bpo-28180: Implementation for PEP 538

[ncoghlan]

Reference implementation for PEP 538, which is in turn a partial fix for bpo-28180.

This updates the CPython CLI to attempt to set LC_CTYPE to a suitable UTF-8
based locale before loading the runtime when it detects that it is running in
the C locale.

It also updates the CPython runtime to emit a compatibility warning on stderr
when running in the C locale.

Remaining work:

• Fix the Windows compatibility issue reported by Appveyor
• What's New entry
• Add a note in the What's New entry regarding the current locale coercion warning that indicates we're actively seeking feedback on it during the 3.7 pre-release cycle. Our experience with the Fedora 26 backport so far has been that the warning is useful in spotting places where we should probably change the configured locale to C.UTF-8 (e.g. in RPM build environments), but I'm still starting to wonder if it might be better for us to disable it before the F26 final release.
• NEWS entry

[methane]

This may break old Python 2 in subprocess.

$ cat t.py
# encoding: utf-8
print(u"こんにちは")

$ /usr/bin/python2.6 t.py
こんにちは

$ export PYTHONIOENCODING=utf-8:surrogateescape
$ /usr/bin/python2.6 t.py
TypeError: an integer is required

[methane]

I'm sorry, my environment was wrong.
I accidently test above in Lib/ directory in cpython's checkout.

[ncoghlan]

It still raises a good question though, as that setting does affect Python 2 differently from the way it affects Python 3 - it changes the implicit encoding step on stdout, but stdin still relies on passing the raw bytes through without interpretation:

$ LANG=C python2
Python 2.7.13 (default, Jan 12 2017, 17:59:37) 
[GCC 6.3.1 20161221 (Red Hat 6.3.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> print(u"こんにちは")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-14: ordinal not in range(128)
>>> print("こんにちは")
こんにちは
>>> 
$ PYTHONIOENCODING=utf-8:surrogateescape LANG=C python2
Python 2.7.13 (default, Jan 12 2017, 17:59:37) 
[GCC 6.3.1 20161221 (Red Hat 6.3.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> print(u"こんにちは")
こんにちは
>>> print("こんにちは")
こんにちは
>>> 

It's also a potential problem that 'surrogateescape' doesn't exist in Python 2, so it may be better to just use Py_SetStandardStreamEncoding in PEP 538, and leave enabling surrogateescape in subprocesses as well to PEP 540 (via PYTHONUTF8=1 in the parent environment).

It also turns out that LANG=C python2 is an easy way to demonstrate that GNU readline just plain doesn't handle UTF-8 properly in the C locale - attempting to edit the print(u"こんにちは") line at the interactive prompt to remove the u prefix or add it back results in nonsense:

>>> print(u"こんにちは")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-14: ordinal not in range(128)
>>> print(�こんにちは")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-13: ordinal not in range(128)
>>> print("こんにちは")
こんにちは
>>> print(u��にちは") ")
こ�u��にちは

[warsaw]

Leaving out for the moment whether this is a good idea or not (we'll use the PEP process for that), I have some questions about the code.

[warsaw]

Am I reading this right? It seems odd that setting PYTHONCOERCECLOCALE would disable coercing the legacy locale. The sense is exactly opposite of what I'd expect.

Should the envar be named PYTHONNOCOERCECLOCALE?

Also, what if the environment variable is set to "0"? Given the above description, that should still skip coercion.

[ncoghlan]

Oops, that's a holdover from when the setting was PYTHONALLOWCLOCALE - presumably I changed the title of the section, but then got distracted by something else before updating the body.

[ncoghlan]

Fixed in 1c3a270

[warsaw]

Does the value of the envar matter or not? It just needs to be any string value, right?

[ncoghlan]

Docs bug - the warning matches the behaviour, the docs don't.

[ncoghlan]

Docs fixed in 1c3a270

[warsaw]

Does the order matter? If not, what about using for env_var in base_var_dict:?

[ncoghlan]

Done in d12b412

[warsaw]

And here...

[ncoghlan]

Done in d12b412

[warsaw]

Doesn't this contradict the documentation at the top of this PR?

[ncoghlan]

Docs fixed in 1c3a270

[warsaw]

What about using self.addCleanup(os.chdir, self.oldcwd) in the setUp() instead and getting rid of the tearDown()?

[ncoghlan]

Good point - I stole the basic structure from test_capi (simplified a bit since this doesn't need to run on Windows), so it's missing some modern niceties. With addCleanup, we wouldn't even need self.oldcwd as a record, we can just add the cleanup operation before changing the directory:

self.addCleanup(os.chdir, os.getcwd())
os.chdir(basepath)

[ncoghlan]

Done in d12b412

[warsaw]

Does it make any sense to run this without universal_newlines also? Since the locale changes should only affect text mode, that additional test would just ensure that nothing's changed when running subprocesses in bytes mode.

[ncoghlan]

For this particular test, I don't think so, as it's just checking that the runtime warning gets emitted when we bypass the locale coercion in the standard Python CLI, rather than doing anything with the standard streams.

However, it does make sense for test_locale_coercion itself (which I should rename to test_c_locale_coercion): that should check the behaviour when the Python subprocess is run with the -u option for unbuffered binary streams.

[ncoghlan]

So it turns out that even -u doesn't change anything of interest to this PEP any more, and there's just an error in the --help docs that makes it sound like it still does: http://bugs.python.org/issue28647

[ncoghlan]

However, now that the PEP potentially also affects the way the standard streams are configured, I expanded on the test cases to also cover that: 4e6d502

[warsaw]

There's been some discussion about the "legacy C locale" nomenclature. What about "bare C locale"?

