Unify lazy atomics in entropy backends

Replace ad-hoc atomic lazy caches with shared lazy helpers in the
Linux/Android fallback, NetBSD, RDRAND, and RNDR backends. Add `LazyPtr`
alongside `LazyUsize` and `LazyBool` so pointer and boolean caches use
the same initialization contract.

This reduces duplicated cache logic and keeps backend probing/fallback
semantics aligned while preserving the existing retry-until-cached
behavior.

Author: tamird

src/backends/linux_android_with_fallback.rs

@@ -4,8 +4,7 @@ use crate::Error;
 use core::{
     ffi::c_void,
     mem::{MaybeUninit, transmute},
-    ptr::NonNull,
-    sync::atomic::{AtomicPtr, Ordering},
+    ptr,
 };
 use use_file::utils;
 
@@ -15,57 +14,48 @@ type GetRandomFn = unsafe extern "C" fn(*mut c_void, libc::size_t, libc::c_uint)
 
 /// Sentinel value which indicates that `libc::getrandom` either not available,
 /// or not supported by kernel.
-const NOT_AVAILABLE: NonNull<c_void> = unsafe { NonNull::new_unchecked(usize::MAX as *mut c_void) };
-
-static GETRANDOM_FN: AtomicPtr<c_void> = AtomicPtr::new(core::ptr::null_mut());
+const NOT_AVAILABLE: *mut c_void = usize::MAX as *mut c_void;
 
 #[cold]
 #[inline(never)]
-fn init() -> NonNull<c_void> {
+fn init() -> *mut c_void {
     // Use static linking to `libc::getrandom` on MUSL targets and `dlsym` everywhere else
     #[cfg(not(target_env = "musl"))]
-    let raw_ptr = {
-        static NAME: &[u8] = b"getrandom\0";
-        let name_ptr = NAME.as_ptr().cast::<libc::c_char>();
-        unsafe { libc::dlsym(libc::RTLD_DEFAULT, name_ptr) }
-    };
+    let fptr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, c"getrandom".as_ptr()) };
     #[cfg(target_env = "musl")]
-    let raw_ptr = {
+    let fptr = {
         let fptr: GetRandomFn = libc::getrandom;
         unsafe { transmute::<GetRandomFn, *mut c_void>(fptr) }
     };
 
-    let res_ptr = match NonNull::new(raw_ptr) {
-        Some(fptr) => {
-            let getrandom_fn = unsafe { transmute::<NonNull<c_void>, GetRandomFn>(fptr) };
-            let dangling_ptr = NonNull::dangling().as_ptr();
-            // Check that `getrandom` syscall is supported by kernel
-            let res = unsafe { getrandom_fn(dangling_ptr, 0, 0) };
-            if cfg!(getrandom_test_linux_fallback) {
-                NOT_AVAILABLE
-            } else if res.is_negative() {
-                match utils::get_errno() {
-                    libc::ENOSYS => NOT_AVAILABLE, // No kernel support
-                    // The fallback on EPERM is intentionally not done on Android since this workaround
-                    // seems to be needed only for specific Linux-based products that aren't based
-                    // on Android. See https://github.com/rust-random/getrandom/issues/229.
-                    #[cfg(target_os = "linux")]
-                    libc::EPERM => NOT_AVAILABLE, // Blocked by seccomp
-                    _ => fptr,
-                }
-            } else {
-                fptr
+    let res_ptr = if !fptr.is_null() {
+        let getrandom_fn = unsafe { transmute::<*mut c_void, GetRandomFn>(fptr) };
+        // Check that `getrandom` syscall is supported by kernel
+        let res = unsafe { getrandom_fn(ptr::dangling_mut(), 0, 0) };
+        if cfg!(getrandom_test_linux_fallback) {
+            NOT_AVAILABLE
+        } else if res.is_negative() {
+            match utils::get_errno() {
+                libc::ENOSYS => NOT_AVAILABLE, // No kernel support
+                // The fallback on EPERM is intentionally not done on Android since this workaround
+                // seems to be needed only for specific Linux-based products that aren't based
+                // on Android. See https://github.com/rust-random/getrandom/issues/229.
+                #[cfg(target_os = "linux")]
+                libc::EPERM => NOT_AVAILABLE, // Blocked by seccomp
+                _ => fptr,
             }
+        } else {
+            fptr
         }
-        None => NOT_AVAILABLE,
+    } else {
+        NOT_AVAILABLE
     };
 
     #[cfg(getrandom_test_linux_without_fallback)]
     if res_ptr == NOT_AVAILABLE {
         panic!("Fallback is triggered with enabled `getrandom_test_linux_without_fallback`")
     }
 
-    GETRANDOM_FN.store(res_ptr.as_ptr(), Ordering::Release);
     res_ptr
 }
 
@@ -77,23 +67,17 @@ fn use_file_fallback(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
 
 #[inline]
 pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
-    // Despite being only a single atomic variable, we still cannot always use
-    // Ordering::Relaxed, as we need to make sure a successful call to `init`
-    // is "ordered before" any data read through the returned pointer (which
-    // occurs when the function is called). Our implementation mirrors that of
-    // the one in libstd, meaning that the use of non-Relaxed operations is
-    // probably unnecessary.
-    let raw_ptr = GETRANDOM_FN.load(Ordering::Acquire);
-    let fptr = match NonNull::new(raw_ptr) {
-        Some(p) => p,
-        None => init(),
-    };
+    #[path = "../utils/lazy.rs"]
+    mod lazy;
+
+    static GETRANDOM_FN: lazy::LazyPtr<c_void> = lazy::LazyPtr::new();
+    let fptr = GETRANDOM_FN.unsync_init(init);
 
     if fptr == NOT_AVAILABLE {
         use_file_fallback(dest)
     } else {
         // note: `transmute` is currently the only way to convert a pointer into a function reference
-        let getrandom_fn = unsafe { transmute::<NonNull<c_void>, GetRandomFn>(fptr) };
+        let getrandom_fn = unsafe { transmute::<*mut c_void, GetRandomFn>(fptr) };
         utils::sys_fill_exact(dest, |buf| unsafe {
             getrandom_fn(buf.as_mut_ptr().cast(), buf.len(), 0)
         })

src/backends/netbsd.rs

@@ -9,7 +9,6 @@ use core::{
     ffi::c_void,
     mem::{self, MaybeUninit},
     ptr,
-    sync::atomic::{AtomicPtr, Ordering},
 };
 
 pub use crate::util::{inner_u32, inner_u64};
@@ -42,35 +41,27 @@ unsafe extern "C" fn polyfill_using_kern_arand(
 
 type GetRandomFn = unsafe extern "C" fn(*mut c_void, libc::size_t, libc::c_uint) -> libc::ssize_t;
 
-static GETRANDOM: AtomicPtr<c_void> = AtomicPtr::new(ptr::null_mut());
-
 #[cold]
 #[inline(never)]
 fn init() -> *mut c_void {
-    static NAME: &[u8] = b"getrandom\0";
-    let name_ptr = NAME.as_ptr().cast::<libc::c_char>();
-    let mut ptr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, name_ptr) };
+    let ptr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, c"getrandom".as_ptr()) };
     if ptr.is_null() || cfg!(getrandom_test_netbsd_fallback) {
         // Verify `polyfill_using_kern_arand` has the right signature.
         const POLYFILL: GetRandomFn = polyfill_using_kern_arand;
-        ptr = POLYFILL as *mut c_void;
+        POLYFILL as *mut c_void
+    } else {
+        ptr
     }
-    GETRANDOM.store(ptr, Ordering::Release);
-    ptr
 }
 
 #[inline]
 pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
-    // Despite being only a single atomic variable, we still cannot always use
-    // Ordering::Relaxed, as we need to make sure a successful call to `init`
-    // is "ordered before" any data read through the returned pointer (which
-    // occurs when the function is called). Our implementation mirrors that of
-    // the one in libstd, meaning that the use of non-Relaxed operations is
-    // probably unnecessary.
-    let mut fptr = GETRANDOM.load(Ordering::Acquire);
-    if fptr.is_null() {
-        fptr = init();
-    }
+    #[path = "../utils/lazy.rs"]
+    mod lazy;
+
+    static GETRANDOM_FN: lazy::LazyPtr<c_void> = lazy::LazyPtr::new();
+
+    let fptr = GETRANDOM_FN.unsync_init(init);
     let fptr = unsafe { mem::transmute::<*mut c_void, GetRandomFn>(fptr) };
     utils::sys_fill_exact(dest, |buf| unsafe {
         fptr(buf.as_mut_ptr().cast::<c_void>(), buf.len(), 0)

src/backends/rdrand.rs

@@ -2,9 +2,6 @@
 use crate::{Error, util::slice_as_uninit};
 use core::mem::{MaybeUninit, size_of};
 
-#[path = "../utils/lazy.rs"]
-mod lazy;
-
 #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))]
 compile_error!("`rdrand` backend can be enabled only for x86 and x86-64 targets!");
 
@@ -20,8 +17,6 @@ cfg_if! {
     }
 }
 
-static RDRAND_GOOD: lazy::LazyBool = lazy::LazyBool::new();
-
 // Recommendation from "Intel® Digital Random Number Generator (DRNG) Software
 // Implementation Guide" - Section 5.2.1 and "Intel® 64 and IA-32 Architectures
 // Software Developer’s Manual" - Volume 1 - Section 7.3.17.1.
@@ -73,46 +68,53 @@ fn self_test() -> bool {
 }
 
 fn is_rdrand_good() -> bool {
-    #[cfg(not(target_feature = "rdrand"))]
-    {
-        // SAFETY: All Rust x86 targets are new enough to have CPUID, and we
-        // check that leaf 1 is supported before using it.
-        //
-        // TODO(MSRV 1.94): remove allow(unused_unsafe) and the unsafe blocks for `__cpuid`.
-        #[allow(unused_unsafe)]
-        let cpuid0 = unsafe { arch::__cpuid(0) };
-        if cpuid0.eax < 1 {
-            return false;
-        }
-        #[allow(unused_unsafe)]
-        let cpuid1 = unsafe { arch::__cpuid(1) };
-
-        let vendor_id = [
-            cpuid0.ebx.to_le_bytes(),
-            cpuid0.edx.to_le_bytes(),
-            cpuid0.ecx.to_le_bytes(),
-        ];
-        if vendor_id == [*b"Auth", *b"enti", *b"cAMD"] {
-            let mut family = (cpuid1.eax >> 8) & 0xF;
-            if family == 0xF {
-                family += (cpuid1.eax >> 20) & 0xFF;
-            }
-            // AMD CPUs families before 17h (Zen) sometimes fail to set CF when
-            // RDRAND fails after suspend. Don't use RDRAND on those families.
-            // See https://bugzilla.redhat.com/show_bug.cgi?id=1150286
-            if family < 0x17 {
+    #[path = "../utils/lazy.rs"]
+    mod lazy;
+
+    static RDRAND_GOOD: lazy::LazyBool = lazy::LazyBool::new();
+
+    RDRAND_GOOD.unsync_init(|| {
+        #[cfg(not(target_feature = "rdrand"))]
+        {
+            // SAFETY: All Rust x86 targets are new enough to have CPUID, and we
+            // check that leaf 1 is supported before using it.
+            //
+            // TODO(MSRV 1.94): remove allow(unused_unsafe) and the unsafe blocks for `__cpuid`.
+            #[allow(unused_unsafe)]
+            let cpuid0 = unsafe { arch::__cpuid(0) };
+            if cpuid0.eax < 1 {
                 return false;
             }
-        }
+            #[allow(unused_unsafe)]
+            let cpuid1 = unsafe { arch::__cpuid(1) };
+
+            let vendor_id = [
+                cpuid0.ebx.to_le_bytes(),
+                cpuid0.edx.to_le_bytes(),
+                cpuid0.ecx.to_le_bytes(),
+            ];
+            if vendor_id == [*b"Auth", *b"enti", *b"cAMD"] {
+                let mut family = (cpuid1.eax >> 8) & 0xF;
+                if family == 0xF {
+                    family += (cpuid1.eax >> 20) & 0xFF;
+                }
+                // AMD CPUs families before 17h (Zen) sometimes fail to set CF when
+                // RDRAND fails after suspend. Don't use RDRAND on those families.
+                // See https://bugzilla.redhat.com/show_bug.cgi?id=1150286
+                if family < 0x17 {
+                    return false;
+                }
+            }
 
-        const RDRAND_FLAG: u32 = 1 << 30;
-        if cpuid1.ecx & RDRAND_FLAG == 0 {
-            return false;
+            const RDRAND_FLAG: u32 = 1 << 30;
+            if cpuid1.ecx & RDRAND_FLAG == 0 {
+                return false;
+            }
         }
-    }
 
-    // SAFETY: We have already checked that rdrand is available.
-    unsafe { self_test() }
+        // SAFETY: We have already checked that rdrand is available.
+        unsafe { self_test() }
+    })
 }
 
 #[target_feature(enable = "rdrand")]
@@ -162,7 +164,7 @@ fn rdrand_u64() -> Option<u64> {
 
 #[inline]
 pub fn inner_u32() -> Result<u32, Error> {
-    if !RDRAND_GOOD.unsync_init(is_rdrand_good) {
+    if !is_rdrand_good() {
         return Err(Error::NO_RDRAND);
     }
     // SAFETY: After this point, we know rdrand is supported.
@@ -171,7 +173,7 @@ pub fn inner_u32() -> Result<u32, Error> {
 
 #[inline]
 pub fn inner_u64() -> Result<u64, Error> {
-    if !RDRAND_GOOD.unsync_init(is_rdrand_good) {
+    if !is_rdrand_good() {
         return Err(Error::NO_RDRAND);
     }
     // SAFETY: After this point, we know rdrand is supported.
@@ -180,7 +182,7 @@ pub fn inner_u64() -> Result<u64, Error> {
 
 #[inline]
 pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
-    if !RDRAND_GOOD.unsync_init(is_rdrand_good) {
+    if !is_rdrand_good() {
         return Err(Error::NO_RDRAND);
     }
     // SAFETY: After this point, we know rdrand is supported.

src/backends/rndr.rs

@@ -71,6 +71,7 @@ fn is_rndr_available() -> bool {
 fn is_rndr_available() -> bool {
     #[path = "../utils/lazy.rs"]
     mod lazy;
+
     static RNDR_GOOD: lazy::LazyBool = lazy::LazyBool::new();
 
     cfg_if::cfg_if! {