Ensure at least one buffer for vectored I/O

thaliaarchi · thaliaarchi · commit 9d3dc9206bba · 2025-03-29T21:50:42.000-07:00
POSIX requires at least one buffer passed to readv and writev, but we
allow the user to pass an empty slice of buffers. In this case, return a
zero-length read or write.
diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs
@@ -297,7 +297,6 @@
 #[cfg(test)]
 mod tests;
 
-use core::intrinsics;
 #[unstable(feature = "read_buf", issue = "78485")]
 pub use core::io::{BorrowedBuf, BorrowedCursor};
 use core::slice::memchr;
@@ -1389,25 +1388,6 @@ impl<'a> IoSliceMut<'a> {
         }
     }
 
-    /// Limits a slice of buffers to at most `n` buffers.
-    ///
-    /// When the slice contains over `n` buffers, ensure that at least one
-    /// non-empty buffer is in the truncated slice, if there is one.
-    #[allow(dead_code)] // Not used on all platforms
-    #[inline]
-    pub(crate) fn limit_slices(bufs: &mut &mut [IoSliceMut<'a>], n: usize) {
-        if intrinsics::unlikely(bufs.len() > n) {
-            for (i, buf) in bufs.iter().enumerate() {
-                if !buf.is_empty() {
-                    let len = cmp::min(bufs.len() - i, n);
-                    *bufs = &mut take(bufs)[i..i + len];
-                    return;
-                }
-            }
-            *bufs = &mut take(bufs)[..0];
-        }
-    }
-
     /// Get the underlying bytes as a mutable slice with the original lifetime.
     ///
     /// # Examples
@@ -1569,25 +1549,6 @@ impl<'a> IoSlice<'a> {
         }
     }
 
-    /// Limits a slice of buffers to at most `n` buffers.
-    ///
-    /// When the slice contains over `n` buffers, ensure that at least one
-    /// non-empty buffer is in the truncated slice, if there is one.
-    #[allow(dead_code)] // Not used on all platforms
-    #[inline]
-    pub(crate) fn limit_slices(bufs: &mut &[IoSlice<'a>], n: usize) {
-        if intrinsics::unlikely(bufs.len() > n) {
-            for (i, buf) in bufs.iter().enumerate() {
-                if !buf.is_empty() {
-                    let len = cmp::min(bufs.len() - i, n);
-                    *bufs = &bufs[i..i + len];
-                    return;
-                }
-            }
-            *bufs = &bufs[..0];
-        }
-    }
-
     /// Get the underlying bytes as a slice with the original lifetime.
     ///
     /// This doesn't borrow from `self`, so is less restrictive than calling
@@ -1625,6 +1586,60 @@ impl<'a> Deref for IoSlice<'a> {
     }
 }
 
+/// Limits a slice of buffers to at most `n` buffers and ensures that it has at
+/// least one buffer, even if empty.
+///
+/// When the slice contains over `n` buffers, ensure that at least one non-empty
+/// buffer is in the truncated slice, if there is one.
+#[allow(dead_code)] // Not used on all platforms
+pub(crate) macro limit_slices($bufs:expr, $n:expr) {
+    'slices: {
+        let bufs: &[IoSlice<'_>] = $bufs;
+        let n: usize = $n;
+        // if bufs.len() > n || bufs.is_empty()
+        if core::intrinsics::unlikely(bufs.len().wrapping_sub(1) > n - 1) {
+            for (i, buf) in bufs.iter().enumerate() {
+                if !buf.is_empty() {
+                    let len = cmp::min(bufs.len() - i, n);
+                    break 'slices &bufs[i..i + len];
+                }
+            }
+            // All buffers are empty. Since POSIX requires at least one buffer
+            // for [writev], but possibly bufs.is_empty(), return an empty write.
+            // [writev]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/writev.html
+            return Ok(0);
+        }
+        bufs
+    }
+}
+
+/// Limits a slice of buffers to at most `n` buffers and ensures that it has at
+/// least one buffer, even if empty.
+///
+/// When the slice contains over `n` buffers, ensure that at least one non-empty
+/// buffer is in the truncated slice, if there is one.
+#[allow(dead_code)] // Not used on all platforms
+pub(crate) macro limit_slices_mut($bufs:expr, $n:expr) {
+    'slices: {
+        let bufs: &mut [IoSliceMut<'_>] = $bufs;
+        let n: usize = $n;
+        // if bufs.len() > n || bufs.is_empty()
+        if core::intrinsics::unlikely(bufs.len().wrapping_sub(1) > n - 1) {
+            for (i, buf) in bufs.iter().enumerate() {
+                if !buf.is_empty() {
+                    let len = cmp::min(bufs.len() - i, n);
+                    break 'slices &mut bufs[i..i + len];
+                }
+            }
+            // All buffers are empty. Since POSIX requires at least one buffer
+            // for [readv], but possibly bufs.is_empty(), return an empty read.
+            // [readv]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/readv.html
+            return Ok(0);
+        }
+        bufs
+    }
+}
+
 /// A trait for objects which are byte-oriented sinks.
 ///
 /// Implementors of the `Write` trait are sometimes called 'writers'.
diff --git a/library/std/src/sys/net/connection/socket/solid.rs b/library/std/src/sys/net/connection/socket/solid.rs
@@ -222,8 +222,8 @@ impl Socket {
         self.recv_with_flags(buf, 0)
     }
 
