//! Types which pin data to its location in memory //! //! It is sometimes useful to have objects that are guaranteed to not move, //! in the sense that their placement in memory does not change, and can thus be relied upon. //! A prime example of such a scenario would be building self-referential structs, //! since moving an object with pointers to itself will invalidate them, //! which could cause undefined behavior. //! //! [`Pin`] ensures that the pointee of any pointer type has a stable location in memory, //! meaning it cannot be moved elsewhere and its memory cannot be deallocated //! until it gets dropped. We say that the pointee is "pinned". //! //! By default, all types in Rust are movable. Rust allows passing all types by-value, //! and common smart-pointer types such as `Box` and `&mut` allow replacing and //! moving the values they contain: you can move out of a `Box`, or you can use [`mem::swap`]. //! [`Pin`] wraps a pointer type, so `Pin>` functions much like a regular `Box` //! (when a `Pin>` gets dropped, so do its contents, and the memory gets deallocated). //! Similarily, `Pin<&mut T>` is a lot like `&mut T`. However, [`Pin`] does not let clients actually //! obtain a `Box` or reference to pinned data, which implies that you cannot use //! operations such as [`mem::swap`]: //! ``` //! fn swap_pins(x: Pin<&mut T>, y: Pin<&mut T>) { //! // `mem::swap` needs `&mut T`, but we cannot get it. //! // We are stuck, we cannot swap the contents of these references. //! // We could use `Pin::get_unchecked_mut`, but that is unsafe for a reason: //! // we are not allowed to use it for moving things out of the `Pin`. //! } //! ``` //! //! It is worth reiterating that [`Pin`] does *not* change the fact that a Rust compiler //! considers all types movable. [`mem::swap`] remains callable for any `T`. Instead, `Pin` //! prevents certain *values* (pointed to by pointers wrapped in `Pin`) from being //! moved by making it impossible to call methods like [`mem::swap`] on them. //! //! # `Unpin` //! //! However, these restrictions are usually not necessary. Many types are always freely //! movable, even when pinned, because they do not rely on having a stable address. //! This includes all the basic types (`bool`, `i32` and friends, references) //! as well as types consisting solely of these types. //! Types that do not care about pinning implement the [`Unpin`] auto-trait, which //! nullifies the effect of [`Pin`]. For `T: Unpin`, `Pin>` and `Box` function //! identically, as do `Pin<&mut T>` and `&mut T`. //! //! Note that pinning and `Unpin` only affect the pointed-to type, not the pointer //! type itself that got wrapped in `Pin`. For example, whether or not `Box` is //! `Unpin` has no effect on the behavior of `Pin>` (here, `T` is the //! pointed-to type). //! //! # Example: self-referential struct //! //! ```rust //! use std::pin::Pin; //! use std::marker::PhantomPinned; //! use std::ptr::NonNull; //! //! // This is a self-referential struct since the slice field points to the data field. //! // We cannot inform the compiler about that with a normal reference, //! // since this pattern cannot be described with the usual borrowing rules. //! // Instead we use a raw pointer, though one which is known to not be null, //! // since we know it's pointing at the string. //! struct Unmovable { //! data: String, //! slice: NonNull, //! _pin: PhantomPinned, //! } //! //! impl Unmovable { //! // To ensure the data doesn't move when the function returns, //! // we place it in the heap where it will stay for the lifetime of the object, //! // and the only way to access it would be through a pointer to it. //! fn new(data: String) -> Pin> { //! let res = Unmovable { //! data, //! // we only create the pointer once the data is in place //! // otherwise it will have already moved before we even started //! slice: NonNull::dangling(), //! _pin: PhantomPinned, //! }; //! let mut boxed = Box::pin(res); //! //! let slice = NonNull::from(&boxed.data); //! // we know this is safe because modifying a field doesn't move the whole struct //! unsafe { //! let mut_ref: Pin<&mut Self> = Pin::as_mut(&mut boxed); //! Pin::get_unchecked_mut(mut_ref).slice = slice; //! } //! boxed //! } //! } //! //! let unmoved = Unmovable::new("hello".to_string()); //! // The pointer should point to the correct location, //! // so long as the struct hasn't moved. //! // Meanwhile, we are free to move the pointer around. //! # #[allow(unused_mut)] //! let mut still_unmoved = unmoved; //! assert_eq!(still_unmoved.slice, NonNull::from(&still_unmoved.data)); //! //! // Since our type doesn't implement Unpin, this will fail to compile: //! // let new_unmoved = Unmovable::new("world".to_string()); //! // std::mem::swap(&mut *still_unmoved, &mut *new_unmoved); //! ``` //! //! # Example: intrusive doubly-linked list //! //! In an intrusive doubly-linked list, the collection does not actually allocate //! the memory for the elements itself. Allocation is controlled by the clients, //! and elements can live on a stack frame that lives shorter than the collection does. //! //! To make this work, every element has pointers to its predecessor and successor in //! the list. Element can only be added when they are pinned, because moving the elements //! around would invalidate the pointers. Moreover, the `Drop` implementation of a linked //! list element will patch the pointers of its predecessor and successor to remove itself //! from the list. //! //! To make this work, it is crucial taht we can actually rely on `drop` being called. //! And, in fact, this is a guarantee that `Pin` provides. //! //! # `Drop` guarantee //! //! The purpose of pinning is to be able to rely on the placement of some data in memory. //! To make this work, not just moving the data is restricted; deallocating, repurposing or //! otherwise invalidating the memory used to store the data is restricted, too. //! Concretely, for pinned data you have to maintain the invariant //! that *its memory will not get invalidated from the moment it gets pinned until //! when `drop` is called*. Memory can be invalidated by deallocation, but also by //! replacing a `Some(v)` by `None`, or calling `Vec::set_len` to "kill" some elements //! off of a vector. //! //! This is exactly the kind of guarantee that the intrusive linked list from the previous //! section needs to function correctly. Clearly, if an element //! could be deallocated or otherwise invalidated without calling `drop`, the pointers into it //! from its neighbouring elements would become