refactor: Forbid calling unsafe fs::path(std::string) constructor and fs::path::string() method #22937
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Conflicts
Reviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
mingw complains:
Rebased 1e07139 -> ddbfc51 (pr/u8path.1 -> pr/u8path.2, compare) due to conflict with #21222, also fixing win64 build error https://cirrus-ci.com/task/5157617598201856
re: #22937 (comment)
Thanks for headsup, and this should be addressed in the last push
This PR is basically ready but I still am looking for feedback about whether best solution to Other remaining todos here: improve fs.h documentation and split commit into two parts so fs.h functions are added in the first commit, and code is switched over to call the new functions in a second commit.
If this fixes all our issues and avoids developer headaches when writing code (which conversion function to use), that seems most preferable.
Sorry, I thought I had posted more details/drawbacks about this alternate approach previously, but I don't think I ever did. Details can be found at https://docs.microsoft.com/en-us/windows/apps/design/globalizing/use-utf8-code-page#set-a-process-code-page-to-utf-8

The only impact I believe this alternate approach would have for future developers (as opposed to current reviewers) compared to the current approach is that future developers will be able to write

Another drawback of the UTF-8 windows code page build option is that it is silently ignored by older versions of windows.

Another drawback of the UTF-8 windows code page build option is that it is not yet unimplemented, and will require someone with more knowledge than me of both the MSVC and Mingw builds to implement, while this PR is a straightforward code change that is basically ready to go.

Updated ddbfc51 -> d312e52 (
Out of curiosity, what is the leveldb approach to handle paths on Windows?
@hebasto I compiled on my Windows 10 machine using instructions here: https://github.com/ryanofsky/bitcoin/blob/pr/u8path/build_msvc/README.md#building Note that bitcoin source files are located in folder Now when I attempt to run
I'm not sure if I have not made an error somewhere but it would be great to know if this is a bug or not (and whose). And if it is, then if it is replicable on other machines.
Why not using the updated build instructions? In the Command Prompt everything works as expected:
I forgot they have changed. Thanks for letting me know. Anyway, I have re-compiled the source code (with merged master) and now it works for me with
ACK 6544ea5
Code review ACK 6544ea5
…functions

Summary:
There is no change in behavior. This just helps prepare for the transition from the `boost::filesystem` to the `std::filesystem` path implementation.

Co-authored-by: Kiminuo <kiminuo@protonmail.com>

This is a backport of [[bitcoin/bitcoin#22937 | core#22937]] [1/2]
bitcoin/bitcoin@b39a477

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10784

Summary:
> There is no change in behavior. This just helps prepare for the
> transition from `boost::filesystem` to `std::filesystem` by avoiding calls
> to methods which will be unsafe after the transition to `std::filesystem`
> due to lack of a `boost::filesystem::path::imbue` equivalent and inability
> to set a predictable locale.
>
> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
> Co-authored-by: Kiminuo <kiminuo@protonmail.com>
> Co-authored-by: MarcoFalke <falke.marco@gmail.com>

This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2a/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This first commit does mainly two things:
- add a couple of necessary methods to `fs::path`: `quoted` and `operator+` to be used in subsequent commits to migrate away from methods that will be unsafe when we will transition from `boost::filesystem` to `std::filesystem`.
- use `fs::ofstream` instead of `std::ostream` because the former defines a constructor for `fs::path`, and pass in `fs::path` directly when constructing `fs::ofstream` instead of a c string. This removes the need to do path to string conversions that depend on the BOOST version.

Depends on D10784, D10781, D10783

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10795

Summary:
This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2b/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This part deals with converting `fs::string()` calls that will become unsafe when migrating from boost::filesystem to std::filesystem.

Depends on D10795

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10796

…s, qt, rpc)

Summary:
This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2c/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This part deals with converting `fs::string()` calls that will become unsafe when migrating from `boost::filesystem` to `std::filesystem`.

Depends on D10796

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10797

…z, wallet/test)

Summary:
This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2d/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This part deals with converting `fs::string()` calls that will become unsafe when migrating from `boost::filesystem` to `std::filesystem`.

Depends on D10797

Test Plan: `ninja all check-all bitcoin-fuzzers`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10798

Summary:
This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2e/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This part deals with converting `fs::string()` calls that will become unsafe when migrating from `boost::filesystem` to `std::filesystem`.

Depends on D10798

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10799

Summary:
This is a partial backport of [[bitcoin/bitcoin#22937 | core#22937]] [2f/2g]
bitcoin/bitcoin@6544ea5

The backport for this commit was split into multiple commits to make review easier. This part deals with converting `fs::string()` calls that will become unsafe when migrating from `boost::filesystem` to `std::filesystem`.

Depends on D10799

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10800

Summary:
This concludes backport of [[bitcoin/bitcoin#22937 | core#22937]] [2g/2g]
bitcoin/bitcoin@6544ea5

This commit disallows passing a `std::string` to `fs::path`, building on previous commits which removed all such calls. This is because the behavior of this constructor on windows will be more complicated and can mangle path strings after the transition from `boost::filesystem` to `std::filesystem` in [[bitcoin/bitcoin#20744 | core#20744]].

Depends on D10800

Test Plan: `ninja all check-all`
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D10801

a43b8e9 build: set OSX_MIN_VERSION to 10.15 (fanquake)

Pull request description:

Taken out of bitcoin#20744, as splitting up some of the build changes was mentioned [here](bitcoin#22937 (comment)).

This is required to use `std::filesystem` on macOS, as support for it only landed in the libc++.dylib shipped with 10.15. So if we want to move to using `std::filesystem` for `23.0`, this bump is required.

See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes

> Clang now supports the C++17 \<filesystem\> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13.

macOS 10.15 was released in October 2019. macOS OS's seem to have a life of about 3 years, so it's possible that 10.14 will become officially unsupported by the end of 2021 and prior to the release of 23.0.

Guix builds:

```bash
bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
```

ACKs for top commit:
hebasto: ACK a43b8e9
jarolrod: ACK a43b8e9

The `fs::path` class has a `std::string` constructor which will implicitly convert from strings. Implicit conversions like this are not great in general because they can hide complexity and inefficiencies in the code, but this case is especially bad, because after the transition from `boost::filesystem` to `std::filesystem` in #20744 the behavior of this constructor on windows will be more complicated and can mangle path strings. The `fs::path` class also has a `.string()` method which is inverse of the constructor and has the same problems.

Fix this by replacing the unsafe method calls with `PathToString` and `PathFromString` function calls, and by forbidding unsafe method calls in the future.
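
A minimal sketch of the approach the description outlines, added here as an illustration and not taken from the PR's code: a wrapper type deletes the two locale-dependent conversions so misuse fails at compile time, and all string conversions go through two explicit functions. The names `fs::path`, `PathToString` and `PathFromString` come from the description; the function bodies, the `std::filesystem` base class, the UTF-8 assumption on Windows and the `RoundTrip` helper are assumptions of this example.

```cpp
#include <filesystem>
#include <string>
#include <type_traits>
#include <utility>

namespace fs {
// Thin wrapper: behaves like std::filesystem::path, minus the two conversions
// whose result depends on the process locale / code page on Windows.
class path : public std::filesystem::path {
public:
    using std::filesystem::path::path;   // literal (const char*) construction stays
    path() = default;
    path(std::filesystem::path p) : std::filesystem::path(std::move(p)) {}
    path(std::string) = delete;           // forbid implicit std::string -> path
    std::string string() const = delete;  // forbid path -> std::string via .string()
};

// Explicit conversions. Assumption of this sketch: a std::string naming a
// path is UTF-8 on Windows and the native byte string everywhere else.
inline path PathFromString(const std::string& s) {
#ifdef _WIN32
    return std::filesystem::u8path(s);    // decode as UTF-8, not the ANSI code page
#else
    return std::filesystem::path(s);      // POSIX paths are raw bytes: no decoding
#endif
}

inline std::string PathToString(const path& p) {
#ifdef _WIN32
    const auto u8 = p.u8string();         // std::u8string from C++20 on: copy the bytes
    return std::string(u8.begin(), u8.end());
#else
    return p.std::filesystem::path::string();  // qualified call reaches the base method
#endif
}
} // namespace fs

// Compile-time proof that the unsafe conversions are rejected.
template <class T, class = void> struct has_string_method : std::false_type {};
template <class T>
struct has_string_method<T, std::void_t<decltype(std::declval<const T&>().string())>> : std::true_type {};
static_assert(!std::is_constructible_v<fs::path, const std::string&>, "std::string ctor is deleted");
static_assert(std::is_constructible_v<fs::path, const char*>, "string literals still work");
static_assert(!has_string_method<fs::path>::value, ".string() is deleted");

// Hypothetical helper: string -> path -> append a literal -> string.
inline std::string RoundTrip(const std::string& dir) {
    return fs::PathToString(fs::PathFromString(dir) / "wallet.dat");
}
```

Because the conversions are deleted rather than merely discouraged, a new call site that passes a `std::string` to `fs::path` or calls `.string()` fails to compile, so path bytes cannot be silently re-encoded on the way to the filesystem.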