Accessing MaybeUninit

someotherself · January 7, 2026, 9:34am

I'm working on an ffi crate and need some advice in one key area.
My types usually look like this:

pub struct Wrapper {
    inner: Pin<Box<MaybeUninit<sys::c_struct>>>,
    init: bool,
}

Pin is used because it's an audio library and moves can lead to seg faults.
MaybeUninit is used because of how I initialize the c struct. It usually follows the same pattern:

pub fn new() -> Result<Wrapper> {
    let mut wrapper = Wrapper::new_uninit();
    let res = unsafe { sys::c_initializer_function(wrapper.maybe_uninit_mut_ptr())} // below
    // Check res for errors
    wrapper.set_init(); // set wrapper.init = true
    Ok(wrapper)
}

fn new_uninit() -> Wrapper {
    let mut inner = Box::pin(MaybeUninit::<sys::c_struct>::uninit());
    Wrapper { 
        inner,
        init: false,
    }
}

Now, I need 3 helpers to access the inner pointer.

Used to pass the unitialized ptr to c_initializer_function
fn maybe_uninit_mut_ptr(&mut self) -> *mut sys::c_struct {
    self.inner.as_mut_ptr()
}

And 2 other got getting a *const and a *mut after it's initialized.

fn assume_init_ptr(&self) -> *const sys::c_struct {
    debug_assert!(self.init, "Wrapper used before initialization.");
    unsafe { &self.inner.assume_init() as *const _ }
}

fn assume_init_mut_ptr(&mut self) -> *mut sys::c_struct {
    debug_assert!(self.init, "Wrapper used before initialization.");
    unsafe { self.inner.assume_init_mut() }
}

The main concern I have is with the last 2, if my helpers are sound. I am unsure of the difference between:
unsafe { &self.inner.assume_init() as *const _}
and simply and simply
self.inner.as_ptr()

Or between
unsafe { self.inner.assume_init_mut() }
and
self.inner.as_mut_ptr()

What are correct the ways I should access the pointers here?

nerditation · January 7, 2026, 9:55am

you may want to check out moveit, which handles the boilerplates of Pin and MaybeUninit, so you can emulate the C++ constructor semantic in safe code:

btw, you combined MaybeUninit<T> and a boolean flag init in your example, which can be replaced by Option<T> without any unsafe. you also get the bonus niche optimization if your type supports it, which is not possible with MaybeUninit and bool.

alice · January 7, 2026, 11:45am

Your current definition is not good. The type inside your pinned box implements Unpin, so the Pin has no effect. For good measure, you probably want to use UnsafeCell too. This gives you:

pub struct Wrapper {
    inner: Pin<Box<CStruct>>,
    init: bool,
}

struct CStruct {
    inner: UnsafeCell<MaybeUninit<sys::c_struct>>,
    _not_unpin: PhantomPinned,
}

the other option, which is equally legal, is to use a raw pointer:

pub struct Wrapper {
    inner: *mut sys::c_struct, // or NonNull<sys::c_struct>
    init: bool,
}

impl Drop for Wrapper {
    fn drop(&mut self) {
        // clean up the c struct if required
        drop(unsafe { Box::from_raw(self.inner) });
    }
}

someotherself · January 7, 2026, 1:02pm

Thank you! I do like the simplicity of inner: NonNull<sys::c_struct>. If needed I can wrap that in an Option, but for now at least, it doesn't seem necessary with how it gets initialized.

akrauze · January 7, 2026, 2:02pm

But OP needs to pass an out-pointer to sys::c_initializer_function. You cannot change in-place variant of an enum.

khimru · January 7, 2026, 2:15pm

You can not do that with most enums. But that's very explicitly permitted for Option<NonNull<…>>. Precisely because it's so useful for FFI. Of course that's only true when you pointer is for Sized type, but that's Ok for topicstarter needs.

alice · January 7, 2026, 2:17pm

What I intended is:

let alloc = Box::new_uninit();
let ptr = Box::into_raw(alloc);
unsafe { sys::c_initializer_function(ptr) };
Self {
    inner: ptr,
}

someotherself · January 7, 2026, 2:29pm

That's kind of what I went with

    let mut alloc: Box<MaybeUninit<sys::c_struct>> = Box::new_uninit();
    unsafe { sys::c_initializer_function(mem.as_mut_ptr()) };
    let leaked: *mut sys::c_struct = Box::into_raw(alloc).cast::<sys::c_stryct>();
    Ok(Wrapper {
        inner: unsafe { NonNull::new_unchecked(leaked) },
    })

