1 // SPDX-License-Identifier: Apache-2.0 OR MIT 2 3 //! This module contains library internal items. 4 //! 5 //! These items must not be used outside of this crate and the pin-init-internal crate located at 6 //! `../internal`. 7 8 use super::*; 9 10 /// Zero-sized type used to mark a type as invariant. 11 /// 12 /// This is a polyfill for the [unstable type] in the standard library of the same name. 13 /// 14 /// See the [nomicon] for what subtyping is. See also [this table]. 15 /// 16 /// [unstable type]: https://doc.rust-lang.org/nightly/std/marker/struct.PhantomInvariant.html 17 /// [nomicon]: https://doc.rust-lang.org/nomicon/subtyping.html 18 /// [this table]: https://doc.rust-lang.org/nomicon/phantom-data.html#table-of-phantomdata-patterns 19 #[repr(transparent)] 20 pub struct PhantomInvariant<T: ?Sized>(PhantomData<fn(T) -> T>); 21 22 impl<T: ?Sized> Clone for PhantomInvariant<T> { 23 #[inline(always)] 24 fn clone(&self) -> Self { 25 *self 26 } 27 } 28 29 impl<T: ?Sized> Copy for PhantomInvariant<T> {} 30 31 impl<T: ?Sized> Default for PhantomInvariant<T> { 32 #[inline(always)] 33 fn default() -> Self { 34 Self::new() 35 } 36 } 37 38 impl<T: ?Sized> PhantomInvariant<T> { 39 #[inline(always)] 40 pub const fn new() -> Self { 41 Self(PhantomData) 42 } 43 } 44 45 /// Zero-sized type used to mark a lifetime as invariant. 46 /// 47 /// This is a polyfill for the [unstable type] in the standard library of the same name. 48 /// 49 /// [unstable type]: https://doc.rust-lang.org/nightly/std/marker/struct.PhantomInvariantLifetime.html 50 #[repr(transparent)] 51 #[derive(Clone, Copy, Default)] 52 pub struct PhantomInvariantLifetime<'a>(PhantomInvariant<&'a ()>); 53 54 impl PhantomInvariantLifetime<'_> { 55 #[inline(always)] 56 pub const fn new() -> Self { 57 Self(PhantomInvariant::new()) 58 } 59 } 60 61 /// Token type to signify successful initialization. 62 /// 63 /// Can only be constructed via the unsafe [`Self::new`] function. The initializer macros use this 64 /// token type to prevent returning `Ok` from an initializer without initializing all fields. 65 pub struct InitOk(()); 66 67 impl InitOk { 68 /// Creates a new token. 69 /// 70 /// # Safety 71 /// 72 /// This function may only be called from the `init!` macro in `../internal/src/init.rs`. 73 #[inline(always)] 74 pub unsafe fn new() -> Self { 75 Self(()) 76 } 77 } 78 79 /// This trait is only implemented via the `#[pin_data]` proc-macro. It is used to facilitate 80 /// the pin projections within the initializers. 81 /// 82 /// # Safety 83 /// 84 /// Only the `init` module is allowed to use this trait. 85 pub unsafe trait HasPinData { 86 type PinData; 87 88 #[expect(clippy::missing_safety_doc)] 89 unsafe fn __pin_data() -> Self::PinData; 90 } 91 92 /// This trait is automatically implemented for every type. It aims to provide the same type 93 /// inference help as `HasPinData`. 94 /// 95 /// # Safety 96 /// 97 /// Only the `init` module is allowed to use this trait. 98 pub unsafe trait HasInitData { 99 type InitData; 100 101 #[expect(clippy::missing_safety_doc)] 102 unsafe fn __init_data() -> Self::InitData; 103 } 104 105 pub struct AllData<T: ?Sized>(PhantomInvariant<T>); 106 107 impl<T: ?Sized> Clone for AllData<T> { 108 fn clone(&self) -> Self { 109 *self 110 } 111 } 112 113 impl<T: ?Sized> Copy for AllData<T> {} 114 115 impl<T: ?Sized> AllData<T> { 116 /// Type inference helper function. 117 #[inline(always)] 118 pub fn __make_closure<F, E>(self, f: F) -> F 119 where 120 F: FnOnce(*mut T) -> Result<InitOk, E>, 121 { 122 f 123 } 124 } 125 126 // SAFETY: TODO. 127 unsafe impl<T: ?Sized> HasInitData for T { 128 type InitData = AllData<T>; 129 130 unsafe fn __init_data() -> Self::InitData { 131 AllData(PhantomInvariant::new()) 132 } 133 } 134 135 /// Stack initializer helper type. Use [`stack_pin_init`] instead of this primitive. 136 /// 137 /// # Invariants 138 /// 139 /// If `self.is_init` is true, then `self.value` is initialized. 