├── .gitignore ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md └── src ├── bin └── example-dynref.rs └── lib.rs /.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | **/*.rs.bk 3 | Cargo.lock -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "transfer" 3 | version = "0.1.0" 4 | authors = ["Louis Dureuil "] 5 | license = "MIT OR Apache-2.0" 6 | description = "Crate that exposes a Transfer trait, that is to move what Clone is to copy" 7 | repository = "https://github.com/dureuill/transfer" 8 | documentation = "https://docs.rs/transfer" 9 | readme = "README.md" 10 | maintenance = "experimental" 11 | keyword = ["pin", "ownership", "self", "reference"] 12 | categories = ["rust-patterns"] 13 | edition = "2018" 14 | 15 | [dependencies] 16 | stackpin = "0.0.2" 17 | -------------------------------------------------------------------------------- /LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /LICENSE-MIT: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Transfer is to move what clone is to copy 2 | ========================================= 3 | 4 | Note: This crate, as well as [`stackpin`](https://github.com/dureuill/stackpin/), is very much a work in progress, and is published in the hope that it will be of interest for further work. 5 | 6 | The `Transfer` trait executes user code to take a value from an unmovable instance of a struct to another instance. 7 | 8 | In this way, it is similar to the `Clone` trait, which runs user code to clone a value that is not copyable. 9 | 10 | The `Transfer` trait is also comparable to the move constructor of C++. 11 | 12 | Hold on, what is an unmovable struct? 13 | ------------------------------------- 14 | 15 | Rust does not natively expose the concept of "unmovable types". However, thanks to [`Pin`](std::pin::Pin) and `unsafe`, it is possible to express this concept in the type system. 16 | `Transfer` leverages the [`stackpin`](https://github.com/dureuill/stackpin/) crate (by the same author) to build type-safe abstractions for unmovable types. 17 | 18 | Examples 19 | -------- 20 | 21 | * The unit tests for `Transfer` demonstrate a `SecretU64` type that attempts to erase itself securely when it goes out of scope. 22 | * An example for `Transfer` is `DynRef`, a type of reference that uses an external `Lifetime` struct to represent the lifetime of `DynRef`. 
23 | -------------------------------------------------------------------------------- /src/bin/example-dynref.rs: -------------------------------------------------------------------------------- 1 | use stackpin::{stack_let, FromUnpinned, PinStack, Unpinned}; 2 | use std::cell::Cell; 3 | use std::marker::{PhantomData, PhantomPinned}; 4 | use transfer::{transfer, Tr, Transfer}; 5 | 6 | /* Cell holding an optional raw pointer: `Lifetime::on_pin` stores it, `Dropper::drop` clears it. */ pub struct DynRef(Cell>); 7 | 8 | impl DynRef { 9 | pub fn new() -> Self { 10 | Self(Cell::new(None)) 11 | } 12 | 13 | /* Safety: dereferences the stored raw pointer, so the pointee must still be alive when this is called. */ unsafe fn get(&self) -> Option<&T> { 14 | self.0.get().map(|ptr| &*ptr) 15 | } 16 | 17 | pub fn map U>(&self, f: F) -> Option { 18 | unsafe { self.get().map(f) } /* SAFETY(review): sound only if the cell is cleared before the pointee goes away; in this file that is the job of `Dropper::drop` - confirm no path skips it */ 19 | } 20 | 21 | pub fn is_some(&self) -> bool { 22 | self.0.get().is_some() 23 | } 24 | 25 | pub fn is_none(&self) -> bool { 26 | self.0.get().is_none() 27 | } 28 | 29 | /* Bundles `br` and `self` into an `Unpinned`; nothing is written to the cell here, that happens in `on_pin`. */ pub fn lock<'dr, 'br>( 30 | &'dr self, 31 | br: &'br T, 32 | ) -> Unpinned<(&'br T, &'dr Self), Lifetime<'dr, 'br, T>> 33 | where 34 | T: Sized, // FIXME: This shouldn't be required 35 | { 36 | Unpinned::new((br, self)) 37 | } 38 | } 39 | /* Drop guard: when it holds a `DynRef`, dropping it resets the cell of that `DynRef` to `None`. */ struct Dropper<'dr, T: ?Sized + 'dr>(Option<&'dr DynRef>); 40 | 41 | /* Token type marked `PhantomPinned`; its `dynref` guard is what ends the lock on the `DynRef`. */ pub struct Lifetime<'dr, 'br, T: ?Sized + 'dr + 'br> { 42 | dynref: Dropper<'dr, T>, 43 | _data: PhantomData<&'br T>, 44 | _pin: PhantomPinned, 45 | } 46 | 47 | impl<'dr, T: ?Sized + 'dr> Drop for Dropper<'dr, T> { 48 | fn drop(&mut self) { 49 | match self.0 { 50 | Some(DynRef(cell)) => cell.set(None), /* armed guard: stop exposing the pointer */ 51 | None => {} /* empty or disarmed guard: nothing to clear */ 52 | } 53 | } 54 | } 55 | 56 | impl<'dr, 'br, T> Lifetime<'dr, 'br, T> { 57 | /* Builds a `Lifetime` whose guard holds no `DynRef`. */ fn new_empty() -> Self { 58 | Self { 59 | dynref: Dropper(None), 60 | _data: PhantomData, 61 | _pin: PhantomPinned, 62 | } 63 | } 64 | } 65 | 66 | unsafe impl<'dr, 'br, T> FromUnpinned<(&'br T, &'dr DynRef)> for Lifetime<'dr, 'br, T> { 67 | type PinData = (&'br T, &'dr DynRef); 68 | 69 | unsafe fn from_unpinned(data: Self::PinData) -> (Self, Self::PinData) { 70 | (Self::new_empty(), data) 71 | } 72 | 73 | unsafe fn on_pin(&mut self, (val, dynref): 
Self::PinData) { 74 | let ptr = val as *const T; 75 | dynref.0.set(Some(ptr)); /* publish the raw pointer through the `DynRef` */ 76 | self.dynref = Dropper(Some(dynref)); /* arm the guard that clears it on drop */ 77 | } 78 | } 79 | 80 | unsafe impl<'dr, 'br, T> Transfer for Lifetime<'dr, 'br, T> { 81 | fn empty() -> Tr { 82 | Tr::from_empty(Self::new_empty()) 83 | } 84 | 85 | unsafe fn transfer(src: &mut PinStack<'_, Self>, dst: *mut Self) { 86 | (*dst).dynref.0 = src.dynref.0; /* hand the guarded `DynRef` over to `dst` */ 87 | src.as_mut().get_unchecked_mut().dynref.0 = None /* disarm the source: its guard now holds `None` and clears nothing on drop */ 88 | } 89 | } 90 | 91 | fn main() { 92 | let dr = DynRef::new(); 93 | assert!(dr.is_none()); 94 | { 95 | let s = String::from("foo"); 96 | { 97 | stack_let!(_lifetime = dr.lock(&s)); 98 | 99 | // Dropping the `_lifetime` handle early is allowed: `dr` is still set right after (next assert) and is cleared only when the enclosing block ends. 100 | std::mem::drop(_lifetime); 101 | assert!(dr.is_some()); 102 | } 103 | assert!(dr.is_none()); 104 | } 105 | println!("foo: {}", transfer_if_odd("foo")); 106 | println!("foobar: {}", transfer_if_odd("foobar")); 107 | } 108 | 109 | /* Transfers the lock to the outer `lifetime` only when `val.len()` is odd, then reports whether `dr` is still set once the inner block has ended. */ fn transfer_if_odd(val: &'static str) -> bool { 110 | let dr = DynRef::new(); 111 | { 112 | let mut lifetime = Lifetime::empty(); /* NOTE(review): declared before `s`, so `s` is dropped first at the end of this block; in the transferred case `dr` then still holds a pointer to the dropped `String` until `lifetime` is dropped right after (nothing dereferences it in between) - confirm this ordering is intended */ 113 | let s = String::from(val); 114 | assert!