Module std::pin

1.33.0 = =C2=B7 source =C2=B7

Expand descri= ption

Types that pin data to its= location in memory.

It is sometimes useful to have objects that are guaranteed not to move, in the sense that their placement in memory does not change, and can thus b= e relied upon. A prime example of such a scenario would be building self-referential struc= ts, as moving an object with pointers to itself will invalidate them, which cou= ld cause undefined behavior.

At a high level, a Pin ensur= es that the pointee of any pointer type P has a stable location in memory, meaning it cannot be moved = elsewhere and its memory cannot be deallocated until it gets dropped. We say that the pointee is =E2=80=9Cpinned=E2=80=9D. Things get more subtle when discussing= types that combine pinned with non-pinned data; see below for more details.

By default, all types in Rust are movable. Rust allows passing all types= by-value, and common smart-pointer types such as Box<T> and= &mut T allow replacing and moving the values they contain: you can move out of a <= a href=3D"https://doc.rust-lang.org/std/boxed/struct.Box.html" title=3D"Box= ">Box<T>, or you can use mem::swap. Pin<= /a> wraps a pointer type P, so Pin<Box<T>> functio= ns much like a regular Box<T>: when a Pin<Box<T>> ge= ts dropped, so do its contents, and the memory gets deallocated. Similarly, Pin<&mut T> is a lot like &= mut T. However, Pin does not let clien= ts actually obtain a Box<T> or &mut T to pinned data, which im= plies that you cannot use operations such as mem::swap:

use std::pin::Pin;
fn swap_pins<T>(x: Pin<&mut T>, y: Pin<&mut T=
>) {
    // `mem::swap` needs `&mut T`, but we canno=
t get it.
    // We are stuck, we cannot swap the contents of these references.
    // We could use `Pin::get_unchecked_mut`, but that is unsafe for a reas=
on:
    // we are not allowed to use it for moving things out of the `Pin`.
}

Run

It is worth reiterating that Pin does not change the fact that a Rust compiler considers all types movable. mem::swap remain= s callable for any T. Instead, Pin prevents certain valu= es (pointed to by pointers wrapped in Pin) from being moved by maki= ng it impossible to call methods that require &mut T on them (like mem= ::swap).


Pin<P> can be used to wrap any =
pointer type P, and as such it interacts with
Deref and DerefMut. A Pin<P> where P: Deref should be
considered as a =E2=80=9CP-style pointer=E2=80=9D to a pinned =
P::Target =E2=80=93=
 so, a
Pin<Box<T>> is an o=
wned pointer to a pinned T, and a
Pin<Rc<T>> is a refe=
rence-counted pointer to a pinned T.
For correctness, Pin<P> relies on =
the implementations of Deref and
DerefMut not to move out of their sel=
f parameter, and only ever to
return a pointer to pinned data when they are called on a pinned pointer.
Unpin

Many types are always freely movable, even when pinned, because they do = not rely on having a stable address. This includes all the basic types (like bool, i32, and refe= rences) as well as types consisting solely of these types. Types that do not care about pinning implement the Unpin auto-trait, which cancels the effect of Pin<= P>. For T: Unpin, Pin<Box<T>> and Box<T> function identically, as do Pin<&mut T>= and &mut T.

Note that pinning and Unpin o= nly affect the pointed-to type P::Target, not the pointer type P itself that got wrapped in Pin. For example, whether or not Box<T> is Pin<Box<T>> (here, = T is the pointed-to type).

