1 // SPDX-License-Identifier: Apache-2.0 OR MIT
3 //! API to safely and fallibly initialize pinned `struct`s using in-place constructors.
5 //! It also allows in-place initialization of big `struct`s that would otherwise produce a stack
8 //! Most `struct`s from the [`sync`] module need to be pinned, because they contain self-referential
9 //! `struct`s from C. [Pinning][pinning] is Rust's way of ensuring data does not move.
13 //! To initialize a `struct` with an in-place constructor you will need two things:
14 //! - an in-place constructor,
15 //! - a memory location that can hold your `struct` (this can be the [stack], an [`Arc<T>`],
16 //! [`UniqueArc<T>`], [`Box<T>`] or any other smart pointer that implements [`InPlaceInit`]).
18 //! To get an in-place constructor there are generally three options:
19 //! - directly creating an in-place constructor using the [`pin_init!`] macro,
20 //! - a custom function/macro returning an in-place constructor provided by someone else,
21 //! - using the unsafe function [`pin_init_from_closure()`] to manually create an initializer.
23 //! Aside from pinned initialization, this API also supports in-place construction without pinning,
24 //! the macros/types/functions are generally named like the pinned variants without the `pin`
29 //! ## Using the [`pin_init!`] macro
31 //! If you want to use [`PinInit`], then you will have to annotate your `struct` with
32 //! `#[`[`pin_data`]`]`. It is a macro that uses `#[pin]` as a marker for
33 //! [structurally pinned fields]. After doing this, you can then create an in-place constructor via
34 //! [`pin_init!`]. The syntax is almost the same as normal `struct` initializers. The difference is
35 //! that you need to write `<-` instead of `:` for fields that you want to initialize in-place.
38 //! # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
39 //! use kernel::{prelude::*, sync::Mutex, new_mutex};
40 //! # use core::pin::Pin;
48 //! let foo = pin_init!(Foo {
49 //! a <- new_mutex!(42, "Foo::a"),
54 //! `foo` now is of the type [`impl PinInit<Foo>`]. We can now use any smart pointer that we like
55 //! (or just the stack) to actually initialize a `Foo`:
58 //! # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
59 //! # use kernel::{prelude::*, sync::Mutex, new_mutex};
60 //! # use core::pin::Pin;
64 //! # a: Mutex<usize>,
67 //! # let foo = pin_init!(Foo {
68 //! # a <- new_mutex!(42, "Foo::a"),
71 //! let foo: Result<Pin<Box<Foo>>> = Box::pin_init(foo);
74 //! For more information see the [`pin_init!`] macro.
76 //! ## Using a custom function/macro that returns an initializer
78 //! Many types from the kernel supply a function/macro that returns an initializer, because the
79 //! above method only works for types where you can access the fields.
82 //! # use kernel::{new_mutex, sync::{Arc, Mutex}};
83 //! let mtx: Result<Arc<Mutex<usize>>> = Arc::pin_init(new_mutex!(42, "example::mtx"));
86 //! To declare an init macro/function you just return an [`impl PinInit<T, E>`]:
89 //! # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
90 //! # use kernel::{sync::Mutex, prelude::*, new_mutex, init::PinInit, try_pin_init};
92 //! struct DriverData {
94 //! status: Mutex<i32>,
95 //! buffer: Box<[u8; 1_000_000]>,
99 //! fn new() -> impl PinInit<Self, Error> {
100 //! try_pin_init!(Self {
101 //! status <- new_mutex!(0, "DriverData::status"),
102 //! buffer: Box::init(kernel::init::zeroed())?,
108 //! ## Manual creation of an initializer
110 //! Often when working with primitives the previous approaches are not sufficient. That is where
111 //! [`pin_init_from_closure()`] comes in. This `unsafe` function allows you to create a
112 //! [`impl PinInit<T, E>`] directly from a closure. Of course you have to ensure that the closure
113 //! actually does the initialization in the correct way. Here are the things to look out for
114 //! (we are calling the parameter to the closure `slot`):
115 //! - when the closure returns `Ok(())`, then it has completed the initialization successfully, so
116 //! `slot` now contains a valid bit pattern for the type `T`,
117 //! - when the closure returns `Err(e)`, then the caller may deallocate the memory at `slot`, so
118 //! you need to take care to clean up anything if your initialization fails mid-way,
119 //! - you may assume that `slot` will stay pinned even after the closure returns until `drop` of
120 //! `slot` gets called.
123 //! use kernel::{prelude::*, init};
124 //! use core::{ptr::addr_of_mut, marker::PhantomPinned, pin::Pin};
126 //! # pub struct foo;
127 //! # pub unsafe fn init_foo(_ptr: *mut foo) {}
128 //! # pub unsafe fn destroy_foo(_ptr: *mut foo) {}
129 //! # pub unsafe fn enable_foo(_ptr: *mut foo, _flags: u32) -> i32 { 0 }
133 //! /// `foo` is always initialized
134 //! #[pin_data(PinnedDrop)]
135 //! pub struct RawFoo {
137 //! foo: Opaque<bindings::foo>,
139 //! _p: PhantomPinned,
143 //! pub fn new(flags: u32) -> impl PinInit<Self, Error> {
145 //! // - when the closure returns `Ok(())`, then it has successfully initialized and
146 //! // enabled `foo`,
147 //! // - when it returns `Err(e)`, then it has cleaned up before
149 //! init::pin_init_from_closure(move |slot: *mut Self| {
150 //! // `slot` contains uninit memory, avoid creating a reference.
