cloudflare
diff --git a/‎justfile
Lines changed: 3 additions & 0 deletions b/‎justfile
Lines changed: 3 additions & 0 deletions
diff --git a/‎kj-rs/awaiter.c++
Lines changed: 6 additions & 65 deletions b/‎kj-rs/awaiter.c++
Lines changed: 6 additions & 65 deletions
diff --git a/‎kj-rs/awaiter.h
Lines changed: 2 additions & 4 deletions b/‎kj-rs/awaiter.h
Lines changed: 2 additions & 4 deletions
diff --git a/‎kj-rs/awaiter.h.rs
Lines changed: 0 additions & 15 deletions b/‎kj-rs/awaiter.h.rs
Lines changed: 0 additions & 15 deletions
diff --git a/‎kj-rs/awaiter.rs
Lines changed: 55 additions & 103 deletions b/‎kj-rs/awaiter.rs
Lines changed: 55 additions & 103 deletions
diff --git a/‎kj-rs/lazy_pin_init.rs
Lines changed: 0 additions & 56 deletions b/‎kj-rs/lazy_pin_init.rs
Lines changed: 0 additions & 56 deletions
@@ -11,6 +11,9 @@ build:
 test:
     bazel test //...
 
+asan:
+    bazel test --config=asan //...
+
 clippy:
     bazel build --config=clippy  //...
 
 
@@ -13,69 +13,10 @@ namespace kj_rs {
 // that end, we use bindgen to generate an opaque FFI type of known size for RustPromiseAwaiter in
 // awaiter.h.rs.
 //
-// Our use of bindgen is non-automated, and the generated awaiter.hs.rs file must be manually
-// regenerated whenever the size and alignment of RustPromiseAwaiter changes. To remind us to do so,
-// we have these static_asserts.
-//
-// If you are reading this because a static_assert fired:
-//
-//   1. Scroll down to find a sample `bindgen` command line invocation.
-//   2. Run the command in this directory.
-//   3. Read the new awaiter.hs.rs and adjust the constants in these static_asserts with the new size
-//      or alignment.
-//   4. Commit the changes here with the new awaiter.hs.rs file.
-//
-// It would be nice to automate this someday. `rules_rust` has some bindgen rules, but it adds a few
-// thousand years to the build times due to its hermetic dependency on LLVM. It's possible to
-// provide our own toolchain, but I became fatigued in the attempt.
-static_assert(sizeof(GuardedRustPromiseAwaiter) == sizeof(uint64_t) * 15,
-    "GuardedRustPromiseAwaiter size changed, you must re-run bindgen");
-static_assert(alignof(GuardedRustPromiseAwaiter) == alignof(uint64_t) * 1,
-    "GuardedRustPromiseAwaiter alignment changed, you must re-run bindgen");
-
-// Notes about the bindgen command below:
-//
-//   - `--generate "types"` inhibits the generation of any binding other than types.
-//   - We use `--allow-list-type` and `--blocklist-type` regexes to select specific types.
-//   - `--blocklist-type` seems to be necessary if your allowlisted type has nested types.
-//   - The allowlist/blocklist regexes are applied to an intermediate mangling of the types' paths
-//     in C++. In particular, C++ namespaces are replaced with Rust module names. Since `async` is
-//     a keyword in Rust, bindgen mangles the corresponding Rust module to `async_`. Meanwhile,
-//     nested types are mangled to `T_Nested`, despite being `T::Nested` in C++.
-//   - `--opaque-type` tells bindgen to generate a type containing a single array of words, rather
-//     than named members which alias the members in C++.
-//
-// The end result is a Rust file which defines Rust equivalents for our selected C++ types. The
-// types will have the same size and alignment as our C++ types, but do not provide data member
-// access, nor does bindgen define any member functions or special functions for the type. Instead,
-// we define the entire interface for the types in our `cxxbridge` FFI module.
-//
-// We do it this way because in our philosophy on cross-language safety, the only structs which both
-// languages are allowed to mutate are those generated by our `cxxbridge` macro. RustPromiseAwaiter
-// is a C++ class, so we don't let Rust mutate its internal data members.
-
-#if 0
-
-bindgen \
-    --rust-target 1.83.0 \
-    --disable-name-namespacing \
-    --generate "types" \
-    --allowlist-type "kj_rs_::GuardedRustPromiseAwaiter" \
-    --opaque-type ".*" \
-    --no-derive-copy \
-    ./awaiter.h \
-    -o ./awaiter.h.rs \
-    -- \
-    -x c++ \
-    -std=c++23 \
-    -stdlib=libc++ \
-    -Wno-pragma-once-outside-header \
-    -I $(bazel info bazel-bin)/external/capnp-cpp/src/kj/_virtual_includes/kj \
-    -I $(bazel info bazel-bin)/external/capnp-cpp/src/kj/_virtual_includes/kj-async \
-    -I $(bazel info bazel-bin)/external/crates_vendor__cxx-1.0.133/_virtual_includes/cxx_cc \
-    -I $(bazel info bazel-bin)/src/rust/async/_virtual_includes/async@cxx
-
-#endif
+static_assert(sizeof(GuardedRustPromiseAwaiter) == sizeof(GuardedRustPromiseAwaiterRepr),
+    "GuardedRustPromiseAwaiter size changed, you must update lib.rs ffi");
+static_assert(alignof(GuardedRustPromiseAwaiter) == alignof(GuardedRustPromiseAwaiterRepr),
+    "GuardedRustPromiseAwaiter alignment changed, you must update lib.rs ffi");
 