With then dropping is as drop(unsafe { Box::from_raw(self.inner.as_ptr()) });

Morgane55440 · January 7, 2026, 2:52pm

i would recommend

let leaked = NonNull::from_mut(Box::leak(alloc)).cast::<sys::c_struct>()

to avoid the unnecesary new_unchecked. the best would be Box::into_non_null ofc, but that is not stable

RustyYato · January 7, 2026, 3:12pm

This is not good, although it does allow you to avoid on tiny bit of unsafe, it makes it impossible to correctly (soundly) deallocate that box.
But converting it to a reference you've lost the provenance of the original allocation. This means it's ub to deallocate using this pointer.

Box::into_non_null can't come soon enough

See these two related issues:

github.com/rust-lang/rust

Does `dealloc` care about provenance?

opened 07:07AM - 06 Dec 25 UTC

scottmcm

A-allocators A-strict-provenance T-opsem

<https://doc.rust-lang.org/alloc/alloc/fn.dealloc.html> points to <https://doc.r…ust-lang.org/alloc/alloc/trait.GlobalAlloc.html#tymethod.dealloc>, which says nothing about provenance, just > - `ptr` is a block of memory currently allocated via this allocator and, > - `layout` is the same layout that was used to allocate that block of memory. (<https://doc.rust-lang.org/alloc/alloc/trait.Allocator.html#tymethod.deallocate> also doesn't mention provenance, nor does <https://doc.rust-lang.org/alloc/alloc/trait.Allocator.html#currently-allocated-memory>.) Does the `ptr` need to have any particular provenance? Does an allocator need to launder the provenance back to a known-valid one in order to read/write through the pointer it got in `dealloc`? Whatever the answer, it would be good to say either way in docs. FWIW, MIRI rejects this today ("pointer not dereferenceable"): ```rust let layout = Layout::new::<i32>(); let p: *mut u8 = alloc(layout); let other: *mut u8 = without_provenance_mut(p.addr()); dealloc(other, layout); ``` <https://play.rust-lang.org/?version=stable&mode=debug&edition=2024&gist=0f058facb5747bdb47e8e44ccdfc2b71> And also rejects this (with an odd "does not point to the beginning of an object" error that's arguably not true): ```rust let layout = Layout::new::<i32>(); let p: *mut u8 = alloc(layout); let mut mylocal = 10_u8; let other = (&raw mut mylocal).with_addr(p.addr()); dealloc(other, layout); ``` <https://play.rust-lang.org/?version=nightly&mode=debug&edition=2024&gist=5977dfe5da7f5700f902f8386f1a7f59>

github.com/rust-lang/unsafe-code-guidelines

About "unleaking": what is the required pointer provenance in `dealloc`?

