Ensure at least one buffer for vectored I/O

POSIX requires at least one buffer passed to readv and writev, but we
allow the user to pass an empty slice of buffers. In this case, return a
zero-length read or write.

Author: thaliaarchi

library/std/src/io/mod.rs

@@ -297,7 +297,6 @@
 #[cfg(test)]
 mod tests;
 
-use core::intrinsics;
 #[unstable(feature = "read_buf", issue = "78485")]
 pub use core::io::{BorrowedBuf, BorrowedCursor};
 use core::slice::memchr;
@@ -1389,25 +1388,6 @@ impl<'a> IoSliceMut<'a> {
         }
     }
 
-    /// Limits a slice of buffers to at most `n` buffers.
-    ///
-    /// When the slice contains over `n` buffers, ensure that at least one
-    /// non-empty buffer is in the truncated slice, if there is one.
-    #[allow(dead_code)] // Not used on all platforms
-    #[inline]
-    pub(crate) fn limit_slices(bufs: &mut &mut [IoSliceMut<'a>], n: usize) {
-        if intrinsics::unlikely(bufs.len() > n) {
-            for (i, buf) in bufs.iter().enumerate() {
-                if !buf.is_empty() {
-                    let len = cmp::min(bufs.len() - i, n);
-                    *bufs = &mut take(bufs)[i..i + len];
-                    return;
-                }
-            }
-            *bufs = &mut take(bufs)[..0];
-        }
-    }
-
     /// Get the underlying bytes as a mutable slice with the original lifetime.
     ///
     /// # Examples
@@ -1569,25 +1549,6 @@ impl<'a> IoSlice<'a> {
         }
     }
 
-    /// Limits a slice of buffers to at most `n` buffers.
-    ///
-    /// When the slice contains over `n` buffers, ensure that at least one
-    /// non-empty buffer is in the truncated slice, if there is one.
-    #[allow(dead_code)] // Not used on all platforms
-    #[inline]
-    pub(crate) fn limit_slices(bufs: &mut &[IoSlice<'a>], n: usize) {
-        if intrinsics::unlikely(bufs.len() > n) {
-            for (i, buf) in bufs.iter().enumerate() {
-                if !buf.is_empty() {
-                    let len = cmp::min(bufs.len() - i, n);
-                    *bufs = &bufs[i..i + len];
-                    return;
-                }
-            }
-            *bufs = &bufs[..0];
-        }
-    }
-
     /// Get the underlying bytes as a slice with the original lifetime.
     ///
     /// This doesn't borrow from `self`, so is less restrictive than calling
@@ -1625,6 +1586,60 @@ impl<'a> Deref for IoSlice<'a> {
     }
 }
 
+/// Limits a slice of buffers to at most `n` buffers and ensures that it has at
+/// least one buffer, even if empty.
+///
+/// When the slice contains over `n` buffers, ensure that at least one non-empty
+/// buffer is in the truncated slice, if there is one.
+#[allow(unused_macros)] // Not used on all platforms
+pub(crate) macro limit_slices($bufs:expr, $n:expr) {
+    'slices: {
+        let bufs: &[IoSlice<'_>] = $bufs;
+        let n: usize = $n;
+        // if bufs.len() > n || bufs.is_empty()
+        if core::intrinsics::unlikely(bufs.len().wrapping_sub(1) >= n) {
+            for (i, buf) in bufs.iter().enumerate() {
+                if !buf.is_empty() {
+                    let len = cmp::min(bufs.len() - i, n);
+                    break 'slices &bufs[i..i + len];
+                }
+            }
+            // All buffers are empty. Since POSIX requires at least one buffer
+            // for [writev], but possibly bufs.is_empty(), return an empty write.
+            // [writev]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/writev.html
+            return Ok(0);
+        }
+        bufs
+    }
+}
+
+/// Limits a slice of buffers to at most `n` buffers and ensures that it has at
+/// least one buffer, even if empty.
+///
+/// When the slice contains over `n` buffers, ensure that at least one non-empty
+/// buffer is in the truncated slice, if there is one.
+#[allow(unused_macros)] // Not used on all platforms
+pub(crate) macro limit_slices_mut($bufs:expr, $n:expr) {
+    'slices: {
+        let bufs: &mut [IoSliceMut<'_>] = $bufs;
+        let n: usize = $n;
+        // if bufs.len() > n || bufs.is_empty()
+        if core::intrinsics::unlikely(bufs.len().wrapping_sub(1) >= n) {
+            for (i, buf) in bufs.iter().enumerate() {
+                if !buf.is_empty() {
+                    let len = cmp::min(bufs.len() - i, n);
+                    break 'slices &mut bufs[i..i + len];
+                }
+            }
+            // All buffers are empty. Since POSIX requires at least one buffer
+            // for [readv], but possibly bufs.is_empty(), return an empty read.
+            // [readv]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/readv.html
+            return Ok(0);
+        }
+        bufs
+    }
+}
+
 /// A trait for objects which are byte-oriented sinks.
 ///
 /// Implementors of the `Write` trait are sometimes called 'writers'.

library/std/src/sys/fd/hermit.rs

@@ -37,8 +37,8 @@ impl FileDesc {
         Ok(())
     }
 
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             hermit_abi::readv(
                 self.as_raw_fd(),
@@ -65,8 +65,8 @@ impl FileDesc {
         Ok(result as usize)
     }
 