151 //! let foo = addr_of_mut!((*slot).foo);
153 //! // Initialize the `foo`
154 //! bindings::init_foo(Opaque::raw_get(foo));
156 //! // Try to enable it.
157 //! let err = bindings::enable_foo(Opaque::raw_get(foo), flags);
159 //! // Enabling has failed, first clean up the foo and then return the error.
160 //! bindings::destroy_foo(Opaque::raw_get(foo));
161 //! return Err(Error::from_kernel_errno(err));
164 //! // All fields of `RawFoo` have been initialized, since `_p` is a ZST.
172 //! impl PinnedDrop for RawFoo {
173 //! fn drop(self: Pin<&mut Self>) {
174 //! // SAFETY: Since `foo` is initialized, destroying is safe.
175 //! unsafe { bindings::destroy_foo(self.foo.get()) };
180 //! For the special case where initializing a field is a single FFI-function call that cannot fail,
181 //! there exist the helper function [`Opaque::ffi_init`]. This function initialize a single
182 //! [`Opaque`] field by just delegating to the supplied closure. You can use these in combination
183 //! with [`pin_init!`].
185 //! For more information on how to use [`pin_init_from_closure()`], take a look at the uses inside
186 //! the `kernel` crate. The [`sync`] module is a good starting point.
188 //! [`sync`]: kernel::sync
189 //! [pinning]: https://doc.rust-lang.org/std/pin/index.html
190 //! [structurally pinned fields]:
191 //! https://doc.rust-lang.org/std/pin/index.html#pinning-is-structural-for-field
192 //! [stack]: crate::stack_pin_init
193 //! [`Arc<T>`]: crate::sync::Arc
194 //! [`impl PinInit<Foo>`]: PinInit
195 //! [`impl PinInit<T, E>`]: PinInit
196 //! [`impl Init<T, E>`]: Init
197 //! [`Opaque`]: kernel::types::Opaque
198 //! [`Opaque::ffi_init`]: kernel::types::Opaque::ffi_init
199 //! [`pin_data`]: ::macros::pin_data
200 //! [`pin_init!`]: crate::pin_init!
203 error::{self, Error},
206 use alloc::boxed::Box;
215 ptr::{self, NonNull},
223 /// Initialize and pin a type directly on the stack.
228 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
229 /// # use kernel::{init, pin_init, stack_pin_init, init::*, sync::Mutex, new_mutex};
230 /// # use macros::pin_data;
231 /// # use core::pin::Pin;
244 /// stack_pin_init!(let foo = pin_init!(Foo {
245 /// a <- new_mutex!(42),
250 /// let foo: Pin<&mut Foo> = foo;
251 /// pr_info!("a: {}", &*foo.a.lock());
256 /// A normal `let` binding with optional type annotation. The expression is expected to implement
257 /// [`PinInit`]/[`Init`] with the error type [`Infallible`]. If you want to use a different error
258 /// type, then use [`stack_try_pin_init!`].
260 /// [`stack_try_pin_init!`]: crate::stack_try_pin_init!
262 macro_rules! stack_pin_init {
263 (let $var:ident $(: $t:ty)? = $val:expr) => {
265 let mut $var = ::core::pin::pin!($crate::init::__internal::StackInit$(::<$t>)?::uninit());
266 let mut $var = match $crate::init::__internal::StackInit::init($var, val) {
269 let x: ::core::convert::Infallible = x;
276 /// Initialize and pin a type directly on the stack.
281 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
282 /// # use kernel::{init, pin_init, stack_try_pin_init, init::*, sync::Mutex, new_mutex};
283 /// # use macros::pin_data;
284 /// # use core::{alloc::AllocError, pin::Pin};
296 /// stack_try_pin_init!(let foo: Result<Pin<&mut Foo>, AllocError> = pin_init!(Foo {
297 /// a <- new_mutex!(42),
298 /// b: Box::try_new(Bar {
302 /// let foo = foo.unwrap();
303 /// pr_info!("a: {}", &*foo.a.lock());
307 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
308 /// # use kernel::{init, pin_init, stack_try_pin_init, init::*, sync::Mutex, new_mutex};
309 /// # use macros::pin_data;
310 /// # use core::{alloc::AllocError, pin::Pin};
322 /// stack_try_pin_init!(let foo: Pin<&mut Foo> =? pin_init!(Foo {
323 /// a <- new_mutex!(42),
324 /// b: Box::try_new(Bar {
328 /// pr_info!("a: {}", &*foo.a.lock());
329 /// # Ok::<_, AllocError>(())
334 /// A normal `let` binding with optional type annotation. The expression is expected to implement
335 /// [`PinInit`]/[`Init`]. This macro assigns a result to the given variable, adding a `?` after the
336 /// `=` will propagate this error.
