Add support for reading symlinks longer than PATH_MAX to readlink and readlinkat

[SolraBizna]

This is in response to issue #1178.

The new logic uses the following approach.

• At any time, if readlink returns an error, or a value ≥ 0 and < (not ≤!) the buffer size, we're done.
• Attempt to readlink into a PATH_MAX sized buffer. (This will almost always succeed, and saves a system call over calling lstat first.)
• Try to lstat the link. If it succeeds and returns a sane value, allocate the buffer to be that large plus one byte. Otherwise, allocate the buffer to be PATH_MAX.max(128) << 1 bytes.
• Repeatedly attempt to readlink. Any time its result is ≥ (not >!) the buffer size, double the buffer size and try again.

While testing this, I discovered that ext4 doesn't allow creation of a symlink > 4095 (Linux's PATH_MAX minus one) bytes long. This is in spite of Linux happily allowing paths in other contexts to be longer than this—including on ext4! This was probably instated to avoid breaking programs that assume PATH_MAX will always be enough, but ironically hindered my attempt to test support for not assuming. I tested the code using an artificially small PATH_MAX and (separately) a wired-to-fail lstat. strace showed the code behaving precisely as expected. Unfortunately, I can't add an automatic test for this.

Other changes made by this PR:

• wrap_readlink_result now calls shrink_to_fit on the buffer before returning, potentially reclaiming kilobytes of memory per call. This could be very important if the returned buffer is long-lived.
• readlink and readlink_at now both call an inner_readlink function that contains the bulk of the logic, avoiding copy-pasting of code. (This is much more important now that the logic is more than a few lines long.)

Notably, this PR does not add support for systems that don't define PATH_MAX at all. As far as I know, I don't have access to any POSIX-ish OS that doesn't have PATH_MAX, and I suspect it would have other compatibility issues with nix anyway.

[asomers]

I just checked, and I can't create a too-long symlink on FreeBSD, NetBSD, OpenBSD, or Solaris. Is there any operating system that does allow it?

[asomers]

Not your fault, but I notice that this line is doing a data copy. Could you eliminate the data copy by taking the v argument by value instead of by reference?

[asomers]

Wrap the long lines, please.

[SolraBizna]

What is this project's wrap width? (I normally wrap to 80 columns, but this project clearly has a wider convention.)

Edit: Apparently the rest of the file is almost all wrapped to 80 columns, and only the code I was editing wasn't. Wrapped all the code I touched to 80 columns.

[asomers]

As a matter of style, I prefer

if condition {
    something
} else {
   something_else
}

rather than cramming everything onto two lines

[asomers]

Interesting. I think this may be the first good use of reserve_exact I've seen.

[asomers]

I don't think we need to gracefully handle symlinks with paths greater than 32 bits. A panic would suffice. You can do

try_size = try_size.checked_mul(2).unwrap();

[SolraBizna]

I think it's better to return an error in this case (as below), but if you ask me to I'll replace that logic with a checked multiply.

[asomers]

In fact, I think this code will still panic if the size overflows 32 bits. I think << , like most operators, will panic on overflow in debug builds (but wrap on release builds). If you really want to handle the overflow without panicing, you need to use checked_shl.

[asomers]

These 13 lines are duped. Do you think you could deduplicate them?

[SolraBizna]

I think the wrong lines got selected. Do you mean L197-L204 and L218-L225?

[asomers]

Instead of comparing reported_size to 0, you may as well compare it to PATH_MAX. After all, lstat reports less than what we already tried, then we shouldn't trust lstat's output.

[SolraBizna]

Trusting lstat after a failed readlink handles a race condition where the link size changes between the first readlink and the first lstat.

[SolraBizna]

I just checked, and I can't create a too-long symlink on FreeBSD, NetBSD, OpenBSD, or Solaris. Is there any operating system that does allow it?

On Linux, as far as I can tell, it's up to the particular filesystem. None of [ext*, XFS, btrfs] support very long symlinks, though.

[SolraBizna]

Thank you for the thorough review. I have implemented every requested change except the panic on absurdly long symlinks. I'll implement that too while I'm "in the code" if you like.

(I do agree that a >4GiB symlink is absolutely, without a doubt useless, but I also subscribe to the GNU convention of avoiding arbitrary limits where possible, even reasonable ones.)

[asomers]

This line is dead code. We only ever call wrap_readlink_result when res is >= 0, so you may as well eliminate the Errno::result part. I think that issued predated your changes, but since you're here would you please fix it?

[asomers]

You could simply this line into .map_or(0, |x| x.st_size)

[asomers]

In fact, I think this code will still panic if the size overflows 32 bits. I think << , like most operators, will panic on overflow in debug builds (but wrap on release builds). If you really want to handle the overflow without panicing, you need to use checked_shl.

[SolraBizna]

In fact, I think this code will still panic if the size overflows 32 bits. I think << , like most operators, will panic on overflow in debug builds (but wrap on release builds).

It seems that, barring obviously foolish cases caught by the compiler, bit shifting wraps in both debug mode and release mode. Guess Rust's designers figured that overflow in bit shifting is likely to be intentional. Regardless, I replaced that code with checked_shl just because it's clearer and more idiomatic that way.

Thanks again for the feedback. I've pushed the requested changes. If you think of any other tweaks you'd like me to make, let me know.

[SolraBizna]

Huh. Using map_or broke the build on FreeBSD. Is it using an old rustc or something? (map_or seems to have been added in 1.41, which was released this last January.)

[asomers]

Huh. Using map_or broke the build on FreeBSD. Is it using an old rustc or something? (map_or seems to have been added in 1.41, which was released this last January.)

Yes. Nix's MSRV is currently 1.36.0. We're pretty conservative with MSRV because we're consumed by platforms that are slow to update, like OpenBSD and embedded systems. Could you please remove map_or? Fie on me for suggesting it.

[SolraBizna]

Done, and now all the checks pass again.

[asomers]

Great! Now all it needs is a squash.

[SolraBizna]

Should I be squashing it on my end? I assumed this would be a case for the "Squash and merge" button.

[asomers]

Yes you should squash it. Because we use the bors merge bot, we cannot squash on our end.

[SolraBizna]

There. Hopefully I did that properly.

[asomers]

bors r+

[bors]

Build succeeded:

• continuous-integration/travis-ci/push
• FreeBSD 11.3