 RustPromiseAwaiter::RustPromiseAwaiter(
     OptionWaker& optionWaker, OwnPromiseNode nodeParam, kj::SourceLocation location)
@@ -192,10 +133,10 @@ OwnPromiseNode RustPromiseAwaiter::take_own_promise_node() {
 }
 
 void guarded_rust_promise_awaiter_new_in_place(
-    PtrGuardedRustPromiseAwaiter ptr, OptionWaker* optionWaker, OwnPromiseNode node) {
+    GuardedRustPromiseAwaiter* ptr, OptionWaker* optionWaker, OwnPromiseNode node) {
   kj::ctor(*ptr, *optionWaker, kj::mv(node));
 }
-void guarded_rust_promise_awaiter_drop_in_place(PtrGuardedRustPromiseAwaiter ptr) {
+void guarded_rust_promise_awaiter_drop_in_place(GuardedRustPromiseAwaiter* ptr) {
   kj::dtor(*ptr);
 }
 
 
@@ -121,11 +121,9 @@ struct GuardedRustPromiseAwaiter: ExecutorGuarded<RustPromiseAwaiter> {
   }
 };
 
-using PtrGuardedRustPromiseAwaiter = GuardedRustPromiseAwaiter*;
-
 void guarded_rust_promise_awaiter_new_in_place(
-    PtrGuardedRustPromiseAwaiter, OptionWaker*, OwnPromiseNode);
-void guarded_rust_promise_awaiter_drop_in_place(PtrGuardedRustPromiseAwaiter);
+    GuardedRustPromiseAwaiter*, OptionWaker*, OwnPromiseNode);
+void guarded_rust_promise_awaiter_drop_in_place(GuardedRustPromiseAwaiter*);
 
 // =======================================================================================
 // FuturePollEvent
 
@@ -1,80 +1,20 @@
+use std::mem::MaybeUninit;
 use std::pin::Pin;
-
 use std::task::Context;
 
-use cxx::ExternType;
-
+use crate::ffi::{GuardedRustPromiseAwaiter, GuardedRustPromiseAwaiterRepr};
 use crate::waker::try_into_kj_waker_ptr;
 
-use crate::lazy_pin_init::LazyPinInit;
-
 // =======================================================================================
 // GuardedRustPromiseAwaiter
 
-#[path = "awaiter.h.rs"]
-mod awaiter_h;
-pub use awaiter_h::GuardedRustPromiseAwaiter;
-
 // Safety: KJ Promises are not associated with threads, but with event loops at construction time.
 // Therefore, they can be polled from any thread, as long as that thread has the correct event loop
 // active at the time of the call to `poll()`. If the correct event loop is not active,
 // GuardedRustPromiseAwaiter's API will panic. (The Guarded- prefix refers to the C++ class template
 // ExecutorGuarded, which enforces the correct event loop requirement.)
 unsafe impl Send for GuardedRustPromiseAwaiter {}
 
