[PATCH 7/8] rust: pin-init: make `[pin_]init_array_from_fn` unwind safe
From: Gary Guo
Date: Wed May 27 2026 - 13:20:52 EST
From: Mirko Adzic <adzicmirko97@xxxxxxxxx>
Adds a guard type that safely initializes an array by running an
initializer on each element, keeping track of the number of initialized
elements. In the case of a panic or error in the per-element initializer,
the guard drops the already-initialized portion of the array; nothing is
dropped on success.
The previous code only ran cleanup on the explicit error path. If the per-
element initializer panicked partway through, the elements already written
into the array would be leaked: their `Drop` impls would never run.
Reported-by: Gary Guo <gary@xxxxxxxxxxx>
Closes: https://github.com/Rust-for-Linux/pin-init/issues/136
Suggested-by: Gary Guo <gary@xxxxxxxxxxx>
Signed-off-by: Mirko Adzic <adzicmirko97@xxxxxxxxx>
[ Add `#[inline]` to `ArrayInit::drop` - Gary ]
Signed-off-by: Gary Guo <gary@xxxxxxxxxxx>
---
rust/pin-init/src/lib.rs | 157 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 115 insertions(+), 42 deletions(-)
diff --git a/rust/pin-init/src/lib.rs b/rust/pin-init/src/lib.rs
index fd40c8f244a1..1fdf9c2366ff 100644
--- a/rust/pin-init/src/lib.rs
+++ b/rust/pin-init/src/lib.rs
@@ -1193,6 +1193,117 @@ pub fn uninit<T, E>() -> impl Init<MaybeUninit<T>, E> {
unsafe { init_from_closure(|_| Ok(())) }
}
+/// Allows safe (pinned and non-pinned) initialization of an array.
+///
+/// Drops the already initialized elements of the array if an error or panic occurs
+/// partway through the initialization process.
+///
+/// # Invariants
+///
+/// If `ptr` is not null:
+/// - `ptr[..num_init]` contains initialized elements of type `T`
+/// - `ptr[num_init..N]` (where N is the size of the array) contains uninitialized memory
+struct ArrayInit<T, F> {
+ /// A pointer to the first element of the array.
+ ptr: *mut T,
+ /// The number of initialized elements in the array.
+ num_init: usize,
+ /// Initialization function factory.
+ make_init: F,
+}
+
+impl<T, F> ArrayInit<T, F> {
+ #[inline]
+ fn new(make_init: F) -> Self {
+ Self {
+ // INVARIANT: `ptr` is null prior to any initialization.
+ ptr: core::ptr::null_mut(),
+ num_init: 0,
+ make_init,
+ }
+ }
+}
+
+/// SAFETY: On success, all `N` elements of the array have been initialized through
+/// `I: Init`. On error or panic, the elements that have been initialized so far are
+/// dropped, thus leaving the array uninitialized and ready to deallocate. The `Init`
+/// implementation executes the same code as that of `PinInit`.
+unsafe impl<T, F, I, E, const N: usize> Init<[T; N], E> for ArrayInit<T, F>
+where
+ F: FnMut(usize) -> I,
+ I: Init<T, E>,
+{
+ unsafe fn __init(mut self, slot: *mut [T; N]) -> Result<(), E> {
+ debug_assert!(!slot.is_null());
+ // INVARIANT: `self.ptr` is non-null once initialization starts.
+ self.ptr = slot.cast::<T>();
+ for i in 0..N {
+ // INVARIANT: Elements `self.ptr[..self.num_init]` have been initialized
+ // thus far. This hold true for every `self.num_init = i`.
+ self.num_init = i;
+ let init = (self.make_init)(i);
+ // SAFETY: `self.ptr.add(i)` is in bounds.
+ let ptr = unsafe { self.ptr.add(i) };
+ // SAFETY: The pointer is derived from `slot` with a valid offset. It is
+ // thus valid for writes and points uninitialized memory.
+ unsafe { init.__init(ptr) }?;
+ }
+ // INVARIANT: `self.ptr` is null after the array is initialized.
+ self.ptr = core::ptr::null_mut();
+ Ok(())
+ }
+}
+
+/// SAFETY: On success, all `N` elements of the array have been initialized through
+/// `I`. Since `I: PinInit` guarantees that the pinning invariants of `T` are upheld,
+/// the guarantees of `[T; N]` are also upheld. On error or panic, the elements that
+/// have been initialized so far are dropped, thus leaving the array uninitialized
+/// and ready to deallocate.
+unsafe impl<T, F, I, E, const N: usize> PinInit<[T; N], E> for ArrayInit<T, F>
+where
+ F: FnMut(usize) -> I,
+ I: PinInit<T, E>,
+{
+ unsafe fn __pinned_init(mut self, slot: *mut [T; N]) -> Result<(), E> {
+ debug_assert!(!slot.is_null());
+ // INVARIANT: `self.ptr` is non-null once initialization starts.