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             netc::readv(self.as_raw_fd(), bufs.as_ptr() as *const netc::iovec, bufs.len() as c_int)
         })?;
@@ -264,8 +264,8 @@ impl Socket {
         self.recv_from_with_flags(buf, MSG_PEEK)
     }
 
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             netc::writev(self.as_raw_fd(), bufs.as_ptr() as *const netc::iovec, bufs.len() as c_int)
         })?;
diff --git a/library/std/src/sys/net/connection/socket/windows.rs b/library/std/src/sys/net/connection/socket/windows.rs
@@ -333,8 +333,8 @@ impl Socket {
         self.recv_with_flags(buf, 0)
     }
 
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, u32::MAX as usize);
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, u32::MAX as usize);
         let mut nread = 0;
         let mut flags = 0;
         let result = unsafe {
@@ -422,8 +422,8 @@ impl Socket {
         self.recv_from_with_flags(buf, c::MSG_PEEK)
     }
 
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, u32::MAX as usize);
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, u32::MAX as usize);
         let mut nwritten = 0;
         let result = unsafe {
             c::WSASend(
diff --git a/library/std/src/sys/pal/hermit/fd.rs b/library/std/src/sys/pal/hermit/fd.rs
@@ -37,8 +37,8 @@ impl FileDesc {
         Ok(())
     }
 
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             hermit_abi::readv(
                 self.as_raw_fd(),
@@ -65,8 +65,8 @@ impl FileDesc {
         Ok(result as usize)
     }
 
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             hermit_abi::writev(
                 self.as_raw_fd(),
diff --git a/library/std/src/sys/pal/unix/fd.rs b/library/std/src/sys/pal/unix/fd.rs
@@ -104,8 +104,8 @@ impl FileDesc {
         target_os = "vita",
         target_os = "nuttx"
     )))]
-    pub fn read_vectored(&self, mut bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::readv(
                 self.as_raw_fd(),
@@ -195,12 +195,8 @@ impl FileDesc {
         target_os = "netbsd",
         target_os = "openbsd", // OpenBSD 2.7
     ))]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::preadv(
                 self.as_raw_fd(),
@@ -237,11 +233,7 @@ impl FileDesc {
     // passing 64-bits parameters to syscalls, so we fallback to the default
     // implementation if `preadv` is not available.
     #[cfg(all(target_os = "android", target_pointer_width = "64"))]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         super::weak::syscall!(
             fn preadv(
                 fd: libc::c_int,
@@ -251,7 +243,7 @@ impl FileDesc {
             ) -> isize;
         );
 