Example: self-refe= rential struct

Before we go into more details to explain the guarantees and choices associated with Pin, we discuss= some examples for how it might be used. Feel free to skip to where the theoretical discussion continues.

use std::pin::Pin;
use std::marker::PhantomPinned;
use std::ptr::NonNull;

// This is a self-referential struct because the sl=
ice field points to the data field.
// We cannot inform the compiler about that with a normal reference,
// as this pattern cannot be described with the usual borrowing rules.
// Instead we use a raw pointer, though one which is known not to be null,
// as we know it's pointing at the string.
struct Unmovable {
    data: String,
    slice: NonNull<String>,
    _pin: PhantomPinned,
}

impl Unmovable {
    // To ensure the data doesn't move when the fun=
ction returns,
    // we place it in the heap where it will stay for the lifetime of the o=
bject,
    // and the only way to access it would be through a pointer to it.
    fn new(data: String) -> Pin<Box&=
lt;Self>> {
        let res =3D Unmovable {
            data,
            // we only create the pointer once the =
data is in place
            // otherwise it will have already moved before we even started
            slice: NonNull::dangling(),
            _pin: PhantomPinned,
        };
        let mut boxed=
 =3D Box::pin(res);

        let slice =3D NonNull::from(&boxed.data);
        // we know this is safe because modifying a=
 field doesn't move the whole struct
        unsafe {
            let mut_ref: Pin<&mut Self> =3D Pin::as_mut(&mut boxed);
            Pin::get_unchecked_mut(mut_ref).slice =3D slice;
        }
        boxed
    }
}

let unmoved =3D Unmovable::new("hello".to_string());
// The pointer should point to the correct location=
,
// so long as the struct hasn't moved.
// Meanwhile, we are free to move the pointer around.
let mut still_=
unmoved =3D unmoved;
assert_eq!(still_unmoved.slice, NonNull::from(=
&still_unmoved.data));

// Since our type doesn't implement Unpin, this wil=
l fail to compile:
// let mut new_unmoved =3D Unmovable::new("world".to_string());
// std::mem::swap(&mut *still_unmoved, &mut *new_unmoved);

Run

Example:= intrusive doubly-linked list

In an intrusive doubly-linked list, the collection does not actually all= ocate the memory for the elements itself. Allocation is controlled by the clients= , and elements can live on a stack frame that lives shorter than the collecti= on does.

To make this work, every element has pointers to its predecessor and suc= cessor in the list. Elements can only be added when they are pinned, because moving t= he elements around would invalidate the pointers. Moreover, the Drop implementation of a linked list element will patch the pointers of its predecessor and successor to re= move itself from the list.

Crucially, we have to be able to rely on drop being called. If an element could be deallocated or otherwise invalidated without calling drop, the pointers into it from its neighboring elements would become invalid, which would break the d= ata structure.

Therefore, pinning also comes with a drop-related guarantee.

`Drop` guarantee

The purpose of pinning is to be able to rely on the placement of some da= ta in memory. To make this work, not just moving the data is restricted; deallocating, re= purposing, or otherwise invalidating the memory used to store the data is restricted, too= . Concretely, for pinned data you have to maintain the invariant that its memory will not get invalidated or repurposed from the moment = it gets pinned until when drop is called= . Only once drop<= /a> returns or panics, the memory may be reused.

Memory can be =E2=80=9Cinvalidated=E2=80=9D by deallocation, but also by replacing a Some(= v) by None, or calling Vec::set_len = to =E2=80=9Ckill=E2=80=9D some elements off of a vector. It can be repurposed by using ptr::wr= ite to overwrite it without calling the destructor first. None of this is allowed for pinned data witho= ut calling drop.

This is exactly the kind of guarantee that the intrusive linked list fro= m the previous section needs to function correctly.

Notice that this guarantee does not mean that memory does not l= eak! It is still completely okay to not ever call drop on a pinned element (e.g., you can still call mem::forget on a Pin<= /a><Box<T>>). In the example of the doubly-linked list, that element would just stay in the list. However you must not free o= r reuse the storage without calling drop.


Drop implementation
If your type uses pinning (such as the two examples above), you have to =
be careful
when implementing Drop. The drop function takes &mut self, but this
is called even if your type was previously pinned! It is as if the
compiler automatically called Pin::get_unchecked_mut.
This can never cause a problem in safe code because implementing a type =
that
relies on pinning requires unsafe code, but be aware that deciding to make
use of pinning in your type (for example by implementing some operation on
Pin<&Self> or Pin<&mut Self>) has consequences for your
Drop implementation as well: if an eleme=
nt of your type could have been pinned,
you must treat Drop as implicitly taking=
 Pin<&mut Self&=
gt;.