+ self.ptr = slot.cast::<T>();
+ for i in 0..N {
+ // INVARIANT: Elements `self.ptr[..self.num_init]` have been initialized
+ // thus far. This hold true for every `self.num_init = i`.
+ self.num_init = i;
+ let init = (self.make_init)(i);
+ // SAFETY: `self.ptr.add(i)` is in bounds.
+ let ptr = unsafe { self.ptr.add(i) };
+ // SAFETY: The pointer is derived from `slot` with a valid offset. It is
+ // thus valid for writes and points uninitialized memory.
+ unsafe { init.__pinned_init(ptr) }?;
+ }
+ // INVARIANT: `self.ptr` is null after the array is initialized.
+ self.ptr = core::ptr::null_mut();
+ Ok(())
+ }
+}
+
+impl<T, F> Drop for ArrayInit<T, F> {
+ #[inline]
+ fn drop(&mut self) {
+ if self.ptr.is_null() {
+ // Since `self.ptr` is null - either no initialization has been attempted
+ // or the array was successfully initialized, per type invariant. Nothing
+ // to drop.
+ return;
+ }
+
+ // SAFETY: Since `self.ptr` is not null - the initialization has failed
+ // partway. Drop `self.ptr[..self.num_init]` which are initialized per
+ // type invariant.
+ unsafe {
+ core::ptr::drop_in_place(core::ptr::slice_from_raw_parts_mut(self.ptr, self.num_init))
+ };
+ }
+}
+
/// Initializes an array by initializing each element via the provided initializer.
///
/// # Examples
@@ -1204,31 +1315,12 @@ pub fn uninit<T, E>() -> impl Init<MaybeUninit<T>, E> {
/// assert_eq!(array.len(), 1_000);
/// ```
pub fn init_array_from_fn<I, const N: usize, T, E>(
- mut make_init: impl FnMut(usize) -> I,
+ make_init: impl FnMut(usize) -> I,
) -> impl Init<[T; N], E>
where
I: Init<T, E>,
{
- let init = move |slot: *mut [T; N]| {
- let slot = slot.cast::<T>();
- for i in 0..N {
- let init = make_init(i);
- // SAFETY: Since 0 <= `i` < N, it is still in bounds of `[T; N]`.
- let ptr = unsafe { slot.add(i) };
- // SAFETY: The pointer is derived from `slot` and thus satisfies the `__init`
- // requirements.
- if let Err(e) = unsafe { init.__init(ptr) } {
- // SAFETY: The loop has initialized the elements `slot[0..i]` and since we return
- // `Err` below, `slot` will be considered uninitialized memory.
- unsafe { ptr::drop_in_place(ptr::slice_from_raw_parts_mut(slot, i)) };
- return Err(e);
- }
- }
- Ok(())
- };
- // SAFETY: The initializer above initializes every element of the array. On failure it drops
- // any initialized elements and returns `Err`.
- unsafe { init_from_closure(init) }
+ ArrayInit::new(make_init)
}
/// Initializes an array by initializing each element via the provided initializer.
@@ -1247,31 +1339,12 @@ pub fn init_array_from_fn<I, const N: usize, T, E>(
/// assert_eq!(array.len(), 1_000);
/// ```
pub fn pin_init_array_from_fn<I, const N: usize, T, E>(
- mut make_init: impl FnMut(usize) -> I,
+ make_init: impl FnMut(usize) -> I,
) -> impl PinInit<[T; N], E>
where
I: PinInit<T, E>,
{
- let init = move |slot: *mut [T; N]| {
- let slot = slot.cast::<T>();
- for i in 0..N {
- let init = make_init(i);
- // SAFETY: Since 0 <= `i` < N, it is still in bounds of `[T; N]`.
- let ptr = unsafe { slot.add(i) };
- // SAFETY: The pointer is derived from `slot` and thus satisfies the `__init`
- // requirements.
- if let Err(e) = unsafe { init.__pinned_init(ptr) } {
- // SAFETY: The loop has initialized the elements `slot[0..i]` and since we return
- // `Err` below, `slot` will be considered uninitialized memory.
- unsafe { ptr::drop_in_place(ptr::slice_from_raw_parts_mut(slot, i)) };
- return Err(e);
- }
- }
- Ok(())
- };
- // SAFETY: The initializer above initializes every element of the array. On failure it drops
- // any initialized elements and returns `Err`.
- unsafe { pin_init_from_closure(init) }
+ ArrayInit::new(make_init)
}
/// Construct an initializer in a closure and run it.
--
2.54.0