Document the requirement on recomputed length for CString::from_raw #48525
Labels
A-docs
Area: Documentation for any part of the project, including the compiler, standard library, and tools
A-FFI
Area: Foreign function interface (FFI)
C-enhancement
Category: An issue proposing an enhancement or a PR with one.
E-hard
Call for participation: Hard difficulty. Experience needed to fix: A lot.
P-medium
Medium priority
T-libs-api
Relevant to the library API team, which will review and decide on the PR/issue.
A recent Doc PR for CStr reminded me of this:
https://users.rust-lang.org/t/cstring-from-raw-danger/15340
CString::from_raw
should make it clear that the length isn't just "recomputed," but that the recomputed length must match the original length. Yes, this can be inferred from the clearly-stated invariants of the type, but I feel this is important enough to deserve a sentence all of its own in theUnsafety
section of thefrom_raw
method, because it singlehandedly cripples a very wide range of would-be use cases forCString
.CString::into_raw
should steer users away from using the pattern ofCString::{into_raw,from_raw}
when interfacing with C APIs that may change the effective length of the string by writing interior NULs or erasing the final NUL. (But what should we steer them towards?Vec<c_char>
, probably? Hard to create one from string data though, compared toVec<u8>
...)The text was updated successfully, but these errors were encountered: