The qdev_init_gpio_{in|out} are qdev interfaces, so that it's natural to wrap them as DeviceState's methods in Rust API, which could eliminate unsafe cases in the device lib.
Wrap qdev_init_gpio_{in|out} as methods in a new trait DeviceGPIOImpl. In addition, for qdev_init_gpio_in(), to convert the idiomatic Rust callback into a C-style callback qemu_irq_handler, add a handler pointer member in DeviceGPIOImpl. For any device needs to initialize GPIO in, it needs to define a handler. And for device which just wants to initialize GPIO out, it can leave the GPIO_IRQ_HANDLER as None. Then device could use init_gpio_in() and init_gpio_out() to initialize GPIO in and out, like C code. Note, for qemu_irq_handler, assume the opaque parameter refers to the self DeviceState, and this is enough as for now, as it's the most common case in QEMU. Signed-off-by: Zhao Liu <zhao1....@intel.com> --- rust/qemu-api/src/qdev.rs | 55 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) diff --git a/rust/qemu-api/src/qdev.rs b/rust/qemu-api/src/qdev.rs index 23a06b377b2c..5e6580b6f261 100644 --- a/rust/qemu-api/src/qdev.rs +++ b/rust/qemu-api/src/qdev.rs @@ -4,12 +4,17 @@ //! Bindings to create devices and access device functionality from Rust. -use std::ffi::CStr; +use std::{ + ffi::CStr, + os::raw::{c_int, c_void}, + ptr::{addr_of, NonNull}, +}; pub use bindings::{DeviceClass, DeviceState, Property}; use crate::{ - bindings::{self, Error}, + bindings::{self, qdev_init_gpio_in, qdev_init_gpio_out, Error}, + irq::InterruptSource, qom::{ClassInitImpl, Object, ObjectClass, ObjectType}, qom_isa, vmstate::VMStateDescription, @@ -144,3 +149,49 @@ unsafe impl ObjectType for DeviceState { unsafe { CStr::from_bytes_with_nul_unchecked(bindings::TYPE_DEVICE) }; } qom_isa!(DeviceState: Object); + +/// # Safety +/// +/// We expect the FFI user of this function to pass a valid pointer that +/// can be downcasted to type `T`. We also expect the device is +/// readable/writeable from one thread at any time. +/// +/// Note: Always assume opaque is referred to the self DeviceState, and +/// this is also the most common case in QEMU. +unsafe extern "C" fn rust_irq_handler<T: DeviceGPIOImpl>( + opaque: *mut c_void, + lines_num: c_int, + level: c_int, +) { + // SAFETY: + // the pointer is convertible to a reference + let state = unsafe { NonNull::new(opaque.cast::<T>()).unwrap().as_mut() }; + + T::GPIO_IRQ_HANDLER.unwrap()(state, lines_num as u32, level as u32); +} + +/// Trait that defines the irq handler for GPIO in. +pub trait DeviceGPIOImpl { + const GPIO_IRQ_HANDLER: Option<fn(&mut Self, lines_num: u32, level: u32)> = None; + + fn init_gpio_in(&self, lines_num: u32) + where + Self: Sized, + { + assert!(Self::GPIO_IRQ_HANDLER.is_some()); + + unsafe { + qdev_init_gpio_in( + addr_of!(*self) as *mut _, + Some(rust_irq_handler::<Self>), + lines_num as c_int, + ); + } + } + + fn init_gpio_out(&self, pins: &InterruptSource, lines_num: u32) { + unsafe { + qdev_init_gpio_out(addr_of!(*self) as *mut _, pins.as_ptr(), lines_num as c_int); + } + } +} -- 2.34.1