|  | // Protocol Buffers - Google's data interchange format | 
|  | // Copyright 2023 Google LLC.  All rights reserved. | 
|  | // | 
|  | // Use of this source code is governed by a BSD-style | 
|  | // license that can be found in the LICENSE file or at | 
|  | // https://developers.google.com/open-source/licenses/bsd | 
|  |  | 
|  | //! Operating on borrowed data owned by a message is a central concept in | 
|  | //! Protobuf (and Rust in general). The way this is normally accomplished in | 
|  | //! Rust is to pass around references and operate on those. Unfortunately, | 
|  | //! references come with two major drawbacks: | 
|  | //! | 
|  | //! * We must store the value somewhere in the memory to create a reference to | 
|  | //!   it. The value must be readable by a single load. However for Protobuf | 
|  | //!   fields it happens that the actual memory representation of a value differs | 
|  | //!   from what users expect and it is an implementation detail that can change | 
|  | //!   as more optimizations are implemented. For example, rarely accessed | 
|  | //!   `int64` fields can be represented in a packed format with 32 bits for the | 
|  | //!   value in the common case. Or, a single logical value can be spread across | 
|  | //!   multiple memory locations. For example, presence information for all the | 
|  | //!   fields in a protobuf message is centralized in a bitset. | 
|  | //! * We cannot store extra data on the reference that might be necessary for | 
|  | //!   correctly manipulating it (and custom-metadata DSTs do not exist yet in | 
|  | //!   Rust). Concretely, messages, string, bytes, and repeated fields in UPB | 
|  | //!   need to carry around an arena parameter separate from the data pointer to | 
|  | //!   enable mutation (for example adding an element to a repeated field) or | 
|  | //!   potentially to enable optimizations (for example referencing a string | 
|  | //!   value using a Cord-like type instead of copying it if the source and | 
|  | //!   target messages are on the same arena already). Mutable references to | 
|  | //!   messages have one additional drawback: Rust allows users to | 
|  | //!   indiscriminately run a bytewise swap() on mutable references, which could | 
|  | //!   result in pointers to the wrong arena winding up on a message. For | 
|  | //!   example, imagine swapping a submessage across two root messages allocated | 
|  | //!   on distinct arenas A and B; after the swap, the message allocated in A may | 
|  | //!   contain pointers from B by way of the submessage, because the swap does | 
|  | //!   not know to fix up those pointers as needed. The C++ API uses | 
|  | //!   message-owned arenas, and this ends up resembling self-referential types, | 
|  | //!   which need `Pin` in order to be sound. However, `Pin` has much stronger | 
|  | //!   guarantees than we need to uphold. | 
|  | //! | 
|  | //! These drawbacks put the "idiomatic Rust" goal in conflict with the | 
|  | //! "performance", "evolvability", and "safety" goals. Given the project design | 
|  | //! priorities we decided to not use plain Rust references. Instead, we | 
|  | //! implemented the concept of "proxy" types. Proxy types are a reference-like | 
|  | //! indirection between the user and the internal memory representation. | 
|  |  | 
|  | use crate::__internal::{Private, SealedInternal}; | 
