From: Benno Lossin <lossin@kernel.org>
To: "Benno Lossin" <lossin@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>
Cc: Janne Grunau <j@jannau.net>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4 13/15] rust: pin-init: internal: init: add escape hatch for referencing initialized fields
Date: Fri, 16 Jan 2026 11:54:28 +0100 [thread overview]
Message-ID: <20260116105514.3794384-14-lossin@kernel.org> (raw)
In-Reply-To: <20260116105514.3794384-1-lossin@kernel.org>
The initializer macro emits mutable references for already initialized
fields, which allows modifying or accessing them later in code blocks or
when initializing other fields. This behavior results in compiler errors
when combining with packed structs, since those do not permit creating
references to misaligned fields. For example:
#[repr(C, packed)]
struct Foo {
a: i8,
b: i32,
}
fn main() {
let _ = init!(Foo { a: -42, b: 42 });
}
This will lead to an error like this:
error[E0793]: reference to field of packed struct is unaligned
--> tests/ui/compile-fail/init/packed_struct.rs:10:13
|
10 | let _ = init!(Foo { a: -42, b: 42 });
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this struct is 1-byte aligned, but the type of this field may require higher alignment
= note: creating a misaligned reference is undefined behavior (even if that reference is never dereferenced)
= help: copy the field contents to a local variable, or replace the reference with a raw pointer and use `read_unaligned`/`write_unaligned` (loads and stores via `*p` must be properly aligned even when using raw pointers)
= note: this error originates in the macro `init` (in Nightly builds, run with -Z macro-backtrace for more info)
This was requested by Janne Grunau [1] and will most certainly be used
by the kernel when we eventually end up with trying to initialize packed
structs.
Thus add an initializer attribute `#[disable_initialized_field_access]`
that does what the name suggests: do not generate references to already
initialized fields.
There is space for future work: add yet another attribute which can be
applied on fields of initializers that ask for said field to be made
accessible. We can add that when the need arises.
Requested-by: Janne Grunau <j@jannau.net>
Link: https://lore.kernel.org/all/20251206170214.GE1097212@robin.jannau.net [1]
Tested-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Benno Lossin <lossin@kernel.org>
---
Changes in v4: none
Changes in v3: none
Changes in v2:
* silence clippy warning
---
rust/pin-init/internal/src/init.rs | 75 +++++++++++++++++++++---------
1 file changed, 52 insertions(+), 23 deletions(-)
diff --git a/rust/pin-init/internal/src/init.rs b/rust/pin-init/internal/src/init.rs
index e8b93b444f7e..ed2e1462e176 100644
--- a/rust/pin-init/internal/src/init.rs
+++ b/rust/pin-init/internal/src/init.rs
@@ -62,6 +62,7 @@ fn ident(&self) -> Option<&Ident> {
enum InitializerAttribute {
DefaultError(DefaultErrorAttribute),
+ DisableInitializedFieldAccess,
}
struct DefaultErrorAttribute {
@@ -85,7 +86,6 @@ pub(crate) fn expand(
let error = error.map_or_else(
|| {
if let Some(default_error) = attrs.iter().fold(None, |acc, attr| {
- #[expect(irrefutable_let_patterns)]
if let InitializerAttribute::DefaultError(DefaultErrorAttribute { ty }) = attr {
Some(ty.clone())
} else {
@@ -145,7 +145,15 @@ fn assert_zeroable<T: ?::core::marker::Sized>(_: *mut T)
};
// `mixed_site` ensures that the data is not accessible to the user-controlled code.
let data = Ident::new("__data", Span::mixed_site());
- let init_fields = init_fields(&fields, pinned, &data, &slot);
+ let init_fields = init_fields(
+ &fields,
+ pinned,
+ !attrs
+ .iter()
+ .any(|attr| matches!(attr, InitializerAttribute::DisableInitializedFieldAccess)),
+ &data,
+ &slot,
+ );
let field_check = make_field_check(&fields, init_kind, &path);
Ok(quote! {{
// We do not want to allow arbitrary returns, so we declare this type as the `Ok` return
@@ -228,6 +236,7 @@ fn get_init_kind(rest: Option<(Token![..], Expr)>, dcx: &mut DiagCtxt) -> InitKi
fn init_fields(
fields: &Punctuated<InitializerField, Token![,]>,
pinned: bool,
+ generate_initialized_accessors: bool,
data: &Ident,
slot: &Ident,
) -> TokenStream {
@@ -263,6 +272,13 @@ fn init_fields(
unsafe { &mut (*#slot).#ident }
}
};
+ let accessor = generate_initialized_accessors.then(|| {
+ quote! {
+ #(#cfgs)*
+ #[allow(unused_variables)]
+ let #ident = #accessor;
+ }
+ });
quote! {
#(#attrs)*
{
@@ -270,37 +286,31 @@ fn init_fields(
// SAFETY: TODO
unsafe { #write(::core::ptr::addr_of_mut!((*#slot).#ident), #value_ident) };
}
- #(#cfgs)*
- #[allow(unused_variables)]
- let #ident = #accessor;
+ #accessor
}
}
InitializerKind::Init { ident, value, .. } => {
// Again span for better diagnostics
let init = format_ident!("init", span = value.span());
- if pinned {
+ let (value_init, accessor) = if pinned {
let project_ident = format_ident!("__project_{ident}");
- quote! {
- #(#attrs)*
- {
- let #init = #value;
+ (
+ quote! {
// SAFETY:
// - `slot` is valid, because we are inside of an initializer closure, we
// return when an error/panic occurs.