140 /// 141 /// [`stack_pin_init`]: crate::stack_pin_init 142 pub struct StackInit<T> { 143 value: MaybeUninit<T>, 144 is_init: bool, 145 } 146 147 impl<T> Drop for StackInit<T> { 148 #[inline] 149 fn drop(&mut self) { 150 if self.is_init { 151 // SAFETY: As we are being dropped, we only call this once. And since `self.is_init` is 152 // true, `self.value` is initialized. 153 unsafe { self.value.assume_init_drop() }; 154 } 155 } 156 } 157 158 impl<T> StackInit<T> { 159 /// Creates a new [`StackInit<T>`] that is uninitialized. Use [`stack_pin_init`] instead of this 160 /// primitive. 161 /// 162 /// [`stack_pin_init`]: crate::stack_pin_init 163 #[inline] 164 pub fn uninit() -> Self { 165 Self { 166 value: MaybeUninit::uninit(), 167 is_init: false, 168 } 169 } 170 171 /// Initializes the contents and returns the result. 172 #[inline] 173 pub fn init<E>(self: Pin<&mut Self>, init: impl PinInit<T, E>) -> Result<Pin<&mut T>, E> { 174 // SAFETY: We never move out of `this`. 175 let this = unsafe { Pin::into_inner_unchecked(self) }; 176 // The value is currently initialized, so it needs to be dropped before we can reuse 177 // the memory (this is a safety guarantee of `Pin`). 178 if this.is_init { 179 this.is_init = false; 180 // SAFETY: `this.is_init` was true and therefore `this.value` is initialized. 181 unsafe { this.value.assume_init_drop() }; 182 } 183 // SAFETY: The memory slot is valid and this type ensures that it will stay pinned. 184 unsafe { init.__pinned_init(this.value.as_mut_ptr())? }; 185 // INVARIANT: `this.value` is initialized above. 186 this.is_init = true; 187 // SAFETY: The slot is now pinned, since we will never give access to `&mut T`. 188 Ok(unsafe { Pin::new_unchecked(this.value.assume_init_mut()) }) 189 } 190 } 191 192 #[test] 193 #[cfg(feature = "std")] 194 fn stack_init_reuse() { 195 use ::std::{borrow::ToOwned, println, string::String}; 196 use core::pin::pin; 197 198 #[derive(Debug)] 199 struct Foo { 200 a: usize, 201 b: String, 202 } 203 let mut slot: Pin<&mut StackInit<Foo>> = pin!(StackInit::uninit()); 204 let value: Result<Pin<&mut Foo>, core::convert::Infallible> = 205 slot.as_mut().init(crate::init!(Foo { 206 a: 42, 207 b: "Hello".to_owned(), 208 })); 209 let value = value.unwrap(); 210 println!("{value:?}"); 211 let value: Result<Pin<&mut Foo>, core::convert::Infallible> = 212 slot.as_mut().init(crate::init!(Foo { 213 a: 24, 214 b: "world!".to_owned(), 215 })); 216 let value = value.unwrap(); 217 println!("{value:?}"); 218 } 219 220 // Marker types that determines type of `DropGuard`'s let bindings. 221 pub struct Pinned; 222 pub struct Unpinned; 223 224 /// Represent an uninitialized field. 225 /// 226 /// # Invariants 227 /// 228 /// - `ptr` is valid, properly aligned and points to uninitialized and exclusively accessed memory. 229 /// - If `P` is `Pinned`, then `ptr` is structurally pinned. 230 pub struct Slot<P, T: ?Sized> { 231 ptr: *mut T, 232 _phantom: PhantomData<P>, 233 } 234 235 impl<P, T: ?Sized> Slot<P, T> { 236 /// # Safety 237 /// 238 /// - `ptr` is valid, properly aligned and points to uninitialized and exclusively accessed 239 /// memory. 240 /// - If `P` is `Pinned`, then `ptr` is structurally pinned. 241 #[inline(always)] 242 pub unsafe fn new(ptr: *mut T) -> Self { 243 // INVARIANT: Per safety requirement. 244 Self { 245 ptr, 246 _phantom: PhantomData, 247 } 248 } 249 250 /// Initialize the field by value. 251 #[inline(always)] 252 pub fn write(self, value: T) -> DropGuard<P, T> 253 where 254 T: Sized, 255 { 256 // SAFETY: `self.ptr` is a valid and aligned pointer for write. 257 unsafe { self.ptr.write(value) } 258 // SAFETY: 259 // - `self.ptr` is valid and properly aligned per type invariant. 260 // - `*self.ptr` is initialized above and the ownership is transferred to the guard. 261 // - If `P` is `Pinned`, `self.ptr` is pinned. 262 unsafe { DropGuard::new(self.ptr) } 263 } 264 } 265 266 impl<T: ?Sized> Slot<Unpinned, T> { 267 /// Initialize the field. 268 #[inline(always)] 269 pub fn init<E>(self, init: impl Init<T, E>) -> Result<DropGuard<Unpinned, T>, E> { 270 // SAFETY: 271 // - `self.ptr` is valid and properly aligned. 272 // - when `Err` is returned, we also propagate the error without touching `slot`; 273 // also `self` is consumed so it cannot be touched further. 