|  | use std::fmt::Debug; | 
|  |  | 
|  | /// A type that can be accessed through a reference-like proxy. | 
|  | /// | 
|  | /// An instance of a `Proxied` can be accessed immutably via `Proxied::View`. | 
|  | /// | 
|  | /// All Protobuf field types implement `Proxied`. | 
|  | pub trait Proxied: SealedInternal + AsView<Proxied = Self> + Sized { | 
|  | /// The proxy type that provides shared access to a `T`, like a `&'msg T`. | 
|  | /// | 
|  | /// Most code should use the type alias [`View`]. | 
|  | type View<'msg>: ViewProxy<'msg, Proxied = Self> | 
|  | where | 
|  | Self: 'msg; | 
|  | } | 
|  |  | 
|  | /// A type that can be be accessed through a reference-like proxy. | 
|  | /// | 
|  | /// An instance of a `MutProxied` can be accessed mutably via `MutProxied::Mut` | 
|  | /// and immutably via `MutProxied::View`. | 
|  | /// | 
|  | /// `MutProxied` is implemented by message, map and repeated field types. | 
|  | pub trait MutProxied: SealedInternal + Proxied + AsMut<MutProxied = Self> { | 
|  | /// The proxy type that provides exclusive mutable access to a `T`, like a | 
|  | /// `&'msg mut T`. | 
|  | /// | 
|  | /// Most code should use the type alias [`Mut`]. | 
|  | type Mut<'msg>: MutProxy<'msg, MutProxied = Self> | 
|  | where | 
|  | Self: 'msg; | 
|  | } | 
|  |  | 
|  | /// A proxy type that provides shared access to a `T`, like a `&'msg T`. | 
|  | /// | 
|  | /// This is more concise than fully spelling the associated type. | 
|  | #[allow(dead_code)] | 
|  | pub type View<'msg, T> = <T as Proxied>::View<'msg>; | 
|  |  | 
|  | /// A proxy type that provides exclusive mutable access to a `T`, like a | 
|  | /// `&'msg mut T`. | 
|  | /// | 
|  | /// This is more concise than fully spelling the associated type. | 
|  | #[allow(dead_code)] | 
|  | pub type Mut<'msg, T> = <T as MutProxied>::Mut<'msg>; | 
|  |  | 
|  | /// Used to semantically do a cheap "to-reference" conversion. This is | 
|  | /// implemented on both owned `Proxied` types as well as ViewProxy and MutProxy | 
|  | /// types. | 
|  | /// | 
|  | /// On ViewProxy this will behave as a reborrow into a shorter lifetime. | 
|  | pub trait AsView: SealedInternal { | 
|  | type Proxied: Proxied; | 
|  |  | 
|  | /// Converts a borrow into a `View` with the lifetime of that borrow. | 
|  | /// | 
|  | /// In non-generic code we don't need to use `as_view` because the proxy | 
|  | /// types are covariant over `'msg`. However, generic code conservatively | 
|  | /// treats `'msg` as [invariant], therefore we need to call | 
|  | /// `as_view` to explicitly perform the operation that in concrete code | 
|  | /// coercion would perform implicitly. | 
|  | /// | 
|  | /// For example, the call to `.as_view()` in the following snippet | 
|  | /// wouldn't be necessary in concrete code: | 
|  | /// ```ignore | 
|  | /// fn reborrow<'a, 'b, T>(x: &'b View<'a, T>) -> View<'b, T> | 
|  | /// where 'a: 'b, T: Proxied | 
|  | /// { | 
|  | ///   x.as_view() | 
|  | /// } | 
|  | /// ``` | 
|  | /// | 
|  | /// [invariant]: https://doc.rust-lang.org/nomicon/subtyping.html#variance | 
|  | fn as_view(&self) -> View<'_, Self::Proxied>; | 
|  | } | 
|  |  | 
|  | /// Used to turn another 'borrow' into a ViewProxy. | 
|  | /// | 
|  | /// On a MutProxy this borrows to a View (semantically matching turning a `&mut | 
|  | /// T` into a `&T`). | 
