mikros/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rollup merge of #116888 - tbu-:pr_unsafe_env, r=Amanieu

Browse Source 
Add discussion that concurrent access to the environment is unsafe

The bug report #27970 has existed for 8 years, the actual bug dates back to Rust pre-1.0. I documented it since it's in the interest of the user to be aware of it. The note can be removed once #27970 is fixed.
This commit is contained in:
Matthias Krüger 2023-12-15 06:50:17 +01:00 committed by GitHub
commit 44fd74aede
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
library/std/src/env.rs
View File

@ -313,17 +313,32 @@ fn description(&self) -> &str {
/// Sets the environment variable `key` to the value `value` for the currently running /// Sets the environment variable `key` to the value `value` for the currently running
/// process. /// process.
/// ///
/// Note that while concurrent access to environment variables is safe in Rust, /// # Safety
/// some platforms only expose inherently unsafe non-threadsafe APIs for ///
/// inspecting the environment. As a result, extra care needs to be taken when /// Even though this function is currently not marked as `unsafe`, it needs to
/// auditing calls to unsafe external FFI functions to ensure that any external /// be because invoking it can cause undefined behaviour. The function will be
/// environment accesses are properly synchronized with accesses in Rust. /// marked `unsafe` in a future version of Rust. This is tracked in
/// [rust#27970](https://github.com/rust-lang/rust/issues/27970).
///
/// This function is safe to call in a single-threaded program.
///
/// In multi-threaded programs, you must ensure that are no other threads
/// concurrently writing or *reading*(!) from the environment through functions
/// other than the ones in this module. You are responsible for figuring out
/// how to achieve this, but we strongly suggest not using `set_var` or
/// `remove_var` in multi-threaded programs at all.
///
/// Most C libraries, including libc itself do not advertise which functions
/// read from the environment. Even functions from the Rust standard library do
/// that, e.g. for DNS lookups from [`std::net::ToSocketAddrs`].
/// ///
/// Discussion of this unsafety on Unix may be found in: /// Discussion of this unsafety on Unix may be found in:
/// ///
/// - [Austin Group Bugzilla](https://austingroupbugs.net/view.php?id=188) /// - [Austin Group Bugzilla](https://austingroupbugs.net/view.php?id=188)
/// - [GNU C library Bugzilla](https://sourceware.org/bugzilla/show_bug.cgi?id=15607#c2) /// - [GNU C library Bugzilla](https://sourceware.org/bugzilla/show_bug.cgi?id=15607#c2)
/// ///
/// [`std::net::ToSocketAddrs`]: crate::net::ToSocketAddrs
///
/// # Panics /// # Panics
/// ///
/// This function may panic if `key` is empty, contains an ASCII equals sign `'='` /// This function may panic if `key` is empty, contains an ASCII equals sign `'='`
@ -351,17 +366,32 @@ fn _set_var(key: &OsStr, value: &OsStr) {
/// Removes an environment variable from the environment of the currently running process. /// Removes an environment variable from the environment of the currently running process.
/// ///
/// Note that while concurrent access to environment variables is safe in Rust, /// # Safety
/// some platforms only expose inherently unsafe non-threadsafe APIs for ///
/// inspecting the environment. As a result extra care needs to be taken when /// Even though this function is currently not marked as `unsafe`, it needs to
/// auditing calls to unsafe external FFI functions to ensure that any external /// be because invoking it can cause undefined behaviour. The function will be
/// environment accesses are properly synchronized with accesses in Rust. /// marked `unsafe` in a future version of Rust. This is tracked in
/// [rust#27970](https://github.com/rust-lang/rust/issues/27970).
///
/// This function is safe to call in a single-threaded program.
///
/// In multi-threaded programs, you must ensure that are no other threads
/// concurrently writing or *reading*(!) from the environment through functions
/// other than the ones in this module. You are responsible for figuring out
/// how to achieve this, but we strongly suggest not using `set_var` or
/// `remove_var` in multi-threaded programs at all.
///
/// Most C libraries, including libc itself do not advertise which functions
/// read from the environment. Even functions from the Rust standard library do
/// that, e.g. for DNS lookups from [`std::net::ToSocketAddrs`].
/// ///
/// Discussion of this unsafety on Unix may be found in: /// Discussion of this unsafety on Unix may be found in:
/// ///
/// - [Austin Group Bugzilla](https://austingroupbugs.net/view.php?id=188) /// - [Austin Group Bugzilla](https://austingroupbugs.net/view.php?id=188)
/// - [GNU C library Bugzilla](https://sourceware.org/bugzilla/show_bug.cgi?id=15607#c2) /// - [GNU C library Bugzilla](https://sourceware.org/bugzilla/show_bug.cgi?id=15607#c2)
/// ///
/// [`std::net::ToSocketAddrs`]: crate::net::ToSocketAddrs
///
/// # Panics /// # Panics
/// ///
/// This function may panic if `key` is empty, contains an ASCII equals sign /// This function may panic if `key` is empty, contains an ASCII equals sign