feat: use a larger buffer when reading attributes (#80)

Stebalien · web-flow · commit 03d129a89752 · 2025-09-20T17:46:14.000-07:00
The code is somewhat nasty, but I'm trying to abstract over different platforms and multiple calling conventions... fixes #79
diff --git a/src/sys/bsd.rs b/src/sys/bsd.rs
@@ -2,21 +2,19 @@
 
 use libc::{c_int, c_void, size_t, EPERM};
 use std::ffi::{CString, OsStr, OsString};
-use std::io;
-use std::mem;
+use std::mem::{self, MaybeUninit};
 use std::os::unix::ffi::{OsStrExt, OsStringExt};
 use std::os::unix::io::{AsRawFd, BorrowedFd};
 use std::path::Path;
 use std::ptr;
+use std::{io, slice};
 
 use libc::{
     extattr_delete_fd, extattr_delete_file, extattr_delete_link, extattr_get_fd, extattr_get_file,
     extattr_get_link, extattr_list_fd, extattr_list_file, extattr_list_link, extattr_set_fd,
     extattr_set_file, extattr_set_link, EXTATTR_NAMESPACE_SYSTEM, EXTATTR_NAMESPACE_USER,
 };
 
-use crate::util::allocate_loop;
-
 pub const ENOATTR: i32 = libc::ENOATTR;
 pub const ERANGE: i32 = libc::ERANGE;
 
@@ -36,14 +34,38 @@ fn path_to_c(path: &Path) -> io::Result<CString> {
 }
 
 #[inline]
-fn slice_parts(buf: &mut [u8]) -> (*mut c_void, size_t) {
+fn cvt(res: libc::ssize_t) -> io::Result<usize> {
+    if res < 0 {
+        Err(io::Error::last_os_error())
+    } else {
+        Ok(res as usize)
+    }
+}
+
+#[inline]
+fn slice_parts(buf: &mut [MaybeUninit<u8>]) -> (*mut c_void, size_t) {
     if buf.is_empty() {
         (ptr::null_mut(), 0)
     } else {
         (buf.as_mut_ptr().cast(), buf.len() as size_t)
     }
 }
 
+fn allocate_loop<F: Fn(*mut c_void, size_t) -> libc::ssize_t>(f: F) -> io::Result<Vec<u8>> {
+    crate::util::allocate_loop(
+        |buf| unsafe {
+            let (ptr, len) = slice_parts(buf);
+            let new_len = cvt(f(ptr, len))?;
+            assert!(
+                new_len <= len,
+                "OS returned length {new_len} greater than buffer size {len}"
+            );
+            Ok(slice::from_raw_parts_mut(ptr.cast(), new_len))
+        },
+        || cvt(f(ptr::null_mut(), 0)),
+    )
+}
+
 /// An iterator over a set of extended attributes names.
 #[derive(Default)]
 pub struct XAttrs {
@@ -165,22 +187,9 @@ fn prefix_namespace(attr: &OsStr, ns: c_int) -> OsString {
     OsString::from_vec(v)
 }
 
-fn cvt(res: libc::ssize_t) -> io::Result<usize> {
-    if res < 0 {
-        Err(io::Error::last_os_error())
-    } else {
-        Ok(res as usize)
-    }
-}
-
 pub fn get_fd(fd: BorrowedFd<'_>, name: &OsStr) -> io::Result<Vec<u8>> {
     let (ns, name) = name_to_ns(name)?;
-    unsafe {
-        allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_get_fd(fd.as_raw_fd(), ns, name.as_ptr(), ptr, len))
-        })
-    }
+    unsafe { allocate_loop(|ptr, len| extattr_get_fd(fd.as_raw_fd(), ns, name.as_ptr(), ptr, len)) }
 }
 
 pub fn set_fd(fd: BorrowedFd<'_>, name: &OsStr, value: &[u8]) -> io::Result<()> {
@@ -213,14 +222,8 @@ pub fn remove_fd(fd: BorrowedFd<'_>, name: &OsStr) -> io::Result<()> {
 
 pub fn list_fd(fd: BorrowedFd<'_>) -> io::Result<XAttrs> {
     let sysvec = unsafe {
-        let res = allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_list_fd(
-                fd.as_raw_fd(),
-                EXTATTR_NAMESPACE_SYSTEM,
-                ptr,
-                len,
-            ))
+        let res = allocate_loop(|ptr, len| {
+            extattr_list_fd(fd.as_raw_fd(), EXTATTR_NAMESPACE_SYSTEM, ptr, len)
         });
         // On FreeBSD, system attributes require root privileges to view. However,
         // to mimic the behavior of listxattr in linux and osx, we need to query
@@ -238,14 +241,8 @@ pub fn list_fd(fd: BorrowedFd<'_>) -> io::Result<XAttrs> {
     };
 
