here.");
     arch::wait_forever()
 }