-impl Drop for GuardedRustPromiseAwaiter {
-    fn drop(&mut self) {
-        // Pin safety:
-        // The pin crate suggests implementing drop traits for address-sensitive types with an inner
-        // function which accepts a `Pin<&mut Type>` parameter, to help uphold pinning guarantees.
-        // However, since our drop function is actually a C++ destructor to which we must pass a raw
-        // pointer, there is no benefit in creating a Pin from `self`.
-        //
-        // https://doc.rust-lang.org/std/pin/index.html#implementing-drop-for-types-with-address-sensitive-states
-        //
-        // Pointer safety:
-        // 1. Pointer to self is non-null, and obviously points to valid memory.
-        // 2. We do not read or write to the OwnPromiseNode's memory, so there are no atomicity nor
-        //    interleaved pointer/reference access concerns.
-        //
-        // https://doc.rust-lang.org/std/ptr/index.html#safety
-        unsafe {
-            crate::ffi::guarded_rust_promise_awaiter_drop_in_place(PtrGuardedRustPromiseAwaiter(
-                self,
-            ));
-        }
-    }
-}
-
-// Safety: We have a static_assert in awaiter.c++ which breaks if you change the size or alignment
-// of the C++ definition of GuardedRustPromiseAwaiter, with instructions to regenerate the bindgen-
-// generated type. I couldn't figure out how to static_assert on the actual generated Rust struct,
-// though, so it's not perfect. Ideally we'd run bindgen in the build system.
-//
-// https://docs.rs/cxx/latest/cxx/trait.ExternType.html#integrating-with-bindgen-generated-types
-unsafe impl ExternType for GuardedRustPromiseAwaiter {
-    type Id = cxx::type_id!("::kj_rs::GuardedRustPromiseAwaiter");
-    type Kind = cxx::kind::Opaque;
-}
-
-// This Ptr- type is copied from dtolnay's `Box<dyn Trait>` example:
-// https://github.com/dtolnay/cxx/pull/672/files#diff-0ca4eb15f64c7f6bd562b9efb702a1f6020ee83a6f1c686054cfd3fb314edfe1R16
-//
-// I don't entirely understand why it is necessary. When I tried to replace it with raw pointers, I
-// encountered segfaults, so I put it back.
-//
-// TODO(someday): Examine the generated code with and without this wrapper type and figure out why
-//   it's necessary. Do we need this sort of wrapper for our macro-generated Future and Promise
-//   types, too?
-#[repr(transparent)]
-pub struct PtrGuardedRustPromiseAwaiter(*mut GuardedRustPromiseAwaiter);
-
-// Safety: Raw pointers are the same size in both languages.
-unsafe impl ExternType for PtrGuardedRustPromiseAwaiter {
-    type Id = cxx::type_id!("::kj_rs::PtrGuardedRustPromiseAwaiter");
-    type Kind = cxx::kind::Trivial;
-}
-
 // =======================================================================================
 // Await syntax for OwnPromiseNode
 
