indexbus_core/internal/

state.rs

//! State-stream publisher/reader algorithms.
//!
//! The state layout uses a sequence-parity protocol:
//! - writer increments `seq` to odd (write in progress)
//! - writes bytes + publishes `len`
//! - writer increments `seq` to even (stable)
//!
//! Readers only accept snapshots where `seq` is even and unchanged across the read.
use core::cell::UnsafeCell;
use core::sync::atomic::{AtomicU64, Ordering};

use indexbus_abi::layouts::state::StateLayout;

use crate::internal::atomics::{atomic_u32, atomic_u64};
use crate::{internal, Error};

/// `StateLayout` wrapper that explicitly opts into interior mutability.
///
/// The v1 state layout is designed for concurrent mutation through atomics and raw pointers.
/// Rust requires such mutation through a shared reference to be mediated by [`UnsafeCell`].
#[repr(transparent)]
pub struct StateLayoutCell<const STATE_MAX: usize>(UnsafeCell<StateLayout<STATE_MAX>>);

impl<const STATE_MAX: usize> StateLayoutCell<STATE_MAX> {
    /// Borrow a `StateLayoutCell` view over a uniquely-mutable `StateLayout`.
    #[inline]
    pub fn from_mut(inner: &mut StateLayout<STATE_MAX>) -> &StateLayoutCell<STATE_MAX> {
        // Safety: `StateLayoutCell` is `repr(transparent)` over `UnsafeCell<StateLayout<_>>`, and
        // `UnsafeCell<T>` is `repr(transparent)` over `T`.
        unsafe { &*(inner as *mut StateLayout<STATE_MAX> as *const StateLayoutCell<STATE_MAX>) }
    }

    /// Borrow a `StateLayoutCell` view over a raw pointer.
    ///
    /// # Safety
    /// `ptr` must be valid for reads/writes for the lifetime `'a`.
    #[inline]
    pub unsafe fn from_ptr<'a>(ptr: *mut StateLayout<STATE_MAX>) -> &'a StateLayoutCell<STATE_MAX> {
        unsafe { &*(ptr as *const StateLayoutCell<STATE_MAX>) }
    }

    #[inline]
    fn as_ptr(&self) -> *mut StateLayout<STATE_MAX> {
        self.0.get()
    }
}

/// Publisher handle for a state layout.
///
/// ## Contract
///
/// - Intended for a single writer.
/// - Each call to [`StatePublisher::publish`] overwrites the entire state value.
/// - Publication uses the v1 parity protocol: readers should only accept snapshots observed at
///   an even `seq` before and after the read.
pub struct StatePublisher<const STATE_MAX: usize> {
    inner: *mut StateLayout<STATE_MAX>,
}

/// Reader handle for a state layout.
///
/// Readers use the parity protocol to avoid torn reads: they only return a snapshot if `seq`
/// was even and unchanged across the read.
pub struct StateReader<const STATE_MAX: usize> {
    inner: *mut StateLayout<STATE_MAX>,
}

// Thread-safety notes:
// - Handles are thin wrappers around a raw pointer to a shared-memory mapping. The caller must
//   ensure the mapped memory outlives all handles.
// - `StatePublisher` is intended for a single writer thread at a time.
// - `StateReader` only performs atomic loads + raw memory copies and may be used concurrently.
unsafe impl<const STATE_MAX: usize> Send for StatePublisher<STATE_MAX> {}
unsafe impl<const STATE_MAX: usize> Send for StateReader<STATE_MAX> {}
unsafe impl<const STATE_MAX: usize> Sync for StateReader<STATE_MAX> {}

impl<const STATE_MAX: usize> StatePublisher<STATE_MAX> {
    #[inline]
    /// Create a publisher over a mapped layout without validating it.
    ///
    /// Prefer `try_new` when constructing from an untrusted mapping.
    pub fn new(inner: &StateLayoutCell<STATE_MAX>) -> Self {
        Self {
            inner: inner.as_ptr(),
        }
    }

    /// Create a publisher after validating the mapped layout.
    #[inline]
    pub fn try_new(inner: &StateLayoutCell<STATE_MAX>) -> Result<Self, Error> {
        let ptr = inner.as_ptr();
        internal::validate::validate_state_layout::<STATE_MAX>(unsafe { &*ptr })?;
        Ok(Self { inner: ptr })
    }

    /// Overwrite the current state and return the new stable sequence number.
    ///
    /// On success, the returned `seq` is even and can be used by readers as a monotonic marker.
    ///
    /// # Errors
    ///
    /// Returns `Err(required_len)` when `bytes.len() > STATE_MAX`. No bytes are published in
    /// this case.
    pub fn publish(&self, bytes: &[u8]) -> Result<u64, usize> {
        if bytes.len() > STATE_MAX {
            return Err(bytes.len());
        }

