prevent deref coercions in pin!

dianne · dianne · commit 8f93fc939be0 · 2026-03-05T11:24:17.000-08:00
diff --git a/library/core/src/pin.rs b/library/core/src/pin.rs
@@ -2034,6 +2034,13 @@ pub macro pin($value:expr $(,)?) {
     {
         super let mut pinned = $value;
         // SAFETY: The value is pinned: it is the local above which cannot be named outside this macro.
-        unsafe { $crate::pin::Pin::new_unchecked(&mut pinned) }
+        // HACK: We assign to `pinned_ref` to limit type inference. If a type annotation leads to an
+        // expected result type for `Pin::new_unchecked`, its argument will be a coercion site. If the
+        // argument is dereferenced by a coercion, the pinning invariant will be broken, leading to
+        // unsoundness; see <https://github.com/rust-lang/rust/issues/153438>. By separating out an
+        // assignment like this, we won't have an expectation on `pinned_ref`'s type when type-checking
+        // it, meaning we shouldn't see deref coercion.
+        let pinned_ref = unsafe { $crate::pin::Pin::new_unchecked(&mut pinned) };
+        pinned_ref
     }
 }
diff --git a/tests/ui/pin/dont-deref-coerce-pinned-value.rs b/tests/ui/pin/dont-deref-coerce-pinned-value.rs
@@ -2,12 +2,12 @@
 //! expectation on `pin!`'s result, make sure we don't deref-coerce the argument to
 //! `Pin::new_unchecked` to get its type to match up. That violates the pinning invariant, leading
 //! to unsoundness!
-//@ check-pass
 
 use std::pin::{Pin, pin};
 
 fn wrong_pin<T>(data: &mut T, callback: impl FnOnce(Pin<&mut T>)) {
     callback(pin!(data));
+    //~^ ERROR: mismatched types
 }
 
 fn main() {}
diff --git a/tests/ui/pin/dont-deref-coerce-pinned-value.stderr b/tests/ui/pin/dont-deref-coerce-pinned-value.stderr
@@ -0,0 +1,14 @@
+error[E0308]: mismatched types
+  --> $DIR/dont-deref-coerce-pinned-value.rs:9:14
+   |
+LL | fn wrong_pin<T>(data: &mut T, callback: impl FnOnce(Pin<&mut T>)) {
+   |              - expected this type parameter
+LL |     callback(pin!(data));
+   |              ^^^^^^^^^^ expected `Pin<&mut T>`, found `Pin<&mut &mut T>`
+   |
+   = note: expected struct `Pin<&mut _>`
+              found struct `Pin<&mut &mut _>`
+
+error: aborting due to 1 previous error
+
+For more information about this error, try `rustc --explain E0308`.

Original file line number	Diff line number	Diff line change
`@@ -2034,6 +2034,13 @@ pub macro pin($value:expr $(,)?) {`
`2034`	`2034`	`{`
`2035`	`2035`	`super let mut pinned = $value;`
`2036`	`2036`	`// SAFETY: The value is pinned: it is the local above which cannot be named outside this macro.`
`2037`		`- unsafe { $crate::pin::Pin::new_unchecked(&mut pinned) }`
	`2037`	+ // HACK: We assign to `pinned_ref` to limit type inference. If a type annotation leads to an
	`2038`	+ // expected result type for `Pin::new_unchecked`, its argument will be a coercion site. If the
	`2039`	`+ // argument is dereferenced by a coercion, the pinning invariant will be broken, leading to`
	`2040`	`+ // unsoundness; see <https://github.com/rust-lang/rust/issues/153438>. By separating out an`
	`2041`	+ // assignment like this, we won't have an expectation on `pinned_ref`'s type when type-checking
	`2042`	`+ // it, meaning we shouldn't see deref coercion.`
	`2043`	`+ let pinned_ref = unsafe { $crate::pin::Pin::new_unchecked(&mut pinned) };`
	`2044`	`+ pinned_ref`
`2038`	`2045`	`}`
`2039`	`2046`	`}`