For example, you could implement Drop=
 as follows:

impl Drop for Type {
    fn drop(&mut =
self) {
        // `new_unchecked` is okay because we know =
this value is never used
        // again after being dropped.
        inner_drop(unsafe { Pin::new_unche=
cked(self)});
        fn inner_drop(this: Pin<&mut Type>) {
            // Actual drop code goes here.
        }
    }
}
Run
The function inner_drop has the type that drop should have, so this m=
akes sure that
you do not accidentally use self/this in a way th=
at is in conflict with pinning.
Moreover, if your type is #[repr(packed)], the compiler wil=
l automatically
move fields around to be able to drop them. It might even do
that for fields that happen to be sufficiently aligned. As a consequence, y=
ou cannot use
pinning with a #[repr(packed)] type.
Projections =
and Structural Pinning
When working with pinned structs, the question arises how one can access=
 the
fields of that struct in a method that takes just P=
in<&mut Struct>.
The usual approach is to write helper methods (so called projections)
that turn Pin<&mut Struct> into a reference to the field, but what type should
that reference have? Is it Pin<&mut Field> or &mut<=
/a> Field?
The same question arises with the fields of an enum, and also =
when considering
container/wrapper types such as Vec<T>, Bo=
x<T>,
or RefCell<T>. (This question applie=
s to both mutable and shared references,
we just use the more common case of mutable references here for illustratio=
n.)

It turns out that it is actually up to the author of the data structure =
to decide whether
the pinned projection for a particular field turns =
Pin<&mut Struct>
into Pin<&mut Fi=
eld> or &mut Field. Ther=
e are some
constraints though, and the most important constraint is consistency:
every field can be either projected to a pinned reference, or<=
/em> have
pinning removed as part of the projection. If both are done for the same fi=
eld,
that will likely be unsound!

As the author of a data structure you get to decide for each field wheth=
er pinning
=E2=80=9Cpropagates=E2=80=9D to this field or not. Pinning that propagates =
is also called =E2=80=9Cstructural=E2=80=9D,
because it follows the structure of the type.
In the following subsections, we describe the considerations that have to b=
e made
for either choice.
Pinning is not structural for field
It may seem counter-intuitive that the field of a pinned struct might no=
t be pinned,
but that is actually the easiest choice: if a Pin<&mut Field> is never created,
nothing can go wrong! So, if you decide that some field does not have struc=
tural pinning,
all you have to ensure is that you never create a pinned reference to that =
field.
Fields without structural pinning may have a projection method that turn=
s
Pin<&mut Struc=
t> into &mut Field:

impl Struct { fn pin_get_field(self: Pin<&mut Self= >) -> &mut Field { // This is okay because `field` is never co= nsidered pinned. unsafe { &= ;mut self.get_unchecked_mut().field } } }
Run

You may also impl Unpin for Struct even if the type of field is not Unpin. What that type thi= nks about pinning is not relevant when no Pin<&mut= Field> is ever created.
Pinning is structural for field The other option is to decide that pinning is =E2=80=9Cstructural=E2=80= =9D for field, meaning that if the struct is pinned then so is the field. This allows writing a projection that creates a = Pin<&mut Field>, thus witnessing that the field is pinned:impl Struct { fn pin_get_field(self: Pin<&mut Self= >) -> Pin<&mut Field> { // This is okay because `field` is pinned w= hen `self` is. unsafe { self= .map_unchecked_mut(|s| &mut s.field)= } } }
Run

However, structural pinning comes with a few extra requirements:

The struct must only be Unpin= if all the structural fields are Unpin. This is the default, but = Unpin is a safe trait, so as the= author of the struct it is your responsibility not to add something like impl<T> Unpin for Struct<T>=. (Notice that adding a projection operation requires unsafe code, so the fact that Unpi= n is a safe trait does not break the principle that you only have to worry about any of this if you use unsafe.)

