GNU bug report logs - #41797
[PATCH] replace with-temporary-store-file

Previous Next

Package: guix-patches;

Reported by: Caleb Ristvedt <caleb.ristvedt <at> cune.org>

Date: Thu, 11 Jun 2020 04:31:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 41797 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#41797; Package guix-patches. (Thu, 11 Jun 2020 04:31:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Caleb Ristvedt <caleb.ristvedt <at> cune.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 11 Jun 2020 04:31:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Caleb Ristvedt <caleb.ristvedt <at> cune.org>
To: guix-patches <at> gnu.org
Subject: [PATCH] replace with-temporary-store-file
Date: Wed, 10 Jun 2020 23:29:45 -0500

[Message part 1 (text/plain, inline)]
with-temporary-store-file suffers from race conditions - see attached
patch commit message for details.

This addresses a problem that it's very likely nobody has run into yet,
due to the sheer size of the tempfile namespace, but that could
potentially cause serious issues, including store corruption.

The new procedure used to resolve this (restore-to-temp-store-file) will
be of use in the guile-daemon anyway.

- reepca


[0001-nar-fix-race-conditions-inherent-to-with-temporary-s.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded to guix-patches <at> gnu.org:
bug#41797; Package guix-patches. (Thu, 11 Jun 2020 17:05:01 GMT) Full text and rfc822 format available.

Message #8 received at 41797 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Caleb Ristvedt <caleb.ristvedt <at> cune.org>
Cc: 41797 <at> debbugs.gnu.org
Subject: Re: [bug#41797] [PATCH] replace with-temporary-store-file
Date: Thu, 11 Jun 2020 19:04:32 +0200

Hi,

Caleb Ristvedt <caleb.ristvedt <at> cune.org> skribis:

> with-temporary-store-file has a fundamental flaw: it assumes that if a
> temporary store file exists, is then added as a temporary root, and still
> exists, then it uniquely belongs to the current process.  This is not always
> the case, because the only criteria used for choosing temporary file names is
> that they not be currently used and fit a certain template.  This means it's
> entirely possible for another process to choose the same temporary file name
> if it doesn't exist at the time it chooses.

Then what about simply adding the PID to the file name template?

Trying to see if there’s a simpler solution that could address the
problem.

Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org:
bug#41797; Package guix-patches. (Mon, 22 Jun 2020 18:04:01 GMT) Full text and rfc822 format available.

Message #11 received at 41797 <at> debbugs.gnu.org (full text, mbox):

From: Caleb Ristvedt <caleb.ristvedt <at> cune.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 41797 <at> debbugs.gnu.org
Subject: Re: [bug#41797] [PATCH] replace with-temporary-store-file
Date: Mon, 22 Jun 2020 13:03:12 -0500

[Message part 1 (text/plain, inline)]
Apologies for the delay on this.

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Caleb Ristvedt <caleb.ristvedt <at> cune.org> skribis:
>
>> with-temporary-store-file has a fundamental flaw: it assumes that if a
>> temporary store file exists, is then added as a temporary root, and still
>> exists, then it uniquely belongs to the current process.  This is not always
>> the case, because the only criteria used for choosing temporary file names is
>> that they not be currently used and fit a certain template.  This means it's
>> entirely possible for another process to choose the same temporary file name
>> if it doesn't exist at the time it chooses.
>
> Then what about simply adding the PID to the file name template?

AFAIK that would work currently, though for the daemon we'd have to also
include a fiber identifier. What concerns me is that I can't find any
restrictions about the characters that mkstemp is allowed to use, so
we'd have to enforce a consistent tempfile naming scheme. Admittedly, I
spent 10 minutes trying to think of realistic ways in which collisions
could still occur and couldn't come up with anything - the fact that the
randomized portion is always the same length and at the end makes it
quite difficult.

It's worth noting that adding the PID (and fiber ID) to the template
will only make it thread-safe, not reentrant. So
with-temporary-store-file uses couldn't be nested - indeed, no temporary
store files that use the same template could be safely created within
the extent of with-temporary-store-file. We could add a parameter to
track all the "reserved" filenames for the current dynamic state, but it
seems like a lot of hassle, and there's still the risk that other
temp-file-creating code could simply ignore it.

I'd still prefer restore-to-temp-store-file for the stronger guarantees
it gives.

- reepca

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 265 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.