|
205 | 205 | //! value which does not actually satisfy the invariants that a pinned value must satisfy, and in |
206 | 206 | //! this way lead undefined behavior even in (from that point) fully safe code. Similarly, using |
207 | 207 | //! [`unsafe`], one may get access to a bare [`&mut T`] from a [`Pin<Ptr>`] and |
208 | | -//! juse that to invalidly *move* pinned the value out. It is the job of the user of the |
| 208 | +//! use that to invalidly *move* pinned the value out. It is the job of the user of the |
209 | 209 | //! [`unsafe`] parts of the [`Pin`] API to ensure these invariants are not violated. |
210 | 210 | //! |
211 | 211 | //! This differs from e.g. [`UnsafeCell`] which changes the semantics of a program's compiled |
|
336 | 336 | //! unsound without being expressed through pinning, and they would then need to not |
337 | 337 | //! implement [`Unpin`]. |
338 | 338 | //! |
339 | | -//! The compiler (and users!) is free to take the conservative stance of marking types as [`Unpin`] |
340 | | -//! by default. This is because if a type implements [`Unpin`], then it is unsound for [`unsafe`] |
341 | | -//! code to assume that type is truly pinned, *even* when viewed through a "pinning" pointer! It is |
342 | | -//! the responsibility of *the implementor of [`unsafe`] code that relies upon pinning for |
343 | | -//! soundness* (you, in this case!) to ensure that all the types which that code expects to be truly |
344 | | -//! pinned do not implement [`Unpin`]. |
345 | | -//! |
346 | | -//! Like other auto-traits, the compiler will automatically determine that a type implements |
347 | | -//! [`Unpin`] if all its fields also implement [`Unpin`]. If you are building a type which consists |
348 | | -//! of only [`Unpin`] types but has an address-sensistive state and thus should not itself |
349 | | -//! implement [`Unpin`], you must opt out of [`Unpin`] via adding a field with the |
350 | | -//! [`PhantomPinned`] marker type, as we did with our latest `AddrTracker` example above. Without |
351 | | -//! doing this, you must not rely on the pinning guarantees to apply to your type! |
352 | | -//! |
353 | | -//! If you have reason to pin a value of a type that implements [`Unpin`] such that pinning-related |
354 | | -//! guarantees actually are respected, you'll need to create your own wrapper type which itself |
355 | | -//! opts out of implementing [`Unpin`] and contains a sub-field with the [`Unpin`] type that you |
356 | | -//! want to pin. |
| 339 | +//! The compiler is free to take the conservative stance of marking types as [`Unpin`] so long as |
| 340 | +//! all of the types that compose its fields are also [`Unpin`]. This is because if a type |
| 341 | +//! implements [`Unpin`], then it is unsound for that type's implementation to rely on |
| 342 | +//! pinning-related guarantees for soundness, *even* when viewed through a "pinning" pointer! It is |
| 343 | +//! the responsibility of the implementor of a type that relies upon pinning for soundness to |
| 344 | +//! ensure that type is *not* marked as [`Unpin`] by adding [`PhantomPinned`] field. This is |
| 345 | +//! exactly what we did with our `AddrTracker` example above. Without doing this, you *must not* |
| 346 | +//! rely on pinning-related guarantees to apply to your type! |
| 347 | +//! |
| 348 | +//! If need to truly pin a value of a foreign or built-in type that implements [`Unpin`], you'll |
| 349 | +//! need to create your own wrapper type around the [`Unpin`] type you want to pin and then |
| 350 | +//! opts-out of [`Unpin`] using [`PhantomPinned`]. |
357 | 351 | //! |
358 | 352 | //! Exposing access to the inner field which you want to remain pinned must then be carefully |
359 | 353 | //! considered as well! Remember, exposing a method that gives access to a |
|
0 commit comments