@@ -83,7 +23,8 @@ use crate::OwnPromiseNode;
 pub struct PromiseAwaiter<Data: std::marker::Unpin> {
     node: Option<OwnPromiseNode>,
     pub(crate) data: Data,
-    awaiter: LazyPinInit<GuardedRustPromiseAwaiter>,
+    awaiter: MaybeUninit<GuardedRustPromiseAwaiterRepr>,
+    awaiter_initialized: bool,
     // Safety: `option_waker` must be declared after `awaiter`, because `awaiter` contains a reference
     // to `option_waker`. This ensures `option_waker` will be dropped after `awaiter`.
     option_waker: OptionWaker,
@@ -94,7 +35,8 @@ impl<Data: std::marker::Unpin> PromiseAwaiter<Data> {
         PromiseAwaiter {
             node: Some(node),
             data,
-            awaiter: LazyPinInit::uninit(),
+            awaiter: MaybeUninit::uninit(),
+            awaiter_initialized: false,
             option_waker: OptionWaker::empty(),
         }
     }
@@ -104,45 +46,43 @@ impl<Data: std::marker::Unpin> PromiseAwaiter<Data> {
     /// Panics if `node` is None.
     #[must_use]
     pub fn get_awaiter(mut self: Pin<&mut Self>) -> Pin<&mut GuardedRustPromiseAwaiter> {
-        // On our first invocation, `node` will be Some, and `get_awaiter` will forward its
-        // contents into GuardedRustPromiseAwaiter's constructor. On all subsequent invocations, `node`
-        // will be None and the constructor will not run.
-        let node = self.as_mut().node.take();
-
-        // Safety: `awaiter` stores `rust_waker_ptr` and uses it to call `wake()`. Note that
-        // `awaiter` is `self.awaiter`, which lives before `self.option_waker`. Since struct members
-        // are dropped in declaration order, the `rust_waker_ptr` that `awaiter` stores will always
-        // be valid during its lifetime.
-        //
-        // We pass a mutable pointer to C++. This is safe, because our use of the OptionWaker inside
-        // of `std::task::Waker` is synchronized by ensuring we only allow calls to `poll()` on the
-        // thread with the Promise's event loop active.
-        let rust_waker_ptr = &raw mut self.as_mut().option_waker;
-
-        // Safety:
-        // 1. We do not implement Unpin for PromiseAwaiter.
-        // 2. Our Drop trait implementation does not move the awaiter value, nor do we use
-        //    `repr(packed)` anywhere.
-        // 3. The backing memory is inside our pinned Future, so we can be assured our Drop trait
-        //    implementation will run before Rust re-uses the memory.
-        //
-        // https://doc.rust-lang.org/std/pin/index.html#choosing-pinning-to-be-structural-for-field
-        let awaiter = unsafe { self.map_unchecked_mut(|s| &mut s.awaiter) };
-
-        // Safety:
-        // 1. We trust that LazyPinInit's implementation passed us a valid pointer to an
-        //    uninitialized GuardedRustPromiseAwaiter.
-        // 2. We do not read or write to the GuardedRustPromiseAwaiter's memory, so there are no atomicity
-        //    nor interleaved pointer reference access concerns.
-        //
-        // https://doc.rust-lang.org/std/ptr/index.html#safety
-        awaiter.get_or_init(move |ptr: *mut GuardedRustPromiseAwaiter| unsafe {
-            crate::ffi::guarded_rust_promise_awaiter_new_in_place(
-                PtrGuardedRustPromiseAwaiter(ptr),
-                rust_waker_ptr,
-                node.expect("node should be Some in call to init()"),
-            );
-        })
+        // Safety: We never move out of `this`.
+        let this = unsafe { Pin::into_inner_unchecked(self.as_mut()) };
+
+        // Initialize the awaiter if not already done
+        if !this.awaiter_initialized {
+            // On our first invocation, `node` will be Some, and `get_awaiter` will forward its
+            // contents into GuardedRustPromiseAwaiter's constructor. On all subsequent invocations, `node`
+            // will be None and the constructor will not run.
+            let node = this.node.take();
+
+            // Safety: `awaiter` stores `rust_waker_ptr` and uses it to call `wake()`. Note that
+            // `awaiter` is `this.awaiter`, which lives before `this.option_waker`. 
+            // Since we drop awaiter manually, the `rust_waker_ptr` that `awaiter` stores will always
+            // be valid during its lifetime.
+            //
+            // We pass a mutable pointer to C++. This is safe, because our use of the OptionWaker inside
+            // of `std::task::Waker` is synchronized by ensuring we only allow calls to `poll()` on the
+            // thread with the Promise's event loop active.
+            let rust_waker_ptr = &raw mut this.option_waker;
+
+            // Safety: The memory slot is valid and this type ensures that it will stay pinned.
+            unsafe {
+                crate::ffi::guarded_rust_promise_awaiter_new_in_place(
+                    this.awaiter.as_mut_ptr().cast::<GuardedRustPromiseAwaiter>(),
+                    rust_waker_ptr,
+                    node.expect("node should be Some in call to init()"),
+                );
+            }
+            this.awaiter_initialized = true;
+        }
+
+        // Safety: `this.awaiter` is pinned since `self` is pinned.
+        unsafe {
+            let raw = this.awaiter.assume_init_mut() as *mut GuardedRustPromiseAwaiterRepr;
+            let raw = raw.cast::<GuardedRustPromiseAwaiter>();
+            Pin::new_unchecked(&mut *raw)
+        }
     }
 
     pub fn poll(mut self: Pin<&mut Self>, cx: &mut Context) -> bool {
@@ -153,6 +93,18 @@ impl<Data: std::marker::Unpin> PromiseAwaiter<Data> {
     }
 }
 
+impl<Data: std::marker::Unpin> Drop for PromiseAwaiter<Data> {
+    fn drop(&mut self) {
+        if self.awaiter_initialized {
+            unsafe {
+                crate::ffi::guarded_rust_promise_awaiter_drop_in_place(
+                    self.awaiter.as_mut_ptr().cast::<GuardedRustPromiseAwaiter>()
+                );
+            }
+        }
+    }
+}
+
 // =======================================================================================
 // OptionWaker and WakerRef