338 macro_rules! stack_try_pin_init {
339 (let $var:ident $(: $t:ty)? = $val:expr) => {
341 let mut $var = ::core::pin::pin!($crate::init::__internal::StackInit$(::<$t>)?::uninit());
342 let mut $var = $crate::init::__internal::StackInit::init($var, val);
344 (let $var:ident $(: $t:ty)? =? $val:expr) => {
346 let mut $var = ::core::pin::pin!($crate::init::__internal::StackInit$(::<$t>)?::uninit());
347 let mut $var = $crate::init::__internal::StackInit::init($var, val)?;
351 /// Construct an in-place, pinned initializer for `struct`s.
353 /// This macro defaults the error to [`Infallible`]. If you need [`Error`], then use
354 /// [`try_pin_init!`].
356 /// The syntax is almost identical to that of a normal `struct` initializer:
359 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
360 /// # use kernel::{init, pin_init, macros::pin_data, init::*};
361 /// # use core::pin::Pin;
373 /// # fn demo() -> impl PinInit<Foo> {
376 /// let initializer = pin_init!(Foo {
383 /// # Box::pin_init(demo()).unwrap();
386 /// Arbitrary Rust expressions can be used to set the value of a variable.
388 /// The fields are initialized in the order that they appear in the initializer. So it is possible
389 /// to read already initialized fields using raw pointers.
391 /// IMPORTANT: You are not allowed to create references to fields of the struct inside of the
396 /// When working with this API it is often desired to let others construct your types without
397 /// giving access to all fields. This is where you would normally write a plain function `new`
398 /// that would return a new instance of your type. With this API that is also possible.
399 /// However, there are a few extra things to keep in mind.
401 /// To create an initializer function, simply declare it like this:
404 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
405 /// # use kernel::{init, pin_init, prelude::*, init::*};
406 /// # use core::pin::Pin;
417 /// fn new() -> impl PinInit<Self> {
428 /// Users of `Foo` can now create it like this:
431 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
432 /// # use kernel::{init, pin_init, macros::pin_data, init::*};
433 /// # use core::pin::Pin;
444 /// # fn new() -> impl PinInit<Self> {
445 /// # pin_init!(Self {
453 /// let foo = Box::pin_init(Foo::new());
456 /// They can also easily embed it into their own `struct`s:
459 /// # #![allow(clippy::disallowed_names, clippy::new_ret_no_self)]
460 /// # use kernel::{init, pin_init, macros::pin_data, init::*};
461 /// # use core::pin::Pin;
472 /// # fn new() -> impl PinInit<Self> {
473 /// # pin_init!(Self {
482 /// struct FooContainer {
490 /// impl FooContainer {
491 /// fn new(other: u32) -> impl PinInit<Self> {
493 /// foo1 <- Foo::new(),
494 /// foo2 <- Foo::new(),
501 /// Here we see that when using `pin_init!` with `PinInit`, one needs to write `<-` instead of `:`.
502 /// This signifies that the given field is initialized in-place. As with `struct` initializers, just
503 /// writing the field (in this case `other`) without `:` or `<-` means `other: other,`.
507 /// As already mentioned in the examples above, inside of `pin_init!` a `struct` initializer with
508 /// the following modifications is expected:
509 /// - Fields that you want to initialize in-place have to use `<-` instead of `:`.
510 /// - In front of the initializer you can write `&this in` to have access to a [`NonNull<Self>`]
511 /// pointer named `this` inside of the initializer.
516 /// # use kernel::pin_init;
517 /// # use macros::pin_data;
518 /// # use core::{ptr::addr_of_mut, marker::PhantomPinned};
521 /// // `ptr` points into `buf`.
525 /// pin: PhantomPinned,
527 /// pin_init!(&this in Buf {
529 /// ptr: unsafe { addr_of_mut!((*this.as_ptr()).buf).cast() },
530 /// pin: PhantomPinned,
534 /// [`try_pin_init!`]: kernel::try_pin_init
535 /// [`NonNull<Self>`]: core::ptr::NonNull
536 // For a detailed example of how this macro works, see the module documentation of the hidden
537 // module `__internal` inside of `init/__internal.rs`.
539 macro_rules! pin_init {
540 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
543 $crate::try_pin_init!(
545 @typ($t $(::<$($generics),*>)?),
546 @fields($($fields)*),
547 @error(::core::convert::Infallible),
552 /// Construct an in-place, fallible pinned initializer for `struct`s.
554 /// If the initialization can complete without error (or [`Infallible`]), then use [`pin_init!`].
556 /// You can use the `?` operator or use `return Err(err)` inside the initializer to stop
557 /// initialization and return the error.
559 /// IMPORTANT: if you have `unsafe` code inside of the initializer you have to ensure that when
560 /// initialization fails, the memory can be safely deallocated without any further modifications.
562 /// This macro defaults the error to [`Error`].
564 /// The syntax is identical to [`pin_init!`] with the following exception: you can append `? $type`
565 /// after the `struct` initializer to specify the error type you want to use.