|  | /// | 
|  | /// On a ViewProxy this will behave as a reborrow into a shorter lifetime | 
|  | /// (semantically matching a `&'a T` into a `&'b T` where `'a: 'b`). | 
|  | pub trait IntoView<'msg>: SealedInternal + AsView { | 
|  | /// Converts into a `View` with a potentially shorter lifetime. | 
|  | /// | 
|  | /// In non-generic code we don't need to use `into_view` because the proxy | 
|  | /// types are covariant over `'msg`. However, generic code conservatively | 
|  | /// treats `'msg` as [invariant], therefore we need to call | 
|  | /// `into_view` to explicitly perform the operation that in concrete | 
|  | /// code coercion would perform implicitly. | 
|  | /// | 
|  | /// ```ignore | 
|  | /// fn reborrow_generic_view_into_view<'a, 'b, T>( | 
|  | ///     x: View<'a, T>, | 
|  | ///     y: View<'b, T>, | 
|  | /// ) -> [View<'b, T>; 2] | 
|  | /// where | 
|  | ///     T: MutProxied, | 
|  | ///     'a: 'b, | 
|  | /// { | 
|  | ///     // `[x, y]` fails to compile because `'a` is not the same as `'b` and the `View` | 
|  | ///     // lifetime parameter is (conservatively) invariant. | 
|  | ///     // `[x.as_view(), y]` fails because that borrow cannot outlive `'b`. | 
|  | ///     [x.into_view(), y] | 
|  | /// } | 
|  | /// ``` | 
|  | /// | 
|  | /// [invariant]: https://doc.rust-lang.org/nomicon/subtyping.html#variance | 
|  | fn into_view<'shorter>(self) -> View<'shorter, Self::Proxied> | 
|  | where | 
|  | 'msg: 'shorter; | 
|  | } | 
|  |  | 
|  | /// Used to semantically do a cheap "to-mut-reference" conversion. This is | 
|  | /// implemented on both owned `Proxied` types as well as MutProxy types. | 
|  | /// | 
|  | /// On MutProxy this will behave as a reborrow into a shorter lifetime. | 
|  | pub trait AsMut: SealedInternal + AsView<Proxied = Self::MutProxied> { | 
|  | type MutProxied: MutProxied; | 
|  |  | 
|  | /// Converts a borrow into a `Mut` with the lifetime of that borrow. | 
|  | fn as_mut(&mut self) -> Mut<'_, Self::MutProxied>; | 
|  | } | 
|  |  | 
|  | /// Used to turn another 'borrow' into a MutProxy. | 
|  | /// | 
|  | /// On a MutProxy this will behave as a reborrow into a shorter lifetime | 
|  | /// (semantically matching a `&mut 'a T` into a `&mut 'b T` where `'a: 'b`). | 
|  | pub trait IntoMut<'msg>: SealedInternal + AsMut { | 
|  | /// Converts into a `Mut` with a potentially shorter lifetime. | 
|  | /// | 
|  | /// In non-generic code we don't need to use `into_mut` because the proxy | 
|  | /// types are covariant over `'msg`. However, generic code conservatively | 
|  | /// treats `'msg` as [invariant], therefore we need to call | 
|  | /// `into_mut` to explicitly perform the operation that in concrete code | 
|  | /// coercion would perform implicitly. | 
|  | /// | 
|  | /// ```ignore | 
|  | /// fn reborrow_generic_mut_into_mut<'a, 'b, T>(x: Mut<'a, T>, y: Mut<'b, T>) -> [Mut<'b, T>; 2] | 
|  | /// where | 
|  | ///     T: Proxied, | 
|  | ///     'a: 'b, | 
|  | /// { | 
|  | ///     // `[x, y]` fails to compile because `'a` is not the same as `'b` and the `Mut` | 
|  | ///     // lifetime parameter is (conservatively) invariant. | 
|  | ///     // `[x.as_mut(), y]` fails because that borrow cannot outlive `'b`. | 
|  | ///     [x.into_mut(), y] | 
|  | /// } | 
|  | /// ``` | 
|  | /// | 
|  | /// [invariant]: https://doc.rust-lang.org/nomicon/subtyping.html#variance | 