     let uservec = unsafe {
-        let res = allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_list_fd(
-                fd.as_raw_fd(),
-                EXTATTR_NAMESPACE_USER,
-                ptr,
-                len,
-            ))
+        let res = allocate_loop(|ptr, len| {
+            extattr_list_fd(fd.as_raw_fd(), EXTATTR_NAMESPACE_USER, ptr, len)
         });
         match res {
             Ok(v) => v,
@@ -269,10 +266,7 @@ pub fn get_path(path: &Path, name: &OsStr, deref: bool) -> io::Result<Vec<u8>> {
         extattr_get_link
     };
     unsafe {
-        allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_get_func(path.as_ptr(), ns, name.as_ptr(), ptr, len))
-        })
+        allocate_loop(|ptr, len| extattr_get_func(path.as_ptr(), ns, name.as_ptr(), ptr, len))
     }
 }
 
@@ -324,14 +318,8 @@ pub fn list_path(path: &Path, deref: bool) -> io::Result<XAttrs> {
         extattr_list_link
     };
     let sysvec = unsafe {
-        let res = allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_list_func(
-                path.as_ptr(),
-                EXTATTR_NAMESPACE_SYSTEM,
-                ptr,
-                len,
-            ))
+        let res = allocate_loop(|ptr, len| {
+            extattr_list_func(path.as_ptr(), EXTATTR_NAMESPACE_SYSTEM, ptr, len)
         });
         // On FreeBSD, system attributes require root privileges to view. However,
         // to mimic the behavior of listxattr in linux and osx, we need to query
@@ -349,14 +337,8 @@ pub fn list_path(path: &Path, deref: bool) -> io::Result<XAttrs> {
     };
 
     let uservec = unsafe {
-        let res = allocate_loop(|buf| {
-            let (ptr, len) = slice_parts(buf);
-            cvt(extattr_list_func(
-                path.as_ptr(),
-                EXTATTR_NAMESPACE_USER,
-                ptr,
-                len,
-            ))
+        let res = allocate_loop(|ptr, len| {
+            extattr_list_func(path.as_ptr(), EXTATTR_NAMESPACE_USER, ptr, len)
         });
         match res {
             Ok(v) => v,
diff --git a/src/sys/linux_macos.rs b/src/sys/linux_macos.rs
@@ -7,8 +7,6 @@ use std::path::Path;
 
 use rustix::fs as rfs;
 
-use crate::util::allocate_loop;
-
 #[cfg(not(target_os = "macos"))]
 pub const ENOATTR: i32 = rustix::io::Errno::NODATA.raw_os_error();
 
@@ -66,8 +64,23 @@ impl Iterator for XAttrs {
     }
 }
 
+/// A macro to abstract away some of the boilerplate when calling `allocate_loop` with rustix
+/// functions. Unfortunately, we can't write this as a helper function because I need to call
+/// generic rustix function with two different types.
+macro_rules! allocate_loop {
+    (|$buf:ident| $($e:tt)*) => {
+        crate::util::allocate_loop(
+            |$buf| Ok($($e)*?.0),
+            || {
+                let $buf: &mut [u8] = &mut [];
+                Ok($($e)*?)
+            },
+        )
+    };
+}
+
 pub fn get_fd(fd: BorrowedFd<'_>, name: &OsStr) -> io::Result<Vec<u8>> {
-    allocate_loop(|buf| rfs::fgetxattr(fd, name, buf))
+    allocate_loop!(|buf| rfs::fgetxattr(fd, name, buf))
 }
 
 pub fn set_fd(fd: BorrowedFd<'_>, name: &OsStr, value: &[u8]) -> io::Result<()> {
@@ -81,19 +94,19 @@ pub fn remove_fd(fd: BorrowedFd<'_>, name: &OsStr) -> io::Result<()> {
 }
 
 pub fn list_fd(fd: BorrowedFd<'_>) -> io::Result<XAttrs> {
-    let vec = allocate_loop(|buf| rfs::flistxattr(fd, buf))?;
+    let vec = allocate_loop!(|buf| rfs::flistxattr(fd, buf))?;
     Ok(XAttrs {
         data: vec.into_boxed_slice(),
         offset: 0,
     })
 }
 
 pub fn get_path(path: &Path, name: &OsStr, deref: bool) -> io::Result<Vec<u8>> {
-    allocate_loop(|buf| {
-        let getxattr_func = if deref { rfs::getxattr } else { rfs::lgetxattr };
-        let size = getxattr_func(path, name, buf)?;
-        io::Result::Ok(size)
-    })
+    if deref {
+        allocate_loop!(|buf| rfs::getxattr(path, name, buf))
+    } else {
+        allocate_loop!(|buf| rfs::lgetxattr(path, name, buf))
+    }
 }
 
