diff --git a/library/std/src/sys/process/unix/common.rs b/library/std/src/sys/process/unix/common.rs
index 1d5909e99bacc..8c2184e40fd36 100644
--- a/library/std/src/sys/process/unix/common.rs
+++ b/library/std/src/sys/process/unix/common.rs
@@ -105,8 +105,7 @@ pub struct Command {
 setsid: bool,
 }
 
-// passed to do_exec() with configuration of what the child stdio should look
-// like
+// passed to do_exec() with configuration of what the child stdio should look like
 #[cfg_attr(target_os = "vita", allow(dead_code))]
 pub struct ChildPipes {
 pub stdin: ChildStdio,
@@ -114,6 +113,7 @@ pub struct ChildPipes {
 pub stderr: ChildStdio,
 }
 
+// SAFETY: ChildPipes does not involve heap memory allocations
 pub enum ChildStdio {
 Inherit,
 Explicit(c_int),
diff --git a/library/std/src/sys/process/unix/unix.rs b/library/std/src/sys/process/unix/unix.rs
index 7d944f2f7eef1..e90a3bbb656c4 100644
--- a/library/std/src/sys/process/unix/unix.rs
+++ b/library/std/src/sys/process/unix/unix.rs
@@ -269,11 +269,6 @@ impl Command {
 // For this reason, the block of code below should contain 0
 // invocations of either malloc of free (or their related friends).
 //
- // As an example of not having malloc/free traffic, we don't close
- // this file descriptor by dropping the FileDesc (which contains an
- // allocation). Instead we just close it manually. This will never
- // have the drop glue anyway because this code never returns (the
- // child will either exec() or invoke libc::exit)
 #[cfg(not(any(target_os = "tvos", target_os = "watchos")))]
 unsafe fn do_exec(
 &mut self,
@@ -292,6 +287,11 @@ impl Command {
 cvt_r(|| libc::dup2(fd, libc::STDERR_FILENO))?;
 }
 
+ // SAFETY: Dropping `stdio` (ChildPipes) is safe here since ChildPipes
+ // does not involve heap memory allocations
+ debug_assert!(size_of::() <= 24);
+ drop(stdio);
+
 #[cfg(not(target_os = "l4re"))]
 {
 if let Some(_g) = self.get_groups() {
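Review bot: The added `// SAFETY:` comment in common.rs sits directly above `pub enum ChildStdio` but speaks about `ChildPipes`, and `SAFETY:` is conventionally the justification attached to an `unsafe` block, so here it reads as an invariant that nothing checks. Only the `Inherit` and `Explicit(c_int)` variants are visible in this hunk, so whether every variant is free of heap ownership cannot be confirmed from here. I would phrase it as an invariant on the type that a future editor adding a variant will see, e.g. `// Invariant: no variant may own heap memory; values are dropped in the forked child before exec, where malloc/free must not run.`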
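Review bot: `debug_assert!(size_of::() <= 24)` in the last unix.rs hunk does not establish what the SAFETY comment claims: a size bound says nothing about heap ownership (a `Box` is pointer-sized), and the check is compiled out when debug assertions are off. If it ever fired it would do so at run time in the forked child, where the panic path may itself allocate, which is what the comment above `do_exec` rules out. A compile-time check avoids that, `const _: () = assert!(size_of::<ChildPipes>() <= 24);`, with the type argument assumed from the comment because it is missing in this rendering. The rationale deleted in the previous hunk should also survive next to `drop(stdio)`, e.g. `// Runs in the forked child: this drop must not allocate or free.` `do_exec` begins and ends outside the hunk.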