
⚠️ PyO3 0.23.0, 0.23.1, 0.23.2 have soundness bug in compile configuration #4757

Closed
davidhewitt opened this issue Dec 3, 2024 · 6 comments

Comments

@davidhewitt
Member

davidhewitt commented Dec 3, 2024

I've seen recent segmentation faults from builds shipped in watchfiles and jiter, as well as unexpected errors in pydantic-core's test suite.

My current hypothesis is that the root cause is #4497, which mistakenly changed reading of PYO3_CONFIG_FILE env var such that we don't emit cargo:rerun-if-changed block for it.

As such, wheels built in bulk for many interpreters with maturin are not rebuilt properly and all contain code cfg-d for the first interpreter built for.

I will continue to verify that this is the cause, and work on a patch ASAP.

I think we will need to yank 0.23.0 through 0.23.2 and file a security advisory, as wheels built with these versions are likely highly unstable and will fail in unpredictable ways.
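The mechanism described above, as an added example that is not PyO3's own build script: a build.rs must tell cargo that its output depends on the PYO3_CONFIG_FILE environment variable (and on the file it points to), otherwise cargo reuses the cached build-script output from the first interpreter for every later build in the same target directory. The block emits the directives a corrected build script would print, then runs a small model of cargo's rerun decision over two constructed interpreter builds to show the stale result with no directive and the rebuild with it. The config file paths and contents are constructed sample values.

```rust
// Added example (not PyO3's own code): declaring PYO3_CONFIG_FILE as a build
// input, plus a small simulation of cargo's rerun decision that shows why
// omitting the directive leaves the first interpreter's cfg in later wheels.

use std::collections::BTreeMap;
use std::env;

/// Directives a build script prints to stdout so cargo reruns it when the
/// env var or the referenced file changes. With no rerun-if-* directive at
/// all, cargo only reruns the script when the package's own sources change.
pub fn rerun_directives(config_file: Option<&str>) -> Vec<String> {
    let mut lines = vec!["cargo:rerun-if-env-changed=PYO3_CONFIG_FILE".to_string()];
    if let Some(path) = config_file {
        // Track the file too: the variable can keep the same value while the
        // file is rewritten for the next interpreter.
        lines.push(format!("cargo:rerun-if-changed={path}"));
    }
    lines
}

/// What a build.rs `main` would do: read the variable and print the lines.
pub fn emit_directives() {
    let cfg = env::var("PYO3_CONFIG_FILE").ok();
    for line in rerun_directives(cfg.as_deref()) {
        println!("{line}");
    }
}

/// Inputs of one build as cargo records them: environment seen by the
/// script and contents of the files it declared.
#[derive(Clone, Debug, Default)]
pub struct BuildInputs {
    pub env: BTreeMap<String, String>,
    pub files: BTreeMap<String, String>,
}

/// Model of cargo's decision, using the directives recorded from the
/// previous run: rerun if any declared env var or file differs; with no
/// directives, rerun only when package sources changed.
pub fn build_script_reruns(
    recorded: &[String],
    prev: &BuildInputs,
    next: &BuildInputs,
    sources_changed: bool,
) -> bool {
    if recorded.is_empty() {
        return sources_changed;
    }
    recorded.iter().any(|d| {
        if let Some(var) = d.strip_prefix("cargo:rerun-if-env-changed=") {
            prev.env.get(var) != next.env.get(var)
        } else if let Some(path) = d.strip_prefix("cargo:rerun-if-changed=") {
            prev.files.get(path) != next.files.get(path)
        } else {
            false
        }
    })
}

/// The scenario from the issue: two interpreters built back to back in one
/// target dir, package sources untouched. Returns (reruns without directive,
/// reruns with directive). Paths and contents are constructed sample values.
pub fn stale_config_demo() -> (bool, bool) {
    let first_cfg = "/tmp/pyo3-build-config-3.8.txt";
    let second_cfg = "/tmp/pyo3-build-config-3.9.txt";

    let mut first = BuildInputs::default();
    first.env.insert("PYO3_CONFIG_FILE".into(), first_cfg.into());
    first.files.insert(first_cfg.into(), "version=3.8\n".into());

    let mut second = BuildInputs::default();
    second.env.insert("PYO3_CONFIG_FILE".into(), second_cfg.into());
    second.files.insert(second_cfg.into(), "version=3.9\n".into());

    // Missing directive: cargo sees no declared dependency and keeps the
    // cached 3.8 output for the 3.9 build.
    let without = build_script_reruns(&[], &first, &second, false);
    // Directives recorded by the first build: the env var differs, so the
    // script reruns and regenerates the config for 3.9.
    let with = build_script_reruns(&rerun_directives(Some(first_cfg)), &first, &second, false);
    (without, with)
}

fn main() {
    let (without, with) = stale_config_demo();
    println!("rerun without directive: {without}; rerun with directive: {with}");
}
```

The model is deliberately narrow: it only implements the two directive kinds the issue is about and the no-directive default, which is enough to see that a single missing line turns a per-interpreter build into a cached one.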

@davidhewitt
Member Author

fat finger submit, details incoming...

@alexdotgov2

This "only" impacts the situation where you're doing multiple builds in the same dir (or caching it), is that right?

@ngoldbaum
Contributor

ngoldbaum commented Dec 3, 2024

I don't think this is the root cause of issues in 0.23, but anyone who tries to set up free-threaded wheels may run into Quansight-Labs/setup-python#5 on Windows, which also affects CI environments setting up multiple python versions simultaneously. Just sharing here since others might be experimenting with building free-threaded wheels using Maturin.

@davidhewitt
Member Author

> This "only" impacts the situation where you're doing multiple builds in the same dir (or caching it), is that right?

Yes, typically this would be due to using maturin build -i 3.8 3.9 3.10 3.11 etc. Projects like cryptography are likely unaffected because they're only building the one abi3 wheel.

@ddelange

ddelange commented Dec 4, 2024

can this issue be closed now that 0.23.3 is live on crates.io ref #4745 (comment)?

@davidhewitt
Member Author

Yes, GitHub release now pushed and advisory PR up. I'll yank the affected versions and close this. rustsec/advisory-db#2159

Julian added a commit to crate-py/rpds that referenced this issue Dec 4, 2024
Previous builds were corrupt when done with multiple interpreters at the
same time (meaning while sharing cross-build state).

This resolves segfaults seen with the latest rpds.py release, which we
will yank, following PyO3 itself (which is yanking these versions).

We should also generally reconsider doing these builds separately (using
separate jobs for each interpreter).

Closes: #112
Refs: PyO3/pyo3#4757
Refs: rustsec/advisory-db#2159
vagenas added a commit to DS4SD/docling-core that referenced this issue Dec 5, 2024
Toddelismyname added a commit to precice-forschungsprojekt/PreCICE-Genesis that referenced this issue Feb 1, 2025
WARNING: The candidate selected for download or install is a yanked version: 'rpds-py' candidate (version 0.22.1 at https://files.pythonhosted.org/packages/35/39/bca2385071b5d72b4f2200ce2bff975b83d9d1e8c5746d4d5e021c2dfcd1/rpds_py-0.22.1-cp310-cp310-win_amd64.whl (from https://pypi.org/simple/rpds-py/) (requires-python:>=3.9))
Reason for being yanked: PyO3/pyo3#4757
VanLaareN pushed a commit to precice-forschungsprojekt/PreCICE-Genesis that referenced this issue Feb 3, 2025
* Update pyproject.toml

* Make pyproject install work
Following commands were run:
python -m venv temp_test_env
temp_test_env\Scripts\activate
python -m pip install --upgrade pip
pip install build
pip install -e .
precice-structure-generator --help

* Don't use where, instead specify directly

* Fix warning being shown:
WARNING: The candidate selected for download or install is a yanked version: 'rpds-py' candidate (version 0.22.1 at https://files.pythonhosted.org/packages/35/39/bca2385071b5d72b4f2200ce2bff975b83d9d1e8c5746d4d5e021c2dfcd1/rpds_py-0.22.1-cp310-cp310-win_amd64.whl (from https://pypi.org/simple/rpds-py/) (requires-python:>=3.9))
Reason for being yanked: PyO3/pyo3#4757

* Remove requirements as we can use pyproject now

* Adjust install scripts to use pyproject.toml and no more submodule

* create venv in project root

* Adjust README

* add authors to pyproject.toml

* fix github workflow failing

* fix authors nuking setup

* fix authors nuking setup

* Remove authors for now as it fails the test

* use python 3.10 instead of 3.9

* Try adding authors again

* Revert "Try adding authors again"

This reverts commit 33a2403.

* Add author inside project

* Fix test failing because of missing email

* Fix using old name for cli

* Fix cd .. going out of repo

* Use new name in readme cli call too