1 //! Types that pin data to its location in memory. 2 //! 3 //! It is sometimes useful to have objects that are guaranteed not to move, 4 //! in the sense that their placement in memory does not change, and can thus be relied upon. 5 //! A prime example of such a scenario would be building self-referential structs, 6 //! as moving an object with pointers to itself will invalidate them, which could cause undefined 7 //! behavior. 8 //! 9 //! At a high level, a <code>[Pin]\<P></code> ensures that the pointee of any pointer type 10 //! `P` has a stable location in memory, meaning it cannot be moved elsewhere 11 //! and its memory cannot be deallocated until it gets dropped. We say that the 12 //! pointee is "pinned". Things get more subtle when discussing types that 13 //! combine pinned with non-pinned data; [see below](#projections-and-structural-pinning) 14 //! for more details. 15 //! 16 //! By default, all types in Rust are movable. Rust allows passing all types by-value, 17 //! and common smart-pointer types such as <code>[Box]\<T></code> and <code>[&mut] T</code> allow 18 //! replacing and moving the values they contain: you can move out of a <code>[Box]\<T></code>, 19 //! or you can use [`mem::swap`]. <code>[Pin]\<P></code> wraps a pointer type `P`, so 20 //! <code>[Pin]<[Box]\<T>></code> functions much like a regular <code>[Box]\<T></code>: 21 //! when a <code>[Pin]<[Box]\<T>></code> gets dropped, so do its contents, and the memory gets 22 //! deallocated. Similarly, <code>[Pin]<[&mut] T></code> is a lot like <code>[&mut] T</code>. 23 //! However, <code>[Pin]\<P></code> does not let clients actually obtain a <code>[Box]\<T></code> 24 //! or <code>[&mut] T</code> to pinned data, which implies that you cannot use operations such 25 //! as [`mem::swap`]: 26 //! 27 //! ``` 28 //! use std::pin::Pin; 29 //! fn swap_pins<T>(x: Pin<&mut T>, y: Pin<&mut T>) { 30 //! // `mem::swap` needs `&mut T`, but we cannot get it. 31 //! // We are stuck, we cannot swap the contents of these references. 32 //! // We could use `Pin::get_unchecked_mut`, but that is unsafe for a reason: 33 //! // we are not allowed to use it for moving things out of the `Pin`. 34 //! } 35 //! ``` 36 //! 37 //! It is worth reiterating that <code>[Pin]\<P></code> does *not* change the fact that a Rust 38 //! compiler considers all types movable. [`mem::swap`] remains callable for any `T`. Instead, 39 //! <code>[Pin]\<P></code> prevents certain *values* (pointed to by pointers wrapped in 40 //! <code>[Pin]\<P></code>) from being moved by making it impossible to call methods that require 41 //! <code>[&mut] T</code> on them (like [`mem::swap`]). 42 //! 43 //! <code>[Pin]\<P></code> can be used to wrap any pointer type `P`, and as such it interacts with 44 //! [`Deref`] and [`DerefMut`]. A <code>[Pin]\<P></code> where <code>P: [Deref]</code> should be 45 //! considered as a "`P`-style pointer" to a pinned <code>P::[Target]</code> – so, a 46 //! <code>[Pin]<[Box]\<T>></code> is an owned pointer to a pinned `T`, and a 47 //! <code>[Pin]<[Rc]\<T>></code> is a reference-counted pointer to a pinned `T`. 48 //! For correctness, <code>[Pin]\<P></code> relies on the implementations of [`Deref`] and 49 //! [`DerefMut`] not to move out of their `self` parameter, and only ever to 50 //! return a pointer to pinned data when they are called on a pinned pointer. 51 //! 52 //! # `Unpin` 53 //! 54 //! Many types are always freely movable, even when pinned, because they do not 55 //! rely on having a stable address. This includes all the basic types (like 56 //! [`bool`], [`i32`], and references) as well as types consisting solely of these 57 //! types. Types that do not care about pinning implement the [`Unpin`] 58 //! auto-trait, which cancels the effect of <code>[Pin]\<P></code>. For <code>T: [Unpin]</code>, 59 //! <code>[Pin]<[Box]\<T>></code> and <code>[Box]\<T></code> function identically, as do 60 //! <code>[Pin]<[&mut] T></code> and <code>[&mut] T</code>. 61 //! 62 //! Note that pinning and [`Unpin`] only affect the pointed-to type <code>P::[Target]</code>, 63 //! not the pointer type `P` itself that got wrapped in <code>[Pin]\<P></code>. For example, 64 //! whether or not <code>[Box]\<T></code> is [`Unpin`] has no effect on the behavior of 65 //! <code>[Pin]<[Box]\<T>></code> (here, `T` is the pointed-to type). 66 //! 67 //! # Example: self-referential struct 68 //! 69 //! Before we go into more details to explain the guarantees and choices 70 //! associated with <code>[Pin]\<P></code>, we discuss some examples for how it might be used. 71 //! Feel free to [skip to where the theoretical discussion continues](#drop-guarantee). 72 //! 73 //! ```rust 74 //! use std::pin::Pin; 75 //! use std::marker::PhantomPinned; 76 //! use std::ptr::NonNull; 77 //! 78 //! // This is a self-referential struct because the slice field points to the data field. 79 //! // We cannot inform the compiler about that with a normal reference, 80 //! // as this pattern cannot be described with the usual borrowing rules. 81 //! // Instead we use a raw pointer, though one which is known not to be null, 82 //! // as we know it's pointing at the string. 83 //! struct Unmovable { 84 //! data: String, 85 //! slice: NonNull<String>, 86 //! _pin: PhantomPinned, 87 //! } 88 //! 89 //! impl Unmovable { 90 //! // To ensure the data doesn't move when the function returns, 91 //! // we place it in the heap where it will stay for the lifetime of the object, 92 //! // and the only way to access it would be through a pointer to it. 93 //! fn new(data: String) -> Pin<Box<Self>> { 94 //! let res = Unmovable { 95 //! data, 96 //! // we only create the pointer once the data is in place 97 //! // otherwise it will have already moved before we even started 98 //! slice: NonNull::dangling(), 99 //! _pin: PhantomPinned, 100 //! }; 101 //! let mut boxed = Box::pin(res); 102 //! 103 //! let slice = NonNull::from(&boxed.data); 104 //! // we know this is safe because modifying a field doesn't move the whole struct 105 //! unsafe { 106 //! let mut_ref: Pin<&mut Self> = Pin::as_mut(&mut boxed); 107 //! Pin::get_unchecked_mut(mut_ref).slice = slice; 108 //! } 109 //! boxed 110 //! } 111 //! } 112 //! 113 //! let unmoved = Unmovable::new("hello".to_string()); 114 //! // The pointer should point to the correct location, 115 //! // so long as the struct hasn't moved. 116 //! // Meanwhile, we are free to move the pointer around. 117 //! # #[allow(unused_mut)] 118 //! let mut still_unmoved = unmoved; 119 //! assert_eq!(still_unmoved.slice, NonNull::from(&still_unmoved.data)); 120 //! 121 //! // Since our type doesn't implement Unpin, this will fail to compile: 122 //! // let mut new_unmoved = Unmovable::new("world".to_string()); 123 //! // std::mem::swap(&mut *still_unmoved, &mut *new_unmoved); 124 //! ``` 125 //! 126 //! # Example: intrusive doubly-linked list 127 //! 128 //! In an intrusive doubly-linked list, the collection does not actually allocate 129 //! the memory for the elements itself. Allocation is controlled by the clients, 130 //! and elements can live on a stack frame that lives shorter than the collection does. 131 //! 