274 unsafe { init.__init(self.ptr)? }; 275 276 // SAFETY: 277 // - `self.ptr` is valid and properly aligned per type invariant. 278 // - `*self.ptr` is initialized above and the ownership is transferred to the guard. 279 Ok(unsafe { DropGuard::new(self.ptr) }) 280 } 281 } 282 283 impl<T: ?Sized> Slot<Pinned, T> { 284 /// Initialize the field. 285 #[inline(always)] 286 pub fn init<E>(self, init: impl PinInit<T, E>) -> Result<DropGuard<Pinned, T>, E> { 287 // SAFETY: 288 // - `self.ptr` is valid and properly aligned. 289 // - when `Err` is returned, we also propagate the error without touching `ptr`; 290 // also `self` is consumed so it cannot be touched further. 291 // - the drop guard will not hand out `&mut` (only `Pin<&mut T>`). 292 unsafe { init.__pinned_init(self.ptr)? }; 293 294 // SAFETY: 295 // - `self.ptr` is valid, properly aligned and pinned per type invariant. 296 // - `*self.ptr` is initialized above and the ownership is transferred to the guard. 297 Ok(unsafe { DropGuard::new(self.ptr) }) 298 } 299 } 300 301 /// When a value of this type is dropped, it drops a `T`. 302 /// 303 /// Can be forgotten to prevent the drop. 304 /// 305 /// # Invariants 306 /// 307 /// - `ptr` is valid and properly aligned. 308 /// - `*ptr` is initialized and owned by this guard. 309 /// - if `P` is `Pinned`, `ptr` is pinned. 310 pub struct DropGuard<P, T: ?Sized> { 311 ptr: *mut T, 312 phantom: PhantomData<P>, 313 } 314 315 impl<P, T: ?Sized> DropGuard<P, T> { 316 /// Creates a drop guard and transfer the ownership of the pointer content. 317 /// 318 /// The ownership is only relinguished if the guard is forgotten via [`core::mem::forget`]. 319 /// 320 /// # Safety 321 /// 322 /// - `ptr` is valid and properly aligned. 323 /// - `*ptr` is initialized, and the ownership is transferred to this guard. 324 /// - if `P` is `Pinned`, `ptr` is pinned. 325 #[inline] 326 pub unsafe fn new(ptr: *mut T) -> Self { 327 // INVARIANT: By safety requirement. 328 Self { 329 ptr, 330 phantom: PhantomData, 331 } 332 } 333 } 334 335 impl<T: ?Sized> DropGuard<Unpinned, T> { 336 /// Create a let binding for accessor use. 337 #[inline] 338 pub fn let_binding(&mut self) -> &mut T { 339 // SAFETY: Per type invariant. 340 unsafe { &mut *self.ptr } 341 } 342 } 343 344 impl<T: ?Sized> DropGuard<Pinned, T> { 345 /// Create a let binding for accessor use. 346 #[inline] 347 pub fn let_binding(&mut self) -> Pin<&mut T> { 348 // SAFETY: `self.ptr` is valid, properly aligned, initialized, exclusively accessible and 349 // pinned per type invariant. 350 unsafe { Pin::new_unchecked(&mut *self.ptr) } 351 } 352 } 353 354 impl<P, T: ?Sized> Drop for DropGuard<P, T> { 355 #[inline] 356 fn drop(&mut self) { 357 // SAFETY: `self.ptr` is valid, properly aligned and `*self.ptr` is owned by this guard. 358 unsafe { ptr::drop_in_place(self.ptr) } 359 } 360 } 361 362 /// Token used by `PinnedDrop` to prevent calling the function without creating this unsafely 363 /// created struct. This is needed, because the `drop` function is safe, but should not be called 364 /// manually. 365 pub struct OnlyCallFromDrop(()); 366 367 impl OnlyCallFromDrop { 368 /// # Safety 369 /// 370 /// This function should only be called from the [`Drop::drop`] function and only be used to 371 /// delegate the destruction to the pinned destructor [`PinnedDrop::drop`] of the same type. 372 pub unsafe fn new() -> Self { 373 Self(()) 374 } 375 } 376 377 /// Initializer that always fails. 378 /// 379 /// Used by [`assert_pinned!`]. 380 /// 381 /// [`assert_pinned!`]: crate::assert_pinned 382 pub struct AlwaysFail<T: ?Sized> { 383 _t: PhantomData<T>, 384 } 385 386 impl<T: ?Sized> AlwaysFail<T> { 387 /// Creates a new initializer that always fails. 388 pub fn new() -> Self { 389 Self { _t: PhantomData } 390 } 391 } 392 393 impl<T: ?Sized> Default for AlwaysFail<T> { 394 fn default() -> Self { 395 Self::new() 396 } 397 } 398 399 // SAFETY: `__pinned_init` always fails, which is always okay. 400 unsafe impl<T: ?Sized> PinInit<T, ()> for AlwaysFail<T> { 401 unsafe fn __pinned_init(self, _slot: *mut T) -> Result<(), ()> { 402 Err(()) 403 } 404 } 405