Clarify String::from_utf8_unchecked's invariants

[CAD97]

This is the same clarification as in #95895, and makes str::from_utf8_unchecked and String::from_utf8_unchecked agree again. Either String should be changed to match str (this PR), or str should be reverted to match String. (Or both are changed to a new, better description of what it means to violate the safety invariant.)

Strictly speaking, String's buffer being valid UTF-8 is a safety invariant, not a validity invariant. This means that String managing a non-UTF-8 buffer is not an AM violation / UB, but can result in safe API surface causing an AM violation / UB.

Currently, no String functionality, including Drop::drop, say they are valid on invalid UTF-8. As such, the only thing possible to do with an unsafe String is forget to drop it. Everything else is library UB.

Making valid UTF-8 a precondition of from_utf8_unchecked then is an API simplification. Additionally, this makes from_utf8(bytes).unwrap() a valid sanitizing implementation.

I opened a #t-lang/wg-unsafe-code-guidelines Zulip thread to discuss whether from_unchecked style functions should prefer documenting a safety precondition or a safety postcondition.

[rust-highfive]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[rust-highfive]

r? @Mark-Simulacrum

(rust-highfive has picked a reviewer for you, use r? to override)

[CAD97]

@rustbot label +T-libs-api -T-libs

[Mark-Simulacrum]

I have a preference towards the new phrasing as well, but probably worth a short discussion at a T-libs-api meeting or similar just to confirm this is indeed what we want.

r? @joshtriplett

[JohnCSimon]

What is the status of this PR. No movement since June

[pitaj]

@joshtriplett ping from triage, no movement for 7 months. What is the status of this PR? Did the aforementioned discussion ever take place?

[JohnCSimon]

@CAD97
Ping from triage: I'm closing this due to inactivity, Please reopen when you are ready to continue with this.
Note: if you are going to continue please open the PR BEFORE you push to it, else you won't be able to reopen - this is a quirk of github.
Thanks for your contribution.

@rustbot label: +S-inactive