132 //! To make this work, every element has pointers to its predecessor and successor in 133 //! the list. Elements can only be added when they are pinned, because moving the elements 134 //! around would invalidate the pointers. Moreover, the [`Drop`][Drop] implementation of a linked 135 //! list element will patch the pointers of its predecessor and successor to remove itself 136 //! from the list. 137 //! 138 //! Crucially, we have to be able to rely on [`drop`] being called. If an element 139 //! could be deallocated or otherwise invalidated without calling [`drop`], the pointers into it 140 //! from its neighboring elements would become invalid, which would break the data structure. 141 //! 142 //! Therefore, pinning also comes with a [`drop`]-related guarantee. 143 //! 144 //! # `Drop` guarantee 145 //! 146 //! The purpose of pinning is to be able to rely on the placement of some data in memory. 147 //! To make this work, not just moving the data is restricted; deallocating, repurposing, or 148 //! otherwise invalidating the memory used to store the data is restricted, too. 149 //! Concretely, for pinned data you have to maintain the invariant 150 //! that *its memory will not get invalidated or repurposed from the moment it gets pinned until 151 //! when [`drop`] is called*. Only once [`drop`] returns or panics, the memory may be reused. 152 //! 153 //! Memory can be "invalidated" by deallocation, but also by 154 //! replacing a <code>[Some]\(v)</code> by [`None`], or calling [`Vec::set_len`] to "kill" some 155 //! elements off of a vector. It can be repurposed by using [`ptr::write`] to overwrite it without 156 //! calling the destructor first. None of this is allowed for pinned data without calling [`drop`]. 157 //! 158 //! This is exactly the kind of guarantee that the intrusive linked list from the previous 159 //! section needs to function correctly. 160 //! 161 //! Notice that this guarantee does *not* mean that memory does not leak! It is still 162 //! completely okay to not ever call [`drop`] on a pinned element (e.g., you can still 163 //! call [`mem::forget`] on a <code>[Pin]<[Box]\<T>></code>). In the example of the doubly-linked 164 //! list, that element would just stay in the list. However you must not free or reuse the storage 165 //! *without calling [`drop`]*. 166 //! 167 //! # `Drop` implementation 168 //! 169 //! If your type uses pinning (such as the two examples above), you have to be careful 170 //! when implementing [`Drop`][Drop]. The [`drop`] function takes <code>[&mut] self</code>, but this 171 //! is called *even if your type was previously pinned*! It is as if the 172 //! compiler automatically called [`Pin::get_unchecked_mut`]. 173 //! 174 //! This can never cause a problem in safe code because implementing a type that 175 //! relies on pinning requires unsafe code, but be aware that deciding to make 176 //! use of pinning in your type (for example by implementing some operation on 177 //! <code>[Pin]<[&]Self></code> or <code>[Pin]<[&mut] Self></code>) has consequences for your 178 //! [`Drop`][Drop] implementation as well: if an element of your type could have been pinned, 179 //! you must treat [`Drop`][Drop] as implicitly taking <code>[Pin]<[&mut] Self></code>. 180 //! 181 //! For example, you could implement [`Drop`][Drop] as follows: 182 //! 183 //! ```rust,no_run 184 //! # use std::pin::Pin; 185 //! # struct Type { } 186 //! impl Drop for Type { 187 //! fn drop(&mut self) { 188 //! // `new_unchecked` is okay because we know this value is never used 189 //! // again after being dropped. 190 //! inner_drop(unsafe { Pin::new_unchecked(self)}); 191 //! fn inner_drop(this: Pin<&mut Type>) { 192 //! // Actual drop code goes here. 193 //! } 194 //! } 195 //! } 196 //! ``` 197 //! 198 //! The function `inner_drop` has the type that [`drop`] *should* have, so this makes sure that 199 //! you do not accidentally use `self`/`this` in a way that is in conflict with pinning. 200 //! 201 //! Moreover, if your type is `#[repr(packed)]`, the compiler will automatically 202 //! move fields around to be able to drop them. It might even do 203 //! that for fields that happen to be sufficiently aligned. As a consequence, you cannot use 204 //! pinning with a `#[repr(packed)]` type. 205 //! 206 //! # Projections and Structural Pinning 207 //! 208 //! When working with pinned structs, the question arises how one can access the 209 //! fields of that struct in a method that takes just <code>[Pin]<[&mut] Struct></code>. 210 //! The usual approach is to write helper methods (so called *projections*) 211 //! that turn <code>[Pin]<[&mut] Struct></code> into a reference to the field, but what type should 212 //! that reference have? Is it <code>[Pin]<[&mut] Field></code> or <code>[&mut] Field</code>? 213 //! The same question arises with the fields of an `enum`, and also when considering 214 //! container/wrapper types such as <code>[Vec]\<T></code>, <code>[Box]\<T></code>, 215 //! or <code>[RefCell]\<T></code>. (This question applies to both mutable and shared references, 216 //! we just use the more common case of mutable references here for illustration.) 217 //! 218 //! It turns out that it is actually up to the author of the data structure to decide whether 219 //! the pinned projection for a particular field turns <code>[Pin]<[&mut] Struct></code> 220 //! into <code>[Pin]<[&mut] Field></code> or <code>[&mut] Field</code>. There are some 221 //! constraints though, and the most important constraint is *consistency*: 222 //! every field can be *either* projected to a pinned reference, *or* have 223 //! pinning removed as part of the projection. If both are done for the same field, 224 //! that will likely be unsound! 225 //! 226 //! As the author of a data structure you get to decide for each field whether pinning 227 //! "propagates" to this field or not. Pinning that propagates is also called "structural", 228 //! because it follows the structure of the type. 229 //! In the following subsections, we describe the considerations that have to be made 230 //! for either choice. 231 //! 232 //! ## Pinning *is not* structural for `field` 233 //! 234 //! It may seem counter-intuitive that the field of a pinned struct might not be pinned, 235 //! but that is actually the easiest choice: if a <code>[Pin]<[&mut] Field></code> is never created, 236 //! nothing can go wrong! So, if you decide that some field does not have structural pinning, 237 //! all you have to ensure is that you never create a pinned reference to that field. 238 //! 239 //! Fields without structural pinning may have a projection method that turns 240 //! <code>[Pin]<[&mut] Struct></code> into <code>[&mut] Field</code>: 241 //! 242 //! ```rust,no_run 243 //! # use std::pin::Pin; 244 //! # type Field = i32; 245 //! # struct Struct { field: Field } 246 //! impl Struct { 247 //! fn pin_get_field(self: Pin<&mut Self>) -> &mut Field { 248 //! // This is okay because `field` is never considered pinned. 249 //! unsafe { &mut self.get_unchecked_mut().field } 250 //! } 251 //! } 252 //! ``` 253 //! 254 //! You may also <code>impl [Unpin] for Struct</code> *even if* the type of `field` 255 //! is not [`Unpin`]. What that type thinks about pinning is not relevant 256 //! when no <code>[Pin]<[&mut] Field></code> is ever created. 257 //! 258 //! ## Pinning *is* structural for `field` 259 //! 