From b92cd1a32c842e82575e59374545dda5f9b9f77a Mon Sep 17 00:00:00 2001 From: Christopher Durham Date: Sun, 10 Apr 2022 15:04:57 -0500 Subject: [PATCH] Clarify str::from_utf8_unchecked's invariants Specifically, make it clear that it is immediately UB to pass ill-formed UTF-8 into the function. The previous wording left space to interpret that the UB only occurred when calling another function, which "assumes that `&str`s are valid UTF-8." This does not change whether str being UTF-8 is a safety or a validity invariant. (As per previous discussion, it is a safety invariant, not a validity invariant.) It just makes it clear that valid UTF-8 is a precondition of str::from_utf8_unchecked, and that emitting an Abstract Machine fault (e.g. UB or a sanitizer error) on invalid UTF-8 is a valid thing to do. If user code wants to create an unsafe `&str` pointing to ill-formed UTF-8, it must be done via transmutes. Also, just, don't. --- library/core/src/str/converts.rs | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/library/core/src/str/converts.rs b/library/core/src/str/converts.rs index ef26cbfb640..81b1db4ac6f 100644 --- a/library/core/src/str/converts.rs +++ b/library/core/src/str/converts.rs @@ -144,11 +144,7 @@ pub const fn from_utf8_mut(v: &mut [u8]) -> Result<&mut str, Utf8Error> { /// /// # Safety /// -/// This function is unsafe because it does not check that the bytes passed to -/// it are valid UTF-8. If this constraint is violated, undefined behavior -/// results, as the rest of Rust assumes that [`&str`]s are valid UTF-8. -/// -/// [`&str`]: str +/// The bytes passed in must be valid UTF-8. /// /// # Examples ///
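Review bot: the replacement line "The bytes passed in must be valid UTF-8." states the precondition but no longer names the consequence of violating it, even though the commit message says the point of the change is that passing ill-formed UTF-8 is immediately undefined behavior; a `# Safety` section conventionally states both, so consider "The bytes passed in must be valid UTF-8. Passing ill-formed UTF-8 is immediately undefined behavior, regardless of whether the resulting `&str` is ever used." Also, the hunk deletes the `[`&str`]: str` link definition along with the only visible use of it; please confirm no other `[`&str`]` reference remains elsewhere in this doc comment, since a dangling intra-doc link would surface as a rustdoc warning.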