std: respect the bounds of the platform's data structures when performing time arithmetic

joboet · joboet · commit f46231215816 · 2025-09-26T17:04:51.000+02:00
diff --git a/library/std/src/sys/fs/wasi.rs b/library/std/src/sys/fs/wasi.rs
@@ -536,17 +536,9 @@ impl File {
     }
 
     pub fn set_times(&self, times: FileTimes) -> io::Result<()> {
-        let to_timestamp = |time: Option<SystemTime>| match time {
-            Some(time) if let Some(ts) = time.to_wasi_timestamp() => Ok(ts),
-            Some(_) => Err(io::const_error!(
-                io::ErrorKind::InvalidInput,
-                "timestamp is too large to set as a file time",
-            )),
-            None => Ok(0),
-        };
         self.fd.filestat_set_times(
-            to_timestamp(times.accessed)?,
-            to_timestamp(times.modified)?,
+            times.accessed.map_or(0, SystemTime::to_wasi_timestamp),
+            times.modified.map_or(0, SystemTime::to_wasi_timestamp),
             times.accessed.map_or(0, |_| wasi::FSTFLAGS_ATIM)
                 | times.modified.map_or(0, |_| wasi::FSTFLAGS_MTIM),
         )
diff --git a/library/std/src/sys/pal/sgx/abi/usercalls/mod.rs b/library/std/src/sys/pal/sgx/abi/usercalls/mod.rs
@@ -266,9 +266,8 @@ pub fn send(event_set: u64, tcs: Option<Tcs>) -> IoResult<()> {
 
 /// Usercall `insecure_time`. See the ABI documentation for more information.
 #[unstable(feature = "sgx_platform", issue = "56975")]
-pub fn insecure_time() -> Duration {
-    let t = unsafe { raw::insecure_time().0 };
-    Duration::new(t / 1_000_000_000, (t % 1_000_000_000) as _)
+pub fn insecure_time() -> u64 {
+    unsafe { raw::insecure_time().0 }
 }
 
 /// Usercall `alloc`. See the ABI documentation for more information.
diff --git a/library/std/src/sys/pal/sgx/time.rs b/library/std/src/sys/pal/sgx/time.rs
@@ -2,45 +2,61 @@ use super::abi::usercalls;
 use crate::time::Duration;
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct Instant(Duration);
+pub struct Instant {
+    nanos: u64,
+}
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct SystemTime(Duration);
+pub struct SystemTime {
+    nanos: u64,
+}
 
-pub const UNIX_EPOCH: SystemTime = SystemTime(Duration::from_secs(0));
+pub const UNIX_EPOCH: SystemTime = SystemTime { nanos: 0 };
 
 impl Instant {
     pub fn now() -> Instant {
-        Instant(usercalls::insecure_time())
+        Instant { nanos: usercalls::insecure_time() }
     }
 
     pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {
-        self.0.checked_sub(other.0)
+        let nanos = self.nanos.checked_sub(other.nanos)?;
+        Some(Duration::from_nanos(nanos))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_add(*other)?))
+        let to_add = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_add(to_add)?;
+        Some(Instant { nanos })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_sub(*other)?))
+        let to_sub = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_sub(to_sub)?;
+        Some(Instant { nanos })
     }
 }
 
 impl SystemTime {
     pub fn now() -> SystemTime {
-        SystemTime(usercalls::insecure_time())
+        SystemTime { nanos: usercalls::insecure_time() }
     }
 
     pub fn sub_time(&self, other: &SystemTime) -> Result<Duration, Duration> {
-        self.0.checked_sub(other.0).ok_or_else(|| other.0 - self.0)
+        self.nanos
+            .checked_sub(other.nanos)
+            .map(Duration::from_nanos)
+            .ok_or_else(|| Duration::from_nanos(other.nanos - self.nanos))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<SystemTime> {
-        Some(SystemTime(self.0.checked_add(*other)?))
+        let to_add = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_add(to_add)?;
+        Some(SystemTime { nanos })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<SystemTime> {
-        Some(SystemTime(self.0.checked_sub(*other)?))
+        let to_sub = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_sub(to_sub)?;
+        Some(SystemTime { nanos })
     }
 }
diff --git a/library/std/src/sys/pal/unsupported/time.rs b/library/std/src/sys/pal/unsupported/time.rs
@@ -1,7 +1,8 @@
 use crate::time::Duration;
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct Instant(Duration);
+#[allow(unreachable_code)] // Generated by the PartialEq derive.
+pub struct Instant(!);
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
 pub struct SystemTime(Duration);
@@ -13,16 +14,16 @@ impl Instant {
         panic!("time not implemented on this platform")
     }
 