570 /// # #![feature(new_uninit)]
571 /// use kernel::{init::{self, PinInit}, error::Error};
574 /// big: Box<[u8; 1024 * 1024 * 1024]>,
575 /// small: [u8; 1024 * 1024],
580 /// fn new() -> impl PinInit<Self, Error> {
581 /// try_pin_init!(Self {
582 /// big: Box::init(init::zeroed())?,
583 /// small: [0; 1024 * 1024],
584 /// ptr: core::ptr::null_mut(),
589 // For a detailed example of how this macro works, see the module documentation of the hidden
590 // module `__internal` inside of `init/__internal.rs`.
592 macro_rules! try_pin_init {
593 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
596 $crate::try_pin_init!(
598 @typ($t $(::<$($generics),*>)? ),
599 @fields($($fields)*),
600 @error($crate::error::Error),
603 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
606 $crate::try_pin_init!(
608 @typ($t $(::<$($generics),*>)? ),
609 @fields($($fields)*),
614 @this($($this:ident)?),
615 @typ($t:ident $(::<$($generics:ty),*>)?),
616 @fields($($fields:tt)*),
619 // We do not want to allow arbitrary returns, so we declare this type as the `Ok` return
620 // type and shadow it later when we insert the arbitrary user code. That way there will be
621 // no possibility of returning without `unsafe`.
623 // Get the pin data from the supplied type.
625 use $crate::init::__internal::HasPinData;
626 $t$(::<$($generics),*>)?::__pin_data()
628 // Ensure that `data` really is of type `PinData` and help with type inference:
629 let init = $crate::init::__internal::PinData::make_closure::<_, __InitOk, $err>(
633 // Shadow the structure so it cannot be used to return early.
635 // Create the `this` so it can be referenced by the user inside of the
636 // expressions creating the individual fields.
637 $(let $this = unsafe { ::core::ptr::NonNull::new_unchecked(slot) };)?
638 // Initialize every field.
639 $crate::try_pin_init!(init_slot:
642 @munch_fields($($fields)*,),
644 // We use unreachable code to ensure that all fields have been mentioned exactly
645 // once, this struct initializer will still be type-checked and complain with a
646 // very natural error message if a field is forgotten/mentioned more than once.
647 #[allow(unreachable_code, clippy::diverging_sub_expression)]
649 $crate::try_pin_init!(make_initializer:
652 @munch_fields($($fields)*,),
656 // Forget all guards, since initialization was a success.
657 $crate::try_pin_init!(forget_guards:
658 @munch_fields($($fields)*,),
664 let init = move |slot| -> ::core::result::Result<(), $err> {
665 init(slot).map(|__InitOk| ())
667 let init = unsafe { $crate::init::pin_init_from_closure::<_, $err>(init) };
673 @munch_fields($(,)?),
675 // Endpoint of munching, no fields are left.
680 // In-place initialization syntax.
681 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
684 // Call the initializer.
686 // SAFETY: `slot` is valid, because we are inside of an initializer closure, we
687 // return when an error/panic occurs.
688 // We also use the `data` to require the correct trait (`Init` or `PinInit`) for `$field`.
689 unsafe { $data.$field(::core::ptr::addr_of_mut!((*$slot).$field), $field)? };
690 // Create the drop guard.
692 // We only give access to `&DropGuard`, so it cannot be forgotten via safe code.
694 // SAFETY: We forget the guard later when initialization has succeeded.
695 let $field = &unsafe {
696 $crate::init::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
699 $crate::try_pin_init!(init_slot:
702 @munch_fields($($rest)*),
708 // Direct value init, this is safe for every field.
709 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
711 $(let $field = $val;)?
712 // Initialize the field.
714 // SAFETY: The memory at `slot` is uninitialized.
715 unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
716 // Create the drop guard:
718 // We only give access to `&DropGuard`, so it cannot be accidentally forgotten.
720 // SAFETY: We forget the guard later when initialization has succeeded.
721 let $field = &unsafe {
722 $crate::init::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
725 $crate::try_pin_init!(init_slot:
728 @munch_fields($($rest)*),
733 @type_name($t:ident),
734 @munch_fields($(,)?),
737 // Endpoint, nothing more to munch, create the initializer.
738 // Since we are in the `if false` branch, this will never get executed. We abuse `slot` to
739 // get the correct type inference here:
741 ::core::ptr::write($slot, $t {
748 @type_name($t:ident),
749 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
752 $crate::try_pin_init!(make_initializer:
755 @munch_fields($($rest)*),
756 @acc($($acc)* $field: ::core::panic!(),),
761 @type_name($t:ident),
762 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
765 $crate::try_pin_init!(make_initializer:
768 @munch_fields($($rest)*),
769 @acc($($acc)* $field: ::core::panic!(),),
773 @munch_fields($(,)?),
775 // Munching finished.
778 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
780 unsafe { $crate::init::__internal::DropGuard::forget($field) };
782 $crate::try_pin_init!(forget_guards:
783 @munch_fields($($rest)*),
787 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
789 unsafe { $crate::init::__internal::DropGuard::forget($field) };
791 $crate::try_pin_init!(forget_guards:
792 @munch_fields($($rest)*),
797 /// Construct an in-place initializer for `struct`s.
799 /// This macro defaults the error to [`Infallible`]. If you need [`Error`], then use
802 /// The syntax is identical to [`pin_init!`] and its safety caveats also apply:
803 /// - `unsafe` code must guarantee either full initialization or return an error and allow
804 /// deallocation of the memory.