|  | fn into_mut<'shorter>(self) -> Mut<'shorter, Self::MutProxied> | 
|  | where | 
|  | 'msg: 'shorter; | 
|  | } | 
|  |  | 
|  | /// Declares conversion operations common to all proxies (both views and mut | 
|  | /// proxies). | 
|  | /// | 
|  | /// This trait is intentionally made non-object-safe to prevent a potential | 
|  | /// future incompatible change. | 
|  | pub trait Proxy<'msg>: | 
|  | SealedInternal + 'msg + IntoView<'msg> + Sync + Unpin + Sized + Debug | 
|  | { | 
|  | } | 
|  |  | 
|  | /// Declares conversion operations common to view proxies. | 
|  | pub trait ViewProxy<'msg>: SealedInternal + Proxy<'msg> + Send {} | 
|  |  | 
|  | /// Declares operations common to all mut proxies. | 
|  | /// | 
|  | /// This trait is intentionally made non-object-safe to prevent a potential | 
|  | /// future incompatible change. | 
|  | pub trait MutProxy<'msg>: SealedInternal + Proxy<'msg> + AsMut + IntoMut<'msg> { | 
|  | /// Gets an immutable view of this field. This is shorthand for `as_view`. | 
|  | /// | 
|  | /// This provides a shorter lifetime than `into_view` but can also be called | 
|  | /// multiple times - if the result of `get` is not living long enough | 
|  | /// for your use, use that instead. | 
|  | fn get(&self) -> View<'_, Self::Proxied> { | 
|  | self.as_view() | 
|  | } | 
|  | } | 
|  |  | 
|  | /// A value to `Proxied`-value conversion that consumes the input value. | 
|  | /// | 
|  | /// All setter functions accept types that implement `IntoProxied`. The purpose | 
|  | /// of `IntoProxied` is to allow setting arbitrary values on Protobuf fields | 
|  | /// with the minimal number of copies. | 
|  | /// | 
|  | /// This trait must not be implemented on types outside the Protobuf codegen and | 
|  | /// runtime. We expect it to change in backwards incompatible ways in the | 
|  | /// future. | 
|  | pub trait IntoProxied<T: Proxied> { | 
|  | #[doc(hidden)] | 
|  | fn into_proxied(self, _private: Private) -> T; | 
|  | } | 
|  |  | 
|  | impl<T: Proxied> IntoProxied<T> for T { | 
|  | fn into_proxied(self, _private: Private) -> T { | 
|  | self | 
|  | } | 
|  | } | 
|  |  | 
|  | #[cfg(test)] | 
|  | mod tests { | 
|  | use super::*; | 
|  | use googletest::prelude::*; | 
|  |  | 
|  | #[derive(Debug, Default, PartialEq)] | 
|  | struct MyProxied { | 
|  | val: String, | 
|  | } | 
|  |  | 
|  | impl MyProxied { | 
|  | fn as_view(&self) -> View<'_, Self> { | 
|  | MyProxiedView { my_proxied_ref: self } | 
|  | } | 
|  |  | 
|  | fn as_mut(&mut self) -> Mut<'_, Self> { | 
|  | MyProxiedMut { my_proxied_ref: self } | 
|  | } | 
|  | } | 
|  |  | 
|  | impl SealedInternal for MyProxied {} | 
|  |  | 
|  | impl Proxied for MyProxied { | 
|  | type View<'msg> = MyProxiedView<'msg>; | 
|  | } | 
|  |  | 
|  | impl AsView for MyProxied { | 
|  | type Proxied = Self; | 
|  | fn as_view(&self) -> MyProxiedView<'_> { | 
|  | self.as_view() | 
|  | } | 
|  | } | 
|  |  | 
|  | impl MutProxied for MyProxied { | 
|  | type Mut<'msg> = MyProxiedMut<'msg>; | 
|  | } | 
|  |  | 
|  | impl AsMut for MyProxied { | 
|  | type MutProxied = Self; | 
|  | fn as_mut(&mut self) -> MyProxiedMut<'_> { | 
|  | self.as_mut() | 
|  | } | 
|  | } | 
|  |  | 
|  | #[derive(Debug, Clone, Copy)] | 
|  | struct MyProxiedView<'msg> { | 
|  | my_proxied_ref: &'msg MyProxied, | 
|  | } | 