260 //! The other option is to decide that pinning is "structural" for `field`, 261 //! meaning that if the struct is pinned then so is the field. 262 //! 263 //! This allows writing a projection that creates a <code>[Pin]<[&mut] Field></code>, thus 264 //! witnessing that the field is pinned: 265 //! 266 //! ```rust,no_run 267 //! # use std::pin::Pin; 268 //! # type Field = i32; 269 //! # struct Struct { field: Field } 270 //! impl Struct { 271 //! fn pin_get_field(self: Pin<&mut Self>) -> Pin<&mut Field> { 272 //! // This is okay because `field` is pinned when `self` is. 273 //! unsafe { self.map_unchecked_mut(|s| &mut s.field) } 274 //! } 275 //! } 276 //! ``` 277 //! 278 //! However, structural pinning comes with a few extra requirements: 279 //! 280 //! 1. The struct must only be [`Unpin`] if all the structural fields are 281 //! [`Unpin`]. This is the default, but [`Unpin`] is a safe trait, so as the author of 282 //! the struct it is your responsibility *not* to add something like 283 //! <code>impl\<T> [Unpin] for Struct\<T></code>. (Notice that adding a projection operation 284 //! requires unsafe code, so the fact that [`Unpin`] is a safe trait does not break 285 //! the principle that you only have to worry about any of this if you use [`unsafe`].) 286 //! 2. The destructor of the struct must not move structural fields out of its argument. This 287 //! is the exact point that was raised in the [previous section][drop-impl]: [`drop`] takes 288 //! <code>[&mut] self</code>, but the struct (and hence its fields) might have been pinned 289 //! before. You have to guarantee that you do not move a field inside your [`Drop`][Drop] 290 //! implementation. In particular, as explained previously, this means that your struct 291 //! must *not* be `#[repr(packed)]`. 292 //! See that section for how to write [`drop`] in a way that the compiler can help you 293 //! not accidentally break pinning. 294 //! 3. You must make sure that you uphold the [`Drop` guarantee][drop-guarantee]: 295 //! once your struct is pinned, the memory that contains the 296 //! content is not overwritten or deallocated without calling the content's destructors. 297 //! This can be tricky, as witnessed by <code>[VecDeque]\<T></code>: the destructor of 298 //! <code>[VecDeque]\<T></code> can fail to call [`drop`] on all elements if one of the 299 //! destructors panics. This violates the [`Drop`][Drop] guarantee, because it can lead to 300 //! elements being deallocated without their destructor being called. 301 //! (<code>[VecDeque]\<T></code> has no pinning projections, so this 302 //! does not cause unsoundness.) 303 //! 4. You must not offer any other operations that could lead to data being moved out of 304 //! the structural fields when your type is pinned. For example, if the struct contains an 305 //! <code>[Option]\<T></code> and there is a [`take`][Option::take]-like operation with type 306 //! <code>fn([Pin]<[&mut] Struct\<T>>) -> [Option]\<T></code>, 307 //! that operation can be used to move a `T` out of a pinned `Struct<T>` – which means 308 //! pinning cannot be structural for the field holding this data. 309 //! 310 //! For a more complex example of moving data out of a pinned type, 311 //! imagine if <code>[RefCell]\<T></code> had a method 312 //! <code>fn get_pin_mut(self: [Pin]<[&mut] Self>) -> [Pin]<[&mut] T></code>. 313 //! Then we could do the following: 314 //! ```compile_fail 315 //! fn exploit_ref_cell<T>(rc: Pin<&mut RefCell<T>>) { 316 //! { let p = rc.as_mut().get_pin_mut(); } // Here we get pinned access to the `T`. 317 //! let rc_shr: &RefCell<T> = rc.into_ref().get_ref(); 318 //! let b = rc_shr.borrow_mut(); 319 //! let content = &mut *b; // And here we have `&mut T` to the same data. 320 //! } 321 //! ``` 322 //! This is catastrophic, it means we can first pin the content of the 323 //! <code>[RefCell]\<T></code> (using <code>[RefCell]::get_pin_mut</code>) and then move that 324 //! content using the mutable reference we got later. 325 //! 326 //! ## Examples 327 //! 328 //! For a type like <code>[Vec]\<T></code>, both possibilities (structural pinning or not) make 329 //! sense. A <code>[Vec]\<T></code> with structural pinning could have `get_pin`/`get_pin_mut` 330 //! methods to get pinned references to elements. However, it could *not* allow calling 331 //! [`pop`][Vec::pop] on a pinned <code>[Vec]\<T></code> because that would move the (structurally 332 //! pinned) contents! Nor could it allow [`push`][Vec::push], which might reallocate and thus also 333 //! move the contents. 334 //! 335 //! A <code>[Vec]\<T></code> without structural pinning could 336 //! <code>impl\<T> [Unpin] for [Vec]\<T></code>, because the contents are never pinned 337 //! and the <code>[Vec]\<T></code> itself is fine with being moved as well. 338 //! At that point pinning just has no effect on the vector at all. 339 //! 340 //! In the standard library, pointer types generally do not have structural pinning, 341 //! and thus they do not offer pinning projections. This is why <code>[Box]\<T>: [Unpin]</code> 342 //! holds for all `T`. It makes sense to do this for pointer types, because moving the 343 //! <code>[Box]\<T></code> does not actually move the `T`: the <code>[Box]\<T></code> can be freely 344 //! movable (aka [`Unpin`]) even if the `T` is not. In fact, even <code>[Pin]<[Box]\<T>></code> and 345 //! <code>[Pin]<[&mut] T></code> are always [`Unpin`] themselves, for the same reason: 346 //! their contents (the `T`) are pinned, but the pointers themselves can be moved without moving 347 //! the pinned data. For both <code>[Box]\<T></code> and <code>[Pin]<[Box]\<T>></code>, 348 //! whether the content is pinned is entirely independent of whether the 349 //! pointer is pinned, meaning pinning is *not* structural. 350 //! 351 //! When implementing a [`Future`] combinator, you will usually need structural pinning 352 //! for the nested futures, as you need to get pinned references to them to call [`poll`]. 353 //! But if your combinator contains any other data that does not need to be pinned, 354 //! you can make those fields not structural and hence freely access them with a 355 //! mutable reference even when you just have <code>[Pin]<[&mut] Self></code> (such as in your own 356 //! [`poll`] implementation). 357 //! 358 //! [Deref]: crate::ops::Deref "ops::Deref" 359 //! [`Deref`]: crate::ops::Deref "ops::Deref" 360 //! [Target]: crate::ops::Deref::Target "ops::Deref::Target" 361 //! [`DerefMut`]: crate::ops::DerefMut "ops::DerefMut" 362 //! [`mem::swap`]: crate::mem::swap "mem::swap" 363 //! [`mem::forget`]: crate::mem::forget "mem::forget" 364 //! [Vec]: ../../std/vec/struct.Vec.html "Vec" 365 //! [`Vec::set_len`]: ../../std/vec/struct.Vec.html#method.set_len "Vec::set_len" 366 //! [Box]: ../../std/boxed/struct.Box.html "Box" 367 //! [Vec::pop]: ../../std/vec/struct.Vec.html#method.pop "Vec::pop" 368 //! [Vec::push]: ../../std/vec/struct.Vec.html#method.push "Vec::push" 369 //! [Rc]: ../../std/rc/struct.Rc.html "rc::Rc" 370 //! [RefCell]: crate::cell::RefCell "cell::RefCell" 371 //! [`drop`]: Drop::drop 372 //! [VecDeque]: ../../std/collections/struct.VecDeque.html "collections::VecDeque" 373 //! [`ptr::write`]: crate::ptr::write "ptr::write" 374 //! [`Future`]: crate::future::Future "future::Future" 375 //! [drop-impl]: #drop-implementation 376 //! [drop-guarantee]: #drop-guarantee 377 //! [`poll`]: crate::future::Future::poll "future::Future::poll" 378 //! [&]: reference "shared reference" 379 //! [&mut]: reference "mutable reference" 380 //! [`unsafe`]: ../../std/keyword.unsafe.html "keyword unsafe" 381 382 #![stable(feature = "pin", since = "1.33.0")] 383 384 use crate::cmp::{self, PartialEq, PartialOrd}; 385 use crate::fmt; 386 use crate::hash::{Hash, Hasher}; 387 use crate::marker::{Sized, Unpin}; 388 use crate::ops::{CoerceUnsized, Deref, DerefMut, DispatchFromDyn, Receiver}; 389 390 /// A pinned pointer. 