 pub fn set_path(path: &Path, name: &OsStr, value: &[u8], deref: bool) -> io::Result<()> {
@@ -103,23 +116,20 @@ pub fn set_path(path: &Path, name: &OsStr, value: &[u8], deref: bool) -> io::Res
 }
 
 pub fn remove_path(path: &Path, name: &OsStr, deref: bool) -> io::Result<()> {
-    let removexattr_func = if deref {
-        rfs::removexattr
+    if deref {
+        rfs::removexattr(path, name)
     } else {
-        rfs::lremovexattr
-    };
-    removexattr_func(path, name)?;
+        rfs::lremovexattr(path, name)
+    }?;
     Ok(())
 }
 
 pub fn list_path(path: &Path, deref: bool) -> io::Result<XAttrs> {
-    let vec = allocate_loop(|buf| {
-        if deref {
-            rfs::listxattr(path, buf)
-        } else {
-            rfs::llistxattr(path, buf)
-        }
-    })?;
+    let vec = if deref {
+        allocate_loop!(|buf| rfs::listxattr(path, buf))
+    } else {
+        allocate_loop!(|buf| rfs::llistxattr(path, buf))
+    }?;
     Ok(XAttrs {
         data: vec.into_boxed_slice(),
         offset: 0,
diff --git a/src/util.rs b/src/util.rs
@@ -1,4 +1,5 @@
 use std::io;
+use std::mem::MaybeUninit;
 
 pub fn extract_noattr(result: io::Result<Vec<u8>>) -> io::Result<Option<Vec<u8>>> {
     result.map(Some).or_else(|e| {
@@ -10,48 +11,42 @@ pub fn extract_noattr(result: io::Result<Vec<u8>>) -> io::Result<Option<Vec<u8>>
     })
 }
 
+/// Calls `get_value` to with a buffer and `get_size` to estimate the size of the buffer if/when
+/// `get_value` returns ERANGE.
 #[allow(dead_code)]
-pub fn allocate_loop<E, F: FnMut(&mut [u8]) -> Result<usize, E>>(mut f: F) -> io::Result<Vec<u8>>
+pub fn allocate_loop<F, S>(mut get_value: F, mut get_size: S) -> io::Result<Vec<u8>>
 where
-    io::Error: From<E>,
+    F: for<'a> FnMut(&'a mut [MaybeUninit<u8>]) -> io::Result<&'a mut [u8]>,
+    S: FnMut() -> io::Result<usize>,
 {
-    // Try assuming the variable is less than 256. We do this on the stack and copy to avoid double
-    // allocation.
-    const INITIAL_BUFFER_SIZE: usize = 256;
-    {
-        let mut buf = [0u8; INITIAL_BUFFER_SIZE];
-        match f(&mut buf[..]) {
-            Ok(len) => return Ok(buf[..len].to_vec()),
-            Err(e) => {
-                let err: io::Error = e.into();
-                if err.raw_os_error() != Some(crate::sys::ERANGE) {
-                    return Err(err);
-                }
-            }
-        }
+    // Start by assuming the return value is <= 4KiB. If it is, we can do this in one syscall.
+    const INITIAL_BUFFER_SIZE: usize = 4096;
+    match get_value(&mut [MaybeUninit::<u8>::uninit(); INITIAL_BUFFER_SIZE]) {
+        Ok(val) => return Ok(val.to_vec()),
+        Err(e) if e.raw_os_error() != Some(crate::sys::ERANGE) => return Err(e),
+        _ => {}
     }
 
-    // If that fails, enter the allocation loop.
+    // If that fails, we ask for the size and try again with a buffer of the correct size.
     let mut vec: Vec<u8> = Vec::new();
     loop {
-        let ret = f(&mut [])?;
-        vec.resize(ret, 0);
-
-        match f(&mut vec) {
-            Ok(size) => {
-                vec.truncate(size);
+        vec.reserve_exact(get_size()?);
+        match get_value(vec.spare_capacity_mut()) {
+            Ok(initialized) => {
+                unsafe {
+                    let len = initialized.len();
+                    assert_eq!(
+                        initialized.as_ptr(),
+                        vec.as_ptr(),
+                        "expected the same buffer"
+                    );
+                    vec.set_len(len);
+                }
                 vec.shrink_to_fit();
                 return Ok(vec);
             }
-
-            Err(e) => {
-                let err: io::Error = e.into();
-                if err.raw_os_error() == Some(crate::sys::ERANGE) {
-                    continue;
-                } else {
-                    return Err(err);
-                }
-            }
+            Err(e) if e.raw_os_error() != Some(crate::sys::ERANGE) => return Err(e),
+            _ => {} // try again
         }
     }
 }