805 /// - the fields are initialized in the order given in the initializer.
806 /// - no references to fields are allowed to be created inside of the initializer.
808 /// This initializer is for initializing data in-place that might later be moved. If you want to
809 /// pin-initialize, use [`pin_init!`].
811 /// [`try_init!`]: crate::try_init!
812 // For a detailed example of how this macro works, see the module documentation of the hidden
813 // module `__internal` inside of `init/__internal.rs`.
816 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
821 @typ($t $(::<$($generics),*>)?),
822 @fields($($fields)*),
823 @error(::core::convert::Infallible),
828 /// Construct an in-place fallible initializer for `struct`s.
830 /// This macro defaults the error to [`Error`]. If you need [`Infallible`], then use
833 /// The syntax is identical to [`try_pin_init!`]. If you want to specify a custom error,
834 /// append `? $type` after the `struct` initializer.
835 /// The safety caveats from [`try_pin_init!`] also apply:
836 /// - `unsafe` code must guarantee either full initialization or return an error and allow
837 /// deallocation of the memory.
838 /// - the fields are initialized in the order given in the initializer.
839 /// - no references to fields are allowed to be created inside of the initializer.
844 /// use kernel::{init::PinInit, error::Error, InPlaceInit};
846 /// big: Box<[u8; 1024 * 1024 * 1024]>,
847 /// small: [u8; 1024 * 1024],
851 /// fn new() -> impl Init<Self, Error> {
853 /// big: Box::init(zeroed())?,
854 /// small: [0; 1024 * 1024],
859 // For a detailed example of how this macro works, see the module documentation of the hidden
860 // module `__internal` inside of `init/__internal.rs`.
862 macro_rules! try_init {
863 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
868 @typ($t $(::<$($generics),*>)?),
869 @fields($($fields)*),
870 @error($crate::error::Error),
873 ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
878 @typ($t $(::<$($generics),*>)?),
879 @fields($($fields)*),
884 @this($($this:ident)?),
885 @typ($t:ident $(::<$($generics:ty),*>)?),
886 @fields($($fields:tt)*),
889 // We do not want to allow arbitrary returns, so we declare this type as the `Ok` return
890 // type and shadow it later when we insert the arbitrary user code. That way there will be
891 // no possibility of returning without `unsafe`.
893 // Get the init data from the supplied type.
895 use $crate::init::__internal::HasInitData;
896 $t$(::<$($generics),*>)?::__init_data()
898 // Ensure that `data` really is of type `InitData` and help with type inference:
899 let init = $crate::init::__internal::InitData::make_closure::<_, __InitOk, $err>(
903 // Shadow the structure so it cannot be used to return early.
905 // Create the `this` so it can be referenced by the user inside of the
906 // expressions creating the individual fields.
907 $(let $this = unsafe { ::core::ptr::NonNull::new_unchecked(slot) };)?
908 // Initialize every field.
909 $crate::try_init!(init_slot:
911 @munch_fields($($fields)*,),
913 // We use unreachable code to ensure that all fields have been mentioned exactly
914 // once, this struct initializer will still be type-checked and complain with a
915 // very natural error message if a field is forgotten/mentioned more than once.
916 #[allow(unreachable_code, clippy::diverging_sub_expression)]
918 $crate::try_init!(make_initializer:
921 @munch_fields($($fields)*,),
925 // Forget all guards, since initialization was a success.
926 $crate::try_init!(forget_guards:
927 @munch_fields($($fields)*,),
933 let init = move |slot| -> ::core::result::Result<(), $err> {
934 init(slot).map(|__InitOk| ())
936 let init = unsafe { $crate::init::init_from_closure::<_, $err>(init) };
941 @munch_fields( $(,)?),
943 // Endpoint of munching, no fields are left.
947 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
950 // Call the initializer.
952 // SAFETY: `slot` is valid, because we are inside of an initializer closure, we
953 // return when an error/panic occurs.
955 $crate::init::Init::__init($field, ::core::ptr::addr_of_mut!((*$slot).$field))?;
957 // Create the drop guard.
959 // We only give access to `&DropGuard`, so it cannot be accidentally forgotten.
961 // SAFETY: We forget the guard later when initialization has succeeded.
962 let $field = &unsafe {
963 $crate::init::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
966 $crate::try_init!(init_slot:
968 @munch_fields($($rest)*),
973 // Direct value init.
974 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
976 $(let $field = $val;)?
977 // Call the initializer.
979 // SAFETY: The memory at `slot` is uninitialized.
980 unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
981 // Create the drop guard.
983 // We only give access to `&DropGuard`, so it cannot be accidentally forgotten.
985 // SAFETY: We forget the guard later when initialization has succeeded.
986 let $field = &unsafe {
987 $crate::init::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
990 $crate::try_init!(init_slot:
992 @munch_fields($($rest)*),
997 @type_name($t:ident),
998 @munch_fields( $(,)?),
1001 // Endpoint, nothing more to munch, create the initializer.
