bpo-43916: Add _PyType_DisabledNew to prevent new heap types from being created uninitialised

[erlend-aasland]

TODO

• SSL/crypo: Christan will take care of this
• missing dbm/gdbm tests UPDATE: gdbm test added
• missing multibytecodec tests: suggesting to drop this
• missing _functools._lru_list_elem test: suggesting to drop this
• missing _thread._localdummy test: suggesting to drop this
• convert old workarounds in curses/tkinter to use _PyType_DisabledNew
• news/what's new UPDATE: Draft NEWS entry added
• add _PyType_DisabledNew to the internal C API
• declare _PyType_DisabledNew with extern iso. PyAPI_FUNC: bpo-43916: Add _PyType_DisabledNew to prevent new heap types from being created uninitialised #25653 (comment)
• fix Windows builds
• _tkinter fails because Py_BUILD_CORE is not set on Travis

https://bugs.python.org/issue43916

[tiran]

I don't like the state->typeobject->tp_new approach. It looks like a hack. Does this work?

keyobject_type_slots[] = {
    {Py_tp_null, NULL},
    ...
}

[bedevere-bot]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[erlend-aasland]

I don't like the state->typeobject->tp_new approach. It looks like a hack.

I don't like it either, but that's how it has been fixed earlier.

Does this work?

keyobject_type_slots[] = {
    {Py_tp_null, NULL},
    ...
}

Unfortunately, no. Also, Py_tp_null => Py_tp_new :)

How about this:

1. We add an internal C API function (somewhere in Include/internal/) a la your _disabled_new in _hashopenssl.c.
2. Add {Py_tp_new, <pointer to new func>}, to affected types

Feels less like a hack, and will be easily greppable.

[tiran]

Yes, that would be my preferred solution. We have PyType_GenericNew, how about PyType_DisabledNew?

[erlend-aasland]

Yes, that would be my preferred solution. We have PyType_GenericNew, how about PyType_DisabledNew?

I like it, but I think we should add it as _PyType_DisabledNew in Include/cpython.

cc. @pablogsal

[shreyanavigyan]

Doesn't this change require a news entry?

[vstinner]

@tiran @pablogsal: Disabling the constructor is commonly used in Python, so I would not be surprised if this feature would be needed outside CPython code base. I'm fine with adding directly a public function. I understand that @tiran is ok with that, what about you @pablogsal?

[pablogsal]

what about you @pablogsal?

I am still -1, this can be done manually and I prefer to stop growing the C-API when possible unless is very clear that is needed, like with the GC functions.

[vstinner]

@pablogsal: Sorry, I missed your earlier comment "Can we move this to the inernal API maybe? @vstinner what do you think?".

Ok, let's keep it internal for now. We can revisit that later.

[erlend-aasland]

Ok, let's keep it internal for now. We can revisit that later.

All right. I need help landing this PR; see my questions regarding extern raised in this thread: #25653 (comment)

Perhaps it would be easier if I split it up in three:

1. Add the new API
2. Apply it to the affected types (except Christian's stuff)
3. Apply it to _curses_panel and _tkinter

It up to the reviewers :)

[shreyanavigyan]

This time the error is FSCTL_SET_REPARSE_POINT not found

[shreyanavigyan]

Try #include winioctl.h and see if the tests run correctly.

[shreyanavigyan]

Looks like windows.h was conflicting with FSCTL_SET_REPARSE_POINT. Now the build is successful.

[erlend-aasland]

Try #include winioctl.h and see if the tests run correctly.

The fix is similar to the issue in Modules/posixmodule.c:

cpython/Modules/posixmodule.c

Lines 15 to 24 in 1e7b858

	#ifdef MS_WINDOWS
	/* include <windows.h> early to avoid conflict with pycore_condvar.h:
	#define WIN32_LEAN_AND_MEAN
	#include <windows.h>
	FSCTL_GET_REPARSE_POINT is not exported with WIN32_LEAN_AND_MEAN. */
	# include <windows.h>
	# include <pathcch.h>
	#endif

There's a conflict between pycore_condvar.h and windows.h. The former is implicitly included via pycore_object.h. The solution is to reorder the includes.

If a missing Windows include was the problem, the Windows build would have been broken all over.

[erlend-aasland]

@pablogsal, @vstinner: I've marked this as ready for review. Test coverage is not complete, but I'm not sure how much time we should put into extracting all the implementation specific types; they are normally hidden from the APIs anyway, and one really has to put an effort into snatching the type and then trying to create it uninitialised. Consenting adults and so on.

I refer to Pablos's comment regarding my problems with declaring _PyType_DisabledNew using extern: #25653 (comment)

@tiran will take care of his stuff, presumably in a separate PR.

I still think the PR is too large, but that's up to you two to decide :)

BTW, _tkinter fails because Py_BUILD_CORE is not set on Travis; I'll have a look at setup.py and Modules/Setup. UPDATE: Fixed in ce16da5

[tiran]

Urks, extra_compile_args = ['-DPy_BUILD_CORE_MODULE'] is wrong. This shouldn't be an extra compiler arg.

[erlend-aasland]

Urks, extra_compile_args = ['-DPy_BUILD_CORE_MODULE'] is wrong. This shouldn't be an extra compiler arg.

I can use define_macros instead, but there's a lot of precedence in setup.py where extra_compile_args is used.

[tiran]

I have opened PR GH-25713 to address the problem. I'll rebase my PR after you have landed your PR. Let's land your PR first.

[erlend-aasland]

I have opened PR GH-25713 to address the problem. I'll rebase my PR after you have landed your PR. Let's land your PR first.

Thank you, Christian!

[erlend-aasland]

Thanks for reviewing, @tiran. I have made the requested changes; please review again.

[bedevere-bot]

Thanks for making the requested changes!

@tiran: please review the changes made to this pull request.

[tiran]

LGTM, good work!

[tiran]

@pablogsal @vstinner Do you want to double check the PR or should I merge it?

[erlend-aasland]

LGTM, good work!

Thanks! Actually, you should add attribution to yourself; I've based the core solution off of your work :)

[serhiy-storchaka]

It is already tested in test_os.

[vstinner]

I propose a different solution: PR #25721 adds Py_TPFLAGS_DISABLE_NEW type flag.

[erlend-aasland]

Closing in favour of #25721