gh-143008: fix TextIOWrapper.truncate via re-entrant flush#143041
gh-143008: fix TextIOWrapper.truncate via re-entrant flush#143041yihong0618 wants to merge 3 commits intopython:mainfrom
Conversation
Signed-off-by: yihong0618 <zouzou0208@gmail.com>
cmaloney
left a comment
cmaloney
left a comment
There was a problem hiding this comment.
I don't like adding a new flushing variable here. To me it doesn't solves the core issue: Code assumes self->buffer is non-NULL because of checks which become invalid by the time it's actually dereferenced/used (TOCTOU general bug class). I think TextIOWrapper already has the information we need to be looking at / checking for (CHECK_ATTACHED macro / self->detached, self->buffer == NULL, and self->ok, ...). Those seem to be tracking very close to the same thing and should be usable to solve this group of issues.
I think it would be better here to use CHECK_ATTACHED just before self->buffer is used / passed to a call / returned; making sure there aren't any other calls to interpreter methods betwen the CHECK_ATTACHED + self->buffer usage / dereference.
I suspect BufferedIO will need a similar set of fixes: It also has a concept of an underlying stream that can be "detached" and which user code may detach during various operations.
Some comments on specifics inline, the test_textio ones I think are important in further changes, implementation details less so if not adding/using the flushing member.
Lib/test/test_io/test_textio.py
Outdated
| # instead of crashing. | ||
| wrapper = None | ||
|
|
||
| class BadRaw(self.RawIOBase): |
There was a problem hiding this comment.
There's a number of mock helpers defined in test_io/utils.py to make it so can reduce this to just the methods that matter. I think self.MockRawIO will work here
Lib/test/test_io/test_textio.py
Outdated
| with self.subTest(name): | ||
| wrapper = self.TextIOWrapper(EvilBuffer(BadRaw()), encoding='utf-8') | ||
| self.assertRaisesRegex(RuntimeError, "reentrant", method) | ||
| wrapper = None |
There was a problem hiding this comment.
can we make the gc / closing here more explicit? del wrapper?
Misc/NEWS.d/next/Library/2025-12-21-17-56-37.gh-issue-143008.aakErJ.rst
Outdated
Show resolved
Hide resolved
Modules/_io/textio.c
Outdated
| static inline int | ||
| _textiowrapper_flush(textio *self) | ||
| { | ||
| self->flushing = 1; |
There was a problem hiding this comment.
Why can't this be in _io_TextIOWrapper_flush_impl?
There was a problem hiding this comment.
it can, the design is cover it in _PyFile_Flush
| PyObject *ret; | ||
| self->flushing = 1; | ||
| do { | ||
| ret = PyObject_CallMethodOneArg(self->buffer, &_Py_ID(write), b); |
There was a problem hiding this comment.
every loop iteration / write call could execute arbitrary interpreter code that could invalidate self->buffer so likely need to check on each loop iteration.
There was a problem hiding this comment.
will check, but I think maybe not need
I think you are right but |
|
And I can change it to my first solution or waiting for other discuss here? |
…akErJ.rst Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
|
I agree Can you explain what your first solution is? I'm not understanding what you're referring to. |
|
serhiy-storchaka
left a comment
serhiy-storchaka
left a comment
There was a problem hiding this comment.
This will break the case when flush() was intentionally overridden.
I am not also sure that it fixes the core issue, it just makes a particular reproducer no longer working.
will dig it, thank you |
after some check and work I do not think |
Signed-off-by: yihong0618 <zouzou0208@gmail.com>
I made some change but not sure its better idea, can you help to check? Thank you very much. if you have better way to fix all of them feel free to close it~ thanks again |
|
I'm starting to think a small refactor of |
will try to understand and learn it thank you |
TextIOWrapper keeps its underlying stream in a member called `self->buffer`. That stream can be detached by user code, such as custom `.flush` implementations resulting in `self->buffer` being set to NULL. The implementation often checked at the start of functions if `self->buffer` is in a good state, but did not always recheck after other Python code was called which could modify `self->buffer`. The cases which need to be re-checked are hard to spot so rather than rely on reviewer effort create better safety by making all self->buffer access go through helper functions. Thank you yihong0618 for the test, NEWS and initial implementation in pythongh-143041. Co-authored-by: yihong0618 <zouzou0208@gmail.com>
3 participants
This patch fix all re-entrant flush problem
by adding an attr flushing
and. refactor the file check to
_textiowrapper_flushTextIOWrapper.truncatevia re-entrantflush#143008all crash problem in 143008 can be fix cc @jackfromeast can you help to check?
thank you very much!