diff options
| author | Andreas Hindborg <a.hindborg@kernel.org> | 2025-09-02 11:54:58 +0200 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2025-09-02 05:23:56 -0600 |
| commit | cdde7a1951ff0600adc45718ba251559e4d3fd7c (patch) | |
| tree | f8f4d0925b590b6b4cb49dbd5af1b26d2f46c1e7 /rust/kernel | |
| parent | 8c5ac71cf19bc8a2ad5bc905d1fd3191d887d469 (diff) | |
rust: str: introduce `NullTerminatedFormatter`
Add `NullTerminatedFormatter`, a formatter that writes a null terminated
string to an array or slice buffer. Because this type needs to manage the
trailing null marker, the existing formatters cannot be used to implement
this type.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Link: https://lore.kernel.org/r/20250902-rnull-up-v6-16-v7-4-b5212cc89b98@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'rust/kernel')
| -rw-r--r-- | rust/kernel/str.rs | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs index 46cdc85dad63..d8326f7bc9c1 100644 --- a/rust/kernel/str.rs +++ b/rust/kernel/str.rs @@ -871,6 +871,55 @@ impl fmt::Write for Formatter<'_> { } } +/// A mutable reference to a byte buffer where a string can be written into. +/// +/// The buffer will be automatically null terminated after the last written character. +/// +/// # Invariants +/// +/// * The first byte of `buffer` is always zero. +/// * The length of `buffer` is at least 1. +pub(crate) struct NullTerminatedFormatter<'a> { + buffer: &'a mut [u8], +} + +impl<'a> NullTerminatedFormatter<'a> { + /// Create a new [`Self`] instance. + #[expect(dead_code)] + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> { + *(buffer.first_mut()?) = 0; + + // INVARIANT: + // - We wrote zero to the first byte above. + // - If buffer was not at least length 1, `buffer.first_mut()` would return None. + Some(Self { buffer }) + } +} + +impl Write for NullTerminatedFormatter<'_> { + fn write_str(&mut self, s: &str) -> fmt::Result { + let bytes = s.as_bytes(); + let len = bytes.len(); + + // We want space for a zero. By type invariant, buffer length is always at least 1, so no + // underflow. + if len > self.buffer.len() - 1 { + return Err(fmt::Error); + } + + let buffer = core::mem::take(&mut self.buffer); + // We break the zero start invariant for a short while. + buffer[..len].copy_from_slice(bytes); + // INVARIANT: We checked above that buffer will have size at least 1 after this assignment. + self.buffer = &mut buffer[len..]; + + // INVARIANT: We write zero to the first byte of the buffer. + self.buffer[0] = 0; + + Ok(()) + } +} + /// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end. /// /// Used for interoperability with kernel APIs that take C strings. |