diff options
| author | Dylan DPC <dylan.dpc@gmail.com> | 2021-03-19 15:03:22 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-19 15:03:22 +0100 |
| commit | db4a97c4cbcb160b3754c803284dd0110d1de1e4 (patch) | |
| tree | d974b9eab71f38c10712c0a481544361e16e3e91 | |
| parent | 61372e1af6a100aedc203d0739073b42f8977e4e (diff) | |
| parent | 9dfda62763a4462407bf76b916b1808aed57401a (diff) | |
| download | rust-db4a97c4cbcb160b3754c803284dd0110d1de1e4.tar.gz rust-db4a97c4cbcb160b3754c803284dd0110d1de1e4.zip | |
Rollup merge of #82892 - jix:clarify-read-read, r=joshtriplett
Clarify docs for Read::read's return value Right now the docs for `Read::read`'s return value are phrased in a way that makes it easy for the reader to assume that the return value is never larger than the passed buffer. This PR clarifies that this is a requirement for implementations of the trait, but that callers have to expect a buggy yet safe implementation failing to do so, especially if unchecked accesses to the buffer are done afterwards. I fell into this trap recently, and when I noticed, I looked at the docs again and had the feeling that I might not have been the first one to miss this. The same issue of trusting the return value of `read` was also present in std itself for about 2.5 years and only fixed recently, see #80895. I hope that clarifying the docs might help others to avoid this issue.
| -rw-r--r-- | library/std/src/io/mod.rs | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs index 17002e3b860..6abb300054a 100644 --- a/library/std/src/io/mod.rs +++ b/library/std/src/io/mod.rs @@ -514,8 +514,8 @@ pub trait Read { /// waiting for data, but if an object needs to block for a read and cannot, /// it will typically signal this via an [`Err`] return value. /// - /// If the return value of this method is [`Ok(n)`], then it must be - /// guaranteed that `0 <= n <= buf.len()`. A nonzero `n` value indicates + /// If the return value of this method is [`Ok(n)`], then implementations must + /// guarantee that `0 <= n <= buf.len()`. A nonzero `n` value indicates /// that the buffer `buf` has been filled in with `n` bytes of data from this /// source. If `n` is `0`, then it can indicate one of two scenarios: /// @@ -529,6 +529,11 @@ pub trait Read { /// This may happen for example because fewer bytes are actually available right now /// (e. g. being close to end-of-file) or because read() was interrupted by a signal. /// + /// As this trait is safe to implement, callers cannot rely on `n <= buf.len()` for safety. + /// Extra care needs to be taken when `unsafe` functions are used to access the read bytes. + /// Callers have to ensure that no unchecked out-of-bounds accesses are possible even if + /// `n > buf.len()`. + /// /// No guarantees are provided about the contents of `buf` when this /// function is called, implementations cannot rely on any property of the /// contents of `buf` being true. It is recommended that *implementations* |