rust: pin-init: internal: move alignment check to `make_field_check`

Instead of having the reference creation serving dual-purpose as both for let bindings and alignment check, detangle them so that the alignment check is done explicitly in `make_field_check`. This is more robust against refactors that may change the way let bindings are created. Cc: stable@vger.kernel.org Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Gary Guo <gary@garyguo.net> Link: https://patch.msgid.link/20260427-pin-init-fix-v3-1-496a699674dd@garyguo.net [ Reworded for typo. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
2026-04-27 16:43:00 +01:00 · 2026-04-27 16:43:00 +01:00 · 83ac287031
parent ba6b328588
commit 83ac287031
1 changed files with 37 additions and 41 deletions
--- a/rust/pin-init/internal/src/init.rs
+++ b/rust/pin-init/internal/src/init.rs
@ -249,10 +249,6 @@ fn init_fields(
                });
                // Again span for better diagnostics
                let write = quote_spanned!(ident.span()=> ::core::ptr::write);
                // NOTE: the field accessor ensures that the initialized field is properly aligned.
                // Unaligned fields will cause the compiler to emit E0793. We do not support
                // unaligned fields since `Init::__init` requires an aligned pointer; the call to
                // `ptr::write` below has the same requirement.
                let accessor = if pinned {
                    let project_ident = format_ident!("__project_{ident}");
                    quote! {
@ -367,49 +363,49 @@ fn init_fields(
    }
 }
-/// Generate the check for ensuring that every field has been initialized.
+/// Generate the check for ensuring that every field has been initialized and aligned.
 fn make_field_check(
    fields: &Punctuated<InitializerField, Token![,]>,
    init_kind: InitKind,
    path: &Path,
 ) -> TokenStream {
-    let field_attrs = fields
+    let field_attrs: Vec<_> = fields
        .iter()
-        .filter_map(|f| f.kind.ident().map(|_| &f.attrs));
+        .filter_map(|f| f.kind.ident().map(|_| &f.attrs))
-    let field_name = fields.iter().filter_map(|f| f.kind.ident());
+        .collect();
-    match init_kind {
+    let field_name: Vec<_> = fields.iter().filter_map(|f| f.kind.ident()).collect();
-        InitKind::Normal => quote! {
+    let zeroing_trailer = match init_kind {
-            // We use unreachable code to ensure that all fields have been mentioned exactly once,
+        InitKind::Normal => None,
-            // this struct initializer will still be type-checked and complain with a very natural
+        InitKind::Zeroing => Some(quote! {
-            // error message if a field is forgotten/mentioned more than once.
+            ..::core::mem::zeroed()
-            #[allow(unreachable_code, clippy::diverging_sub_expression)]
+        }),
-            // SAFETY: this code is never executed.
+    };
-            let _ = || unsafe {
+    quote! {
-                ::core::ptr::write(slot, #path {
+        #[allow(unreachable_code, clippy::diverging_sub_expression)]
-                    #(
+        // We use unreachable code to perform field checks. They're still checked by the compiler.
-                        #(#field_attrs)*
+        // SAFETY: this code is never executed.
-                        #field_name: ::core::panic!(),
+        let _ = || unsafe {
-                    )*
+            // Create references to ensure that the initialized field is properly aligned.
-                })
+            // Unaligned fields will cause the compiler to emit E0793. We do not support
-            };
+            // unaligned fields since `Init::__init` requires an aligned pointer; the call to
-        },
+            // `ptr::write` for value-initialization case has the same requirement.
-        InitKind::Zeroing => quote! {
+            #(
-            // We use unreachable code to ensure that all fields have been mentioned at most once.
+                #(#field_attrs)*
-            // Since the user specified `..Zeroable::zeroed()` at the end, all missing fields will
+                let _ = &(*slot).#field_name;
-            // be zeroed. This struct initializer will still be type-checked and complain with a
+            )*
-            // very natural error message if a field is mentioned more than once, or doesn't exist.
+
-            #[allow(unreachable_code, clippy::diverging_sub_expression, unused_assignments)]
+            // If the zeroing trailer is not present, this checks that all fields have been
-            // SAFETY: this code is never executed.
+            // mentioned exactly once. If the zeroing trailer is present, all missing fields will be
-            let _ = || unsafe {
+            // zeroed, so this checks that all fields have been mentioned at most once. The use of
-                ::core::ptr::write(slot, #path {
+            // struct initializer will still generate very natural error messages for any misuse.
-                    #(
+            ::core::ptr::write(slot, #path {
-                        #(#field_attrs)*
+                #(
-                        #field_name: ::core::panic!(),
+                    #(#field_attrs)*
-                    )*
+                    #field_name: ::core::panic!(),
-                    ..::core::mem::zeroed()
+                )*
-                })
+                #zeroing_trailer
-            };
+            })
-        },
+        };
    }
 }