1002 // Since we are in the `if false` branch, this will never get executed. We abuse `slot` to
1003 // get the correct type inference here:
1005 ::core::ptr::write($slot, $t {
1012 @type_name($t:ident),
1013 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
1016 $crate::try_init!(make_initializer:
1019 @munch_fields($($rest)*),
1020 @acc($($acc)*$field: ::core::panic!(),),
1025 @type_name($t:ident),
1026 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
1029 $crate::try_init!(make_initializer:
1032 @munch_fields($($rest)*),
1033 @acc($($acc)*$field: ::core::panic!(),),
1037 @munch_fields($(,)?),
1039 // Munching finished.
1042 @munch_fields($field:ident <- $val:expr, $($rest:tt)*),
1044 unsafe { $crate::init::__internal::DropGuard::forget($field) };
1046 $crate::try_init!(forget_guards:
1047 @munch_fields($($rest)*),
1051 @munch_fields($field:ident $(: $val:expr)?, $($rest:tt)*),
1053 unsafe { $crate::init::__internal::DropGuard::forget($field) };
1055 $crate::try_init!(forget_guards:
1056 @munch_fields($($rest)*),
1061 /// A pin-initializer for the type `T`.
1063 /// To use this initializer, you will need a suitable memory location that can hold a `T`. This can
1064 /// be [`Box<T>`], [`Arc<T>`], [`UniqueArc<T>`] or even the stack (see [`stack_pin_init!`]). Use the
1065 /// [`InPlaceInit::pin_init`] function of a smart pointer like [`Arc<T>`] on this.
1067 /// Also see the [module description](self).
1071 /// When implementing this type you will need to take great care. Also there are probably very few
1072 /// cases where a manual implementation is necessary. Use [`pin_init_from_closure`] where possible.
1074 /// The [`PinInit::__pinned_init`] function
1075 /// - returns `Ok(())` if it initialized every field of `slot`,
1076 /// - returns `Err(err)` if it encountered an error and then cleaned `slot`, this means:
1077 /// - `slot` can be deallocated without UB occurring,
1078 /// - `slot` does not need to be dropped,
1079 /// - `slot` is not partially initialized.
1080 /// - while constructing the `T` at `slot` it upholds the pinning invariants of `T`.
1082 /// [`Arc<T>`]: crate::sync::Arc
1083 /// [`Arc::pin_init`]: crate::sync::Arc::pin_init
1084 #[must_use = "An initializer must be used in order to create its value."]
1085 pub unsafe trait PinInit<T: ?Sized, E = Infallible>: Sized {
1086 /// Initializes `slot`.
1090 /// - `slot` is a valid pointer to uninitialized memory.
1091 /// - the caller does not touch `slot` when `Err` is returned, they are only permitted to
1093 /// - `slot` will not move until it is dropped, i.e. it will be pinned.
1094 unsafe fn __pinned_init(self, slot: *mut T) -> Result<(), E>;
1097 /// An initializer for `T`.
1099 /// To use this initializer, you will need a suitable memory location that can hold a `T`. This can
1100 /// be [`Box<T>`], [`Arc<T>`], [`UniqueArc<T>`] or even the stack (see [`stack_pin_init!`]). Use the
1101 /// [`InPlaceInit::init`] function of a smart pointer like [`Arc<T>`] on this. Because
1102 /// [`PinInit<T, E>`] is a super trait, you can use every function that takes it as well.
1104 /// Also see the [module description](self).
1108 /// When implementing this type you will need to take great care. Also there are probably very few
1109 /// cases where a manual implementation is necessary. Use [`init_from_closure`] where possible.
1111 /// The [`Init::__init`] function
1112 /// - returns `Ok(())` if it initialized every field of `slot`,
1113 /// - returns `Err(err)` if it encountered an error and then cleaned `slot`, this means:
1114 /// - `slot` can be deallocated without UB occurring,
1115 /// - `slot` does not need to be dropped,
1116 /// - `slot` is not partially initialized.
1117 /// - while constructing the `T` at `slot` it upholds the pinning invariants of `T`.
1119 /// The `__pinned_init` function from the supertrait [`PinInit`] needs to execute the exact same
1120 /// code as `__init`.
1122 /// Contrary to its supertype [`PinInit<T, E>`] the caller is allowed to
1123 /// move the pointee after initialization.
1125 /// [`Arc<T>`]: crate::sync::Arc
1126 #[must_use = "An initializer must be used in order to create its value."]
1127 pub unsafe trait Init<T: ?Sized, E = Infallible>: Sized {
1128 /// Initializes `slot`.
1132 /// - `slot` is a valid pointer to uninitialized memory.
1133 /// - the caller does not touch `slot` when `Err` is returned, they are only permitted to
1135 unsafe fn __init(self, slot: *mut T) -> Result<(), E>;
1138 // SAFETY: Every in-place initializer can also be used as a pin-initializer.
1139 unsafe impl<T: ?Sized, E, I> PinInit<T, E> for I
1143 unsafe fn __pinned_init(self, slot: *mut T) -> Result<(), E> {
1144 // SAFETY: `__init` meets the same requirements as `__pinned_init`, except that it does not
1145 // require `slot` to not move after init.
1146 unsafe { self.__init(slot) }
1150 /// Creates a new [`PinInit<T, E>`] from the given closure.
