ref: move user_consent to sentry_run_t for thread-safe access

Move require_user_consent and user_consent from sentry_options_t to
sentry_run_t as atomic longs. Add sentry__run_should_skip_upload()
helper that batcher and retry call directly through their refcounted
run pointer, replacing the fragile raw long* into options.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jpnurmi

src/sentry_batcher.c

@@ -224,9 +224,7 @@ sentry__batcher_flush(sentry_batcher_t *batcher, bool crash_safe)
                 // crash
                 sentry__run_write_envelope(batcher->run, envelope);
                 sentry_envelope_free(envelope);
-            } else if (!batcher->user_consent
-                || sentry__atomic_fetch(batcher->user_consent)
-                    == SENTRY_USER_CONSENT_GIVEN) {
+            } else if (!sentry__run_should_skip_upload(batcher->run)) {
                 // Normal operation: use transport for HTTP transmission
                 sentry__transport_send_envelope(batcher->transport, envelope);
             } else {
@@ -373,12 +371,10 @@ sentry__batcher_startup(
 {
     // dsn is incref'd because release() decref's it and may outlive options.
     batcher->dsn = sentry__dsn_incref(options->dsn);
-    // transport, run, and user_consent are non-owning refs, safe because they
+    // transport and run are non-owning refs, safe because they
     // are only accessed in flush() which is bound by the options lifetime.
     batcher->transport = options->transport;
     batcher->run = options->run;
-    batcher->user_consent
-        = options->require_user_consent ? (long *)&options->user_consent : NULL;
 
     // Mark thread as starting before actually spawning so thread can transition
     // to RUNNING. This prevents shutdown from thinking the thread was never

src/sentry_batcher.h

@@ -47,7 +47,6 @@ typedef struct {
     sentry_dsn_t *dsn;
     sentry_transport_t *transport;
     sentry_run_t *run;
-    long *user_consent; // (atomic) NULL if consent not required
 } sentry_batcher_t;
 
 typedef struct {

src/sentry_core.c

@@ -79,13 +79,13 @@ load_user_consent(sentry_options_t *opts)
     sentry__path_free(consent_path);
     switch (contents ? contents[0] : 0) {
     case '1':
-        opts->user_consent = SENTRY_USER_CONSENT_GIVEN;
+        opts->run->user_consent = SENTRY_USER_CONSENT_GIVEN;
         break;
     case '0':
-        opts->user_consent = SENTRY_USER_CONSENT_REVOKED;
+        opts->run->user_consent = SENTRY_USER_CONSENT_REVOKED;
         break;
     default:
-        opts->user_consent = SENTRY_USER_CONSENT_UNKNOWN;
+        opts->run->user_consent = SENTRY_USER_CONSENT_UNKNOWN;
         break;
     }
     sentry_free(contents);
@@ -96,9 +96,7 @@ sentry__should_skip_upload(void)
 {
     bool skip = true;
     SENTRY_WITH_OPTIONS (options) {
-        skip = options->require_user_consent
-            && sentry__atomic_fetch((long *)&options->user_consent)
-                != SENTRY_USER_CONSENT_GIVEN;
+        skip = sentry__run_should_skip_upload(options->run);
     }
     return skip;
 }
@@ -204,6 +202,7 @@ sentry_init(sentry_options_t *options)
         SENTRY_WARN("failed to initialize run directory");
         goto fail;
     }
+    options->run->require_user_consent = options->require_user_consent;
 
     load_user_consent(options);
 
@@ -434,7 +433,7 @@ static void
 set_user_consent(sentry_user_consent_t new_val)
 {
     SENTRY_WITH_OPTIONS (options) {
-        if (sentry__atomic_store((long *)&options->user_consent, new_val)
+        if (sentry__atomic_store(&options->run->user_consent, new_val)
             != new_val) {
             if (options->backend
                 && options->backend->user_consent_changed_func) {
@@ -483,7 +482,7 @@ sentry_user_consent_get(void)
     sentry_user_consent_t rv = SENTRY_USER_CONSENT_UNKNOWN;
     SENTRY_WITH_OPTIONS (options) {
         rv = (sentry_user_consent_t)(int)sentry__atomic_fetch(
-            (long *)&options->user_consent);
+            &options->run->user_consent);
     }
     return rv;
 }

src/sentry_core.h

@@ -34,6 +34,10 @@
 /**
  * This function will check the user consent, and return `true` if uploads
  * should *not* be sent to the sentry server, and be discarded instead.
+ *
+ * This acquires the options lock internally. Use
+ * `sentry__run_should_skip_upload` from worker threads that may run while
+ * the options are locked during SDK shutdown.
  */
 bool sentry__should_skip_upload(void);
 

src/sentry_database.c

@@ -74,6 +74,8 @@ sentry__run_new(const sentry_path_t *database_path)
     }
 
     run->refcount = 1;
+    run->require_user_consent = 0;
+    run->user_consent = SENTRY_USER_CONSENT_UNKNOWN;
     run->uuid = uuid;
     run->run_path = run_path;
     run->session_path = session_path;
@@ -96,6 +98,14 @@ sentry__run_new(const sentry_path_t *database_path)
     return NULL;
 }
 
+bool
+sentry__run_should_skip_upload(const sentry_run_t *run)
+{
+    return sentry__atomic_fetch((long *)&run->require_user_consent)
+        && sentry__atomic_fetch((long *)&run->user_consent)
+        != SENTRY_USER_CONSENT_GIVEN;
+}
+
 sentry_run_t *
 sentry__run_incref(sentry_run_t *run)
 {

src/sentry_database.h

@@ -14,8 +14,19 @@ typedef struct sentry_run_s {
     sentry_path_t *cache_path;
     sentry_filelock_t *lock;
     long refcount;
+    long require_user_consent;
+    long user_consent;
 } sentry_run_t;
 
+/**
+ * This function will check the user consent, and return `true` if uploads
+ * should *not* be sent to the sentry server, and be discarded instead.
+ *
+ * This is a lock-free variant of `sentry__should_skip_upload`, safe to call
+ * from worker threads while the options are locked during SDK shutdown.
+ */
+bool sentry__run_should_skip_upload(const sentry_run_t *run);
+
 /**
  * This creates a new application run including its associated directory and
  * lockfile:

src/sentry_options.c

@@ -46,7 +46,6 @@ sentry_options_new(void)
     }
     sentry_options_set_sdk_name(opts, SENTRY_SDK_NAME);
     opts->max_breadcrumbs = SENTRY_BREADCRUMBS_MAX;
-    opts->user_consent = SENTRY_USER_CONSENT_UNKNOWN;
     opts->auto_session_tracking = true;
     opts->system_crash_reporter_enabled = false;
     opts->attach_screenshot = false;

src/sentry_options.h

@@ -85,7 +85,6 @@ struct sentry_options_s {
     struct sentry_backend_s *backend;
     sentry_session_t *session;
 
-    long user_consent;
     long refcount;
     uint64_t shutdown_timeout;
     sentry_handler_strategy_t handler_strategy;

src/sentry_retry.c

@@ -28,7 +28,6 @@ typedef enum {
 struct sentry_retry_s {
     sentry_run_t *run;
     bool cache_keep;
-    long *user_consent;
     uint64_t startup_time;
     volatile long state;
     volatile long scheduled;
@@ -49,8 +48,6 @@ sentry__retry_new(const sentry_options_t *options)
     sentry__mutex_init(&retry->sealed_lock);
     retry->run = sentry__run_incref(options->run);
     retry->cache_keep = options->cache_keep;
-    retry->user_consent
-        = options->require_user_consent ? (long *)&options->user_consent : NULL;
     retry->startup_time = sentry__usec_time() / 1000;
     return retry;
 }
@@ -145,9 +142,7 @@ size_t
 sentry__retry_send(sentry_retry_t *retry, uint64_t before,
     sentry_retry_send_func_t send_cb, void *data)
 {
-    if (retry->user_consent
-        && sentry__atomic_fetch(retry->user_consent)
-            != SENTRY_USER_CONSENT_GIVEN) {
+    if (sentry__run_should_skip_upload(retry->run)) {
         return 0;
     }