copy-file no longer trusts st_size

In copy-file, do not trust st_size, since it might change as we run, or we might be in a /proc system where it is unreliable anyway. Also, fix some other unlikely copy-file bugs while we’re here. * src/fileio.c (Fcopy_file): Use O_TRUNC when opening a destination that already exists. This saves us the trouble of having to call ftruncate with a possibly-bogus st_size; the old motivation for using ftruncate is no longer compelling. Do not assume ptrdiff_t is as wide as ssize_t; although this is true on all known platforms, it’s easy to not assume it. Don’t trust st_size. Prefer SSIZE_MAX to TYPE_MAXIMUM (ssize_t). Always read+write, regardless of whether copy_file_range failed.
author: Paul Eggert 2025-01-22 11:06:06 -0800
committer: Paul Eggert 2025-07-13 21:09:38 -0700
commit: ffd65be2277b9a30e77a00ad69c9ba21459f72c5 (patch)
tree: 2a3cc5dc796280ec9cc86e1a374744b0b27169c0 /src
parent: ae30a61c74215c3e02fb3c0d603894457a4cfef5 (diff)
download: emacs-ffd65be2277b9a30e77a00ad69c9ba21459f72c5.tar.gz
emacs-ffd65be2277b9a30e77a00ad69c9ba21459f72c5.zip
1 files changed, 22 insertions, 42 deletions
diff --git a/src/fileio.c b/src/fileio.c
index 4c3bc5787cf..82ee22d2187 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -2369,15 +2369,13 @@ permissions.  */)
        barf_or_query_if_file_exists (newname, true, "copy to it",
                                      FIXNUMP (ok_if_already_exists), false);
      already_exists = true;
-      ofd = emacs_open (SSDATA (encoded_newname), O_WRONLY, 0);
+      ofd = emacs_open (SSDATA (encoded_newname), O_WRONLY | O_TRUNC, 0);
    }
  if (ofd < 0)
    report_file_error ("Opening output file", newname);
  record_unwind_protect_int (close_file_unwind, ofd);
-  off_t oldsize = 0, newsize;
  if (already_exists)
    {
      struct stat out_st;
@@ -2386,36 +2384,26 @@ permissions.  */)
      if (st.st_dev == out_st.st_dev && st.st_ino == out_st.st_ino)
        report_file_errno ("Input and output files are the same",
                           list2 (file, newname), 0);
-      if (S_ISREG (out_st.st_mode))
-        oldsize = out_st.st_size;
    }
  maybe_quit ();
-  if (emacs_fd_to_int (ifd) != -1
+  if (emacs_fd_to_int (ifd) == -1
-      && clone_file (ofd, emacs_fd_to_int (ifd)))
+      || !clone_file (ofd, emacs_fd_to_int (ifd)))
-    newsize = st.st_size;
-  else
    {
-      off_t insize = st.st_size;
+      off_t newsize = 0;
-      ssize_t copied;
 #ifndef MSDOS
-      newsize = 0;
      if (emacs_fd_to_int (ifd) != -1)
        {
-          for (; newsize < insize; newsize += copied)
+          for (ssize_t copied; ; newsize += copied)
            {
              /* Copy at most COPY_MAX bytes at a time; this is min
-                 (PTRDIFF_MAX, SIZE_MAX) truncated to a value that is
+                 (SSIZE_MAX, SIZE_MAX) truncated to a value that is
                 surely aligned well.  */
-              ssize_t ssize_max = TYPE_MAXIMUM (ssize_t);
+              ssize_t copy_max = min (SSIZE_MAX, SIZE_MAX) >> 30 << 30;
-              ptrdiff_t copy_max = min (ssize_max, SIZE_MAX) >> 30 << 30;
-              off_t intail = insize - newsize;
-              ptrdiff_t len = min (intail, copy_max);
              copied = copy_file_range (emacs_fd_to_int (ifd), NULL,
-                                        ofd, NULL, len, 0);
+                                        ofd, NULL, copy_max, 0);
              if (copied <= 0)
                break;
              maybe_quit ();
@@ -2423,32 +2411,24 @@ permissions.  */)
        }
 #endif /* MSDOS */
-      /* Fall back on read+write if copy_file_range failed, or if the
+      /* Follow up with read+write regardless of any copy_file_range failure.
-         input is empty and so could be a /proc file, or if ifd is an
+         Many copy_file_range implementations fail for no good reason,
-         invention of android.c.  read+write will either succeed, or
+         or "succeed" even when they did nothing (e.g., in /proc files).
-         report an error more precisely than copy_file_range
+         Also, if read+write fails it will report an error more
-         would.  */
+         precisely than copy_file_range would.  */
-      if (newsize != insize || insize == 0)
+      char buf[MAX_ALLOCA];
-        {
-          char buf[MAX_ALLOCA];
-          for (; (copied = emacs_fd_read (ifd, buf, sizeof buf));
+      for (ptrdiff_t copied;
-               newsize += copied)
+           (copied = emacs_fd_read (ifd, buf, sizeof buf));
-            {
+           newsize += copied)
-              if (copied < 0)
+        {
-                report_file_error ("Read error", file);
+          if (copied < 0)
-              if (emacs_write_quit (ofd, buf, copied) != copied)
+            report_file_error ("Read error", file);
-                report_file_error ("Write error", newname);
+          if (emacs_write_quit (ofd, buf, copied) != copied)
-            }
+            report_file_error ("Write error", newname);
        }
    }
-  /* Truncate any existing output file after writing the data.  This
-     is more likely to work than truncation before writing, if the
-     file system is out of space or the user is over disk quota.  */
-  if (newsize < oldsize && ftruncate (ofd, newsize) != 0)
-    report_file_error ("Truncating output file", newname);
 #ifndef MSDOS
  /* Preserve the original file permissions, and if requested, also its
     owner and group.  */
author	Paul Eggert	2025-01-22 11:06:06 -0800
committer	Paul Eggert	2025-07-13 21:09:38 -0700
commit	ffd65be2277b9a30e77a00ad69c9ba21459f72c5 (patch)
tree	2a3cc5dc796280ec9cc86e1a374744b0b27169c0 /src
parent	ae30a61c74215c3e02fb3c0d603894457a4cfef5 (diff)
download	emacs-ffd65be2277b9a30e77a00ad69c9ba21459f72c5.tar.gz emacs-ffd65be2277b9a30e77a00ad69c9ba21459f72c5.zip