invalid, which would break the data structure. //! //! Notice that this guarantee does *not* mean that memory does not leak! It is still //! completely okay not to ever call `drop` on a pinned element (e.g., you can still //! call [`mem::forget`] on a `Pin>`). In the example of the doubly-linked //! list, that element would just stay in the list. However you may not free or reuse the storage //! *without calling `drop`*. //! //! # `Drop` implementation //! //! If your type uses pinning (such as the two examples above), you have to be careful //! when implementing `Drop`. The `drop` function takes `&mut self`, but this //! is called *even if your type was previously pinned*! It is as if the //! compiler automatically called `get_unchecked_mut`. //! //! This can never cause a problem in safe code because implementing a type that relies on pinning //! requires unsafe code, but be aware that deciding to make use of pinning //! in your type (for example by implementing some operation on `Pin<&[mut] Self>`) //! has consequences for your `Drop` implementation as well: if an element //! of your type could have been pinned, you must treat Drop as implicitly taking //! `Pin<&mut Self>`. //! //! In particular, if your type is `#[repr(packed)]`, the compiler will automatically //! move fields around to be able to drop them. As a consequence, you cannot use //! pinning with a `#[repr(packed)]` type. //! //! # Projections and Structural Pinning //! //! One interesting question arises when considering the interaction of pinning and //! the fields of a struct. When can a struct have a "pinning projection", i.e., //! an operation with type `fn(Pin<&[mut] Struct>) -> Pin<&[mut] Field>`? //! In a similar vein, when can a container type (such as `Vec`, `Box`, or `RefCell`) //! have an operation with type `fn(Pin<&[mut] Container>) -> Pin<&[mut] T>`? //! //! This question is closely related to the question of whether pinning is "structural": //! when you have pinned a wrapper type, have you pinned its contents? Deciding this //! is entirely up to the author of any given type. However, adding a //! projection to the API answers that question with a "yes" by offering pinned access //! to the contents. In that case, there are a couple requirements to be upheld: //! //! 1. The wrapper must only be [`Unpin`] if all the fields one can project to are //! `Unpin`. This is the default, but `Unpin` is a safe trait, so as the author of //! the wrapper it is your responsibility *not* to add something like //! `impl Unpin for Container`. (Notice that adding a projection operation //! requires unsafe code, so the fact that `Unpin` is a safe trait does not break //! the principle that you only have to worry about any of this if you use `unsafe`.) //! 2. The destructor of the wrapper must not move out of its argument. This is the exact //! point that was raised in the [previous section][drop-impl]: `drop` takes `&mut self`, //! but the wrapper (and hence its fields) might have been pinned before. //! You have to guarantee that you do not move a field inside your `Drop` implementation. //! 3. Your wrapper type must *not* be `#[repr(packed)]`. Packed structs have their fields //! moved around when they are dropped to properly align them, which is in conflict with //! claiming that the fields are pinned when your struct is. //! 4. You must make sure that you uphold the [`Drop` guarantee][drop-guarantee]: //! once your wrapper is pinned, the memory that contains the //! content is not overwritten or deallocated without calling the content's destructors. //! This can be tricky, as witnessed by `VecDeque`: the destructor of `VecDeque` can fail //! to call `drop` on all elements if one of the destructors panics. This violates the //! `Drop` guarantee, because it can lead to elements being deallocated without //! their destructor being called. (`VecDeque` has no pinning projections, so this //! does not cause unsoundness.) //! 5. You must not offer any other operations that could lead to data being moved out of //! the fields when your type is pinned. This is usually not a concern, but can become //! tricky when interior mutability is involved. For example, imagine `RefCell` //! would have a method `fn get_pin_mut(self: Pin<&mut Self>) -> Pin<&mut T>`. //! Then we could do the following: //! ```ignore //! fn exploit_ref_cell(rc: Pin<&mut RefCell) { //! { let p = rc.as_mut().get_pin_mut(); } // here we get pinned access to the `T` //! let rc_shr: &RefCell = rc.into_ref().get_ref(); //! let b = rc_shr.borrow_mut(); //! let content = &mut *b; // and here we have `&mut T` to the same data //! } //! ``` //! This is catastrophic, it means we can first pin the content of the `RefCell` //! (using `RefCell::get_pin_mut`) and then move that content using the mutable //! reference we got later. //! //! On the other hand, if you decide *not* to offer any pinning projections, you //! are free to `impl Unpin for Container`. In the standard library, //! this is done for all pointer types: `Box: Unpin` holds for all `T`. //! It makes sense to do this for pointer types, because moving the `Box` //! does not actually move the `T`: the `Box` can be freely movable even if the `T` //! is not. In fact, even `Pin>` and `Pin<&mut T>` are always `Unpin` themselves, //! for the same reason. //! //! [`Pin`]: struct.Pin.html //! [`Unpin`]: ../../std/marker/trait.Unpin.html //! [`mem::swap`]: ../../std/mem/fn.swap.html //! [`mem::forget`]: ../../std/mem/fn.forget.html //! [`Box`]: ../../std/boxed/struct.Box.html //! [drop-impl]: #drop-implementation //! [drop-guarantee]: #drop-guarantee #![stable(feature = "pin", since = "1.33.0")] use fmt; use marker::{Sized, Unpin}; use cmp::{self, PartialEq, PartialOrd}; use ops::{Deref, DerefMut, Receiver, CoerceUnsized, DispatchFromDyn}; /// A pinned pointer. /// /// This is a wrapper around a kind of pointer which makes that pointer "pin" its /// value in place, preventing the value referenced by that pointer from being moved /// unless it implements [`Unpin`]. /// /// See the [`pin` module] documentation for further explanation on pinning. /// /// [`Unpin`]: ../../std/marker/trait.Unpin.html /// [`pin` module]: ../../std/pin/index.html // // Note: the derives below, and the explicit `PartialEq` and `PartialOrd` // implementations, are allowed because they all only use `&P`, so they cannot move // the value behind `pointer`. #[stable(feature = "pin", since = "1.33.0")] #[cfg_attr(not(stage0), lang = "pin")] #[fundamental] #[repr(transparent)] #[derive(Copy, Clone, Hash, Eq, Ord)] pub struct Pin