opened 04:06PM - 10 Jan 22 UTC

danielhenrymantilla

Sorry if this is a duplicate, but I like the "keywords" I've showcased in this i…ssue. Other related issues: - https://github.com/rust-lang/unsafe-code-guidelines/issues/285 - https://github.com/rust-lang/unsafe-code-guidelines/issues/287 - https://github.com/rust-lang/unsafe-code-guidelines/issues/256 <- this is a pervasive instance of that. - https://github.com/rust-lang/unsafe-code-guidelines/issues/243 - https://github.com/rust-lang/unsafe-code-guidelines/issues/134 <- canonical issue? - https://github.com/rust-lang/unsafe-code-guidelines/issues/52 Note that the quite loaded term "provenance" is being used here as described mainly in https://github.com/rust-lang/unsafe-code-guidelines/issues/134. ___ ## Unleaking The stdlib libs docs [currently state, regarding `Box::leak`](https://doc.rust-lang.org/1.57.0/std/boxed/struct.Box.html#method.leak): > Dropping the returned reference \[return value of `Box::leak()`\] will cause a memory leak. If this is not acceptable, the reference should first be wrapped with the `Box::from_raw` function producing a `Box`. This `Box` can then be dropped which will properly destroy `T` and release the allocated memory. So, even if there is no code snippet, such statement is stating that: ```rust fn drop_box<T> (boxed: Box<T>) { drop(unsafe { Box::from_raw(Box::leak(boxed)) }); } ``` is sound, no matter the `alloc::Global` backing it. - <details><summary>A far-fetched / contrived generalization to any <code>impl Allocator</code></summary> ```rust fn drop_box_in<T, A : Allocator> (boxed: Box<T, A>) { let (mut ptr, alloc) = Box::into_raw_with_allocator(x); unsafe { ptr = &mut *ptr; drop(Box::from_raw_in(ptr, alloc)); } } ``` </details> Which, given `Box`'s implementation, is assuming that if somebody asks an `impl GlobalAlloc` —or an `impl Alloc` if generalizing— memory for a `Layout::new::<T>()` (through `alloc` or `realloc`), and gets back a non-null pointer `ptr`, then it is then legal to give back `ptr` to that `impl Alloc`'s `dealloc` (or `realloc`), but with `ptr`'s provenance having been "shrunk" down to that `T`'s layout (_e.g._, through `ptr = <*mut _>::cast(&mut *ptr.cast::<MaybeUninit<T>>());`). This, in practice, can be quite problematic for many (most?) `GlobalAlloc` implementations out there, since they do often perform some bookkeeping and whatnot laid out contiguously to the yielded allocation, and such metadata would thus not be accessible from such a returned pointer alone: the allocator would thus need to keep some extra data / state to be able to get back provenance over the user-facing allocation _and_ the contiguous metadata. ### A simplified example ```rust use ::std::{ alloc::{self, GlobalAlloc as _, Layout}, mem::drop as stuff, ptr, }; unsafe trait AllocI32 { fn alloc_i32() -> Option<ptr::NonNull<i32>>; unsafe fn dealloc(_: ptr::NonNull<i32>); } struct MyAllocUsingGlobalAllocUnderTheHood; #[repr(C)] struct I32AndMeta { alloc: i32, meta: u8, } static SYSTEM_ALLOC: alloc::System = alloc::System; unsafe impl AllocI32 for MyAllocUsingGlobalAllocUnderTheHood { fn alloc_i32() -> Option<ptr::NonNull<i32>> { let layout = Layout::new::<I32AndMeta>(); ptr::NonNull::new(unsafe { SYSTEM_ALLOC.alloc_zeroed(layout) }) .map(ptr::NonNull::cast) } unsafe fn dealloc(ptr: ptr::NonNull<i32>) { let layout = Layout::new::<I32AndMeta>(); let meta = ptr.as_ptr().cast::<u8>().add(4).read(); stuff(meta); SYSTEM_ALLOC.dealloc(ptr.as_ptr().cast(), layout); } } ``` The interesting lines here are: ```rust unsafe fn dealloc(ptr: ptr::NonNull<i32>) { let layout = Layout::new::<I32AndMeta>(); let meta = ptr.as_ptr().cast::<u8>().add(4).read(); ``` if `ptr` were to stem from `&i32` (_e.g._, `let r: &i32 = …; dealloc(r.into());`), even if that `&i32` had originated from an `alloc()`-yielded ptr (`let r: &i32 = alloc().unwrap().as_ref();`), then the operation reading `meta` would not be well-defined: `r.add(4)` would yield an off-by-one pointer, which would not be usable to perform a read-dereference with. ___ ### The two possible workarounds In a world without any abstraction whatsoever, the answer to this problem is easy: keep a pointer with provenance over that allocated `I32AndMeta` around (such as the `ptr` returned by `alloc` itself), and use it to "launder" the received ptr. But since there is this `Alloc` / `GlobalAlloc` boundary, the question remains: who should be responsible for doing this? - Would it be the `Alloc`ator, as in: ```diff unsafe fn dealloc(ptr: ptr::NonNull<i32>) { let layout = Layout::new::<I32AndMeta>(); let ptr = ptr.as_ptr().cast::<u8>(); + let ptr_with_provenance: *mut u8 = Self::get_ptr_with_provenance(…); + // amend `ptr` so that it points to the same place, but with a fixed provenance + let ptr = <*mut u8>::wrapping_offset( + ptr_with_provenance, + isize::wrapping_sub( + ptr.as_ptr() as _, + ptr_with_provenance as _, + ), + ); let meta = ptr.add(4).read(); // <- this read is now well-defined! stuff(meta); SYSTEM_ALLOC.dealloc(ptr.as_ptr().cast(), layout); } ``` - or would it be the user of the `Alloc`ator, **by declaring "unleaking" to be a contract violation** / **by requiring that a pointer with the originally-obtained provenance be the only valid input for a `{de,re}alloc` call?** ```rust pub struct MutRefWithOriginalProvenance<'lt, T> { ptr: ptr::NonNull<T>, _phantom: PhantomData<&'lt mut T>, } impl<T> Deref{,Mut} for … { type Target = T; … } impl… MutRefWithOriginalProvenance… { pub fn into_raw… } ``` ```rust let mut r: MutRefWithOriginalProvenance<'static, i32> = Box::reversible_leak(Box::new(42)); *r += 27; unsafe { drop(Box::from_raw(r.into_raw())); } ``` This point ought to be clarified, and if going for the latter —or until confirming the former—, then the stdlib docs should be updated to actually disincentivize unleaking. ___ #### My potentially-obvious two cents It feels like the "legalized unleaking" approach has the drawback of requiring that extra `get_ptr_with_provenance(…)` operation, which could come with a non-negligible cost for _all_ `GlobalAlloc` implementations, only to allow a potentially deemed niche "unleaking" operation. But it also feels like "forbidden unleaking" approach is quite a footgun, if, for instance, even the stdlib docs have gotten it wrong for such a long time. So this seems like the classic "let's gauge/measure the performance benefits of 'forbidden unleaking' / the performance cost of 'legalized unleaking'" to compare them against the footguns that forbidding it introduces. Finally, and this is technically beyond Rust's reach, there is also the question of non-Rust pervasive implementations of `GlobalAlloc`, such as that of `libc` (`malloc`, `calloc`, `realloc`, `free`) and whatnot. Such implementations do use metadata, and according to @chorman0773, the cost of a `get_ptr_with_provenance(…)` operation would be very much non-negligible (and, technically, even more so since Rust cannot go and tweak such an implementation, and would thus have to wrap it in a black-box API kind of fashion). - So, _from the looks of it_ / IIUC, the only _practical_ approach _w.r.t._ a legalized unleaking would be to ban `malloc` _& friends_ from being used for `GlobalAlloc` implementations! But I may very well be wrong; I'll let @chorman0773 (and others) chime in and clarify this _hypothetical_ point (although if this were to be true, then I guess there is really no other choice than forbidding unleaking). - <sub><sup>This, in turn, could be deemed inconvenient for FFI users which would have chosen a `malloc`-powered `#[global_allocator]` to allow `free`-ing to occur from the C side, but this is yet another topic…</sup></sub>

