Closed
Description
openedon Feb 25, 2018
A recent Doc PR for CStr reminded me of this:
https://users.rust-lang.org/t/cstring-from-raw-danger/15340
CString::from_rawshould make it clear that the length isn't just "recomputed," but that the recomputed length must match the original length. Yes, this can be inferred from the clearly-stated invariants of the type, but I feel this is important enough to deserve a sentence all of its own in theUnsafetysection of thefrom_rawmethod, because it singlehandedly cripples a very wide range of would-be use cases forCString.CString::into_rawshould steer users away from using the pattern ofCString::{into_raw,from_raw}when interfacing with C APIs that may change the effective length of the string by writing interior NULs or erasing the final NUL. (But what should we steer them towards?Vec<c_char>, probably? Hard to create one from string data though, compared toVec<u8>...)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Metadata
Assignees
Labels
Area: Foreign function interface (FFI)Area: documentation for any part of the project, including the compiler, standard library, and toolsCategory: An issue proposing an enhancement or a PR with one.Call for participation: Hard difficulty. Experience needed to fix: A lot.Medium priorityRelevant to the library API team, which will review and decide on the PR/issue.