{ pointer: P, } #[stable(feature = "pin_partialeq_partialord_impl_applicability", since = "1.34.0")] impl PartialEq> for Pin

where P: PartialEq, { fn eq(&self, other: &Pin) -> bool { self.pointer == other.pointer } fn ne(&self, other: &Pin) -> bool { self.pointer != other.pointer } } #[stable(feature = "pin_partialeq_partialord_impl_applicability", since = "1.34.0")] impl PartialOrd> for Pin

where P: PartialOrd, { fn partial_cmp(&self, other: &Pin) -> Option { self.pointer.partial_cmp(&other.pointer) } fn lt(&self, other: &Pin) -> bool { self.pointer < other.pointer } fn le(&self, other: &Pin) -> bool { self.pointer <= other.pointer } fn gt(&self, other: &Pin) -> bool { self.pointer > other.pointer } fn ge(&self, other: &Pin) -> bool { self.pointer >= other.pointer } } impl Pin

where P::Target: Unpin, { /// Construct a new `Pin` around a pointer to some data of a type that /// implements [`Unpin`]. /// /// Unlike `Pin::new_unchecked`, this method is safe because the pointer /// `P` dereferences to an [`Unpin`] type, which nullifies the pinning guarantees. /// /// [`Unpin`]: ../../std/marker/trait.Unpin.html #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn new(pointer: P) -> Pin

{ // Safety: the value pointed to is `Unpin`, and so has no requirements // around pinning. unsafe { Pin::new_unchecked(pointer) } } } impl Pin

