1.33.0[−][src]Module core::pin
Types which pin data to its location in memory
It is sometimes useful to have objects that are guaranteed to not move, in the sense that their placement in memory does not change, and can thus be relied upon. A prime example of such a scenario would be building self-referential structs, since moving an object with pointers to itself will invalidate them, which could cause undefined behavior.
A Pin<P>
ensures that the pointee of any pointer type P
has a stable location in memory,
meaning it cannot be moved elsewhere and its memory cannot be deallocated
until it gets dropped. We say that the pointee is "pinned".
By default, all types in Rust are movable. Rust allows passing all types by-value,
and common smart-pointer types such as Box<T>
and &mut T
allow replacing and
moving the values they contain: you can move out of a Box<T>
, or you can use mem::swap
.
Pin<P>
wraps a pointer type P
, so Pin<Box<T>>
functions much like a regular Box<T>
:
when a Pin<Box<T>>
gets dropped, so do its contents, and the memory gets deallocated.
Similarily, Pin<&mut T>
is a lot like &mut T
. However, Pin<P>
does not let clients
actually obtain a Box<T>
or &mut T
to pinned data, which implies that you cannot use
operations such as mem::swap
:
use std::pin::Pin; fn swap_pins<T>(x: Pin<&mut T>, y: Pin<&mut T>) { // `mem::swap` needs `&mut T`, but we cannot get it. // We are stuck, we cannot swap the contents of these references. // We could use `Pin::get_unchecked_mut`, but that is unsafe for a reason: // we are not allowed to use it for moving things out of the `Pin`. }Run
It is worth reiterating that Pin<P>
does not change the fact that a Rust compiler
considers all types movable. mem::swap
remains callable for any T
. Instead, Pin<P>
prevents certain values (pointed to by pointers wrapped in Pin<P>
) from being
moved by making it impossible to call methods that require &mut T
on them
(like mem::swap
).
Pin<P>
can be used to wrap any pointer type P
, and as such it interacts with
Deref
and DerefMut
. A Pin<P>
where P: Deref
should be considered
as a "P
-style pointer" to a pinned P::Target
-- so, a Pin<Box<T>>
is
an owned pointer to a pinned T
, and a Pin<Rc<T>>
is a reference-counted
pointer to a pinned T
.
For correctness, Pin<P>
relies on the Deref
and DerefMut
implementations
to not move out of their self
parameter, and to only ever return a pointer
to pinned data when they are called on a pinned pointer.
Unpin
However, these restrictions are usually not necessary. Many types are always freely
movable, even when pinned, because they do not rely on having a stable address.
This includes all the basic types (like bool
, i32
, references)
as well as types consisting solely of these types.
Types that do not care about pinning implement the Unpin
auto-trait, which
cancels the effect of Pin<P>
. For T: Unpin
, Pin<Box<T>>
and Box<T>
function
identically, as do Pin<&mut T>
and &mut T
.
Note that pinning and Unpin
only affect the pointed-to type P::Target
, not the pointer
type P
itself that got wrapped in Pin<P>
. For example, whether or not Box<T>
is
Unpin
has no effect on the behavior of Pin<Box<T>>
(here, T
is the
pointed-to type).
Example: self-referential struct
use std::pin::Pin; use std::marker::PhantomPinned; use std::ptr::NonNull; // This is a self-referential struct since the slice field points to the data field. // We cannot inform the compiler about that with a normal reference, // since this pattern cannot be described with the usual borrowing rules. // Instead we use a raw pointer, though one which is known to not be null, // since we know it's pointing at the string. struct Unmovable { data: String, slice: NonNull<String>, _pin: PhantomPinned, } impl Unmovable { // To ensure the data doesn't move when the function returns, // we place it in the heap where it will stay for the lifetime of the object, // and the only way to access it would be through a pointer to it. fn new(data: String) -> Pin<Box<Self>> { let res = Unmovable { data, // we only create the pointer once the data is in place // otherwise it will have already moved before we even started slice: NonNull::dangling(), _pin: PhantomPinned, }; let mut boxed = Box::pin(res); let slice = NonNull::from(&boxed.data); // we know this is safe because modifying a field doesn't move the whole struct unsafe { let mut_ref: Pin<&mut Self> = Pin::as_mut(&mut boxed); Pin::get_unchecked_mut(mut_ref).slice = slice; } boxed } } let unmoved = Unmovable::new("hello".to_string()); // The pointer should point to the correct location, // so long as the struct hasn't moved. // Meanwhile, we are free to move the pointer around. let mut still_unmoved = unmoved; assert_eq!(still_unmoved.slice, NonNull::from(&still_unmoved.data)); // Since our type doesn't implement Unpin, this will fail to compile: // let new_unmoved = Unmovable::new("world".to_string()); // std::mem::swap(&mut *still_unmoved, &mut *new_unmoved);Run
Example: intrusive doubly-linked list
In an intrusive doubly-linked list, the collection does not actually allocate the memory for the elements itself. Allocation is controlled by the clients, and elements can live on a stack frame that lives shorter than the collection does.
To make this work, every element has pointers to its predecessor and successor in
the list. Elements can only be added when they are pinned, because moving the elements
around would invalidate the pointers. Moreover, the Drop
implementation of a linked
list element will patch the pointers of its predecessor and successor to remove itself
from the list.
Crucially, we have to be able to rely on drop
being called. If an element
could be deallocated or otherwise invalidated without calling drop
, the pointers into it
from its neighbouring elements would become invalid, which would break the data structure.
Therefore, pinning also comes with a drop
-related guarantee.
Drop
guarantee
The purpose of pinning is to be able to rely on the placement of some data in memory.
To make this work, not just moving the data is restricted; deallocating, repurposing, or
otherwise invalidating the memory used to store the data is restricted, too.
