New submission from Gregory P. Smith <g...@krypto.org>:

A long-standing wart in Python is that once a module is loaded, when rendering 
a traceback and including source lines, we do not verify if the source file 
we're loading is the same as the one representing the code we are running.

It could have been replaced, as is normal during software upgrades.

If our code was loaded from .py source, we should be recording the 
timestamp/size||hash of the source file and referencing that from each code 
object.  If our code was loaded from a .pyc source, the .pyc already contains a 
timestamp/size||hash for the corresponding .py source file that could be 
referenced.

When traceback.StackSummary and FrameSummary use the linecache module, we 
should plumb this source metainfo in from the relevant code object.

A traceback being rendered with potentially modified source code could choose 
to omit the source lines, or at least annotate them with a "  ## this source 
{timestamp/size||hash} does not match the running code {timestamp/size||hash}." 
marker so that anyone seeing the traceback knows the displayed line may not be 
trustworthy.  (If the pyc was written using the "unchecked-hash" mode, no 
source/pyc synchronization check should be made.)

The inspect module also needs the ability to indicate this to the caller.

----------
components: Library (Lib)
messages: 393328
nosy: gregory.p.smith
priority: normal
severity: normal
stage: needs patch
status: open
title: traceback & inspect modules should verify that the .py source file 
matches the one that the running process is using
type: enhancement
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44091>
_______________________________________
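
The check described in the message, for the .pyc case only, as an added example that is not part of the original report and is not CPython code: it reads the source metadata recorded in a .pyc header and compares it with the .py file currently on disk. The names `source_matches_pyc` and `demo` are hypothetical, the header layout assumed is the 16-byte one from PEP 552, and the sample module is constructed.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile


def source_matches_pyc(py_path, pyc_path):
    """Return (verdict, detail). verdict: True, False, or None (no check made)."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)  # magic(4) | flags(4) | mtime+size or hash (8)
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("not a .pyc written by this interpreter version")
    flags = struct.unpack("<I", header[4:8])[0]
    if flags & 0b01:  # hash-based pyc
        if not flags & 0b10:  # check_source bit clear: "unchecked-hash" mode
            return None, "unchecked-hash pyc, no comparison made"
        with open(py_path, "rb") as f:
            current = importlib.util.source_hash(f.read())
        recorded = header[8:16]
        return recorded == current, f"hash {recorded.hex()} vs {current.hex()}"
    recorded = struct.unpack("<II", header[8:16])  # (mtime, size), 32-bit each
    st = os.stat(py_path)
    current = (int(st.st_mtime) & 0xFFFFFFFF, st.st_size & 0xFFFFFFFF)
    return recorded == current, f"mtime/size {recorded} vs {current}"


def demo():
    """Constructed scenario: compile a module, then replace its source on disk."""
    results = {}
    modes = py_compile.PycInvalidationMode
    with tempfile.TemporaryDirectory() as d:
        py = os.path.join(d, "mod.py")
        for mode in (modes.TIMESTAMP, modes.CHECKED_HASH, modes.UNCHECKED_HASH):
            with open(py, "w") as f:
                f.write("def f():\n    return 1\n")
            pyc = py_compile.compile(py, cfile=os.path.join(d, mode.name + ".pyc"),
                                     invalidation_mode=mode, doraise=True)
            before = source_matches_pyc(py, pyc)[0]
            with open(py, "w") as f:  # the "software upgrade": new source, same path
                f.write("def f():\n    raise RuntimeError('new release')\n")
            results[mode.name] = (before, source_matches_pyc(py, pyc)[0])
    return results


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name}: before upgrade={before}, after upgrade={after}")
```

A `False` verdict is the condition under which a traceback renderer would omit or annotate the source line; `None` corresponds to the unchecked-hash case, where no synchronization check is made.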