-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider documenting that (parts of?) stdlib must not be used before/after main #110708
Comments
IMHO, core types should work in whatever context but libstd is more dicey. It more explicitly has a runtime or three (e.g. Rust's, libc's and the OS's). So at a minimum anything in the modules In summary, my thoughts are:
|
Core types can still panic and panics do IO. |
Hm... how much of an issue is that? Panics don't have to do I/O (e.g. if stderr is closed) so if platforms don't support that before or after main then it can be silently skipped, no? |
But do we do that properly today? And it's not just IO but also panic hooks which in turn can rely on various other parts of std. |
I think it would be fine to document that e.g. after main they may want to set an empty (or aborting) panic hook if panicking is possible. I really don't want to be in a situation where the user is in a worse place than if they'd just used |
Could we turn panics into immediate aborts after main? That would also avoid the backtrace printing and symbolication. |
I looked through the standard library, and The stack guard used by the stack overflow handler also accesses the same TLS slot as |
If we're going to make a statement at all then imo we should start out with something more cautious than making solid guarantees since this would be a pretty wide-ranging promise.
|
Proposed documentation based on my previous comment: #115247 |
Document std limitations before/after main Solves rust-lang#110708
Rollup merge of rust-lang#115247 - the8472:life-before-main, r=dtolnay Document std limitations before/after main Solves rust-lang#110708
All existing standard library documentation implicitly assumes that the APIs are being used between the start of a Rust
main
and end ofmain
.For example
std::thread::current
does not document any indication that the function would panic. It does not need to document that, because the function cannot panic, as long as the call occurs within the duration ofmain
.However it's possible to observe a panic like this:
(Related PR and discussion: #107216)
In general using the standard library from an
atexit
callback, or beforemain
through a static constructor, is UB: according to #107216 (comment) "we can't really guarantee anything specific happens [...]; at least not in a cross-platform way."Is this worth calling out centrally as a caveat to all other documentation of the standard library? At the top level of the whole
std
crate (it would perhaps be more prominent than it deserves), at the module level, or in the Reference? Certainly forstd::thread
,std::io
,std::fs
, the expectation users need to have is that nothing in there will work outside ofmain
.Are there APIs it makes sense to carve out as being permissible outside of
main
? Stuff likeCell
,ManuallyDrop
,MaybeUninit
,NonNull
, etc. We'd maybe need to do research into how constructors and atexit are being used in the wild. For example theinventory
crate relies onAtomicPtr
,UnsafeCell
, andOption
to be usable beforemain
: https://github.com/dtolnay/inventory/blob/508cb5918640d05414b0c49843d1c26088df6713/src/lib.rs#L191. It seems obvious that those things should work but there isn't documentation which guarantees it. I assume that makes theinventory
crate technically unsound as written.The text was updated successfully, but these errors were encountered: