gh-118209: Add structured exception handling to mmap module

[Dobatymo]

If DONT_USE_SEH is not defined, catch page errors and access violations when reading/writing the mmap pointer and convert it into a Python exception.

Methods done:

• mmap_read_method
• mmap_read_byte_method
• mmap_read_line_method
• mmap_write_method
• mmap_write_byte_method
• mmap_item
• mmap_subscript
• mmap_ass_item
• mmap_ass_subscript
• mmap_move_method
• mmap_gfind (hopefully I didn't miss any resource handling here)

Other comments:

• LsaNtStatusToWinError is equivalent to RtlNtStatusToDosError (see comment below). So I am using this since it's easier to call.
• one other tiny bug is fixed in mmap_read_line_method. Previously the file pointer would still be advanced in case of a memory allocation error.

Issues with the PR:

• other methods should be handled as well, but I want to wait on some feedback first
  • mmap_resize_method

I don't know how to fix:

• mmap_buffer_getbuf: this creates a buffer object without actually reading from memory (yet). This will cause issues when the buffer is read in other parts of the code. The only way to fix this would be make all buffer methods SEH aware also... :(

See

• https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffile#remarks
• https://learn.microsoft.com/en-us/windows/win32/memory/reading-and-writing-from-a-file-view
• https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record

• Issue: mmap lacks error handling (SEH) on Windows which can lead to interpreter crashes #118209

[cpython-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[zooba]

PR looks good so far, though as this is a draft I'll leave it with you for now.

One other possibility may be to protect PyBytes_FromString internally, which could cut off an entire class of crashes instead of just one. Thoughts?

[Dobatymo]

One other possibility may be to protect PyBytes_FromString internally, which could cut off an entire class of crashes instead of just one. Thoughts?

That's a possibility too. However I don't know if there's a big performance impact if the exception handling is used there. PyBytes_FromString seems to be a quite commonly used function. On the other hand, the MapViewOfFile family are the only functions I can find which reference the EXCEPTION_IN_PAGE_ERROR exception.

[zooba]

I don't know if there's a big performance impact if the exception handling is used there.

Native exceptions are zero cost until an exception is actually thrown, so I wouldn't worry about that. The compiler generates a static table that the OS refers to in order to figure out which handler to invoke.

That said, a number of the other functions you mentioned won't go through that path, so there's probably going to be a need to add it directly into mmap, particularly for writing.

Maybe a helper function to do a protected memcpy is the way to go? That would let us entirely scope the exception handling and make sure we aren't mismanaging any state inside of it (which is the usual issue). It also means we can have a plain implementation on non-Windows (for now) and keep the code that uses it looking fairly consistent.

[Dobatymo]

Maybe a helper function to do a protected memcpy is the way to go?

I think that's probably a good idea. However there are still some rogue pointer derefs (like the one-character optimization mentioned above) which can still throw.

EDIT: This is out-of-scope for this PR. But Linux probably has similar issues. I couldn't find good docs regarding the situtation (I am more familiar with Windows), but Linux will probably send some signal like SIGBUS/SIGSEV in this scenario. Are you supposed to handle them when mmapping?

[zooba]

Linux probably has similar issues. I couldn't find good docs regarding the situtation (I am more familiar with Windows), but Linux will probably send some signal like SIGBUS/SIGSEV in this scenario

I'm in the same position as you, and agree that it's out of scope for this PR. But if we set things up so that it's easy to multiplex per-platform, we'll at least set up someone who does know to be able to do it.

What that means to me is that we want to contain __try/__except to helper functions that don't interact with Python objects at all (you can assume that the caller has "pinned" any memory that gets passed in) and have an error result that basically means "invalid pointer". So if safe_memcpy(...) or safe_read_char(char *dest, const char *src) return < 0 (typical for our APIs), then we can raise an error on all platforms, and eventually maybe they get implementations that are more complex than just *dest = *src; return 0;

[eryksun]

Linux will probably send some signal like SIGBUS/SIGSEV in this scenario. Are you supposed to handle them when mmapping?

Yes, on POSIX SIGBUS and SIGSEGV are raised synchronously on the executing thread. I mentioned this on the linked issue. I think if this crash scenario is to be handled by the mmap type, it should be addressed on POSIX as well as Windows.