-    pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {
-        self.0.checked_sub(other.0)
+    pub fn checked_sub_instant(&self, _other: &Instant) -> Option<Duration> {
+        self.0
     }
 
-    pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_add(*other)?))
+    pub fn checked_add_duration(&self, _other: &Duration) -> Option<Instant> {
+        self.0
     }
 
-    pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_sub(*other)?))
+    pub fn checked_sub_duration(&self, _other: &Duration) -> Option<Instant> {
+        self.0
     }
 }
 
diff --git a/library/std/src/sys/pal/vexos/time.rs b/library/std/src/sys/pal/vexos/time.rs
@@ -6,23 +6,30 @@ mod unsupported_time;
 pub use unsupported_time::{SystemTime, UNIX_EPOCH};
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct Instant(Duration);
+pub struct Instant {
+    micros: u64,
+}
 
 impl Instant {
     pub fn now() -> Instant {
         let micros = unsafe { vex_sdk::vexSystemHighResTimeGet() };
-        Self(Duration::from_micros(micros))
+        Self { micros }
     }
 
     pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {
-        self.0.checked_sub(other.0)
+        let micros = self.micros.checked_sub(other.micros)?;
+        Some(Duration::from_micros(micros))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_add(*other)?))
+        let to_add = other.as_micros().try_into().ok()?;
+        let micros = self.micros.checked_add(to_add)?;
+        Some(Instant { micros })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_sub(*other)?))
+        let to_sub = other.as_micros().try_into().ok()?;
+        let micros = self.micros.checked_sub(to_sub)?;
+        Some(Instant { micros })
     }
 }
diff --git a/library/std/src/sys/pal/wasip1/time.rs b/library/std/src/sys/pal/wasip1/time.rs
@@ -3,63 +3,78 @@
 use crate::time::Duration;
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct Instant(Duration);
+pub struct Instant {
+    nanos: wasi::Timestamp,
+}
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct SystemTime(Duration);
+pub struct SystemTime {
+    nanos: wasi::Timestamp,
+}
 
-pub const UNIX_EPOCH: SystemTime = SystemTime(Duration::from_secs(0));
+pub const UNIX_EPOCH: SystemTime = SystemTime { nanos: 0 };
 
-fn current_time(clock: wasi::Clockid) -> Duration {
-    let ts = unsafe {
+fn current_time(clock: wasi::Clockid) -> wasi::Timestamp {
+    unsafe {
         wasi::clock_time_get(
             clock, 1, // precision... seems ignored though?
         )
         .unwrap()
-    };
-    Duration::new((ts / 1_000_000_000) as u64, (ts % 1_000_000_000) as u32)
+    }
 }
 
 impl Instant {
     pub fn now() -> Instant {
-        Instant(current_time(wasi::CLOCKID_MONOTONIC))
+        Instant { nanos: current_time(wasi::CLOCKID_MONOTONIC) }
     }
 
     pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {
-        self.0.checked_sub(other.0)
+        let nanos = self.nanos.checked_sub(other.nanos)?;
+        Some(Duration::from_nanos(nanos))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_add(*other)?))
+        let to_add = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_add(to_add)?;
+        Some(Instant { nanos })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_sub(*other)?))
+        let to_sub = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_sub(to_sub)?;
+        Some(Instant { nanos })
     }
 }
 
 impl SystemTime {
     pub fn now() -> SystemTime {
-        SystemTime(current_time(wasi::CLOCKID_REALTIME))
+        SystemTime { nanos: current_time(wasi::CLOCKID_REALTIME) }
     }
 
     pub fn from_wasi_timestamp(ts: wasi::Timestamp) -> SystemTime {
-        SystemTime(Duration::from_nanos(ts))
+        SystemTime { nanos: ts }
     }
 
-    pub fn to_wasi_timestamp(&self) -> Option<wasi::Timestamp> {
-        self.0.as_nanos().try_into().ok()
+    pub fn to_wasi_timestamp(self) -> wasi::Timestamp {
+        self.nanos
     }
 
     pub fn sub_time(&self, other: &SystemTime) -> Result<Duration, Duration> {
-        self.0.checked_sub(other.0).ok_or_else(|| other.0 - self.0)
+        self.nanos
+            .checked_sub(other.nanos)
+            .map(Duration::from_nanos)
+            .ok_or_else(|| Duration::from_nanos(other.nanos - self.nanos))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<SystemTime> {
-        Some(SystemTime(self.0.checked_add(*other)?))
+        let to_add = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_add(to_add)?;
+        Some(SystemTime { nanos })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<SystemTime> {
-        Some(SystemTime(self.0.checked_sub(*other)?))
+        let to_sub = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_sub(to_sub)?;
+        Some(SystemTime { nanos })
     }
 }
diff --git a/library/std/src/sys/pal/wasip2/time.rs b/library/std/src/sys/pal/wasip2/time.rs
@@ -1,32 +1,41 @@
 use crate::time::Duration;
 