{ /// Construct a new `Pin` around a reference to some data of a type that /// may or may not implement `Unpin`. /// /// # Safety /// /// This constructor is unsafe because we cannot guarantee that the data /// pointed to by `pointer` is pinned, meaning that the data will not be moved or /// its storage invalidated until it gets dropped. If the constructed `Pin

` does /// not guarantee that the data `P` points to is pinned, constructing a /// `Pin

` is unsafe. In particular, calling `Pin::new_unchecked` /// on an `&'a mut T` is unsafe because while you are able to pin it for the given /// lifetime `'a`, you have no control over whether it is kept pinned once `'a` /// ends. A value, once pinned, must remain pinned forever (unless its type implements `Unpin`). /// /// By using this method, you are making a promise about the `P::Deref` and /// `P::DerefMut` implementations, if they exist. Most importantly, they /// must not move out of their `self` arguments: `Pin::as_mut` and `Pin::as_ref` /// will call `DerefMut::deref_mut` and `Deref::deref` *on the pinned pointer* /// and expect these methods to uphold the pinning invariants. /// Moreover, by calling this method you promise that the reference `P` /// dereferences to will not be moved out of again; in particular, it /// must not be possible to obtain a `&mut P::Target` and then /// move out of that reference (using, for example [`mem::swap`]). /// /// For example, the following is a *violation* of `Pin`'s safety: /// ``` /// use std::mem; /// use std::pin::Pin; /// /// fn foo(mut a: T, mut b: T) { /// unsafe { let p = Pin::new_unchecked(&mut a); } // should mean `a` can never move again /// mem::swap(&mut a, &mut b); /// // the address of `a` changed to `b`'s stack slot, so `a` got moved even /// // though we have previously pinned it! /// } /// ``` /// /// If `pointer` dereferences to an `Unpin` type, `Pin::new` should be used /// instead. /// /// [`mem::swap`]: ../../std/mem/fn.swap.html #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub unsafe fn new_unchecked(pointer: P) -> Pin

{ Pin { pointer } } /// Gets a pinned shared reference from this pinned pointer. /// /// This is a generic method to go from `&Pin>` to `Pin<&T>`. /// It is safe because, as part of the contract of `Pin::new_unchecked`, /// the pointee cannot move after `Pin>` got created. /// "Malicious" implementations of `SmartPointer::Deref` are likewise /// ruled out by the contract of `Pin::new_unchecked`. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn as_ref(self: &Pin

) -> Pin<&P::Target> { unsafe { Pin::new_unchecked(&*self.pointer) } } } impl Pin

{ /// Gets a pinned mutable reference from this pinned pointer. /// /// This is a generic method to go from `&mut Pin>` to `Pin<&mut T>`. /// It is safe because, as part of the contract of `Pin::new_unchecked`, /// the pointee cannot move after `Pin>` got created. /// "Malicious" implementations of `SmartPointer::DerefMut` are likewise /// ruled out by the contract of `Pin::new_unchecked`. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn as_mut(self: &mut Pin

) -> Pin<&mut P::Target> { unsafe { Pin::new_unchecked(&mut *self.pointer) } } /// Assigns a new value to the memory behind the pinned reference. /// /// This overwrites pinned data, but that is okay: its destructor gets /// run before being overwritten, so no pinning guarantee is violated. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn set(self: &mut Pin

