Does TokioIo::poll_read violate the safety requirement of ReadBufCursor::as_mut?

[zacknewman]

I'm unable to create an issue or start a discussion in hyper-util, so I'm starting one here. I have essentially zero experience with unsafe code except in the simplest cases, so I apologize if this question is rudimentary.

Anyway, the safety comment for ReadBufCursor::as_mut states "The caller must not uninitialize any bytes that may have been initialized before.". TokioIo implements Read::poll_read in a way that appears to violate this requirement. Specifically, when AsyncRead::poll_read errs it immediately returns the error without advancing the buffer. Doesn't this mean that a call to Read::poll_read after an error will cause previously initialized memory to be unitialized when the previous call initialized some of the bytes before erring?

impl<T> hyper::rt::Read for TokioIo<T>
where
    T: tokio::io::AsyncRead,
{
    fn poll_read(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        mut buf: hyper::rt::ReadBufCursor<'_>,
    ) -> Poll<Result<(), std::io::Error>> {
        let n = unsafe {
            let mut tbuf = tokio::io::ReadBuf::uninit(buf.as_mut());
            match tokio::io::AsyncRead::poll_read(self.project().inner, cx, &mut tbuf) {
                Poll::Ready(Ok(())) => tbuf.filled().len(),
                // When `other` is `Poll::Ready(Err(_))`, isn't it possible that the above call to
                // `AsyncRead::poll_read` initialized at least some of `tbuf` meaning calling
                // `tokio::io::ReadBuf::uninit(buf.as_mut())` again violates the safety requirement?
                other => return other,
            }
        };

        unsafe {
            buf.advance(n);
        }
        Poll::Ready(Ok(()))
    }
}

[zacknewman]

Not an issue. Sorry for the noise.