rust-lang · chenyukang · Oct 14, 2025 · chenyukang · Oct 14, 2025
diff --git a/library/std/src/sys/process/unix/common.rs b/library/std/src/sys/process/unix/common.rs
@@ -105,15 +105,15 @@ pub struct Command {
     setsid: bool,
 }
 
-// passed to do_exec() with configuration of what the child stdio should look
-// like
+// passed to do_exec() with configuration of what the child stdio should look like
 #[cfg_attr(target_os = "vita", allow(dead_code))]
 pub struct ChildPipes {
     pub stdin: ChildStdio,
     pub stdout: ChildStdio,
     pub stderr: ChildStdio,
 }
 
+// SAFETY: ChildPipes does not involve heap memory allocations
 pub enum ChildStdio {
     Inherit,
     Explicit(c_int),

diff --git a/library/std/src/sys/process/unix/unix.rs b/library/std/src/sys/process/unix/unix.rs
@@ -269,11 +269,6 @@ impl Command {
     // For this reason, the block of code below should contain 0
     // invocations of either malloc of free (or their related friends).
     //
-    // As an example of not having malloc/free traffic, we don't close
-    // this file descriptor by dropping the FileDesc (which contains an
-    // allocation). Instead we just close it manually. This will never
-    // have the drop glue anyway because this code never returns (the
-    // child will either exec() or invoke libc::exit)
     #[cfg(not(any(target_os = "tvos", target_os = "watchos")))]
     unsafe fn do_exec(
         &mut self,
@@ -292,6 +287,11 @@ impl Command {
             cvt_r(|| libc::dup2(fd, libc::STDERR_FILENO))?;
         }
 
+        // SAFETY: Dropping `stdio` (ChildPipes) is safe here since ChildPipes
+        // does not involve heap memory allocations
+        debug_assert!(size_of::<ChildPipes>() <= 24);
+        drop(stdio);
+
         #[cfg(not(target_os = "l4re"))]
         {
             if let Some(_g) = self.get_groups() {