The destructor of the struct must not move structural fields out of its = argument. This is the exact point that was raised in the previous section: drop takes &mut self, but the struct (and hen= ce its fields) might have been pinned before. You have to guarantee that you do not move a field inside your Drop implementation. In particular, as explained previously, this means that you= r struct must not be #[repr(packed)]. See that section for how to write drop in a way that the compiler can help you not accidentally break pinning.

You must make sure that you uphold the Drop guarantee: once your struct is pinned, the memory that contains the content is not overwritten or deallocated without calling the content=E2=80= =99s destructors. This can be tricky, as witnessed by V= ecDeque<T>: the destructor of VecDeque<T> can fail= to call drop on al= l elements if one of the destructors panics. This violates the Drop guarantee, because it can lead to elements being deallocated without their destructor being called. (VecDeque<T> has no = pinning projections, so this does not cause unsoundness.)

You must not offer any other operations that could lead to data being mo= ved out of the structural fields when your type is pinned. For example, if the struct = contains an Option<T> and there is a <= a href=3D"https://doc.rust-lang.org/std/option/enum.Option.html#method.take= " title=3D"method std::option::Option::take">take-like ope= ration with type fn(Pin<&mut Stru= ct<T>>) -> Option<T>= , that operation can be used to move a T out of a pinned S= truct<T> =E2=80=93 which means pinning cannot be structural for the field holding this data.

For a more complex example of moving data out of a pinned type, imagine if RefCell<T> had a method fn get_pin_mut(self: Pin<&mut Self>) -> Pin<&mut T>. Then we could do the following:

=E2=93=98
= fn exploit_ref_cell<T>(rc: Pin<&mut RefCell<T>>) { { let p =3D rc.as_mut().get_pin_mut(); } // Here we get pinned access to the `T`. let rc_shr: &= RefCell<T> =3D rc.into_ref().get_ref(); let b =3D rc_shr.borrow_mut(); let content =3D &mut= *b; // And here we have `&mut T` to the= same data. }
Run

This is catastrophic, it means we can first pin the content of the RefCell<T> (using RefCell::get_pin_mut) and then move that content using the mutable reference we got later.

Examples

For a type like Vec<T>, both possibilities (stru= ctural pinning or not) make sense. A Vec<T> with structural pinning could have = get_pin/get_pin_mut methods to get pinned references to elements. However, it could not allow calling pop on a pinned Vec<T> because that would move the (structurally pinned) contents! Nor could it allow push, which might reallocate and thus also move the contents.
A Vec<T> without structural pinning could impl<T> Unpin for Vec<T&g= t;, because the contents are never pinned and the Vec<T> itself is fine with being moved as w= ell. At that point pinning just has no effect on the vector at all. In the standard library, pointer types generally do not have structural = pinning, and thus they do not offer pinning projections. This is why Box<= /a><T>: Unpin holds for all T. It makes sense to do this for pointer types, = because moving the Box<T> does not actually move the T:= the Box<T> can be freely movable (aka Unpin) even if the = T is not. In fact, even Pin<= Box<T>> and Pin<&mut T>= are always Unpin themsel= ves, for the same reason: their contents (the T) are pinned, but the pointers themselves= can be moved without moving the pinned data. For both Box<T> and Pin<Box<T>>, whether the content is pinned is entirely independent of whether the pointer is pinned, meaning pinning is not structural. When implementing a Future combinator,= you will usually need structural pinning for the nested futures, as you need to get pinned references to them to cal= l poll. But if your combinator contains any other data that does not need to be pin= ned, you can make those fields not structural and hence freely access them with = a mutable reference even when you just have Pin&l= t;&mut Self> (such as in your own poll implementation).=

`Macros`

pin
Constructs a Pin<&mut T>, = by pinning a value: T locally.

`Structs`

Pin
A pinned pointer.

Module std::pin

`Unpin`

Example: self-refe= rential struct

Example:= intrusive doubly-linked list

`Drop` guarantee

`Drop` implementation

Projections = and Structural Pinning

Pinning is not structural for `field`

Pinning is structural for `field`

Examples

`Macros`

`Structs`