        // Make seq odd (writer in progress).
        let inner = self.inner;
        let seq0 = unsafe { atomic_u64(&(*inner).seq) }.fetch_add(1, Ordering::SeqCst) + 1;
        debug_assert!(seq0 % 2 == 1);

        // Publish payload using atomic word stores to avoid data races.
        //
        // Using per-byte atomics is Miri-clean but can allow a reader to observe a mixed snapshot
        // while also observing a stable `seq` (due to weak ordering between independent atomics).
        // Writing/reading the payload via `AtomicU64` words with `SeqCst` ordering keeps the
        // seqlock-style protocol reliable under Miri's memory model.
        unsafe {
            let dst_u8 = core::ptr::addr_of_mut!((*inner).data).cast::<u8>();
            debug_assert_eq!(dst_u8.align_offset(core::mem::align_of::<AtomicU64>()), 0);
            let dst = dst_u8.cast::<AtomicU64>();

            let full_words = bytes.len() / 8;
            for i in 0..full_words {
                let mut chunk = [0u8; 8];
                chunk.copy_from_slice(&bytes[i * 8..i * 8 + 8]);
                (*dst.add(i)).store(u64::from_le_bytes(chunk), Ordering::SeqCst);
            }

            let rem = bytes.len() % 8;
            if rem != 0 {
                let mut chunk = [0u8; 8];
                chunk[..rem].copy_from_slice(&bytes[full_words * 8..]);
                (*dst.add(full_words)).store(u64::from_le_bytes(chunk), Ordering::SeqCst);
            }
        }

        unsafe { atomic_u32(&(*inner).len) }.store(bytes.len() as u32, Ordering::SeqCst);

        // Make seq even (stable).
        let seq1 = unsafe { atomic_u64(&(*inner).seq) }.fetch_add(1, Ordering::SeqCst) + 1;
        debug_assert!(seq1 % 2 == 0);

        Ok(seq1)
    }
}

impl<const STATE_MAX: usize> StateReader<STATE_MAX> {
    #[inline]
    /// Create a reader over a mapped layout without validating it.
    ///
    /// Prefer `try_new` when constructing from an untrusted mapping.
    pub fn new(inner: &StateLayoutCell<STATE_MAX>) -> Self {
        Self {
            inner: inner.as_ptr(),
        }
    }

    /// Create a reader after validating the mapped layout.
    #[inline]
    pub fn try_new(inner: &StateLayoutCell<STATE_MAX>) -> Result<Self, Error> {
        let ptr = inner.as_ptr();
        internal::validate::validate_state_layout::<STATE_MAX>(unsafe { &*ptr })?;
        Ok(Self { inner: ptr })
    }

    /// Load the latest stable state snapshot into `out`.
    ///
    /// Returns `Ok(None)` when:
    /// - there is no published state yet (`len == 0`)
    /// - a writer is in progress (odd `seq`)
    /// - a write raced with the read (sequence changed)
    ///
    /// # Errors
    ///
    /// Returns `Err(required_len)` when `out` is too small to hold the current snapshot.
    pub fn try_load_into(&self, out: &mut [u8]) -> Result<Option<(usize, u64)>, usize> {
        let inner = self.inner;
        let seq0 = unsafe { atomic_u64(&(*inner).seq) }.load(Ordering::SeqCst);
        if seq0 % 2 == 1 {
            return Ok(None);
        }

        let len = unsafe { atomic_u32(&(*inner).len) }.load(Ordering::SeqCst) as usize;
        if len == 0 {
            return Ok(None);
        }
        if out.len() < len {
            return Err(len);
        }

        // Load payload using atomic word loads to avoid data races.
        unsafe {
            let src_u8 = core::ptr::addr_of!((*inner).data).cast::<u8>();
            debug_assert_eq!(src_u8.align_offset(core::mem::align_of::<AtomicU64>()), 0);
            let src = src_u8.cast::<AtomicU64>();

            let full_words = len / 8;
            for i in 0..full_words {
                let word = (*src.add(i)).load(Ordering::SeqCst);
                out[i * 8..i * 8 + 8].copy_from_slice(&word.to_le_bytes());
            }

            let rem = len % 8;
            if rem != 0 {
                let word = (*src.add(full_words)).load(Ordering::SeqCst);
                out[full_words * 8..len].copy_from_slice(&word.to_le_bytes()[..rem]);
            }
        }

        let seq1 = unsafe { atomic_u64(&(*inner).seq) }.load(Ordering::SeqCst);
        if seq1 == seq0 && seq1 % 2 == 0 {
            Ok(Some((len, seq1)))
        } else {
            Ok(None)
        }
    }
}