1155 /// - returns `Ok(())` if it initialized every field of `slot`,
1156 /// - returns `Err(err)` if it encountered an error and then cleaned `slot`, this means:
1157 /// - `slot` can be deallocated without UB occurring,
1158 /// - `slot` does not need to be dropped,
1159 /// - `slot` is not partially initialized.
1160 /// - may assume that the `slot` does not move if `T: !Unpin`,
1161 /// - while constructing the `T` at `slot` it upholds the pinning invariants of `T`.
1163 pub const unsafe fn pin_init_from_closure<T: ?Sized, E>(
1164 f: impl FnOnce(*mut T) -> Result<(), E>,
1165 ) -> impl PinInit<T, E> {
1166 __internal::InitClosure(f, PhantomData)
1169 /// Creates a new [`Init<T, E>`] from the given closure.
1174 /// - returns `Ok(())` if it initialized every field of `slot`,
1175 /// - returns `Err(err)` if it encountered an error and then cleaned `slot`, this means:
1176 /// - `slot` can be deallocated without UB occurring,
1177 /// - `slot` does not need to be dropped,
1178 /// - `slot` is not partially initialized.
1179 /// - the `slot` may move after initialization.
1180 /// - while constructing the `T` at `slot` it upholds the pinning invariants of `T`.
1182 pub const unsafe fn init_from_closure<T: ?Sized, E>(
1183 f: impl FnOnce(*mut T) -> Result<(), E>,
1184 ) -> impl Init<T, E> {
1185 __internal::InitClosure(f, PhantomData)
1188 /// An initializer that leaves the memory uninitialized.
1190 /// The initializer is a no-op. The `slot` memory is not changed.
1192 pub fn uninit<T, E>() -> impl Init<MaybeUninit<T>, E> {
1193 // SAFETY: The memory is allowed to be uninitialized.
1194 unsafe { init_from_closure(|_| Ok(())) }
1197 // SAFETY: Every type can be initialized by-value.
1198 unsafe impl<T, E> Init<T, E> for T {
1199 unsafe fn __init(self, slot: *mut T) -> Result<(), E> {
1200 unsafe { slot.write(self) };
1205 /// Smart pointer that can initialize memory in-place.
1206 pub trait InPlaceInit<T>: Sized {
1207 /// Use the given pin-initializer to pin-initialize a `T` inside of a new smart pointer of this
1210 /// If `T: !Unpin` it will not be able to move afterwards.
1211 fn try_pin_init<E>(init: impl PinInit<T, E>) -> Result<Pin<Self>, E>
1213 E: From<AllocError>;
1215 /// Use the given pin-initializer to pin-initialize a `T` inside of a new smart pointer of this
1218 /// If `T: !Unpin` it will not be able to move afterwards.
1219 fn pin_init<E>(init: impl PinInit<T, E>) -> error::Result<Pin<Self>>
1223 // SAFETY: We delegate to `init` and only change the error type.
1225 pin_init_from_closure(|slot| init.__pinned_init(slot).map_err(|e| Error::from(e)))
1227 Self::try_pin_init(init)
1230 /// Use the given initializer to in-place initialize a `T`.
1231 fn try_init<E>(init: impl Init<T, E>) -> Result<Self, E>
1233 E: From<AllocError>;
1235 /// Use the given initializer to in-place initialize a `T`.
1236 fn init<E>(init: impl Init<T, E>) -> error::Result<Self>
1240 // SAFETY: We delegate to `init` and only change the error type.
1242 init_from_closure(|slot| init.__pinned_init(slot).map_err(|e| Error::from(e)))
1244 Self::try_init(init)
1248 impl<T> InPlaceInit<T> for Box<T> {
1250 fn try_pin_init<E>(init: impl PinInit<T, E>) -> Result<Pin<Self>, E>
1252 E: From<AllocError>,
1254 let mut this = Box::try_new_uninit()?;
1255 let slot = this.as_mut_ptr();
1256 // SAFETY: When init errors/panics, slot will get deallocated but not dropped,
1257 // slot is valid and will not be moved, because we pin it later.
1258 unsafe { init.__pinned_init(slot)? };
1259 // SAFETY: All fields have been initialized.
1260 Ok(unsafe { this.assume_init() }.into())
1264 fn try_init<E>(init: impl Init<T, E>) -> Result<Self, E>
1266 E: From<AllocError>,
1268 let mut this = Box::try_new_uninit()?;
1269 let slot = this.as_mut_ptr();
1270 // SAFETY: When init errors/panics, slot will get deallocated but not dropped,
1272 unsafe { init.__init(slot)? };
1273 // SAFETY: All fields have been initialized.
1274 Ok(unsafe { this.assume_init() })
1278 impl<T> InPlaceInit<T> for UniqueArc<T> {
1280 fn try_pin_init<E>(init: impl PinInit<T, E>) -> Result<Pin<Self>, E>
1282 E: From<AllocError>,
1284 let mut this = UniqueArc::try_new_uninit()?;
1285 let slot = this.as_mut_ptr();
1286 // SAFETY: When init errors/panics, slot will get deallocated but not dropped,
1287 // slot is valid and will not be moved, because we pin it later.
