gh-126606: don't write incomplete pyc files #126627

cfbolz · 2024-11-09T15:16:13Z

fix corner case in importlib: so far, the code does not check the return value of _io.FileIO.write to see whether a pyc code was fully written to disk. If a ulimit is in place (or the disk is full or something), this could lead to truncated pyc files. After the fix, the written size is checked and the half-written file is removed.

Issue: Corrupt .pyc files stay on disk after failed writes #126606

cmaloney · 2024-11-09T15:48:13Z

Lib/importlib/_bootstrap_external.py

@@ -209,7 +209,9 @@ def _write_atomic(path, data, mode=0o666):
        # We first write data to a temporary file, and then use os.replace() to
        # perform an atomic rename.
        with _io.FileIO(fd, 'wb') as file:
-            file.write(data)


The write can be partial for a number of reasons, and while some of those are retried (PEP-0475), things like "this is windows and the write size is capped" aren't retried. Could this retry, which hopefully should also mean the OSError contains underlying errno / error info?

FileIO.write calls os.write calls _Py_write calls _Py_write_impl:

cpython/Python/fileutils.c

Lines 1918 to 2016 in 6293d00

_Py_write_impl(int fd, const void *buf, size_t count, int gil_held)

{

Py_ssize_t n;

int err;

int async_err = 0;

_Py_BEGIN_SUPPRESS_IPH

#ifdef MS_WINDOWS

if (count > 32767) {

/* Issue #11395: the Windows console returns an error (12: not

enough space error) on writing into stdout if stdout mode is

binary and the length is greater than 66,000 bytes (or less,

depending on heap usage). */

if (gil_held) {

Py_BEGIN_ALLOW_THREADS

if (isatty(fd)) {

count = 32767;

}

Py_END_ALLOW_THREADS

} else {

if (isatty(fd)) {

count = 32767;

}

}

}

#endif

if (count > _PY_WRITE_MAX) {

count = _PY_WRITE_MAX;

}

if (gil_held) {

do {

Py_BEGIN_ALLOW_THREADS

errno = 0;

#ifdef MS_WINDOWS

// write() on a non-blocking pipe fails with ENOSPC on Windows if

// the pipe lacks available space for the entire buffer.

int c = (int)count;

do {

_doserrno = 0;

n = write(fd, buf, c);

if (n >= 0 || errno != ENOSPC || _doserrno != 0) {

break;

}

errno = EAGAIN;

c /= 2;

} while (c > 0);

#else

n = write(fd, buf, count);

#endif

/* save/restore errno because PyErr_CheckSignals()

* and PyErr_SetFromErrno() can modify it */

err = errno;

Py_END_ALLOW_THREADS

} while (n < 0 && err == EINTR &&

!(async_err = PyErr_CheckSignals()));

}

else {

do {

errno = 0;

#ifdef MS_WINDOWS

// write() on a non-blocking pipe fails with ENOSPC on Windows if

// the pipe lacks available space for the entire buffer.

int c = (int)count;

do {

_doserrno = 0;

n = write(fd, buf, c);

if (n >= 0 || errno != ENOSPC || _doserrno != 0) {

break;

}

errno = EAGAIN;

c /= 2;

} while (c > 0);

#else

n = write(fd, buf, count);

#endif

err = errno;

} while (n < 0 && err == EINTR);

}

_Py_END_SUPPRESS_IPH

if (async_err) {

/* write() was interrupted by a signal (failed with EINTR)

and the Python signal handler raised an exception (if gil_held is

nonzero). */

errno = err;

assert(errno == EINTR && (!gil_held || PyErr_Occurred()));

return -1;

}

if (n < 0) {

if (gil_held)

PyErr_SetFromErrno(PyExc_OSError);

errno = err;

return -1;

}

return n;

}

I don't know whether we should retry here. in a sense that's a separate question to the bug that I'm trying to fix. we should definitely not silently write a truncated pyc file, as we are right now.

My thought is “why didn’t the write error itself” and doing a second one / retry might fix that

because write doesn't error, it just writes fewer bytes. from the man page:

The number of bytes written may be less than count if, for example, there is insufficient space on the underlying physical medium, or the RLIMIT_FSIZE resource limit is encountered (see setrlimit(2)), or the call
was interrupted by a signal handler after having written less than count bytes. (See also pipe(7).)

https://man7.org/linux/man-pages/man2/write.2.html#DESCRIPTION

Also from that though, a second call won't return 0, either it will write more and rerturn the count, or it will error (which should make the OSError):

In the event of a partial write, the caller can make another write() call to transfer the remaining bytes. The subsequent call will either transfer further bytes or may result in an error (e.g., if the disk is now full).

Considering this issue hasn't been reported until now I don't think it's worth complicating the code to try and be clever to work around some odd OS restriction.

Misc/NEWS.d/next/Core_and_Builtins/2024-11-09-16-10-22.gh-issue-126066.9zs4m4.rst

…e-126066.9zs4m4.rst Co-authored-by: Kirill Podoprigora <[email protected]>

brettcannon

Some stylistic comments on the test and a question of what the best exception is.

brettcannon · 2024-11-12T18:27:06Z

Lib/importlib/_bootstrap_external.py

@@ -209,7 +209,9 @@ def _write_atomic(path, data, mode=0o666):
        # We first write data to a temporary file, and then use os.replace() to
        # perform an atomic rename.
        with _io.FileIO(fd, 'wb') as file:
-            file.write(data)


Considering this issue hasn't been reported until now I don't think it's worth complicating the code to try and be clever to work around some odd OS restriction.

brettcannon · 2024-11-12T18:27:23Z

Lib/importlib/_bootstrap_external.py

-            file.write(data)
+            bytes_written = file.write(data)
+        if bytes_written != len(data):
+            raise OSError("os.write didn't write the full pyc file")


Suggested change

raise OSError("os.write didn't write the full pyc file")

raise OSError("os.write() didn't write the full .pyc file")

I'm trying to decide if OSError is the best exception or ImportError? While it does seem like the OS is the reason the write didn't fully succeed, it's import deciding that writing less isn't acceptable.

OSError is what surrounding code expects / the except after this catches to try and remove the partially-written file.

brettcannon · 2024-11-12T18:27:36Z