[ncoghlan]

Even glibc devs consider 7-bit ASCII a legacy encoding at this point, it's just an enormous ecosystem to try to migrate to a new default way of doing things.

My view would likely be different if we were planning to invest time and energy in getting Python 3 to "work properly" in the C locale, but the underlying assumptions are sufficiently incompatible that it isn't even clear what "working properly" would even mean. (PEP 540 gets closer than the status quo, but it's definition of "working properly" is "ignoring the declared locale encoding as almost certainly being wrong")

[warsaw]

This seems to come up in every project I work on. Do we use UK or US spelling? :)

I think in Python we use US spellings.

[ncoghlan]

Yeah, I'll typically use my native spellings when writing PEPs and email, but anything in the actual code or docs should be using the US spelling.

[ncoghlan]

Fixed in ccfc83f

[warsaw]

You do this same check in two places. Would it make sense to refactor that into a call or macro so there's no chance in getting out of sync? (See my question at the top of the PR.)

[ncoghlan]

An alternative would be to check a C global here, rather than checking the environment variable directly, and have a _Py_DisableCLocaleWarning() helper that the CLI calls when PYTHONCOERCECLOCALE=0 is set.

[ncoghlan]

The downside of that approach would be that it means embedding applications can't use PYTHONCOERCECLOCALE=0 to silence the warning without changing the configured locale, and I don't want to define a new public embedding configuration API just to avoid checking the environment variable twice.

So I'll unconditionally export a private helper function from pylifecycle.c (so the ABI doesn't depend on the configure flag setting), and re-use that from the CLI implementation.

[ncoghlan]

@zooba @brettcannon Would one of you have some time to look at the Windows failure here? I suspect what's happened is that I've changed some code that I thought was *nix specific, and it needs a preprocessor guard to get it to retain the old behaviour on Windows.

[methane]

These LC_ALL should be updated.

[zooba]

@ncoghlan Is there some state involved in checking/configuring the locale override that must be run before Py_Initialize? On Windows, main.c is exactly one line long and you haven't updated it to call the new functions, so it may be related to that. I don't see any changes to common code that could be a problem, but maybe I missed it.

As an aside, I'm somewhat uncomfortable about the "let's ignore -E -S" parts, but if you're sure it's not going to enable loading arbitrary code (via an encoding) then I won't push back too hard.

[ncoghlan]

@zooba This is the bit that I suspect may be unintentionally changing the interpreter startup behaviour on Windows and thus causing the Appveyor test failures: there's currently nothing restricting this particular code path to only run on non-Windows systems, so I suspect it may be triggering and activating surrogateescape by default on the Windows standard streams, even though Windows uses its own code page system, rather than the POSIX locale system. If I'm right, then the entire body of this function should be inside some kind of #ifdef, such that the Windows case degenerates to return NULL;

[zooba]

Possibly. The only thing that is available for coercion on Windows is locale.getpreferredencoding(), and there are no results from setlocale() that you can reasonably interpret as "wrong".

When/if the "force UTF-8" option comes along, that should apply to Windows, but I don't think we need to determine the error handler here at all for Windows.

[ncoghlan]

Comparing this to the old code (as a result of the test_sys failure), it seems we were setting surrogateescape by default in the C locale, even on Windows. So I've had a second go at fixing this by keeping that, and only skipping the new checks for the coercion target locales.

[ncoghlan]

It turned out this wasn't the problem, but rather the earlier call to setlocale(LC_CTYPE, ""), where I had removed a HAVE_SETLOCALE guard as being redundant in 2017. It turns out that even though Windows does have setlocale available:

1. Passing an empty string doesn't work the same way it does in glibc (presumably it syncs the active C locale with the active Windows code page rather than looking at environment variables)
2. The Windows builds don't define HAVE_SETLOCALE, so that guard was previously serving as a cryptic #ifndef MS_WINDOWS check

So rather than restoring the original guard, I replaced it with an explicit #ifndef MS_WINDOWS check instead.

[ncoghlan]

Per @zooba: I need to explain the (lack of) security implications here, since:

• the envvar can only be used to turn off locale coercion, it doesn't do anything else (i.e. it's a boolean toggle, not input data)
• if an attacker is in a position to corrupt the behaviour of the ascii encoding, they're likely to be able to attack the utf-8 encoding just as effectively

[zooba]

👍

[ncoghlan]

Huzzah, finally sorted out all the subtle inconsistencies with the behaviour on Windows :)

@methane, @zooba, @warsaw Do any of you want to take a further look at the code changes while I finish up with the What's New entry and adding some caveats around the current locale coercion warning?

[ncoghlan]

The What's New entry has been added, so I consider this PR to be feature complete now - to reduce the chance of conflicts, I won't add the NEWS entry until we're just about to merge it.

[ncoghlan]

AppVeyor seems to be MIA, but the last Windows run passed, and I've only made docs and metadata changes since then, so I'll be going ahead with the merge and marking the PEP as Final once the Travis run completes.

[ronaldoussoren]

This appears to be an unrelated change.

[ncoghlan]

You're right that it's technically unrelated now, but an earlier iteration of the patch failed in debug mode without it - that iteration was using Py_SetStandardStreamEncoding, and when you do that, you allocate some memory that gets freed during interpreter startup after the default allocator has been configured. Without this change, that free attempt failed in debug mode due to the allocator mismatch.

So these guards mean that the "safe to call before Py_Initialize" APIs actually are safe to call from the CLI entry point.