|  |  | 
|  | impl<'msg> SealedInternal for MyProxiedView<'msg> {} | 
|  |  | 
|  | impl MyProxiedView<'_> { | 
|  | fn val(&self) -> &str { | 
|  | &self.my_proxied_ref.val | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> Proxy<'msg> for MyProxiedView<'msg> {} | 
|  |  | 
|  | impl<'msg> ViewProxy<'msg> for MyProxiedView<'msg> {} | 
|  |  | 
|  | impl<'msg> AsView for MyProxiedView<'msg> { | 
|  | type Proxied = MyProxied; | 
|  |  | 
|  | fn as_view(&self) -> MyProxiedView<'msg> { | 
|  | *self | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> IntoView<'msg> for MyProxiedView<'msg> { | 
|  | fn into_view<'shorter>(self) -> MyProxiedView<'shorter> | 
|  | where | 
|  | 'msg: 'shorter, | 
|  | { | 
|  | self | 
|  | } | 
|  | } | 
|  |  | 
|  | #[derive(Debug)] | 
|  | struct MyProxiedMut<'msg> { | 
|  | my_proxied_ref: &'msg mut MyProxied, | 
|  | } | 
|  |  | 
|  | impl<'msg> SealedInternal for MyProxiedMut<'msg> {} | 
|  |  | 
|  | impl<'msg> Proxy<'msg> for MyProxiedMut<'msg> {} | 
|  |  | 
|  | impl<'msg> AsView for MyProxiedMut<'msg> { | 
|  | type Proxied = MyProxied; | 
|  |  | 
|  | fn as_view(&self) -> MyProxiedView<'_> { | 
|  | MyProxiedView { my_proxied_ref: self.my_proxied_ref } | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> IntoView<'msg> for MyProxiedMut<'msg> { | 
|  | fn into_view<'shorter>(self) -> View<'shorter, MyProxied> | 
|  | where | 
|  | 'msg: 'shorter, | 
|  | { | 
|  | MyProxiedView { my_proxied_ref: self.my_proxied_ref } | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> AsMut for MyProxiedMut<'msg> { | 
|  | type MutProxied = MyProxied; | 
|  |  | 
|  | fn as_mut(&mut self) -> MyProxiedMut<'_> { | 
|  | MyProxiedMut { my_proxied_ref: self.my_proxied_ref } | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> IntoMut<'msg> for MyProxiedMut<'msg> { | 
|  | fn into_mut<'shorter>(self) -> MyProxiedMut<'shorter> | 
|  | where | 
|  | 'msg: 'shorter, | 
|  | { | 
|  | self | 
|  | } | 
|  | } | 
|  |  | 
|  | impl<'msg> MutProxy<'msg> for MyProxiedMut<'msg> {} | 
|  |  | 
|  | #[gtest] | 
|  | fn test_as_view() { | 
|  | let my_proxied = MyProxied { val: "Hello World".to_string() }; | 
|  |  | 
|  | let my_view = my_proxied.as_view(); | 
|  |  | 
|  | assert_that!(my_view.val(), eq(&my_proxied.val)); | 
|  | } | 
|  |  | 
|  | fn reborrow_mut_into_view<'msg>(x: Mut<'msg, MyProxied>) -> View<'msg, MyProxied> { | 
|  | // x.as_view() fails to compile with: | 
|  | //   `ERROR: attempt to return function-local borrowed content` | 
|  | x.into_view() // OK: we return the same lifetime as we got in. | 
|  | } | 
|  |  | 
|  | #[gtest] | 
|  | fn test_mut_into_view() { | 
|  | let mut my_proxied = MyProxied { val: "Hello World".to_string() }; | 
|  | reborrow_mut_into_view(my_proxied.as_mut()); | 
|  | } | 
|  |  | 
|  | fn require_unified_lifetimes<'msg>(_x: Mut<'msg, MyProxied>, _y: View<'msg, MyProxied>) {} | 
|  |  | 
|  | #[gtest] | 
|  | fn test_require_unified_lifetimes() { | 
|  | let mut my_proxied = MyProxied { val: "Hello1".to_string() }; | 
|  | let my_mut = my_proxied.as_mut(); | 
|  |  | 
|  | { | 
|  | let other_proxied = MyProxied { val: "Hello2".to_string() }; | 
|  | let other_view = other_proxied.as_view(); | 
|  | require_unified_lifetimes(my_mut, other_view); | 
|  | } | 
|  | } | 
|  |  | 
|  | fn reborrow_generic_as_view<'a, 'b, T>( | 