Concretely, for pinned data you have to maintain the invariant
that its memory will not get invalidated from the moment it gets pinned until
when drop
is called. Memory can be invalidated by deallocation, but also by
replacing a Some(v)
by None
, or calling Vec::set_len
to "kill" some elements
off of a vector.
This is exactly the kind of guarantee that the intrusive linked list from the previous section needs to function correctly.
Notice that this guarantee does not mean that memory does not leak! It is still
completely okay not to ever call drop
on a pinned element (e.g., you can still
call mem::forget
on a Pin<Box<T>>
). In the example of the doubly-linked
list, that element would just stay in the list. However you may not free or reuse the storage
without calling drop
.
Drop
implementation
If your type uses pinning (such as the two examples above), you have to be careful
when implementing Drop
. The drop
function takes &mut self
, but this
is called even if your type was previously pinned! It is as if the
compiler automatically called get_unchecked_mut
.
This can never cause a problem in safe code because implementing a type that relies on pinning
requires unsafe code, but be aware that deciding to make use of pinning
in your type (for example by implementing some operation on Pin<&[mut] Self>
)
has consequences for your Drop
implementation as well: if an element
of your type could have been pinned, you must treat Drop as implicitly taking
Pin<&mut Self>
.
In particular, if your type is #[repr(packed)]
, the compiler will automatically
move fields around to be able to drop them. As a consequence, you cannot use
pinning with a #[repr(packed)]
type.
Projections and Structural Pinning
One interesting question arises when considering the interaction of pinning and
the fields of a struct. When can a struct have a "pinning projection", i.e.,
an operation with type fn(Pin<&[mut] Struct>) -> Pin<&[mut] Field>
?
In a similar vein, when can a generic wrapper type (such as Vec<T>
, Box<T>
, or RefCell<T>
)
have an operation with type fn(Pin<&[mut] Wrapper<T>>) -> Pin<&[mut] T>
?
Having a pinning projection for some field means that pinning is "structural":
when the wrapper is pinned, the field must be considered pinned, too.
After all, the pinning projection lets us get a Pin<&[mut] Field>
.
However, structural pinning comes with a few extra requirements, so not all wrappers can be structural and hence not all wrappers can offer pinning projections:
-
The wrapper must only be
Unpin
if all the structural fields areUnpin
. This is the default, butUnpin
is a safe trait, so as the author of the wrapper it is your responsibility not to add something likeimpl<T> Unpin for Wrapper<T>
. (Notice that adding a projection operation requires unsafe code, so the fact thatUnpin
is a safe trait does not break the principle that you only have to worry about any of this if you useunsafe
.) -
The destructor of the wrapper must not move structural fields out of its argument. This is the exact point that was raised in the previous section:
drop
takes&mut self
, but the wrapper (and hence its fields) might have been pinned before. You have to guarantee that you do not move a field inside yourDrop
implementation. In particular, as explained previously, this means that your wrapper type must not be#[repr(packed)]
. -
You must make sure that you uphold the
Drop
guarantee: once your wrapper is pinned, the memory that contains the content is not overwritten or deallocated without calling the content's destructors. This can be tricky, as witnessed byVecDeque<T>
: the destructor ofVecDeque<T>
can fail to calldrop
on all elements if one of the destructors panics. This violates theDrop
guarantee, because it can lead to elements being deallocated without their destructor being called. (VecDeque
has no pinning projections, so this does not cause unsoundness.) -
You must not offer any other operations that could lead to data being moved out of the fields when your type is pinned. For example, if the wrapper contains an
Option<T>
and there is atake
-like operation with typefn(Pin<&mut Wrapper<T>>) -> Option<T>
, that operation can be used to move aT
out of a pinnedWrapper<T>
-- which means pinning cannot be structural.For a more complex example of moving data out of a pinned type, imagine if
RefCell<T>
had a methodfn get_pin_mut(self: Pin<&mut Self>) -> Pin<&mut T>
. Then we could do the following:ⓘThis example deliberately fails to compilefn exploit_ref_cell<T>(rc: Pin<&mut RefCell<T>) { { let p = rc.as_mut().get_pin_mut(); } // Here we get pinned access to the `T`. let rc_shr: &RefCell<T> = rc.into_ref().get_ref(); let b = rc_shr.borrow_mut(); let content = &mut *b; // And here we have `&mut T` to the same data. }Run
This is catastrophic, it means we can first pin the content of the
RefCell<T>
(usingRefCell::get_pin_mut
) and then move that content using the mutable reference we got later.
For a type like Vec<T>
, both possibilites (structural pinning or not) make sense,
and the choice is up to the author. A Vec<T>
with structural pinning could
have get_pin
/get_pin_mut
projections. However, it could not allow calling
pop
on a pinned Vec<T>
because that would move the (structurally pinned) contents!
Nor could it allow push
, which might reallocate and thus also move the contents.
A Vec<T>
without structural pinning could impl<T> Unpin for Vec<T>
, because the contents
are never pinned and the Vec<T>
itself is fine with being moved as well.
In the standard library, pointer types generally do not have structural pinning,
and thus they do not offer pinning projections. This is why Box<T>: Unpin
holds for all T
.
It makes sense to do this for pointer types, because moving the Box<T>
does not actually move the T
: the Box<T>
can be freely movable (aka Unpin
) even if the T
is not. In fact, even Pin<Box<T>>
and Pin<&mut T>
are always Unpin
themselves,
for the same reason: their contents (the T
) are pinned, but the pointers themselves
can be moved without moving the pinned data. For both Box<T>
and Pin<Box<T>>
,
whether the content is pinned is entirely independent of whether the pointer is
pinned, meaning pinning is not structural.
Structs
Pin | A pinned pointer. |