pub struct ManuallyDrop<T: TrackDrop>(pub T);Expand description
Linear-drop obligation wrapper. ManuallyDrop::new(t, regions)
consumes the State-side obligation entry for t.key() (via
T::consume_obligation) and wraps the value. The wrapper carries only
the value — no embedded obligation — and can be silently dropped
affinely; the linear-drop guarantee comes from the State-side ledger.
The precondition consume_requires (e.g. `frame_obligations.count(idx)
0
for Frame) is the load-bearing safety check: callers must establish an outstanding obligation entry att.key(). Producers likeFrame::from_raw,Frame::clone,Frame::from_unused,Frame::from_in_use` mint that entry. The mint + consume pair is net-zero on the ledger — “the borrow ends here.”
§Unsoundness warning
It is unsound to extract the inner T from ManuallyDrop<T> via
take/into_inner-style operations without minting a fresh
obligation at the extraction site. A ManuallyDrop<T> carries no
obligation, so the extracted T would have none either — but
T::drop (e.g. Frame::drop) requires an obligation as input, so the
extracted value cannot legally be dropped. Any extraction site must
mint a fresh entry into the State-side ledger, gated by a soundness
justification (typically ref_count >= 1 for MD<Frame>, mirroring
Frame::from_raw’s safety condition).
At the time of this redesign no ostd callsite extracts a Frame from
a ManuallyDrop<Frame> (only Deref borrows are taken; the one
into_inner is on MD<Arc<T>>, not MD<Frame>). Adding such an
extraction without the matching mint resurrects the double-counting
bug that motivated this redesign.
Tuple Fields§
§0: T