[Dobatymo]

I used LsaNtStatusToWinError to convert the error code which should do they same as RtlNtStatusToDosError but easier to load. I created a function call safe_memcpy which returns 0 if it succeeds and -1 otherwise and restructured mmap_read_byte_method and mmap_read_method to use it.

It will be very difficult to handle all the functions in this way though. For example there would need to be additional functions like safe_memchr for mmap_read_line_method and for other functions I need to go even deeper to see if they need any cleanup or can simply be wrapped (like mmap_find_method->mmap_gfind->_PyBytes_Find->stringlib_find->???)

[Dobatymo]

By the way regarding the ntstatus to win32 error conversion
I ran

# pip install ctypes-windows-sdk tqdm
from cwinsdk.um.winternl import RtlNtStatusToDosError
from cwinsdk.um.ntsecapi import LsaNtStatusToWinError

from tqdm import trange

for i in trange(-(2**31), 2**31):
    a = RtlNtStatusToDosError(i)
    b = LsaNtStatusToWinError(i)
    if a != b:
        raise AssertionError(f"NTSTATUS={i}, RtlNtStatusToDosError={a}, LsaNtStatusToWinError={b}")

and it shows that the output of both functions is the same for the full range of ints. LsaNtStatusToWinError doesn't have to be manually loaded like RtlNtStatusToDosError though.

[eryksun]

it shows that the output of both functions is the same for the full range of ints. LsaNtStatusToWinError doesn't have to be manually loaded like RtlNtStatusToDosError though.

I forgot about that one. It's not exactly surprising that it behaves the same. 😉

0:005> u advapi32!LsaNtStatusToWinError l1
ADVAPI32!LsaNtStatusToWinError:
00007ff9`32869740 48ff2569430700  jmp     qword ptr [ADVAPI32!_imp_RtlNtStatusToDosError (00007ff9`328ddab0)]
0:005> dq 00007ff9`328ddab0 l1
00007ff9`328ddab0  00007ff9`32e23140
0:005> ln 00007ff9`32e23140
(00007ff9`32e23140)   ntdll!RtlNtStatusToDosError   |  (00007ff9`32e232e0)   ntdll!RtlSetLastWin32Error
Exact matches:
    ntdll!RtlNtStatusToDosError (void)

[zooba]

I like how this is looking. Let us know when you'd like CI run and we can hit the button to get it going, and feel free to start adapting other cases in this file.

[zooba]

!buildbot .windows.

[bedevere-bot]

🤖 New build scheduled with the buildbot fleet by @zooba for commit 9737f22 🤖

The command will test the builders whose names match following regular expression: .*windows.*

The builders matched are:

• ARM64 Windows Non-Debug PR
• AMD64 Windows10 PR
• AMD64 Windows Server 2022 NoGIL PR
• AMD64 Windows11 Non-Debug PR
• AMD64 Windows11 Bigmem PR
• AMD64 Windows11 Refleaks PR
• ARM64 Windows PR

[zooba]

I'm torn between just merging (to make beta 1) and being more thorough, but I think we should be more thorough. This can easily go in for beta 2, so the only urgency is to make sure we get good test coverage.

[zooba]

Looks like we may need to use or switch to __restrict instead of restrict based on the compiler version (or the level of C99 support) - restrict is not one of our listed requirements, and it seems easy enough to avoid:

#if defined(_MSC_VER) && (!defined(__STDC_VERSION__) || (__STDC_VERSION__+0) < 201112L)
#define restrict __restrict
#endif

(Possibly that condition has to be broken up, but I think it ought to work.)

[Dobatymo]

We can also simply remove restrict. I only used it because it was part of the signature for memcpy here for C99 https://en.cppreference.com/w/c/string/byte/memcpy

[zooba]

We can also simply remove restrict.

Works for me.

We'll get this in for beta 2 at this stage.

[Dobatymo]

@zooba @eryksun Thank you so much for all your help! This is my first PR for CPython and I had a very good experience.

[zooba]

Congratulations!

[miss-islington-app]

Thanks @Dobatymo for the PR, and @zooba for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

[bedevere-app]

GH-118887 is a backport of this pull request to the 3.13 branch.