1288 unsafe { init.__pinned_init(slot)? };
1289 // SAFETY: All fields have been initialized.
1290 Ok(unsafe { this.assume_init() }.into())
1294 fn try_init<E>(init: impl Init<T, E>) -> Result<Self, E>
1296 E: From<AllocError>,
1298 let mut this = UniqueArc::try_new_uninit()?;
1299 let slot = this.as_mut_ptr();
1300 // SAFETY: When init errors/panics, slot will get deallocated but not dropped,
1302 unsafe { init.__init(slot)? };
1303 // SAFETY: All fields have been initialized.
1304 Ok(unsafe { this.assume_init() })
1308 /// Trait facilitating pinned destruction.
1310 /// Use [`pinned_drop`] to implement this trait safely:
1313 /// # use kernel::sync::Mutex;
1314 /// use kernel::macros::pinned_drop;
1315 /// use core::pin::Pin;
1316 /// #[pin_data(PinnedDrop)]
1319 /// mtx: Mutex<usize>,
1323 /// impl PinnedDrop for Foo {
1324 /// fn drop(self: Pin<&mut Self>) {
1325 /// pr_info!("Foo is being dropped!");
1332 /// This trait must be implemented via the [`pinned_drop`] proc-macro attribute on the impl.
1334 /// [`pinned_drop`]: kernel::macros::pinned_drop
1335 pub unsafe trait PinnedDrop: __internal::HasPinData {
1336 /// Executes the pinned destructor of this type.
1338 /// While this function is marked safe, it is actually unsafe to call it manually. For this
1339 /// reason it takes an additional parameter. This type can only be constructed by `unsafe` code
1340 /// and thus prevents this function from being called where it should not.
1342 /// This extra parameter will be generated by the `#[pinned_drop]` proc-macro attribute
1344 fn drop(self: Pin<&mut Self>, only_call_from_drop: __internal::OnlyCallFromDrop);
1347 /// Marker trait for types that can be initialized by writing just zeroes.
1351 /// The bit pattern consisting of only zeroes is a valid bit pattern for this type. In other words,
1355 /// let val: Self = unsafe { core::mem::zeroed() };
1357 pub unsafe trait Zeroable {}
1359 /// Create a new zeroed T.
1361 /// The returned initializer will write `0x00` to every byte of the given `slot`.
1363 pub fn zeroed<T: Zeroable>() -> impl Init<T> {
1364 // SAFETY: Because `T: Zeroable`, all bytes zero is a valid bit pattern for `T`
1365 // and because we write all zeroes, the memory is initialized.
1367 init_from_closure(|slot: *mut T| {
1368 slot.write_bytes(0, 1);
1374 macro_rules! impl_zeroable {
1375 ($($({$($generics:tt)*})? $t:ty, )*) => {
1376 $(unsafe impl$($($generics)*)? Zeroable for $t {})*
1381 // SAFETY: All primitives that are allowed to be zero.
1384 u8, u16, u32, u64, u128, usize,
1385 i8, i16, i32, i64, i128, isize,
1388 // SAFETY: These are ZSTs, there is nothing to zero.
1389 {<T: ?Sized>} PhantomData<T>, core::marker::PhantomPinned, Infallible, (),
1391 // SAFETY: Type is allowed to take any value, including all zeros.
1392 {<T>} MaybeUninit<T>,
1394 // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee).
1395 Option<NonZeroU8>, Option<NonZeroU16>, Option<NonZeroU32>, Option<NonZeroU64>,
1396 Option<NonZeroU128>, Option<NonZeroUsize>,
1397 Option<NonZeroI8>, Option<NonZeroI16>, Option<NonZeroI32>, Option<NonZeroI64>,
1398 Option<NonZeroI128>, Option<NonZeroIsize>,
1400 // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee).
1402 // In this case we are allowed to use `T: ?Sized`, since all zeros is the `None` variant.
1403 {<T: ?Sized>} Option<NonNull<T>>,
1404 {<T: ?Sized>} Option<Box<T>>,
1406 // SAFETY: `null` pointer is valid.
1408 // We cannot use `T: ?Sized`, since the VTABLE pointer part of fat pointers is not allowed to be
1411 // When `Pointee` gets stabilized, we could use
1412 // `T: ?Sized where <T as Pointee>::Metadata: Zeroable`
1413 {<T>} *mut T, {<T>} *const T,
1415 // SAFETY: `null` pointer is valid and the metadata part of these fat pointers is allowed to be
1417 {<T>} *mut [T], {<T>} *const [T], *mut str, *const str,
1419 // SAFETY: `T` is `Zeroable`.
1420 {<const N: usize, T: Zeroable>} [T; N], {<T: Zeroable>} Wrapping<T>,
1423 macro_rules! impl_tuple_zeroable {
1425 ($first:ident, $($t:ident),* $(,)?) => {
1426 // SAFETY: All elements are zeroable and padding can be zero.
1427 unsafe impl<$first: Zeroable, $($t: Zeroable),*> Zeroable for ($first, $($t),*) {}
1428 impl_tuple_zeroable!($($t),* ,);
1432 impl_tuple_zeroable!(A, B, C, D, E, F, G, H, I, J);