391 /// 392 /// This is a wrapper around a kind of pointer which makes that pointer "pin" its 393 /// value in place, preventing the value referenced by that pointer from being moved 394 /// unless it implements [`Unpin`]. 395 /// 396 /// `Pin<P>` is guaranteed to have the same memory layout and ABI as `P`. 397 /// 398 /// *See the [`pin` module] documentation for an explanation of pinning.* 399 /// 400 /// [`pin` module]: self 401 // 402 // Note: the `Clone` derive below causes unsoundness as it's possible to implement 403 // `Clone` for mutable references. 404 // See <https://internals.rust-lang.org/t/unsoundness-in-pin/11311> for more details. 405 #[stable(feature = "pin", since = "1.33.0")] 406 #[lang = "pin"] 407 #[fundamental] 408 #[repr(transparent)] 409 #[derive(Copy, Clone)] 410 pub struct Pin<P> { 411 // FIXME(#93176): this field is made `#[unstable] #[doc(hidden)] pub` to: 412 // - deter downstream users from accessing it (which would be unsound!), 413 // - let the `pin!` macro access it (such a macro requires using struct 414 // literal syntax in order to benefit from lifetime extension). 415 // Long-term, `unsafe` fields or macro hygiene are expected to offer more robust alternatives. 416 #[unstable(feature = "unsafe_pin_internals", issue = "none")] 417 #[doc(hidden)] 418 pub pointer: P, 419 } 420 421 // The following implementations aren't derived in order to avoid soundness 422 // issues. `&self.pointer` should not be accessible to untrusted trait 423 // implementations. 424 // 425 // See <https://internals.rust-lang.org/t/unsoundness-in-pin/11311/73> for more details. 426 427 #[stable(feature = "pin_trait_impls", since = "1.41.0")] 428 impl<P: Deref, Q: Deref> PartialEq<Pin<Q>> for Pin<P> 429 where 430 P::Target: PartialEq<Q::Target>, 431 { eq(&self, other: &Pin<Q>) -> bool432 fn eq(&self, other: &Pin<Q>) -> bool { 433 P::Target::eq(self, other) 434 } 435 ne(&self, other: &Pin<Q>) -> bool436 fn ne(&self, other: &Pin<Q>) -> bool { 437 P::Target::ne(self, other) 438 } 439 } 440 441 #[stable(feature = "pin_trait_impls", since = "1.41.0")] 442 impl<P: Deref<Target: Eq>> Eq for Pin<P> {} 443 444 #[stable(feature = "pin_trait_impls", since = "1.41.0")] 445 impl<P: Deref, Q: Deref> PartialOrd<Pin<Q>> for Pin<P> 446 where 447 P::Target: PartialOrd<Q::Target>, 448 { partial_cmp(&self, other: &Pin<Q>) -> Option<cmp::Ordering>449 fn partial_cmp(&self, other: &Pin<Q>) -> Option<cmp::Ordering> { 450 P::Target::partial_cmp(self, other) 451 } 452 lt(&self, other: &Pin<Q>) -> bool453 fn lt(&self, other: &Pin<Q>) -> bool { 454 P::Target::lt(self, other) 455 } 456 le(&self, other: &Pin<Q>) -> bool457 fn le(&self, other: &Pin<Q>) -> bool { 458 P::Target::le(self, other) 459 } 460 gt(&self, other: &Pin<Q>) -> bool461 fn gt(&self, other: &Pin<Q>) -> bool { 462 P::Target::gt(self, other) 463 } 464 ge(&self, other: &Pin<Q>) -> bool465 fn ge(&self, other: &Pin<Q>) -> bool { 466 P::Target::ge(self, other) 467 } 468 } 469 470 #[stable(feature = "pin_trait_impls", since = "1.41.0")] 471 impl<P: Deref<Target: Ord>> Ord for Pin<P> { cmp(&self, other: &Self) -> cmp::Ordering472 fn cmp(&self, other: &Self) -> cmp::Ordering { 473 P::Target::cmp(self, other) 474 } 475 } 476 477 #[stable(feature = "pin_trait_impls", since = "1.41.0")] 478 impl<P: Deref<Target: Hash>> Hash for Pin<P> { hash<H: Hasher>(&self, state: &mut H)479 fn hash<H: Hasher>(&self, state: &mut H) { 480 P::Target::hash(self, state); 481 } 482 } 483 484 impl<P: Deref<Target: Unpin>> Pin<P> { 485 /// Construct a new `Pin<P>` around a pointer to some data of a type that 486 /// implements [`Unpin`]. 487 /// 488 /// Unlike `Pin::new_unchecked`, this method is safe because the pointer 489 /// `P` dereferences to an [`Unpin`] type, which cancels the pinning guarantees. 490 /// 491 /// # Examples 492 /// 493 /// ``` 494 /// use std::pin::Pin; 495 /// 496 /// let mut val: u8 = 5; 497 /// // We can pin the value, since it doesn't care about being moved 498 /// let mut pinned: Pin<&mut u8> = Pin::new(&mut val); 499 /// ``` 500 #[inline(always)] 501 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 502 #[stable(feature = "pin", since = "1.33.0")] new(pointer: P) -> Pin<P>503 pub const fn new(pointer: P) -> Pin<P> { 504 // SAFETY: the value pointed to is `Unpin`, and so has no requirements 505 // around pinning. 506 unsafe { Pin::new_unchecked(pointer) } 507 } 508 509 /// Unwraps this `Pin<P>` returning the underlying pointer. 510 /// 511 /// This requires that the data inside this `Pin` implements [`Unpin`] so that we 512 /// can ignore the pinning invariants when unwrapping it. 513 /// 514 /// # Examples 515 /// 516 /// ``` 517 /// use std::pin::Pin; 518 /// 519 /// let mut val: u8 = 5; 520 /// let pinned: Pin<&mut u8> = Pin::new(&mut val); 521 /// // Unwrap the pin to get a reference to the value 522 /// let r = Pin::into_inner(pinned); 523 /// assert_eq!(*r, 5); 524 /// ``` 525 #[inline(always)] 526 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 527 #[stable(feature = "pin_into_inner", since = "1.39.0")] into_inner(pin: Pin<P>) -> P528 pub const fn into_inner(pin: Pin<P>) -> P { 529 pin.pointer 530 } 531 } 532 533 impl<P: Deref> Pin<P> { 534 /// Construct a new `Pin<P>` around a reference to some data of a type that 535 /// may or may not implement `Unpin`. 536 /// 537 /// If `pointer` dereferences to an `Unpin` type, `Pin::new` should be used 538 /// instead. 539 /// 540 /// # Safety 541 /// 542 /// This constructor is unsafe because we cannot guarantee that the data 543 /// pointed to by `pointer` is pinned, meaning that the data will not be moved or 544 /// its storage invalidated until it gets dropped. If the constructed `Pin<P>` does 545 /// not guarantee that the data `P` points to is pinned, that is a violation of 546 /// the API contract and may lead to undefined behavior in later (safe) operations. 547 /// 548 /// By using this method, you are making a promise about the `P::Deref` and 549 /// `P::DerefMut` implementations, if they exist. Most importantly, they 550 /// must not move out of their `self` arguments: `Pin::as_mut` and `Pin::as_ref` 551 /// will call `DerefMut::deref_mut` and `Deref::deref` *on the pinned pointer* 552 /// and expect these methods to uphold the pinning invariants. 553 /// Moreover, by calling this method you promise that the reference `P` 554 /// dereferences to will not be moved out of again; in particular, it 555 /// must not be possible to obtain a `&mut P::Target` and then 556 /// move out of that reference (using, for example [`mem::swap`]). 