feat: Make Client::from_env safe to call for any number of time

NobodyXu · NobodyXu · commit 1a679705e5a8 · 2023-08-03T23:52:39.000+10:00
So that it can be used in different crates without causing UB.

Signed-off-by: Jiahao XU &lt;Jiahao_XU@outlook.com&gt;
diff --git a/src/lib.rs b/src/lib.rs
@@ -256,11 +256,7 @@ impl Client {
     /// make sure to take ownership properly of the file descriptors passed
     /// down, if any.
     ///
-    /// It's generally unsafe to call this function twice in a program if the
-    /// previous invocation returned `Some`.
-    ///
-    /// Note, though, that on Windows it should be safe to call this function
-    /// any number of times.
+    /// It is ok to call this function any number of times.
     pub unsafe fn from_env_ext(check_pipe: bool) -> FromEnv {
         let (env, var_os) = match ["CARGO_MAKEFLAGS", "MAKEFLAGS", "MFLAGS"]
             .iter()
@@ -299,6 +295,19 @@ impl Client {
     /// environment.
     ///
     /// Wraps `from_env_ext` and discards error details.
+    ///
+    /// # Safety
+    ///
+    /// This function is `unsafe` to call on Unix specifically as it
+    /// transitively requires usage of the `from_raw_fd` function, which is
+    /// itself unsafe in some circumstances.
+    ///
+    /// It's recommended to call this function very early in the lifetime of a
+    /// program before any other file descriptors are opened. That way you can
+    /// make sure to take ownership properly of the file descriptors passed
+    /// down, if any.
+    ///
+    /// It is ok to call this function any number of times.
     pub unsafe fn from_env() -> Option<Client> {
         Self::from_env_ext(false).client.ok()
     }
diff --git a/src/unix.rs b/src/unix.rs
@@ -149,9 +149,10 @@ impl Client {
             }
         }
 
-        drop(set_cloexec(read, true));
-        drop(set_cloexec(write, true));
-        Ok(Some(Client::from_fds(read, write)))
+        Ok(Some(Client::Pipe {
+            read: clone_fd_and_set_cloexec(read)?,
+            write: clone_fd_and_set_cloexec(write)?,
+        }))
     }
 
     unsafe fn from_fds(read: c_int, write: c_int) -> Client {
@@ -435,6 +436,14 @@ unsafe fn fd_check(fd: c_int, check_pipe: bool) -> Result<(), FromEnvErrorInner>
     }
 }
 
+fn clone_fd_and_set_cloexec(fd: c_int) -> Result<File, FromEnvErrorInner> {
+    // Safety: File is wrapped in `ManuallyDrop` to prevent closing on drop
+    // since we don't own the fd.
+    mem::ManuallyDrop::new(unsafe { File::from_raw_fd(fd) })
+        .try_clone()
+        .map_err(|err| FromEnvErrorInner::CannotOpenFd(fd, err))
+}
+
 fn set_cloexec(fd: c_int, set: bool) -> io::Result<()> {
     unsafe {
         let previous = cvt(libc::fcntl(fd, libc::F_GETFD))?;

Original file line number	Diff line number	Diff line change
`@@ -149,9 +149,10 @@ impl Client {`
`149`	`149`	`}`
`150`	`150`	`}`
`151`	`151`
`152`		`- drop(set_cloexec(read, true));`
`153`		`- drop(set_cloexec(write, true));`
`154`		`- Ok(Some(Client::from_fds(read, write)))`
	`152`	`+ Ok(Some(Client::Pipe {`
	`153`	`+ read: clone_fd_and_set_cloexec(read)?,`
	`154`	`+ write: clone_fd_and_set_cloexec(write)?,`
	`155`	`+ }))`
`155`	`156`	`}`
`156`	`157`
`157`	`158`	`unsafe fn from_fds(read: c_int, write: c_int) -> Client {`
`@@ -435,6 +436,14 @@ unsafe fn fd_check(fd: c_int, check_pipe: bool) -> Result<(), FromEnvErrorInner>`
`435`	`436`	`}`
`436`	`437`	`}`
`437`	`438`
	`439`	`+fn clone_fd_and_set_cloexec(fd: c_int) -> Result<File, FromEnvErrorInner> {`
	`440`	+ // Safety: File is wrapped in `ManuallyDrop` to prevent closing on drop
	`441`	`+ // since we don't own the fd.`
	`442`	`+ mem::ManuallyDrop::new(unsafe { File::from_raw_fd(fd) })`
	`443`	`+ .try_clone()`
	`444`	`+ .map_err(\|err\| FromEnvErrorInner::CannotOpenFd(fd, err))`
	`445`	`+}`
	`446`	`+`
`438`	`447`	`fn set_cloexec(fd: c_int, set: bool) -> io::Result<()> {`
`439`	`448`	`unsafe {`
`440`	`449`	`let previous = cvt(libc::fcntl(fd, libc::F_GETFD))?;`