, value: P::Target) where P::Target: Sized, { *(self.pointer) = value; } } impl<'a, T: ?Sized> Pin<&'a T> { /// Constructs a new pin by mapping the interior value. /// /// For example, if you wanted to get a `Pin` of a field of something, /// you could use this to get access to that field in one line of code. /// However, there are several gotchas with these "pinning projections"; /// see the [`pin` module] documentation for further details on that topic. /// /// # Safety /// /// This function is unsafe. You must guarantee that the data you return /// will not move so long as the argument value does not move (for example, /// because it is one of the fields of that value), and also that you do /// not move out of the argument you receive to the interior function. /// /// [`pin` module]: ../../std/pin/index.html#projections-and-structural-pinning #[stable(feature = "pin", since = "1.33.0")] pub unsafe fn map_unchecked(self: Pin<&'a T>, func: F) -> Pin<&'a U> where F: FnOnce(&T) -> &U, { let pointer = &*self.pointer; let new_pointer = func(pointer); Pin::new_unchecked(new_pointer) } /// Gets a shared reference out of a pin. /// /// This is safe because it is not possible to move out of a shared reference. /// It may seem like there is an issue here with interior mutability: in fact, /// it *is* possible to move a `T` out of a `&RefCell`. However, this is /// not a problem as long as there does not also exist a `Pin<&T>` pointing /// to the same data, and `RefCell` does not let you create a pinned reference /// to its contents. See the discussion on ["pinning projections"] for further /// details. /// /// Note: `Pin` also implements `Deref` to the target, which can be used /// to access the inner value. However, `Deref` only provides a reference /// that lives for as long as the borrow of the `Pin`, not the lifetime of /// the `Pin` itself. This method allows turning the `Pin` into a reference /// with the same lifetime as the original `Pin`. /// /// ["pinning projections"]: ../../std/pin/index.html#projections-and-structural-pinning #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn get_ref(self: Pin<&'a T>) -> &'a T { self.pointer } } impl<'a, T: ?Sized> Pin<&'a mut T> { /// Converts this `Pin<&mut T>` into a `Pin<&T>` with the same lifetime. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn into_ref(self: Pin<&'a mut T>) -> Pin<&'a T> { Pin { pointer: self.pointer } } /// Gets a mutable reference to the data inside of this `Pin`. /// /// This requires that the data inside this `Pin` is `Unpin`. /// /// Note: `Pin` also implements `DerefMut` to the data, which can be used /// to access the inner value. However, `DerefMut` only provides a reference /// that lives for as long as the borrow of the `Pin`, not the lifetime of /// the `Pin` itself. This method allows turning the `Pin` into a reference /// with the same lifetime as the original `Pin`. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub fn get_mut(self: Pin<&'a mut T>) -> &'a mut T where T: Unpin, { self.pointer } /// Gets a mutable reference to the data inside of this `Pin`. /// /// # Safety /// /// This function is unsafe. You must guarantee that you will never move /// the data out of the mutable reference you receive when you call this /// function, so that the invariants on the `Pin` type can be upheld. /// /// If the underlying data is `Unpin`, `Pin::get_mut` should be used /// instead. #[stable(feature = "pin", since = "1.33.0")] #[inline(always)] pub unsafe fn get_unchecked_mut(self: Pin<&'a mut T>) -> &'a mut T { self.pointer } /// Construct a new pin by mapping the interior value. /// /// For example, if you wanted to get a `Pin` of a field of something, /// you could use this to get access to that field in one line of code. /// However, there are several gotchas with these "pinning projections"; /// see the [`pin` module] documentation for further details on that topic. /// /// # Safety /// /// This function is unsafe. You must guarantee that the data you return /// will not move so long as the argument value does not move (for example, /// because it is one of the fields of that value), and also that you do /// not move out of the argument you receive to the interior function. /// /// [`pin` module]: ../../std/pin/index.html#projections-and-structural-pinning #[stable(feature = "pin", since = "1.33.0")] pub unsafe fn map_unchecked_mut(self: Pin<&'a mut T>, func: F) -> Pin<&'a mut U> where F: FnOnce(&mut T) -> &mut U, { let pointer = Pin::get_unchecked_mut(self); let new_pointer = func(pointer); Pin::new_unchecked(new_pointer) } } #[stable(feature = "pin", since = "1.33.0")] impl Deref for Pin

{ type Target = P::Target; fn deref(&self) -> &P::Target { Pin::get_ref(Pin::as_ref(self)) } } #[stable(feature = "pin", since = "1.33.0")] impl DerefMut for Pin

where P::Target: Unpin { fn deref_mut(&mut self) -> &mut P::Target { Pin::get_mut(Pin::as_mut(self)) } } #[unstable(feature = "receiver_trait", issue = "0")] impl Receiver for Pin

{} #[stable(feature = "pin", since = "1.33.0")] impl fmt::Debug for Pin

{ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::Debug::fmt(&self.pointer, f) } } #[stable(feature = "pin", since = "1.33.0")] impl fmt::Display for Pin

{ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::Display::fmt(&self.pointer, f) } } #[stable(feature = "pin", since = "1.33.0")] impl fmt::Pointer for Pin

{ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::Pointer::fmt(&self.pointer, f) } } // Note: this means that any impl of `CoerceUnsized` that allows coercing from // a type that impls `Deref` to a type that impls // `Deref` is unsound. Any such impl would probably be unsound // for other reasons, though, so we just need to take care not to allow such // impls to land in std. #[stable(feature = "pin", since = "1.33.0")] impl CoerceUnsized> for Pin

where P: CoerceUnsized, {} #[stable(feature = "pin", since = "1.33.0")] impl<'a, P, U> DispatchFromDyn> for Pin

where P: DispatchFromDyn, {}