-        IoSliceMut::limit_slices(&mut bufs, max_iov());
+        let bufs = io::limit_slices_mut!(bufs, max_iov());
         let ret = cvt(unsafe {
             preadv(
                 self.as_raw_fd(),
@@ -267,11 +259,7 @@ impl FileDesc {
     // FIXME(#115199): Rust currently omits weak function definitions
     // and its metadata from LLVM IR.
     #[no_sanitize(cfi)]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         super::weak::weak!(
             fn preadv64(
                 fd: libc::c_int,
@@ -283,7 +271,7 @@ impl FileDesc {
 
         match preadv64.get() {
             Some(preadv) => {
-                IoSliceMut::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices_mut!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     preadv(
                         self.as_raw_fd(),
@@ -308,11 +296,7 @@ impl FileDesc {
     // These versions may be newer than the minimum supported versions of OS's we support so we must
     // use "weak" linking.
     #[cfg(target_vendor = "apple")]
-    pub fn read_vectored_at(
-        &self,
-        mut bufs: &mut [IoSliceMut<'_>],
-        offset: u64,
-    ) -> io::Result<usize> {
+    pub fn read_vectored_at(&self, bufs: &mut [IoSliceMut<'_>], offset: u64) -> io::Result<usize> {
         super::weak::weak!(
             fn preadv(
                 fd: libc::c_int,
@@ -324,7 +308,7 @@ impl FileDesc {
 
         match preadv.get() {
             Some(preadv) => {
-                IoSliceMut::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices_mut!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     preadv(
                         self.as_raw_fd(),
@@ -356,8 +340,8 @@ impl FileDesc {
         target_os = "vita",
         target_os = "nuttx"
     )))]
-    pub fn write_vectored(&self, mut bufs: &[IoSlice<'_>]) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::writev(
                 self.as_raw_fd(),
@@ -426,8 +410,8 @@ impl FileDesc {
         target_os = "netbsd",
         target_os = "openbsd", // OpenBSD 2.7
     ))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
-        IoSlice::limit_slices(&mut bufs, max_iov());
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             libc::pwritev(
                 self.as_raw_fd(),
@@ -464,7 +448,7 @@ impl FileDesc {
     // passing 64-bits parameters to syscalls, so we fallback to the default
     // implementation if `pwritev` is not available.
     #[cfg(all(target_os = "android", target_pointer_width = "64"))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         super::weak::syscall!(
             fn pwritev(
                 fd: libc::c_int,
@@ -474,7 +458,7 @@ impl FileDesc {
             ) -> isize;
         );
 
-        IoSlice::limit_slices(&mut bufs, max_iov());
+        let bufs = io::limit_slices!(bufs, max_iov());
         let ret = cvt(unsafe {
             pwritev(
                 self.as_raw_fd(),
@@ -487,7 +471,7 @@ impl FileDesc {
     }
 
     #[cfg(all(target_os = "android", target_pointer_width = "32"))]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         super::weak::weak!(
             fn pwritev64(
                 fd: libc::c_int,
@@ -499,7 +483,7 @@ impl FileDesc {
 
         match pwritev64.get() {
             Some(pwritev) => {
-                IoSlice::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     pwritev(
                         self.as_raw_fd(),
@@ -524,7 +508,7 @@ impl FileDesc {
     // These versions may be newer than the minimum supported versions of OS's we support so we must
     // use "weak" linking.
     #[cfg(target_vendor = "apple")]
-    pub fn write_vectored_at(&self, mut bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
+    pub fn write_vectored_at(&self, bufs: &[IoSlice<'_>], offset: u64) -> io::Result<usize> {
         super::weak::weak!(
             fn pwritev(
                 fd: libc::c_int,
@@ -536,7 +520,7 @@ impl FileDesc {
 
         match pwritev.get() {
             Some(pwritev) => {
-                IoSlice::limit_slices(&mut bufs, max_iov());
+                let bufs = io::limit_slices!(bufs, max_iov());
                 let ret = cvt(unsafe {
                     pwritev(
                         self.as_raw_fd(),
diff --git a/library/std/src/sys/pal/unix/fd/tests.rs b/library/std/src/sys/pal/unix/fd/tests.rs
@@ -20,3 +20,12 @@ fn limit_vector_count() {
     bufs[IOV_MAX * 2] = IoSlice::new(b"world!");
     assert_eq!(stdout.write_vectored(&bufs).unwrap(), b"hello".len())
 }
+
+#[test]
+fn empty_vector() {
+    let stdin = ManuallyDrop::new(unsafe { FileDesc::from_raw_fd(0) });
+    assert_eq!(stdin.read_vectored(&mut []).unwrap(), 0);
+
+    let stdout = ManuallyDrop::new(unsafe { FileDesc::from_raw_fd(1) });
+    assert_eq!(stdout.write_vectored(&[]).unwrap(), 0);
+}