(dr.is_none()); 115 | { 116 | stack_let!(inner_lifetime = dr.lock(&s)); 117 | assert!(dr.is_some()); 118 | if val.len() % 2 == 1 { 119 | transfer(inner_lifetime, &mut lifetime); 120 | } 121 | assert!(dr.is_some()); 122 | } 123 | dr.is_some() 124 | } 125 | } 126 | -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | use stackpin::PinStack; 2 | 3 | /// Runs user code to take a value out of an unmovable (pinned) instance and put it into another instance. 4 | /// # Safety 5 | /// 6 | /// * Implementers **must** write a valid `Self` to the `dst` argument of `transfer` 7 | /// * Implementers are **not** allowed to panic in the `transfer` function 8 | /// * Implementers **must** reset `src` to a value that can be safely dropped without any effect on 9 | /// the `dst` pointer that was written to in the `transfer` function 10 | pub unsafe trait Transfer { 11 | /// # Safety 12 | /// NOTE(review): the first requirement refers to a `reset` that is not defined in this file, and the free `transfer` function does not call one - confirm what is meant. 13 | /// 
* Callers of this function **must** call `reset` on the `src` argument right afterwards. 14 | /// * `dst` must point to a `Self` instance, that can possibly be uninitialized 15 | /// * `src` and `dst` **must** point to different instances. 16 | unsafe fn transfer(src: &mut PinStack<'_, Self>, dst: *mut Self) 17 | where 18 | Self: Sized; 19 | 20 | /* Returns a placeholder instance wrapped in `Tr`, used as the destination slot of a later `transfer`. */ fn empty() -> Tr; 21 | } 22 | 23 | /* Destination slot for a transferred value; built from an "empty" instance. */ pub struct Tr(T); 24 | 25 | impl Tr { 26 | pub fn from_empty(empty: T) -> Self { 27 | Self(empty) 28 | } 29 | 30 | /* Raw pointer to the wrapped value, handed to `Transfer::transfer` as `dst`. */ fn slot(&mut self) -> *mut T { 31 | &mut self.0 as *mut T 32 | } 33 | } 34 | 35 | /* Consumes the pinned `src`, runs `T::transfer` into `dest`, and returns `dest` re-pinned for the `'new` lifetime. */ pub fn transfer<'old, 'new, T>( 36 | mut src: PinStack<'old, T>, 37 | dest: &'new mut Tr, 38 | ) -> PinStack<'new, T> 39 | where 40 | T: Transfer, 41 | { 42 | use stackpin::StackPinned; 43 | use std::pin::Pin; 44 | unsafe { /* SAFETY(review): `slot` points into `dest`, which is exclusively borrowed for `'new`, and `src` is a separate owned handle; everything else rests on the `Transfer` impl of `T` upholding the trait contract - confirm */ 45 | let slot = dest.slot(); 46 | T::transfer(&mut src, slot); 47 | Pin::new_unchecked(StackPinned::new(&mut *slot)) 48 | } 49 | } 50 | 51 | #[macro_export] 52 | macro_rules! transfer_let { 53 | /* Arm 1: create a fresh slot and call `$fun_name` with `&mut` slot as the trailing argument. NOTE(review): `$($arg),* &mut $id` emits no comma before `&mut $id` when arguments are given; only the zero-argument form is used in this file - confirm. */ ($id:ident = $fun_name:ident ($($arg:expr),*)) => { 54 | let mut $id = $crate::Transfer::empty(); 55 | let $id = $fun_name($($arg),* &mut $id); 56 | }; 57 | /* Arm 2: create a fresh slot and transfer the pinned expression `$e` into it. */ ($id:ident = $e:expr) => { 58 | let mut $id = $crate::Transfer::empty(); 59 | let $id = $crate::transfer($e, &mut $id); 60 | }; 61 | } 62 | 63 | #[cfg(test)] 64 | mod tests { 65 | 66 | mod secret { 67 | use std::marker::PhantomPinned; 68 | pub struct SecretU64(u64, PhantomPinned); 69 | 70 | fn secure_erase(x: &mut u64) { 71 | *x = 0; /* NOTE(review): an ordinary store. Nothing here stops the optimizer from removing it as a dead store when the value is not read again, so this shows the pattern but is not a guaranteed wipe; a real implementation would use a volatile write (`core::ptr::write_volatile`) followed by a compiler fence, or a vetted zeroizing crate. */ 72 | } 73 | 74 | use super::super::{Tr, Transfer}; 75 | use stackpin::FromUnpinned; 76 | use stackpin::PinStack; 77 | 78 | unsafe impl<'a> FromUnpinned<&'a mut u64> for SecretU64 { 79 | type PinData = &'a mut u64; 80 | 81 | unsafe fn from_unpinned(src: &'a mut u64) -> (Self, &'a mut u64) { 82 | (Self(0, PhantomPinned), src) 83 | } 84 | 85 | unsafe fn on_pin(&mut self, data: &'a mut u64) { 86 | self.0 = *data; /* copy the value in; the original behind `data` is zeroed below */ 87 | println!( 88 | "Secure erasing data that served for construction at {:p}", 89 | data 90 
| ); 91 | secure_erase(data); 92 | } 93 | } 94 | 95 | unsafe impl Transfer for SecretU64 { 96 | unsafe fn transfer(src: &mut PinStack<'_, Self>, dst: *mut Self) { 97 | (*dst).0 = src.0; /* copy the secret into the destination */ 98 | secure_erase(&mut src.as_mut().get_unchecked_mut().0); /* zero the source, so its `Drop` takes the `self.0 == 0` branch */ 99 | println!( 100 | "Secure erasing on transfer for {:p}", 101 | &mut src.as_mut().get_unchecked_mut().0 102 | ); 103 | } 104 | 105 | fn empty() -> Tr { 106 | Tr::from_empty(Self(0, PhantomPinned)) 107 | } 108 | } 109 | 110 | impl SecretU64 { 111 | /* Reads the stored value out of a pinned secret. */ pub fn reveal(this: &PinStack<'_, Self>) -> u64 { 112 | this.0 113 | } 114 | } 115 | 116 | /* Zeroes the value on drop; a stored 0 is treated as already empty and left alone. */ impl Drop for SecretU64 { 117 | fn drop(&mut self) { 118 | if self.0 == 0 { 119 | println!("Not erasing empty secret at {:p}", self); 120 | } else { 121 | println!("Secure erasing in dtor for {:p}", self); 122 | secure_erase(&mut self.0) 123 | } 124 | } 125 | } 126 | 127 | /* Pins a local secret (42) and transfers it into the `slot` supplied by the caller, returning it pinned there. */ pub fn generate_secret(slot: &mut crate::Tr) -> PinStack<'_, SecretU64> { 128 | let mut secret = 42; 129 | stackpin::stack_let!(secret = stackpin::Unpinned::new(&mut secret)); 130 | crate::transfer(secret, slot) 131 | } 132 | } 133 | 134 | use secret::SecretU64; 135 | 136 | #[test] 137 | fn outin_transfer() { 138 | use secret::generate_secret; 139 | super::transfer_let!(my_secret = generate_secret()); 140 | assert_eq!(SecretU64::reveal(&my_secret), 42); 141 | } 142 | 143 | fn transfer_secret(outer_secret: stackpin::PinStack<'_, secret::SecretU64>) { 144 | super::transfer_let!(inner_secret = outer_secret); 145 | assert_eq!(SecretU64::reveal(&inner_secret), 83); 146 | } 147 | 148 | #[test] 149 | fn inout_transfer() { 150 | let mut initial_secret = 83u64; 151 | stackpin::stack_let!(my_secret: SecretU64 = &mut initial_secret); 152 | transfer_secret(my_secret); 153 | assert_eq!(initial_secret, 0); /* `on_pin` zeroed the original variable */ 154 | } 155 | } 156 | --------------------------------------------------------------------------------