Use ManuallyDrop inside Undo

fitzgen · fitzgen · commit 7e1426cb7b44 · 2026-01-29T13:24:51.000-08:00
diff --git a/crates/core/src/undo.rs b/crates/core/src/undo.rs
@@ -82,19 +82,19 @@ pub struct Undo<T, F>
 where
     F: FnOnce(T),
 {
-    inner: Option<T>,
-    undo: Option<F>,
+    inner: mem::ManuallyDrop<T>,
+    undo: mem::ManuallyDrop<F>,
 }
 
 impl<T, F> Drop for Undo<T, F>
 where
     F: FnOnce(T),
 {
     fn drop(&mut self) {
-        if let Some(inner) = self.inner.take() {
-            let undo = self.undo.take().unwrap();
-            undo(inner);
-        }
+        // Safety: These `ManuallyDrop` fields will not be used again.
+        let inner = unsafe { mem::ManuallyDrop::take(&mut self.inner) };
+        let undo = unsafe { mem::ManuallyDrop::take(&mut self.undo) };
+        undo(inner);
     }
 }
 
@@ -118,7 +118,7 @@ where
     type Target = T;
 
     fn deref(&self) -> &Self::Target {
-        self.inner.as_ref().unwrap()
+        &self.inner
     }
 }
 
@@ -127,7 +127,7 @@ where
     F: FnOnce(T),
 {
     fn deref_mut(&mut self) -> &mut Self::Target {
-        self.inner.as_mut().unwrap()
+        &mut self.inner
     }
 }
 
@@ -141,16 +141,23 @@ where
     /// when dropped, unless the guard is disabled via `Undo::commit`.
     pub fn new(inner: T, undo: F) -> Self {
         Self {
-            inner: Some(inner),
-            undo: Some(undo),
+            inner: mem::ManuallyDrop::new(inner),
+            undo: mem::ManuallyDrop::new(undo),
         }
     }
 
     /// Disable this `Undo` and return its inner value.
     ///
     /// This `Undo`'s cleanup function will never be called.
     pub fn commit(mut guard: Self) -> T {
-        let inner = guard.inner.take().unwrap();
+        // Safety: These `ManuallyDrop` fields will not be used again.
+        let inner = unsafe {
+            // Make sure to drop `undo`, even though we aren't calling it, to
+            // avoid leaking closed-over `Arc`s, for example.
+            mem::ManuallyDrop::drop(&mut guard.undo);
+
+            mem::ManuallyDrop::take(&mut guard.inner)
+        };
         mem::forget(guard);
         inner
     }

Original file line number	Diff line number	Diff line change
`@@ -82,19 +82,19 @@ pub struct Undo<T, F>`
`82`	`82`	`where`
`83`	`83`	`F: FnOnce(T),`
`84`	`84`	`{`
`85`		`- inner: Option<T>,`
`86`		`- undo: Option<F>,`
	`85`	`+ inner: mem::ManuallyDrop<T>,`
	`86`	`+ undo: mem::ManuallyDrop<F>,`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`impl<T, F> Drop for Undo<T, F>`
`90`	`90`	`where`
`91`	`91`	`F: FnOnce(T),`
`92`	`92`	`{`
`93`	`93`	`fn drop(&mut self) {`
`94`		`- if let Some(inner) = self.inner.take() {`
`95`		`- let undo = self.undo.take().unwrap();`
`96`		`- undo(inner);`
`97`		`- }`
	`94`	+ // Safety: These `ManuallyDrop` fields will not be used again.
	`95`	`+ let inner = unsafe { mem::ManuallyDrop::take(&mut self.inner) };`
	`96`	`+ let undo = unsafe { mem::ManuallyDrop::take(&mut self.undo) };`
	`97`	`+ undo(inner);`
`98`	`98`	`}`
`99`	`99`	`}`
`100`	`100`
`@@ -118,7 +118,7 @@ where`
`118`	`118`	`type Target = T;`
`119`	`119`
`120`	`120`	`fn deref(&self) -> &Self::Target {`
`121`		`- self.inner.as_ref().unwrap()`
	`121`	`+ &self.inner`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`
`@@ -127,7 +127,7 @@ where`
`127`	`127`	`F: FnOnce(T),`
`128`	`128`	`{`
`129`	`129`	`fn deref_mut(&mut self) -> &mut Self::Target {`
`130`		`- self.inner.as_mut().unwrap()`
	`130`	`+ &mut self.inner`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`
`@@ -141,16 +141,23 @@ where`
`141`	`141`	/// when dropped, unless the guard is disabled via `Undo::commit`.
`142`	`142`	`pub fn new(inner: T, undo: F) -> Self {`
`143`	`143`	`Self {`
`144`		`- inner: Some(inner),`
`145`		`- undo: Some(undo),`
	`144`	`+ inner: mem::ManuallyDrop::new(inner),`
	`145`	`+ undo: mem::ManuallyDrop::new(undo),`
`146`	`146`	`}`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	/// Disable this `Undo` and return its inner value.
`150`	`150`	`///`
`151`	`151`	/// This `Undo`'s cleanup function will never be called.
`152`	`152`	`pub fn commit(mut guard: Self) -> T {`
`153`		`- let inner = guard.inner.take().unwrap();`
	`153`	+ // Safety: These `ManuallyDrop` fields will not be used again.
	`154`	`+ let inner = unsafe {`
	`155`	+ // Make sure to drop `undo`, even though we aren't calling it, to
	`156`	+ // avoid leaking closed-over `Arc`s, for example.
	`157`	`+ mem::ManuallyDrop::drop(&mut guard.undo);`
	`158`	`+`
	`159`	`+ mem::ManuallyDrop::take(&mut guard.inner)`
	`160`	`+ };`
`154`	`161`	`mem::forget(guard);`
`155`	`162`	`inner`
`156`	`163`	`}`