Skip to content

Commit 14b9019

Browse files
RalfJungRalfJung
committed
update UnsafePinned docs regarding public API exposure
1 parent 86e0188 commit 14b9019

File tree

1 file changed

+10
-8
lines changed

1 file changed

+10
-8
lines changed

text/0000-unsafe-aliased.md

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -192,13 +192,17 @@ Similarly, the intrusive linked list from the motivation can be fixed by wrappin
192192
/// The type `UnsafePinned<T>` lets unsafe code violate
193193
/// the rule that `&mut UnsafePinned<T>` may never alias anything else.
194194
///
195-
/// However, it is still very risky to have an `&mut UnsafePinned<T>` that aliases
195+
/// However, even if you define your type like `pub struct Wrapper(UnsafePinned<...>)`,
196+
/// it is still very risky to have an `&mut Wrapper` that aliases
196197
/// anything else. Many functions that work generically on `&mut T` assume that the
197198
/// memory that stores `T` is uniquely owned (such as `mem::swap`). In other words,
198-
/// while having aliasing with `&mut UnsafePinned<T>` is not immediate Undefined
199+
/// while having aliasing with `&mut Wrapper` is not immediate Undefined
199200
/// Behavior, it is still unsound to expose such a mutable reference to code you do
200-
/// not control!
201-
/// Techniques such as pinning via `Pin` are needed to ensure soundness.
201+
/// not control! Techniques such as pinning via `Pin` are needed to ensure soundness.
202+
///
203+
/// Similar to `UnsafeCell`, `UnsafePinned` will not usually show up in the public
204+
/// API of a library. It is an internal implementation detail of libraries that
205+
/// need to support aliasing mutable references.
202206
///
203207
/// Further note that this does *not* lift the requirement that shared references
204208
/// must be read-only! Use `UnsafeCell` for that.
@@ -227,10 +231,8 @@ impl<T: ?Sized> UnsafePinned<T> {
227231

228232
/// Get read-write access to the contents of an `UnsafePinned`.
229233
///
230-
/// If you need to use this function, something is likely going wrong.
231-
/// Exposing an `&mut UnsafePinned` that aliases other pointers to code outside your
232-
/// crate is unsound. Only `Pin<&mut UnsafePinned>` can be exposed soundly.
233-
/// Use `get_mut_pinned` instead whenever possible!
234+
/// You should usually be using `get_mut_pinned` instead to explicitly track
235+
/// the fact that this memory is "pinned" due to there being aliases.
234236
pub fn get_mut_unchecked(&mut self) -> *mut T {
235237
ptr::addr_of_mut!(self.value)
236238
}

0 commit comments

Comments
 (0)