// - We also use `#data` to require the correct trait (`Init` or `PinInit`)
// for `#ident`.
unsafe { #data.#ident(::core::ptr::addr_of_mut!((*#slot).#ident), #init)? };
- }
- #(#cfgs)*
- // SAFETY: TODO
- #[allow(unused_variables)]
- let #ident = unsafe { #data.#project_ident(&mut (*#slot).#ident) };
- }
+ },
+ quote! {
+ // SAFETY: TODO
+ unsafe { #data.#project_ident(&mut (*#slot).#ident) }
+ },
+ )
} else {
- quote! {
- #(#attrs)*
- {
- let #init = #value;
+ (
+ quote! {
// SAFETY: `slot` is valid, because we are inside of an initializer
// closure, we return when an error/panic occurs.
unsafe {
@@ -309,12 +319,27 @@ fn init_fields(
::core::ptr::addr_of_mut!((*#slot).#ident),
)?
};
- }
+ },
+ quote! {
+ // SAFETY: TODO
+ unsafe { &mut (*#slot).#ident }
+ },
+ )
+ };
+ let accessor = generate_initialized_accessors.then(|| {
+ quote! {
#(#cfgs)*
- // SAFETY: TODO
#[allow(unused_variables)]
- let #ident = unsafe { &mut (*#slot).#ident };
+ let #ident = #accessor;
+ }
+ });
+ quote! {
+ #(#attrs)*
+ {
+ let #init = #value;
+ #value_init
}
+ #accessor
}
}
InitializerKind::Code { block: value, .. } => quote! {
@@ -446,6 +471,10 @@ fn parse(input: syn::parse::ParseStream<'_>) -> syn::Result<Self> {
if a.path().is_ident("default_error") {
a.parse_args::<DefaultErrorAttribute>()
.map(InitializerAttribute::DefaultError)
+ } else if a.path().is_ident("disable_initialized_field_access") {
+ a.meta
+ .require_path_only()
+ .map(|_| InitializerAttribute::DisableInitializedFieldAccess)
} else {
Err(syn::Error::new_spanned(a, "unknown initializer attribute"))
}
--
2.52.0
next prev parent reply other threads:[~2026-01-16 10:57 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-16 10:54 [PATCH v4 00/15] `syn` rewrite of pin-init Benno Lossin
2026-01-16 10:54 ` [PATCH v4 01/15] rust: pin-init: remove `try_` versions of the initializer macros Benno Lossin
2026-01-16 10:54 ` [PATCH v4 02/15] rust: pin-init: allow the crate to refer to itself as `pin-init` in doc tests Benno Lossin
2026-01-16 10:54 ` [PATCH v4 03/15] rust: pin-init: add `syn` dependency and remove `proc-macro[2]` and `quote` workarounds Benno Lossin
2026-01-16 10:54 ` [PATCH v4 04/15] rust: pin-init: internal: add utility API for syn error handling Benno Lossin
2026-01-16 10:54 ` [PATCH v4 05/15] rust: pin-init: rewrite `derive(Zeroable)` and `derive(MaybeZeroable)` using `syn` Benno Lossin
2026-01-16 10:54 ` [PATCH v4 06/15] rust: pin-init: rewrite the `#[pinned_drop]` attribute macro " Benno Lossin
2026-01-16 10:54 ` [PATCH v4 07/15] rust: pin-init: rewrite `#[pin_data]` " Benno Lossin
2026-01-16 11:40 ` Gary Guo
2026-01-16 10:54 ` [PATCH v4 08/15] rust: pin-init: add `?Sized` bounds to traits in `#[pin_data]` macro Benno Lossin
2026-01-16 10:54 ` [PATCH v4 09/15] rust: pin-init: rewrite the initializer macros using `syn` Benno Lossin
2026-01-16 10:54 ` [PATCH v4 10/15] rust: pin-init: add `#[default_error(<type>)]` attribute to initializer macros Benno Lossin
2026-01-16 10:54 ` [PATCH v4 11/15] rust: init: use `#[default_error(err)]` for the " Benno Lossin
2026-01-16 10:54 ` [PATCH v4 12/15] rust: pin-init: internal: init: add support for attributes on initializer fields Benno Lossin
2026-01-16 11:41 ` Gary Guo
2026-01-16 10:54 ` Benno Lossin [this message]
2026-01-16 10:54 ` [PATCH v4 14/15] rust: pin-init: internal: init: simplify Zeroable safety check Benno Lossin
2026-01-16 10:54 ` [PATCH v4 15/15] MAINTAINERS: add Gary Guo to pin-init Benno Lossin
2026-01-17 9:54 ` [PATCH v4 00/15] `syn` rewrite of pin-init Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260116105514.3794384-14-lossin@kernel.org \
--to=lossin@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=j@jannau.net \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox