@@ -188,6 +188,37 @@ pub trait HrTimerPointer: Sync + Sized {
188188fn start ( self , expires : Ktime ) -> Self :: TimerHandle ;
189189}
190190
191+ /// Unsafe version of [`HrTimerPointer`] for situations where leaking the
192+ /// [`HrTimerHandle`] returned by `start` would be unsound. This is the case for
193+ /// stack allocated timers.
194+ ///
195+ /// Typical implementers are pinned references such as [`Pin<&T>`].
196+ ///
197+ /// # Safety
198+ ///
199+ /// Implementers of this trait must ensure that instances of types implementing
200+ /// [`UnsafeHrTimerPointer`] outlives any associated [`HrTimerPointer::TimerHandle`]
201+ /// instances.
202+ pub unsafe trait UnsafeHrTimerPointer : Sync + Sized {
203+ /// A handle representing a running timer.
204+ ///
205+ /// # Safety
206+ ///
207+ /// If the timer is running, or if the timer callback is executing when the
208+ /// handle is dropped, the drop method of [`Self::TimerHandle`] must not return
209+ /// until the timer is stopped and the callback has completed.
210+ type TimerHandle : HrTimerHandle ;
211+
212+ /// Start the timer after `expires` time units. If the timer was already
213+ /// running, it is restarted at the new expiry time.
214+ ///
215+ /// # Safety
216+ ///
217+ /// Caller promises keep the timer structure alive until the timer is dead.
218+ /// Caller can ensure this by not leaking the returned [`Self::TimerHandle`].
219+ unsafe fn start ( self , expires : Ktime ) -> Self :: TimerHandle ;
220+ }
221+
191222/// Implemented by [`HrTimerPointer`] implementers to give the C timer callback a
192223/// function to call.
193224// This is split from `HrTimerPointer` to make it easier to specify trait bounds.
0 commit comments