Search code examples

Get a &mut [u8] from a MaybeUninit for writing to

I want to do something like:

let mut buf: MaybeUninit<[u8; BUF_SIZE]> = MaybeUninit::uninit();
let buf: &mut [u8] = unsafe { &mut *buf.as_mut_ptr() };

let mut len = 0;
loop {
    let n = buf[len..])?;
    len += n;
    // ...

AFAIK you have to use unsafe code, because the compiler can't verify that you're not reading from the uninitialized memory. This should improve if/when rust finally provides a safe way to read into a MaybeUninit buffer.

But what's the canonical way to do this? I've also seen it done with transmute and std::slice::from_raw_parts_mut. The transmute is ugly as sin if you specify the types, which you should, and the from_raw_parts_mut loses the buffer size info, which gives you one extra opportunity to make a mistake.

The docs for as_mut_ptr() basically give very similar code as an example of undefined behavior. I don't agree with the docs, I think it only is undefined behavior if you read from it, and I don't. Am I wrong? Why?

Is there some library that lets me do this in a nicer way? I checked the bytes crate an smallvec crates, but the former creates a heap buffer and the latter doesn't make the code any better.


  • Given that people here (including me) have outright forbade this (and for a good reason!), I'd like to give a more nuanced stance.

    I'll begin with: as already stated here, and cited from the docs, you must not do this. This is in undecided territory, and as such, it definitely could be declared UB.

    However, the general stance of t-opsem (the team that is responsible for decisions about unsafe code) seem to be to eventually allow this. See and There are many reasons (explained in detail in the linked pages), and they can require understanding of deep corners of the memory model, so I'll avoid explaining them here. What you should know is that if and when (and only when!) this will be formally accepted, creating &mut [u8] (or any other reference) pointing to uninitialized memory won't be UB, but reading u8s from it will, and perhaps writing too (that depends on other undecided questions).

    So if this will get accepted, your code will become sound, at one crucial condition: you wrote the read() function, and you know it doesn't read from its argument (alternatively, it is provided by a library, but the library guarantees it doesn't read from its argument). This is because safe code can trust any unsafe code, but unsafe code can only trust known safe code. So read() can't be generic - otherwise, it'd be possible to supply a type that reads from the provided reference, creating unsoundness. It can neither be an std reader (e.g. File) - because those do not guarantee they don't read from their argument. For all you know, in the next Rust/library version they may suddenly start doing that, even if they haven't previously. That leaves pretty much only code you personally maintain.

    So isn't there a solution? There is; as mentioned above, it's BorrowedBuf. It's a type designed to encapsulate the unsafety of reading into uninitialized buffers, by providing an interface that allows the buffer to be given even to untrusted code and trusting BorrowedBuf to not let them do forbidden things.

    There are two problems in this rosy vision:

    1. BorrowedBuf is unstable (and have been for years), because people still aren't sure what's the best API for it.
    2. Even when it was stabilized, it is opt-in: you will need your reader to implement the read_buf() method, otherwise it'll just fill the buffer and forward to read().

    So for now, the only path forward is to write all the code yourself, including the reader, and use raw pointers only. But before committing to that, please benchmark - most probably, you will discover that the overhead of zeroing few bytes isn't noticeable at all.