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             hermit_abi::writev(
                 self.as_raw_fd(),

library/std/src/sys/fd/unix.rs

@@ -108,8 +108,8 @@ impl FileDesc {
         target_os = "vita",
         target_os = "nuttx"
     )))]
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::readv(
                 self.as_raw_fd(),
@@ -199,12 +199,8 @@ impl FileDesc {
         target_os = "netbsd",
         target_os = "openbsd", // OpenBSD 2.7
     ))]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::preadv(
                 self.as_raw_fd(),
@@ -241,11 +237,7 @@ impl FileDesc {
     // passing 64-bits parameters to syscalls, so we fallback to the default
     // implementation if `preadv` is not available.
     #[cfg(all(target_os = "android", target_pointer_width = "64"))]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         syscall!(
             fn preadv(
                 fd: libc::c_int,
@@ -255,7 +247,7 @@ impl FileDesc {
             ) -> isize;
         );
 
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             preadv(
                 self.as_raw_fd(),
@@ -271,11 +263,7 @@ impl FileDesc {
     // FIXME(#115199): Rust currently omits weak function definitions
     // and its metadata from LLVM IR.
     #[no_sanitize(cfi)]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         weak!(
             fn preadv64(
                 fd: libc::c_int,
@@ -287,7 +275,7 @@ impl FileDesc {
 
         match preadv64.get() {
             Some(preadv) => {
-                IoSliceMut::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices_mut!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     preadv(
                         self.as_raw_fd(),
@@ -312,11 +300,7 @@ impl FileDesc {
     // These versions may be newer than the minimum supported versions of OS's we support so we must
     // use "weak" linking.
     #[cfg(target_vendor = "apple")]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         weak!(
             fn preadv(
                 fd: libc::c_int,
@@ -328,7 +312,7 @@ impl FileDesc {
 
         match preadv.get() {
             Some(preadv) => {
-                IoSliceMut::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices_mut!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     preadv(
                         self.as_raw_fd(),
@@ -360,8 +344,8 @@ impl FileDesc {
         target_os = "vita",
         target_os = "nuttx"
     )))]
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::writev(
                 self.as_raw_fd(),
@@ -430,8 +414,8 @@ impl FileDesc {
         target_os = "netbsd",
         target_os = "openbsd", // OpenBSD 2.7
     ))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::pwritev(
                 self.as_raw_fd(),
@@ -468,7 +452,7 @@ impl FileDesc {
     // passing 64-bits parameters to syscalls, so we fallback to the default
     // implementation if `pwritev` is not available.
     #[cfg(all(target_os = "android", target_pointer_width = "64"))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         syscall!(
             fn pwritev(
                 fd: libc::c_int,
@@ -478,7 +462,7 @@ impl FileDesc {
             ) -> isize;
         );
 
-        IoSlice::limit_slices(&mut bufs, max_iov());
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             pwritev(
                 self.as_raw_fd(),
@@ -491,7 +475,7 @@ impl FileDesc {
     }
 
     #[cfg(all(target_os = "android", target_pointer_width = "32"))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         weak!(
             fn pwritev64(
                 fd: libc::c_int,
@@ -503,7 +487,7 @@ impl FileDesc {
 
         match pwritev64.get() {
             Some(pwritev) => {
-                IoSlice::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     pwritev(
                         self.as_raw_fd(),
@@ -528,7 +512,7 @@ impl FileDesc {
     // These versions may be newer than the minimum supported versions of OS's we support so we must
     // use "weak" linking.
     #[cfg(target_vendor = "apple")]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         weak!(
             fn pwritev(
                 fd: libc::c_int,
@@ -540,7 +524,7 @@ impl FileDesc {
 
         match pwritev.get() {
             Some(pwritev) => {
-                IoSlice::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     pwritev(
                         self.as_raw_fd(),

library/std/src/sys/fd/unix/tests.rs

@@ -21,3 +21,12 @@ fn limit_vector_count() {
     bufs[IOV_MAX * 2] = IoSlice::new(b"world!");
     assert_eq!(stdout.write_vectored(&bufs).unwrap(), b"hello".len())
 }
+
+#[test]
+fn empty_vector() {
+    let stdin = ManuallyDrop::new(unsafe { FileDesc::from_raw_fd(0) });
+    assert_eq!(stdin.read_vectored(&mut []).unwrap(), 0);
+
+    let stdout = ManuallyDrop::new(unsafe { FileDesc::from_raw_fd(1) });
+    assert_eq!(stdout.write_vectored(&[]).unwrap(), 0);
+}

library/std/src/sys/net/connection/socket/solid.rs

@@ -222,8 +222,8 @@ impl Socket {
         self.recv_with_flags(buf, 0)
     }
 
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             netc::readv(self.as_raw_fd(), bufs.as_ptr() as *const netc::iovec, bufs.len() as c_int)
         })?;
@@ -264,8 +264,8 @@ impl Socket {
         self.recv_from_with_flags(buf, MSG_PEEK)
     }
 
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             netc::writev(self.as_raw_fd(), bufs.as_ptr() as *const netc::iovec, bufs.len() as c_int)
         })?;