557 /// 558 /// For example, calling `Pin::new_unchecked` on an `&'a mut T` is unsafe because 559 /// while you are able to pin it for the given lifetime `'a`, you have no control 560 /// over whether it is kept pinned once `'a` ends: 561 /// ``` 562 /// use std::mem; 563 /// use std::pin::Pin; 564 /// 565 /// fn move_pinned_ref<T>(mut a: T, mut b: T) { 566 /// unsafe { 567 /// let p: Pin<&mut T> = Pin::new_unchecked(&mut a); 568 /// // This should mean the pointee `a` can never move again. 569 /// } 570 /// mem::swap(&mut a, &mut b); // Potential UB down the road ⚠️ 571 /// // The address of `a` changed to `b`'s stack slot, so `a` got moved even 572 /// // though we have previously pinned it! We have violated the pinning API contract. 573 /// } 574 /// ``` 575 /// A value, once pinned, must remain pinned forever (unless its type implements `Unpin`). 576 /// 577 /// Similarly, calling `Pin::new_unchecked` on an `Rc<T>` is unsafe because there could be 578 /// aliases to the same data that are not subject to the pinning restrictions: 579 /// ``` 580 /// use std::rc::Rc; 581 /// use std::pin::Pin; 582 /// 583 /// fn move_pinned_rc<T>(mut x: Rc<T>) { 584 /// let pinned = unsafe { Pin::new_unchecked(Rc::clone(&x)) }; 585 /// { 586 /// let p: Pin<&T> = pinned.as_ref(); 587 /// // This should mean the pointee can never move again. 588 /// } 589 /// drop(pinned); 590 /// let content = Rc::get_mut(&mut x).unwrap(); // Potential UB down the road ⚠️ 591 /// // Now, if `x` was the only reference, we have a mutable reference to 592 /// // data that we pinned above, which we could use to move it as we have 593 /// // seen in the previous example. We have violated the pinning API contract. 594 /// } 595 /// ``` 596 /// 597 /// ## Pinning of closure captures 598 /// 599 /// Particular care is required when using `Pin::new_unchecked` in a closure: 600 /// `Pin::new_unchecked(&mut var)` where `var` is a by-value (moved) closure capture 601 /// implicitly makes the promise that the closure itself is pinned, and that *all* uses 602 /// of this closure capture respect that pinning. 603 /// ``` 604 /// use std::pin::Pin; 605 /// use std::task::Context; 606 /// use std::future::Future; 607 /// 608 /// fn move_pinned_closure(mut x: impl Future, cx: &mut Context<'_>) { 609 /// // Create a closure that moves `x`, and then internally uses it in a pinned way. 610 /// let mut closure = move || unsafe { 611 /// let _ignore = Pin::new_unchecked(&mut x).poll(cx); 612 /// }; 613 /// // Call the closure, so the future can assume it has been pinned. 614 /// closure(); 615 /// // Move the closure somewhere else. This also moves `x`! 616 /// let mut moved = closure; 617 /// // Calling it again means we polled the future from two different locations, 618 /// // violating the pinning API contract. 619 /// moved(); // Potential UB ⚠️ 620 /// } 621 /// ``` 622 /// When passing a closure to another API, it might be moving the closure any time, so 623 /// `Pin::new_unchecked` on closure captures may only be used if the API explicitly documents 624 /// that the closure is pinned. 625 /// 626 /// The better alternative is to avoid all that trouble and do the pinning in the outer function 627 /// instead (here using the [`pin!`][crate::pin::pin] macro): 628 /// ``` 629 /// use std::pin::pin; 630 /// use std::task::Context; 631 /// use std::future::Future; 632 /// 633 /// fn move_pinned_closure(mut x: impl Future, cx: &mut Context<'_>) { 634 /// let mut x = pin!(x); 635 /// // Create a closure that captures `x: Pin<&mut _>`, which is safe to move. 636 /// let mut closure = move || { 637 /// let _ignore = x.as_mut().poll(cx); 638 /// }; 639 /// // Call the closure, so the future can assume it has been pinned. 640 /// closure(); 641 /// // Move the closure somewhere else. 642 /// let mut moved = closure; 643 /// // Calling it again here is fine (except that we might be polling a future that already 644 /// // returned `Poll::Ready`, but that is a separate problem). 645 /// moved(); 646 /// } 647 /// ``` 648 /// 649 /// [`mem::swap`]: crate::mem::swap 650 #[lang = "new_unchecked"] 651 #[inline(always)] 652 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 653 #[stable(feature = "pin", since = "1.33.0")] new_unchecked(pointer: P) -> Pin<P>654 pub const unsafe fn new_unchecked(pointer: P) -> Pin<P> { 655 Pin { pointer } 656 } 657 658 /// Gets a pinned shared reference from this pinned pointer. 659 /// 660 /// This is a generic method to go from `&Pin<Pointer<T>>` to `Pin<&T>`. 661 /// It is safe because, as part of the contract of `Pin::new_unchecked`, 662 /// the pointee cannot move after `Pin<Pointer<T>>` got created. 663 /// "Malicious" implementations of `Pointer::Deref` are likewise 664 /// ruled out by the contract of `Pin::new_unchecked`. 665 #[stable(feature = "pin", since = "1.33.0")] 666 #[inline(always)] as_ref(&self) -> Pin<&P::Target>667 pub fn as_ref(&self) -> Pin<&P::Target> { 668 // SAFETY: see documentation on this function 669 unsafe { Pin::new_unchecked(&*self.pointer) } 670 } 671 672 /// Unwraps this `Pin<P>` returning the underlying pointer. 673 /// 674 /// # Safety 675 /// 676 /// This function is unsafe. You must guarantee that you will continue to 677 /// treat the pointer `P` as pinned after you call this function, so that 678 /// the invariants on the `Pin` type can be upheld. If the code using the 679 /// resulting `P` does not continue to maintain the pinning invariants that 680 /// is a violation of the API contract and may lead to undefined behavior in 681 /// later (safe) operations. 682 /// 683 /// If the underlying data is [`Unpin`], [`Pin::into_inner`] should be used 684 /// instead. 685 #[inline(always)] 686 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 687 #[stable(feature = "pin_into_inner", since = "1.39.0")] into_inner_unchecked(pin: Pin<P>) -> P688 pub const unsafe fn into_inner_unchecked(pin: Pin<P>) -> P { 689 pin.pointer 690 } 691 } 692 693 impl<P: DerefMut> Pin<P> { 694 /// Gets a pinned mutable reference from this pinned pointer. 695 /// 696 /// This is a generic method to go from `&mut Pin<Pointer<T>>` to `Pin<&mut T>`. 697 /// It is safe because, as part of the contract of `Pin::new_unchecked`, 698 /// the pointee cannot move after `Pin<Pointer<T>>` got created. 699 /// "Malicious" implementations of `Pointer::DerefMut` are likewise 700 /// ruled out by the contract of `Pin::new_unchecked`. 701 /// 702 /// This method is useful when doing multiple calls to functions that consume the pinned type. 703 /// 704 /// # Example 705 /// 706 /// ``` 707 /// use std::pin::Pin; 708 /// 709 /// # struct Type {} 710 /// impl Type { 711 /// fn method(self: Pin<&mut Self>) { 712 /// // do something 713 /// } 714 /// 715 /// fn call_method_twice(mut self: Pin<&mut Self>) { 716 /// // `method` consumes `self`, so reborrow the `Pin<&mut Self>` via `as_mut`. 717 /// self.as_mut().method(); 718 /// self.as_mut().method(); 719 /// } 720 /// } 721 /// ``` 722 #[stable(feature = "pin", since = "1.33.0")] 723 #[inline(always)] as_mut(&mut self) -> Pin<&mut P::Target>724 pub fn as_mut(&mut self) -> Pin<&mut P::Target> { 725 // SAFETY: see documentation on this function 726 unsafe { Pin::new_unchecked(&mut *self.pointer) } 727 } 728 729 /// Assigns a new value to the memory behind the pinned reference. 