Re: [PATCH] rust: pin-init: replace shadowed return token by `unsafe`-to-create token
From: Alice Ryhl
Date: Wed Mar 11 2026 - 12:02:58 EST
On Wed, Mar 11, 2026 at 11:50:49AM +0100, Benno Lossin wrote:
> The reason we initially used the shadowing solution was because an
> alternative solution used a builder pattern. Gary writes [3]:
>
> In the early builder-pattern based InitOk, having a single InitOk
> type for token is unsound because one can launder an InitOk token
> used for one place to another initializer. I used a branded lifetime
> solution, and then you figured out that using a shadowed type would
> work better because nobody could construct it at all.
>
> The laundering issue does not apply to the approach we ended up with
> today.
You could always make the unsafe-to-construct token generic over a
locally-defined type to avoid issues with laundering.
> Reported-by: Tim Chirananthavat <theemathas@xxxxxxxxx>
> Link: https://github.com/rust-lang/rust/issues/153535 [1]
> Link: https://github.com/rust-lang/rfcs/pull/3444#issuecomment-4016145373 [2]
> Link: https://github.com/rust-lang/rust/issues/153535#issuecomment-4017620804 [3]
> Fixes: fc6c6baa1f40 ("rust: init: add initialization macros")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Benno Lossin <lossin@xxxxxxxxxx>
> ---
> This is not yet a soundness issue, but could become one in the future
> when TAIT gets stabilized in a form that allows the problem described.
Let's just land it now regardless.
Reviewed-by: Alice Ryhl <aliceryhl@xxxxxxxxxx>
Alice
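The "generic over a locally-defined type" idea from the reply above, as an added example that is not part of the patch or of the pin-init crate: a completion token that can only be created with `unsafe`, and that additionally carries a brand type declared inside each initializer so a token minted for one initializer is a different type from the one another initializer must return. The names (`InitOk`, `Brand`, `init_in_place`, `make_init!`, `demo`) are hypothetical and stand in for the real pin-init machinery.

```rust
// Added example (hypothetical names; not pin-init's own code). It combines the
// patch's "unsafe-to-create token" with Alice's suggestion of making that token
// generic over a type local to the initializer that produces it.
use core::mem::MaybeUninit;

mod token {
    use core::marker::PhantomData;

    /// Proof that an initializer finished writing its slot. The field is
    /// private, so outside this module the only constructor is `new`.
    pub struct InitOk<Brand>(PhantomData<Brand>);

    impl<Brand> InitOk<Brand> {
        /// # Safety
        /// The caller must have fully initialized the slot handed to the
        /// surrounding initializer. Only generated initializer code calls this.
        pub unsafe fn new() -> Self {
            InitOk(PhantomData)
        }
    }
}
use token::InitOk;

/// Runs an initializer on an uninitialized slot and hands back the value.
/// The closure must return `InitOk<B>` for the brand `B` it was generated
/// with; a token of any other brand is a type error at the call site.
pub fn init_in_place<T, B>(f: impl FnOnce(&mut MaybeUninit<T>) -> InitOk<B>) -> T {
    let mut slot = MaybeUninit::<T>::uninit();
    let _proof: InitOk<B> = f(&mut slot);
    // SAFETY: `InitOk<B>` can only be created through the unsafe `InitOk::new`,
    // whose contract requires the slot to be fully initialized beforehand.
    unsafe { slot.assume_init() }
}

/// Builds an initializer closure. Each expansion declares its own `Brand`
/// type, so the token it returns cannot be supplied by any other expansion.
macro_rules! make_init {
    ($ty:ty, |$slot:ident| $body:block) => {{
        #[allow(dead_code)]
        struct Brand;
        let f = |$slot: &mut MaybeUninit<$ty>| -> InitOk<Brand> {
            $body;
            // SAFETY: the body above is responsible for writing `$slot`.
            // Constructing the token still requires `unsafe`, as in the patch.
            unsafe { InitOk::<Brand>::new() }
        };
        f
    }};
}

/// Two independent initializers, each with its own brand.
pub fn demo() -> (u32, [u8; 4]) {
    let a = init_in_place(make_init!(u32, |slot| {
        slot.write(7);
    }));
    let b = init_in_place(make_init!([u8; 4], |slot| {
        slot.write(*b"init");
    }));
    (a, b)
}

fn main() {
    let (a, b) = demo();
    println!("a = {a}, b = {:?}", core::str::from_utf8(&b));
}
```

Returning the token from the first `make_init!` expansion inside the second would not compile, because the two `Brand` types are distinct even though both are spelled `Brand`; and because `InitOk::new` is `unsafe`, safe code in an initializer body cannot mint a token of its own brand either, which is the property the patch relies on.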