fix(core): move sigaction unsafe out of core into fast_io#4571
Merged
Conversation
The `core::signal::unix` module installed Unix signal handlers with a
direct `libc::sigaction` call inside `unsafe { }`, requiring a
module-level `#![allow(unsafe_code)]` override on `core::signal`. That
violates the workspace policy that confines unsafe code to a small set of
permitted crates (`fast_io`, `metadata`, `checksums`, `engine`,
`protocol`).
Hoist the FFI into a new `fast_io::signal` module that exposes a safe
`install_signal_handler(signum, handler)` API. The wrapper zero-initialises
the `sigaction` struct, sets `SA_RESTART`, and submits it; non-Unix
targets compile to a no-op stub. `core::signal::unix` now installs SIGINT,
SIGTERM, SIGHUP, and SIGPIPE through that safe API, and the module-level
unsafe override is removed so `core`'s `#![deny(unsafe_code)]` covers the
signal subtree.
Signal semantics are unchanged: same four signals, same handler
functions, same `SA_RESTART` flag, same atomic-flag state machine.
oferchen
added a commit
that referenced
this pull request
May 20, 2026
- README status table and Known Limitations now state IOCP is wired for the receive-side disk-write pipeline (transfer::disk_commit dispatches Writer::Iocp on Windows) in addition to socket transports, not just compiled. The stale #1868 issue reference is dropped; the read-path extension is tracked under WPG-1. - README and SECURITY.md unsafe-code inventories reflect PR #4571: signal-handler installation lives in fast_io::signal as a safe wrapper, core::signal carries no unsafe override, and platform's bullet drops "signal handlers" from its description. - SECURITY.md notes the test-only #[allow(unsafe_code)] on embedding's tests::EnvGuard helper so the deny-only list is accurate for production code without misrepresenting test scaffolding.
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
libc::sigactionFFI call out ofcore::signal::unixand into a newfast_io::signalmodule that exposes a safeinstall_signal_handler(signum, handler)API.#![allow(unsafe_code)]override fromcore::signalso thecorecrate's#![deny(unsafe_code)]now covers the signal subtree.SA_RESTARTflag, same atomic-flag state machine.Why
corewas the only general-purpose crate left carrying a module-scoped unsafe override. The workspace policy confines unsafe code to a small set of permitted crates (fast_io,metadata,checksums,engine,protocol);fast_iois the long-term home for platform FFI. Moving the eight lines ofsigactionsetup behind a one-call safe wrapper deletes the override without changing behaviour.Layout
crates/fast_io/src/signal/mod.rs- publicSignalHandlerFnalias and re-exports.crates/fast_io/src/signal/unix.rs- the single unsafe block (zero-initsigaction,SA_RESTART, submit). Tested with SIGUSR1 (must install) and-1(must return EINVAL).crates/fast_io/src/signal/stub.rs- no-op for non-Unix targets.crates/core/src/signal/unix.rs- now callsfast_io::signal::install_signal_handlerfour times.crates/core/src/signal/mod.rs- module-level#![allow(unsafe_code)]removed; doc comment updated.Test plan
cargo fmt --all -- --checkclean.cargo clippy --workspace --all-targets --all-features --no-deps -- -D warningsclean.core::signal::install_signal_handlers()integration test still passes (no API change).