730 /// 731 /// This overwrites pinned data, but that is okay: its destructor gets 732 /// run before being overwritten, so no pinning guarantee is violated. 733 /// 734 /// # Example 735 /// 736 /// ``` 737 /// use std::pin::Pin; 738 /// 739 /// let mut val: u8 = 5; 740 /// let mut pinned: Pin<&mut u8> = Pin::new(&mut val); 741 /// println!("{}", pinned); // 5 742 /// pinned.as_mut().set(10); 743 /// println!("{}", pinned); // 10 744 /// ``` 745 #[stable(feature = "pin", since = "1.33.0")] 746 #[inline(always)] set(&mut self, value: P::Target) where P::Target: Sized,747 pub fn set(&mut self, value: P::Target) 748 where 749 P::Target: Sized, 750 { 751 *(self.pointer) = value; 752 } 753 } 754 755 impl<'a, T: ?Sized> Pin<&'a T> { 756 /// Constructs a new pin by mapping the interior value. 757 /// 758 /// For example, if you wanted to get a `Pin` of a field of something, 759 /// you could use this to get access to that field in one line of code. 760 /// However, there are several gotchas with these "pinning projections"; 761 /// see the [`pin` module] documentation for further details on that topic. 762 /// 763 /// # Safety 764 /// 765 /// This function is unsafe. You must guarantee that the data you return 766 /// will not move so long as the argument value does not move (for example, 767 /// because it is one of the fields of that value), and also that you do 768 /// not move out of the argument you receive to the interior function. 769 /// 770 /// [`pin` module]: self#projections-and-structural-pinning 771 #[stable(feature = "pin", since = "1.33.0")] map_unchecked<U, F>(self, func: F) -> Pin<&'a U> where U: ?Sized, F: FnOnce(&T) -> &U,772 pub unsafe fn map_unchecked<U, F>(self, func: F) -> Pin<&'a U> 773 where 774 U: ?Sized, 775 F: FnOnce(&T) -> &U, 776 { 777 let pointer = &*self.pointer; 778 let new_pointer = func(pointer); 779 780 // SAFETY: the safety contract for `new_unchecked` must be 781 // upheld by the caller. 782 unsafe { Pin::new_unchecked(new_pointer) } 783 } 784 785 /// Gets a shared reference out of a pin. 786 /// 787 /// This is safe because it is not possible to move out of a shared reference. 788 /// It may seem like there is an issue here with interior mutability: in fact, 789 /// it *is* possible to move a `T` out of a `&RefCell<T>`. However, this is 790 /// not a problem as long as there does not also exist a `Pin<&T>` pointing 791 /// to the same data, and `RefCell<T>` does not let you create a pinned reference 792 /// to its contents. See the discussion on ["pinning projections"] for further 793 /// details. 794 /// 795 /// Note: `Pin` also implements `Deref` to the target, which can be used 796 /// to access the inner value. However, `Deref` only provides a reference 797 /// that lives for as long as the borrow of the `Pin`, not the lifetime of 798 /// the `Pin` itself. This method allows turning the `Pin` into a reference 799 /// with the same lifetime as the original `Pin`. 800 /// 801 /// ["pinning projections"]: self#projections-and-structural-pinning 802 #[inline(always)] 803 #[must_use] 804 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 805 #[stable(feature = "pin", since = "1.33.0")] get_ref(self) -> &'a T806 pub const fn get_ref(self) -> &'a T { 807 self.pointer 808 } 809 } 810 811 impl<'a, T: ?Sized> Pin<&'a mut T> { 812 /// Converts this `Pin<&mut T>` into a `Pin<&T>` with the same lifetime. 813 #[inline(always)] 814 #[must_use = "`self` will be dropped if the result is not used"] 815 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] 816 #[stable(feature = "pin", since = "1.33.0")] into_ref(self) -> Pin<&'a T>817 pub const fn into_ref(self) -> Pin<&'a T> { 818 Pin { pointer: self.pointer } 819 } 820 821 /// Gets a mutable reference to the data inside of this `Pin`. 822 /// 823 /// This requires that the data inside this `Pin` is `Unpin`. 824 /// 825 /// Note: `Pin` also implements `DerefMut` to the data, which can be used 826 /// to access the inner value. However, `DerefMut` only provides a reference 827 /// that lives for as long as the borrow of the `Pin`, not the lifetime of 828 /// the `Pin` itself. This method allows turning the `Pin` into a reference 829 /// with the same lifetime as the original `Pin`. 830 #[inline(always)] 831 #[must_use = "`self` will be dropped if the result is not used"] 832 #[stable(feature = "pin", since = "1.33.0")] 833 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] get_mut(self) -> &'a mut T where T: Unpin,834 pub const fn get_mut(self) -> &'a mut T 835 where 836 T: Unpin, 837 { 838 self.pointer 839 } 840 841 /// Gets a mutable reference to the data inside of this `Pin`. 842 /// 843 /// # Safety 844 /// 845 /// This function is unsafe. You must guarantee that you will never move 846 /// the data out of the mutable reference you receive when you call this 847 /// function, so that the invariants on the `Pin` type can be upheld. 848 /// 849 /// If the underlying data is `Unpin`, `Pin::get_mut` should be used 850 /// instead. 851 #[inline(always)] 852 #[must_use = "`self` will be dropped if the result is not used"] 853 #[stable(feature = "pin", since = "1.33.0")] 854 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] get_unchecked_mut(self) -> &'a mut T855 pub const unsafe fn get_unchecked_mut(self) -> &'a mut T { 856 self.pointer 857 } 858 859 /// Construct a new pin by mapping the interior value. 860 /// 861 /// For example, if you wanted to get a `Pin` of a field of something, 862 /// you could use this to get access to that field in one line of code. 863 /// However, there are several gotchas with these "pinning projections"; 864 /// see the [`pin` module] documentation for further details on that topic. 865 /// 866 /// # Safety 867 /// 868 /// This function is unsafe. You must guarantee that the data you return 869 /// will not move so long as the argument value does not move (for example, 870 /// because it is one of the fields of that value), and also that you do 871 /// not move out of the argument you receive to the interior function. 872 /// 873 /// [`pin` module]: self#projections-and-structural-pinning 874 #[must_use = "`self` will be dropped if the result is not used"] 875 #[stable(feature = "pin", since = "1.33.0")] map_unchecked_mut<U, F>(self, func: F) -> Pin<&'a mut U> where U: ?Sized, F: FnOnce(&mut T) -> &mut U,876 pub unsafe fn map_unchecked_mut<U, F>(self, func: F) -> Pin<&'a mut U> 877 where 878 U: ?Sized, 879 F: FnOnce(&mut T) -> &mut U, 880 { 881 // SAFETY: the caller is responsible for not moving the 882 // value out of this reference. 883 let pointer = unsafe { Pin::get_unchecked_mut(self) }; 884 let new_pointer = func(pointer); 885 // SAFETY: as the value of `this` is guaranteed to not have 886 // been moved out, this call to `new_unchecked` is safe. 887 unsafe { Pin::new_unchecked(new_pointer) } 888 } 889 } 890 891 impl<T: ?Sized> Pin<&'static T> { 892 /// Get a pinned reference from a static reference. 893 /// 894 /// This is safe, because `T` is borrowed for the `'static` lifetime, which 895 /// never ends. 896 #[stable(feature = "pin_static_ref", since = "1.61.0")] 897 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] static_ref(r: &'static T) -> Pin<&'static T>898 pub const fn static_ref(r: &'static T) -> Pin<&'static T> { 899 // SAFETY: The 'static borrow guarantees the data will not be 900 // moved/invalidated until it gets dropped (which is never). 