
docs: refresh IOCP wiring and signal-handler unsafe attribution #4574

Merged
oferchen merged 1 commit into master from docs/readme-security-iocp-signal-refresh
May 20, 2026

Conversation

@oferchen
Owner

Summary

Three factual corrections to README.md and SECURITY.md against current origin/master state.

  1. IOCP wiring is broader than the prose claims. Both the README status table (row Async I/O backend) and the Known Limitations section described Windows IOCP as either "compiled, not wired" or "wired only for sockets". In current master, transfer::disk_commit::Writer::Iocp dispatches the receive-side disk-write pipeline through IOCP on Windows; only the read path still falls back to standard buffered I/O. The stale issue reference #1868 (which was actually a packaging-flow issue, merged 2025-11-01) is dropped; the read-path extension is now tracked under WPG-1.

  2. Signal-handler unsafe lives in fast_io, not platform or core. Both files still attributed signal-handler unsafe to platform (and SECURITY.md implicitly to core::signal's previous #![allow(unsafe_code)]). The signal-installation FFI has been hoisted into fast_io::signal::install_signal_handler; core::signal now lives under plain #![deny(unsafe_code)], and the platform bullet no longer claims signal handling. The fast_io bullets in both files now mention signal::install_signal_handler alongside the rest of the syscall surface.

  3. embedding carries a test-only #[allow(unsafe_code)]. SECURITY.md listed embedding in the deny-only list, which is correct for production code but misleading - tests::EnvGuard uses #[cfg(test)]-only unsafe { std::env::set_var(...) } under a process-wide mutex. The bullet now calls out that carve-out explicitly.

No code changes. Both files are markdown-only edits.

Test plan

  • CI required checks pass (fmt+clippy, nextest stable, Windows, macOS, Linux musl, interop) - this is a docs-only diff so the failure modes are limited to broken markdown rendering or markdownlint regressions.
  • Manual rendering check on GitHub PR preview confirms no broken links / table corruption.

- README status table and Known Limitations now state IOCP is wired
  for the receive-side disk-write pipeline (transfer::disk_commit
  dispatches Writer::Iocp on Windows) in addition to socket transports,
  not just compiled. The stale #1868 issue reference is dropped; the
  read-path extension is tracked under WPG-1.
- README and SECURITY.md unsafe-code inventories reflect PR #4571:
  signal-handler installation lives in fast_io::signal as a safe
  wrapper, core::signal carries no unsafe override, and platform's
  bullet drops "signal handlers" from its description.
- SECURITY.md notes the test-only #[allow(unsafe_code)] on
  embedding's tests::EnvGuard helper so the deny-only list is accurate
  for production code without misrepresenting test scaffolding.
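The third correction above describes a pattern worth seeing in full: a production surface that denies `unsafe` outright, with a narrowly scoped `#[cfg(test)]`-only `#[allow(unsafe_code)]` for an `EnvGuard` that mutates the process environment under a process-wide mutex. The block below is an added illustration of that pattern and is not the project's own `embedding` crate or its `tests::EnvGuard`; the `embedding` module, `configured_endpoint`, and the `EXAMPLE_EMBEDDING_ENDPOINT` variable name are constructed for the example. It shows why the carve-out is acceptable for an unsafe-code inventory: the `allow` is attached to a module that does not exist in a release build, and the one `unsafe` it permits is justified by the lock the guard holds for its whole lifetime.

```rust
// Hypothetical stand-in for the production `embedding` crate the PR describes.
// The outer `#[deny(unsafe_code)]` keeps this surface in the deny-only list.
#[deny(unsafe_code)]
pub mod embedding {
    /// Production code only reads the environment, so it needs no `unsafe`.
    /// `EXAMPLE_EMBEDDING_ENDPOINT` is a constructed variable name.
    pub fn configured_endpoint() -> Option<String> {
        std::env::var("EXAMPLE_EMBEDDING_ENDPOINT").ok()
    }
}

// Test-only carve-out: the `allow` is scoped to a `#[cfg(test)]` module, so a
// release build still compiles with the deny in force. `unused_unsafe` is also
// allowed because `std::env::set_var` is an `unsafe fn` only from edition 2024
// onwards; on older editions the `unsafe` block is merely redundant.
#[cfg(test)]
#[allow(unsafe_code, unused_unsafe)]
mod tests {
    use super::embedding;
    use std::sync::{Mutex, MutexGuard, OnceLock};

    /// Process-wide lock. Mutating the environment while another thread reads
    /// it is a data race (the reason `set_var` became unsafe), and the test
    /// harness runs tests in parallel, so every guard holds this for its
    /// whole lifetime.
    fn env_lock() -> &'static Mutex<()> {
        static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
        LOCK.get_or_init(|| Mutex::new(()))
    }

    /// RAII helper modelled on the `tests::EnvGuard` described in the PR:
    /// sets one variable for the guard's lifetime, then restores the previous
    /// state (value or absence) on drop.
    pub struct EnvGuard {
        key: String,
        previous: Option<String>,
        _lock: MutexGuard<'static, ()>,
    }

    impl EnvGuard {
        pub fn set(key: &str, value: &str) -> Self {
            // A poisoned lock only means an earlier test panicked while
            // holding it; the environment itself is consistent, so recover.
            let lock = env_lock().lock().unwrap_or_else(|e| e.into_inner());
            let previous = std::env::var(key).ok();
            // SAFETY: `lock` serialises all environment mutation in this
            // process for as long as the guard lives.
            unsafe { std::env::set_var(key, value) };
            Self { key: key.to_owned(), previous, _lock: lock }
        }
    }

    impl Drop for EnvGuard {
        fn drop(&mut self) {
            // SAFETY: `_lock` is still held here; fields drop after this body.
            unsafe {
                match &self.previous {
                    Some(v) => std::env::set_var(&self.key, v),
                    None => std::env::remove_var(&self.key),
                }
            }
        }
    }

    #[test]
    fn guard_sets_and_restores() {
        let before = embedding::configured_endpoint();
        {
            let _g = EnvGuard::set("EXAMPLE_EMBEDDING_ENDPOINT", "https://example.invalid");
            assert_eq!(
                embedding::configured_endpoint().as_deref(),
                Some("https://example.invalid")
            );
        }
        // Guard dropped: the variable is back to whatever it was before.
        assert_eq!(embedding::configured_endpoint(), before);
    }
}

fn main() {
    // Outside `cfg(test)` the carve-out module does not exist at all; the
    // production surface only reads.
    println!("endpoint: {:?}", embedding::configured_endpoint());
}
```

Run it with `cargo test` (or `rustc --test`) to exercise the guard; a plain `cargo build` never sees the `tests` module, which is exactly what lets an inventory like SECURITY.md list the production crate as deny-only while still being honest about the test scaffolding. If the `allow` were placed at crate level instead of on the `#[cfg(test)]` module, that distinction would be lost.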
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label May 20, 2026
@oferchen oferchen merged commit f1a7da5 into master May 20, 2026
10 checks passed
@oferchen oferchen deleted the docs/readme-security-iocp-signal-refresh branch May 20, 2026 11:20