|  | x: &'b mut Mut<'a, T>, | 
|  | y: &'b View<'a, T>, | 
|  | ) -> [View<'b, T>; 2] | 
|  | where | 
|  | T: MutProxied, | 
|  | 'a: 'b, | 
|  | { | 
|  | // `[x, y]` fails to compile because `'a` is not the same as `'b` and the `View` | 
|  | // lifetime parameter is (conservatively) invariant. | 
|  | [x.as_view(), y.as_view()] | 
|  | } | 
|  |  | 
|  | #[gtest] | 
|  | fn test_reborrow_generic_as_view() { | 
|  | let mut my_proxied = MyProxied { val: "Hello1".to_string() }; | 
|  | let mut my_mut = my_proxied.as_mut(); | 
|  | let my_ref = &mut my_mut; | 
|  |  | 
|  | { | 
|  | let other_proxied = MyProxied { val: "Hello2".to_string() }; | 
|  | let other_view = other_proxied.as_view(); | 
|  | reborrow_generic_as_view::<MyProxied>(my_ref, &other_view); | 
|  | } | 
|  | } | 
|  |  | 
|  | fn reborrow_generic_view_into_view<'a, 'b, T>( | 
|  | x: View<'a, T>, | 
|  | y: View<'b, T>, | 
|  | ) -> [View<'b, T>; 2] | 
|  | where | 
|  | T: Proxied, | 
|  | 'a: 'b, | 
|  | { | 
|  | // `[x, y]` fails to compile because `'a` is not the same as `'b` and the `View` | 
|  | // lifetime parameter is (conservatively) invariant. | 
|  | // `[x.as_view(), y]` fails because that borrow cannot outlive `'b`. | 
|  | [x.into_view(), y] | 
|  | } | 
|  |  | 
|  | #[gtest] | 
|  | fn test_reborrow_generic_into_view() { | 
|  | let my_proxied = MyProxied { val: "Hello1".to_string() }; | 
|  | let my_view = my_proxied.as_view(); | 
|  |  | 
|  | { | 
|  | let other_proxied = MyProxied { val: "Hello2".to_string() }; | 
|  | let other_view = other_proxied.as_view(); | 
|  | reborrow_generic_view_into_view::<MyProxied>(my_view, other_view); | 
|  | } | 
|  | } | 
|  |  | 
|  | fn reborrow_generic_mut_into_view<'a, 'b, T>(x: Mut<'a, T>, y: View<'b, T>) -> [View<'b, T>; 2] | 
|  | where | 
|  | T: MutProxied, | 
|  | 'a: 'b, | 
|  | { | 
|  | [x.into_view(), y] | 
|  | } | 
|  |  | 
|  | #[gtest] | 
|  | fn test_reborrow_generic_mut_into_view() { | 
|  | let mut my_proxied = MyProxied { val: "Hello1".to_string() }; | 
|  | let my_mut = my_proxied.as_mut(); | 
|  |  | 
|  | { | 
|  | let other_proxied = MyProxied { val: "Hello2".to_string() }; | 
|  | let other_view = other_proxied.as_view(); | 
|  | reborrow_generic_mut_into_view::<MyProxied>(my_mut, other_view); | 
|  | } | 
|  | } | 
|  |  | 
|  | fn reborrow_generic_mut_into_mut<'a, 'b, T>(x: Mut<'a, T>, y: Mut<'b, T>) -> [Mut<'b, T>; 2] | 
|  | where | 
|  | T: MutProxied, | 
|  | 'a: 'b, | 
|  | { | 
|  | // `[x, y]` fails to compile because `'a` is not the same as `'b` and the `Mut` | 
|  | // lifetime parameter is (conservatively) invariant. | 
|  | // `[x.as_mut(), y]` fails because that borrow cannot outlive `'b`. | 
|  | let tmp: Mut<'b, T> = x.into_mut(); | 
|  | [tmp, y] | 
|  | } | 
|  |  | 
|  | #[gtest] | 
|  | fn test_reborrow_generic_mut_into_mut() { | 
|  | let mut my_proxied = MyProxied { val: "Hello1".to_string() }; | 
|  | let my_mut = my_proxied.as_mut(); | 
|  |  | 
|  | { | 
|  | let mut other_proxied = MyProxied { val: "Hello2".to_string() }; | 
|  | let other_mut = other_proxied.as_mut(); | 
|  | // No need to reborrow, even though lifetime of &other_view is different | 
|  | // than the lifetiem of my_ref. Rust references are covariant over their | 
|  | // lifetime. | 
|  | reborrow_generic_mut_into_mut::<MyProxied>(my_mut, other_mut); | 
|  | } | 
|  | } | 
|  | } |