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
-pub struct Instant(Duration);
+pub struct Instant {
+    nanos: wasip2::clocks::monotonic_clock::Instant,
+}
 
+// WASIp2's datetime is identical to our `Duration` in terms of its representable
+// range, so use `Duration` to simplify the implementation below.
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
 pub struct SystemTime(Duration);
 
 pub const UNIX_EPOCH: SystemTime = SystemTime(Duration::from_secs(0));
 
 impl Instant {
     pub fn now() -> Instant {
-        Instant(Duration::from_nanos(wasip2::clocks::monotonic_clock::now()))
+        Instant { nanos: wasip2::clocks::monotonic_clock::now() }
+    }
+
+    pub fn to_wasi_instant(self) -> wasip2::clocks::monotonic_clock::Instant {
+        self.nanos
     }
 
     pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {
-        self.0.checked_sub(other.0)
+        let nanos = self.nanos.checked_sub(other.nanos)?;
+        Some(Duration::from_nanos(nanos))
     }
 
     pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_add(*other)?))
+        let to_add = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_add(to_add)?;
+        Some(Instant { nanos })
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {
-        Some(Instant(self.0.checked_sub(*other)?))
-    }
-
-    pub(crate) fn as_duration(&self) -> &Duration {
-        &self.0
+        let to_sub = other.as_nanos().try_into().ok()?;
+        let nanos = self.nanos.checked_sub(to_sub)?;
+        Some(Instant { nanos })
     }
 }
 
@@ -40,8 +49,9 @@ impl SystemTime {
         SystemTime(Duration::from_nanos(ts))
     }
 
-    pub fn to_wasi_timestamp(&self) -> Option<wasi::Timestamp> {
-        self.0.as_nanos().try_into().ok()
+    pub fn to_wasi_timestamp(self) -> wasi::Timestamp {
+        // FIXME: use the WASIp2 filesystem proposal, which accepts a WASIp2 datetime.
+        self.0.as_nanos().try_into().expect("error converting WASIp2 datetime to WASIp1 timestamp")
     }
 
     pub fn sub_time(&self, other: &SystemTime) -> Result<Duration, Duration> {
diff --git a/library/std/src/sys/pal/windows/time.rs b/library/std/src/sys/pal/windows/time.rs
diff --git a/library/std/src/sys/pal/xous/time.rs b/library/std/src/sys/pal/xous/time.rs
diff --git a/library/std/src/sys/thread/wasip2.rs b/library/std/src/sys/thread/wasip2.rs

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,8 @@`
`1`	`1`	`use crate::time::Duration;`
`2`	`2`
`3`	`3`	`#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]`
`4`		`-pub struct Instant(Duration);`
	`4`	`+#[allow(unreachable_code)] // Generated by the PartialEq derive.`
	`5`	`+pub struct Instant(!);`
`5`	`6`
`6`	`7`	`#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]`
`7`	`8`	`pub struct SystemTime(Duration);`
`@@ -13,16 +14,16 @@ impl Instant {`
`13`	`14`	`panic!("time not implemented on this platform")`
`14`	`15`	`}`
`15`	`16`
`16`		`- pub fn checked_sub_instant(&self, other: &Instant) -> Option<Duration> {`
`17`		`- self.0.checked_sub(other.0)`
	`17`	`+ pub fn checked_sub_instant(&self, _other: &Instant) -> Option<Duration> {`
	`18`	`+ self.0`
`18`	`19`	`}`
`19`	`20`
`20`		`- pub fn checked_add_duration(&self, other: &Duration) -> Option<Instant> {`
`21`		`- Some(Instant(self.0.checked_add(*other)?))`
	`21`	`+ pub fn checked_add_duration(&self, _other: &Duration) -> Option<Instant> {`
	`22`	`+ self.0`
`22`	`23`	`}`
`23`	`24`
`24`		`- pub fn checked_sub_duration(&self, other: &Duration) -> Option<Instant> {`
`25`		`- Some(Instant(self.0.checked_sub(*other)?))`
	`25`	`+ pub fn checked_sub_duration(&self, _other: &Duration) -> Option<Instant> {`
	`26`	`+ self.0`
`26`	`27`	`}`
`27`	`28`	`}`
`28`	`29`