[PATCH] replace with-temporary-store-file

  • Open
  • quality assurance status badge
Details
2 participants
  • Caleb Ristvedt
  • Ludovic Courtès
Owner
unassigned
Submitted by
Caleb Ristvedt
Severity
normal
C
C
Caleb Ristvedt wrote on 11 Jun 2020 06:29
(address . guix-patches@gnu.org)
87k10e5io6.fsf@cune.org
with-temporary-store-file suffers from race conditions - see attached
patch commit message for details.

This addresses a problem that it's very likely nobody has run into yet,
due to the sheer size of the tempfile namespace, but that could
potentially cause serious issues, including store corruption.

The new procedure used to resolve this (restore-to-temp-store-file) will
be of use in the guile-daemon anyway.

- reepca
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAl7hszoACgkQwWaqSV9/
GJxEMQgAibod0c4JnSgJ3aSvFMaqZRQ+uZIB8RAWDAHq+TH7GFXul1YTilFdFFaC
gwSeEjjQvmpMmH0OK4tUHJNRiu/pmEtg1PjDXZgez9bTkYMYuZAEQd27ciTQCLhx
O0Z1nl1oP9O+CCMcCcOdxygHJOBe/ARekE9EJdXpVqAFtW006QHRn5YnEGRw0dP1
LPl9QqZD1snm2mAd48oX39RJAmIxptg+9CPr+MD9haXzy17Cue6P/jdPgTkVKPGK
l4kqojing7ySTF93gNEXPUBTzfO+/Cv+9C6nGRf8JoHewTml3FuypGlOgeURC+In
S9S5AFT1GNyfThbYfUN2W1CEIAfE7A==
=vRI3
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 11 Jun 2020 19:04
(name . Caleb Ristvedt)(address . caleb.ristvedt@cune.org)(address . 41797@debbugs.gnu.org)
877dwdbkkf.fsf@gnu.org
Hi,

Caleb Ristvedt <caleb.ristvedt@cune.org> skribis:

Toggle quote (8 lines)
> with-temporary-store-file has a fundamental flaw: it assumes that if a
> temporary store file exists, is then added as a temporary root, and still
> exists, then it uniquely belongs to the current process. This is not always
> the case, because the only criteria used for choosing temporary file names is
> that they not be currently used and fit a certain template. This means it's
> entirely possible for another process to choose the same temporary file name
> if it doesn't exist at the time it chooses.

Then what about simply adding the PID to the file name template?

Trying to see if there’s a simpler solution that could address the
problem.

Thanks,
Ludo’.
C
C
Caleb Ristvedt wrote on 22 Jun 2020 20:03
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41797@debbugs.gnu.org)
874kr35673.fsf@cune.org
Apologies for the delay on this.

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (14 lines)
> Hi,
>
> Caleb Ristvedt <caleb.ristvedt@cune.org> skribis:
>
>> with-temporary-store-file has a fundamental flaw: it assumes that if a
>> temporary store file exists, is then added as a temporary root, and still
>> exists, then it uniquely belongs to the current process. This is not always
>> the case, because the only criteria used for choosing temporary file names is
>> that they not be currently used and fit a certain template. This means it's
>> entirely possible for another process to choose the same temporary file name
>> if it doesn't exist at the time it chooses.
>
> Then what about simply adding the PID to the file name template?

AFAIK that would work currently, though for the daemon we'd have to also
include a fiber identifier. What concerns me is that I can't find any
restrictions about the characters that mkstemp is allowed to use, so
we'd have to enforce a consistent tempfile naming scheme. Admittedly, I
spent 10 minutes trying to think of realistic ways in which collisions
could still occur and couldn't come up with anything - the fact that the
randomized portion is always the same length and at the end makes it
quite difficult.

It's worth noting that adding the PID (and fiber ID) to the template
will only make it thread-safe, not reentrant. So
with-temporary-store-file uses couldn't be nested - indeed, no temporary
store files that use the same template could be safely created within
the extent of with-temporary-store-file. We could add a parameter to
track all the "reserved" filenames for the current dynamic state, but it
seems like a lot of hassle, and there's still the risk that other
temp-file-creating code could simply ignore it.

I'd still prefer restore-to-temp-store-file for the stronger guarantees
it gives.

- reepca
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAl7w8mEACgkQwWaqSV9/
GJwvbwf+MCNm6d+ymsOi0/bbDvbCUv5IjeUsur34e4RnGg4Sy0MvY7zLcRPD1Y1C
aY5ucOYEwfkmWkkv7pk9Zk4ZFnxPutza5d/13CQKFTkoSjPM8UOcr8AiISmBiALM
rMmdCRCZ+qYX8NB56ylA0JEk6xL7tagM5FAyKSgDrkLlgJ46bTO9fQPRRM15sbAp
fjCdP8VmOHwj6BxLHItXCjkLxz7iNZ70C/JqwSzlU0UWmBRYF/+pZb60OR46MoBE
FSDsYGo0YAbMdoZsgxFDYx87pFbAVcAC9NOCyiWL2fahqHzNwjRK9DcQ6QtaWz6X
VJYBd5Ck5uvqHe4QAs5Wuq9ItLdZsQ==
=RZqc
-----END PGP SIGNATURE-----

?