alice · January 7, 2026, 3:20pm

@RustyYato I had the same take until I was corrected. Yes, provenance matters. But the provenance of a &mut T is enough to deallocate. Apparently.

And stdlib does suggest people use leak + NonNull::from to do exactly this.

someotherself · January 7, 2026, 4:00pm

After some tweaks:

    let mut alloc: Box<MaybeUninit<sys::c_struct>> = Box::new_uninit();
    unsafe { sys::c_initializer_function(alloc.as_mut_ptr()) };
    let alloc: Box<sys::c_struct> = unsafe { alloc.assume_init() };
    let inner = NonNull::new(Box::into_raw(alloc)).expect("NonNull pointer to c_struct");
    Ok(Wrapper { inner })

I guess into_raw and from_raw fit better.

Topic		Replies	Views
Does addr_of_mut! require MaybeUninit? help	11	1695	February 4, 2022
How to coerce a rust uninitialized type to mut mut T help	18	519	March 15, 2023
Why deference MaybeUninit().unint().as_mut_ptr() is safe? help	21	2349	August 30, 2021
Assume_init on MaybeUninit without address change help	6	760	May 1, 2023
FFI: Iterator, MaybeUninit<T> reuses the same T instance with each iteration help	16	333	November 2, 2024

Accessing MaybeUninit

Related topics