901 unsafe { Pin::new_unchecked(r) } 902 } 903 } 904 905 impl<'a, P: DerefMut> Pin<&'a mut Pin<P>> { 906 /// Gets a pinned mutable reference from this nested pinned pointer. 907 /// 908 /// This is a generic method to go from `Pin<&mut Pin<Pointer<T>>>` to `Pin<&mut T>`. It is 909 /// safe because the existence of a `Pin<Pointer<T>>` ensures that the pointee, `T`, cannot 910 /// move in the future, and this method does not enable the pointee to move. "Malicious" 911 /// implementations of `P::DerefMut` are likewise ruled out by the contract of 912 /// `Pin::new_unchecked`. 913 #[unstable(feature = "pin_deref_mut", issue = "86918")] 914 #[must_use = "`self` will be dropped if the result is not used"] 915 #[inline(always)] as_deref_mut(self) -> Pin<&'a mut P::Target>916 pub fn as_deref_mut(self) -> Pin<&'a mut P::Target> { 917 // SAFETY: What we're asserting here is that going from 918 // 919 // Pin<&mut Pin<P>> 920 // 921 // to 922 // 923 // Pin<&mut P::Target> 924 // 925 // is safe. 926 // 927 // We need to ensure that two things hold for that to be the case: 928 // 929 // 1) Once we give out a `Pin<&mut P::Target>`, an `&mut P::Target` will not be given out. 930 // 2) By giving out a `Pin<&mut P::Target>`, we do not risk of violating `Pin<&mut Pin<P>>` 931 // 932 // The existence of `Pin<P>` is sufficient to guarantee #1: since we already have a 933 // `Pin<P>`, it must already uphold the pinning guarantees, which must mean that 934 // `Pin<&mut P::Target>` does as well, since `Pin::as_mut` is safe. We do not have to rely 935 // on the fact that P is _also_ pinned. 936 // 937 // For #2, we need to ensure that code given a `Pin<&mut P::Target>` cannot cause the 938 // `Pin<P>` to move? That is not possible, since `Pin<&mut P::Target>` no longer retains 939 // any access to the `P` itself, much less the `Pin<P>`. 940 unsafe { self.get_unchecked_mut() }.as_mut() 941 } 942 } 943 944 impl<T: ?Sized> Pin<&'static mut T> { 945 /// Get a pinned mutable reference from a static mutable reference. 946 /// 947 /// This is safe, because `T` is borrowed for the `'static` lifetime, which 948 /// never ends. 949 #[stable(feature = "pin_static_ref", since = "1.61.0")] 950 #[rustc_const_unstable(feature = "const_pin", issue = "76654")] static_mut(r: &'static mut T) -> Pin<&'static mut T>951 pub const fn static_mut(r: &'static mut T) -> Pin<&'static mut T> { 952 // SAFETY: The 'static borrow guarantees the data will not be 953 // moved/invalidated until it gets dropped (which is never). 954 unsafe { Pin::new_unchecked(r) } 955 } 956 } 957 958 #[stable(feature = "pin", since = "1.33.0")] 959 impl<P: Deref> Deref for Pin<P> { 960 type Target = P::Target; deref(&self) -> &P::Target961 fn deref(&self) -> &P::Target { 962 Pin::get_ref(Pin::as_ref(self)) 963 } 964 } 965 966 #[stable(feature = "pin", since = "1.33.0")] 967 impl<P: DerefMut<Target: Unpin>> DerefMut for Pin<P> { deref_mut(&mut self) -> &mut P::Target968 fn deref_mut(&mut self) -> &mut P::Target { 969 Pin::get_mut(Pin::as_mut(self)) 970 } 971 } 972 973 #[unstable(feature = "receiver_trait", issue = "none")] 974 impl<P: Receiver> Receiver for Pin<P> {} 975 976 #[stable(feature = "pin", since = "1.33.0")] 977 impl<P: fmt::Debug> fmt::Debug for Pin<P> { fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result978 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 979 fmt::Debug::fmt(&self.pointer, f) 980 } 981 } 982 983 #[stable(feature = "pin", since = "1.33.0")] 984 impl<P: fmt::Display> fmt::Display for Pin<P> { fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result985 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 986 fmt::Display::fmt(&self.pointer, f) 987 } 988 } 989 990 #[stable(feature = "pin", since = "1.33.0")] 991 impl<P: fmt::Pointer> fmt::Pointer for Pin<P> { fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result992 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 993 fmt::Pointer::fmt(&self.pointer, f) 994 } 995 } 996 997 // Note: this means that any impl of `CoerceUnsized` that allows coercing from 998 // a type that impls `Deref<Target=impl !Unpin>` to a type that impls 999 // `Deref<Target=Unpin>` is unsound. Any such impl would probably be unsound 1000 // for other reasons, though, so we just need to take care not to allow such 1001 // impls to land in std. 1002 #[stable(feature = "pin", since = "1.33.0")] 1003 impl<P, U> CoerceUnsized<Pin<U>> for Pin<P> where P: CoerceUnsized<U> {} 1004 1005 #[stable(feature = "pin", since = "1.33.0")] 1006 impl<P, U> DispatchFromDyn<Pin<U>> for Pin<P> where P: DispatchFromDyn<U> {} 1007 1008 /// Constructs a <code>[Pin]<[&mut] T></code>, by pinning a `value: T` locally. 1009 /// 1010 /// Unlike [`Box::pin`], this does not create a new heap allocation. As explained 1011 /// below, the element might still end up on the heap however. 1012 /// 1013 /// The local pinning performed by this macro is usually dubbed "stack"-pinning. 1014 /// Outside of `async` contexts locals do indeed get stored on the stack. In 1015 /// `async` functions or blocks however, any locals crossing an `.await` point 1016 /// are part of the state captured by the `Future`, and will use the storage of 1017 /// those. That storage can either be on the heap or on the stack. Therefore, 1018 /// local pinning is a more accurate term. 1019 /// 1020 /// If the type of the given value does not implement [`Unpin`], then this macro 1021 /// pins the value in memory in a way that prevents moves. On the other hand, 1022 /// if the type does implement [`Unpin`], <code>[Pin]<[&mut] T></code> behaves 1023 /// like <code>[&mut] T</code>, and operations such as 1024 /// [`mem::replace()`][crate::mem::replace] or [`mem::take()`](crate::mem::take) 1025 /// will allow moves of the value. 1026 /// See [the `Unpin` section of the `pin` module][self#unpin] for details. 1027 /// 1028 /// ## Examples 1029 /// 1030 /// ### Basic usage 1031 /// 1032 /// ```rust 1033 /// # use core::marker::PhantomPinned as Foo; 1034 /// use core::pin::{pin, Pin}; 1035 /// 1036 /// fn stuff(foo: Pin<&mut Foo>) { 1037 /// // … 1038 /// # let _ = foo; 1039 /// } 1040 /// 1041 /// let pinned_foo = pin!(Foo { /* … */ }); 1042 /// stuff(pinned_foo); 1043 /// // or, directly: 1044 /// stuff(pin!(Foo { /* … */ })); 1045 /// ``` 1046 /// 1047 /// ### Manually polling a `Future` (without `Unpin` bounds) 1048 /// 1049 /// ```rust 1050 /// use std::{ 1051 /// future::Future, 1052 /// pin::pin, 1053 /// task::{Context, Poll}, 1054 /// thread, 1055 /// }; 1056 /// # use std::{sync::Arc, task::Wake, thread::Thread}; 1057 /// 1058 /// # /// A waker that wakes up the current thread when called. 1059 /// # struct ThreadWaker(Thread); 1060 /// # 1061 /// # impl Wake for ThreadWaker { 1062 /// # fn wake(self: Arc<Self>) { 1063 /// # self.0.unpark(); 1064 /// # } 1065 /// # } 1066 /// # 1067 /// /// Runs a future to completion. 1068 /// fn block_on<Fut: Future>(fut: Fut) -> Fut::Output { 1069 /// let waker_that_unparks_thread = // … 1070 /// # Arc::new(ThreadWaker(thread::current())).into(); 1071 /// let mut cx = Context::from_waker(&waker_that_unparks_thread); 1072 /// // Pin the future so it can be polled. 