ndk: Use BorrowedFd and OwnedFd to clarify ownership transitions
#417
Conversation
MarijnS95
force-pushed
the
ownedfd
branch
2 times, most recently
from
a1e3d36 to
3cba71b
Compare
| /// # Safety | ||
| /// The caller should guarantee that this file descriptor remains open after it was added | ||
| /// via [`ForeignLooper::add_fd()`] or [`ForeignLooper::add_fd_with_callback()`]. | ||
| fd: BorrowedFd<'fd>, |
There was a problem hiding this comment.
I will think about this a bit more before merging (cc @rib).
This is an fd the user gave to us (as a BorrowedFd, though) so they're already required to make sure it isn't closed until it is removed from the Looper. Second, as written above the unsafe block that creates this:
// SAFETY: Even though this FD at least shouldn't outlive self, a user could have
// closed it after calling add_fd or add_fd_with_callback.There's barely any relevance to self here; the user can totally keep using their own fd outside the scope of Looper, we really have no clue what its lifetime should be.
Most importantly, let's check if winit can easily handle the lifetime that we've now added to Poll<'fd>.
MarijnS95
force-pushed
the
ownedfd
branch
2 times, most recently
from
080a3b8 to
ddff788
Compare
|
Turns out I made the biggest mistake I could here: by calling Converted this PR to draft for that as I want to test out the new codepaths first before merging this... and while setting up a test-case I ran into more lifetime/reference issues in the NDK 😩. Release will probably be bleeding into next week. |
Some functions consume a file descriptor (will close them on their own regard) or return ownership over a file descriptor (expect the caller to close it), but this is not always clarified in the documentation nor upheld by the caller. Use the new stabilized `BorrowedFd` and `OwnedFd` types since Rust 1.63 to clarify this in the API, noting that `OwnedFd` will instinctively `close()` the file descriptor on drop and doesn't implement `Copy` nor `Clone` (but does provide a `try_clone()` helper using `fcntl()` to create a new owned file descriptor if needed, and if possible by the kernel). For example, while not obvious from `AHardwareBuffer_lock()` docs (though there are hints in the [graphics sync docs]) the source for gralloc buffer locking many function calls down clarifies that the [`acquireFence` is indeed owned and will be closed]. The same [applies to `AImageReader` and its async aquire functions]. [graphics sync docs]: https://source.android.com/docs/core/graphics/sync [`acquireFence` is indeed owned and will be closed]: https://cs.android.com/android/platform/superproject/main/+/refs/heads/main:frameworks/native/libs/ui/Gralloc4.cpp;l=320-323;drc=34edaadf5297f2c066d2cb09a5cc9366dc35b24b [applies to `AImageReader` and its async aquire functions]: https://cs.android.com/android/platform/superproject/main/+/refs/heads/main:frameworks/av/media/ndk/NdkImageReader.cpp;l=498-501;drc=34edaadf5297f2c066d2cb09a5cc9366dc35b24b
|
I managed to test the |
Depends on #416
Some functions consume a file descriptor (will close them on their own regard) or return ownership over a file descriptor (expect the caller to close it), but this is not always clarified in the documentation nor upheld by the caller. Use the new stabilized
BorrowedFdandOwnedFdtypes since Rust 1.63 to clarify this in the API, noting thatOwnedFdwill instinctivelyclose()the file descriptor on drop and doesn't implementCopynorClone(but does provide atry_clone()helper usingfcntl()to create a new owned file descriptor if needed, and if possible by the kernel).For example, while not obvious from
AHardwareBuffer_lock()docs (though there are hints in the graphics sync docs) the source for gralloc buffer locking many function calls down clarifies that theacquireFenceis indeed owned and will be closed. The same applies toAImageReaderand its async aquire functions.