1073 /// let mut pinned_fut = pin!(fut); 1074 /// loop { 1075 /// match pinned_fut.as_mut().poll(&mut cx) { 1076 /// Poll::Pending => thread::park(), 1077 /// Poll::Ready(res) => return res, 1078 /// } 1079 /// } 1080 /// } 1081 /// # 1082 /// # assert_eq!(42, block_on(async { 42 })); 1083 /// ``` 1084 /// 1085 /// ### With `Generator`s 1086 /// 1087 /// ```rust 1088 /// #![feature(generators, generator_trait)] 1089 /// use core::{ 1090 /// ops::{Generator, GeneratorState}, 1091 /// pin::pin, 1092 /// }; 1093 /// 1094 /// fn generator_fn() -> impl Generator<Yield = usize, Return = ()> /* not Unpin */ { 1095 /// // Allow generator to be self-referential (not `Unpin`) 1096 /// // vvvvvv so that locals can cross yield points. 1097 /// static || { 1098 /// let foo = String::from("foo"); 1099 /// let foo_ref = &foo; // ------+ 1100 /// yield 0; // | <- crosses yield point! 1101 /// println!("{foo_ref}"); // <--+ 1102 /// yield foo.len(); 1103 /// } 1104 /// } 1105 /// 1106 /// fn main() { 1107 /// let mut generator = pin!(generator_fn()); 1108 /// match generator.as_mut().resume(()) { 1109 /// GeneratorState::Yielded(0) => {}, 1110 /// _ => unreachable!(), 1111 /// } 1112 /// match generator.as_mut().resume(()) { 1113 /// GeneratorState::Yielded(3) => {}, 1114 /// _ => unreachable!(), 1115 /// } 1116 /// match generator.resume(()) { 1117 /// GeneratorState::Yielded(_) => unreachable!(), 1118 /// GeneratorState::Complete(()) => {}, 1119 /// } 1120 /// } 1121 /// ``` 1122 /// 1123 /// ## Remarks 1124 /// 1125 /// Precisely because a value is pinned to local storage, the resulting <code>[Pin]<[&mut] T></code> 1126 /// reference ends up borrowing a local tied to that block: it can't escape it. 1127 /// 1128 /// The following, for instance, fails to compile: 1129 /// 1130 /// ```rust,compile_fail 1131 /// use core::pin::{pin, Pin}; 1132 /// # use core::{marker::PhantomPinned as Foo, mem::drop as stuff}; 1133 /// 1134 /// let x: Pin<&mut Foo> = { 1135 /// let x: Pin<&mut Foo> = pin!(Foo { /* … */ }); 1136 /// x 1137 /// }; // <- Foo is dropped 1138 /// stuff(x); // Error: use of dropped value 1139 /// ``` 1140 /// 1141 /// <details><summary>Error message</summary> 1142 /// 1143 /// ```console 1144 /// error[E0716]: temporary value dropped while borrowed 1145 /// --> src/main.rs:9:28 1146 /// | 1147 /// 8 | let x: Pin<&mut Foo> = { 1148 /// | - borrow later stored here 1149 /// 9 | let x: Pin<&mut Foo> = pin!(Foo { /* … */ }); 1150 /// | ^^^^^^^^^^^^^^^^^^^^^ creates a temporary value which is freed while still in use 1151 /// 10 | x 1152 /// 11 | }; // <- Foo is dropped 1153 /// | - temporary value is freed at the end of this statement 1154 /// | 1155 /// = note: consider using a `let` binding to create a longer lived value 1156 /// ``` 1157 /// 1158 /// </details> 1159 /// 1160 /// This makes [`pin!`] **unsuitable to pin values when intending to _return_ them**. Instead, the 1161 /// value is expected to be passed around _unpinned_ until the point where it is to be consumed, 1162 /// where it is then useful and even sensible to pin the value locally using [`pin!`]. 1163 /// 1164 /// If you really need to return a pinned value, consider using [`Box::pin`] instead. 1165 /// 1166 /// On the other hand, local pinning using [`pin!`] is likely to be cheaper than 1167 /// pinning into a fresh heap allocation using [`Box::pin`]. Moreover, by virtue of not 1168 /// requiring an allocator, [`pin!`] is the main non-`unsafe` `#![no_std]`-compatible [`Pin`] 1169 /// constructor. 1170 /// 1171 /// [`Box::pin`]: ../../std/boxed/struct.Box.html#method.pin 1172 #[stable(feature = "pin_macro", since = "1.68.0")] 1173 #[rustc_macro_transparency = "semitransparent"] 1174 #[allow_internal_unstable(unsafe_pin_internals)] 1175 pub macro pin($value:expr $(,)?) { 1176 // This is `Pin::new_unchecked(&mut { $value })`, so, for starters, let's 1177 // review such a hypothetical macro (that any user-code could define): 1178 // 1179 // ```rust 1180 // macro_rules! pin {( $value:expr ) => ( 1181 // match &mut { $value } { at_value => unsafe { // Do not wrap `$value` in an `unsafe` block. 1182 // $crate::pin::Pin::<&mut _>::new_unchecked(at_value) 1183 // }} 1184 // )} 1185 // ``` 1186 // 1187 // Safety: 1188 // - `type P = &mut _`. There are thus no pathological `Deref{,Mut}` impls 1189 // that would break `Pin`'s invariants. 1190 // - `{ $value }` is braced, making it a _block expression_, thus **moving** 1191 // the given `$value`, and making it _become an **anonymous** temporary_. 1192 // By virtue of being anonymous, it can no longer be accessed, thus 1193 // preventing any attempts to `mem::replace` it or `mem::forget` it, _etc._ 1194 // 1195 // This gives us a `pin!` definition that is sound, and which works, but only 1196 // in certain scenarios: 1197 // - If the `pin!(value)` expression is _directly_ fed to a function call: 1198 // `let poll = pin!(fut).poll(cx);` 1199 // - If the `pin!(value)` expression is part of a scrutinee: 1200 // ```rust 1201 // match pin!(fut) { pinned_fut => { 1202 // pinned_fut.as_mut().poll(...); 1203 // pinned_fut.as_mut().poll(...); 1204 // }} // <- `fut` is dropped here. 1205 // ``` 1206 // Alas, it doesn't work for the more straight-forward use-case: `let` bindings. 1207 // ```rust 1208 // let pinned_fut = pin!(fut); // <- temporary value is freed at the end of this statement 1209 // pinned_fut.poll(...) // error[E0716]: temporary value dropped while borrowed 1210 // // note: consider using a `let` binding to create a longer lived value 1211 // ``` 1212 // - Issues such as this one are the ones motivating https://github.com/rust-lang/rfcs/pull/66 1213 // 1214 // This makes such a macro incredibly unergonomic in practice, and the reason most macros 1215 // out there had to take the path of being a statement/binding macro (_e.g._, `pin!(future);`) 1216 // instead of featuring the more intuitive ergonomics of an expression macro. 1217 // 1218 // Luckily, there is a way to avoid the problem. Indeed, the problem stems from the fact that a 1219 // temporary is dropped at the end of its enclosing statement when it is part of the parameters 1220 // given to function call, which has precisely been the case with our `Pin::new_unchecked()`! 1221 // For instance, 1222 // ```rust 1223 // let p = Pin::new_unchecked(&mut <temporary>); 1224 // ``` 1225 // becomes: 1226 // ```rust 1227 // let p = { let mut anon = <temporary>; &mut anon }; 1228 // ``` 1229 // 1230 // However, when using a literal braced struct to construct the value, references to temporaries 1231 // can then be taken. This makes Rust change the lifespan of such temporaries so that they are, 1232 // instead, dropped _at the end of the enscoping block_. 1233 // For instance, 1234 // ```rust 1235 // let p = Pin { pointer: &mut <temporary> }; 1236 // ``` 1237 // becomes: 1238 // ```rust 1239 // let mut anon = <temporary>; 1240 // let p = Pin { pointer: &mut anon }; 1241 // ``` 1242 // which is *exactly* what we want. 1243 // 1244 // See https://doc.rust-lang.org/1.58.1/reference/destructors.html#temporary-lifetime-extension 1245 // for more info. 1246 $crate::pin::Pin::<&mut _> { pointer: &mut { $value } } 1247 } 1248