ENH: reimplement _move_into_mutable_buffer in C.

Joe Jevnik · Joe Jevnik · commit 7d02f3bae484 · 2016-02-23T03:34:45.000-05:00
By writing our move function in C we can hide the original bytes object
from the user while still ensuring that the lifetime is managed
correctly. This implementation is designed to make it impossible to get
access to the invalid bytes object from pure python.
diff --git a/pandas/io/_move.c b/pandas/io/_move.c
@@ -0,0 +1,274 @@
+#include <Python.h>
+
+#define COMPILING_IN_PY2 (PY_VERSION_HEX <= 0x03000000)
+
+#if !COMPILING_IN_PY2
+/* alias this because it is not aliased in Python 3 */
+#define PyString_CheckExact PyBytes_CheckExact
+#define PyString_AS_STRING PyBytes_AS_STRING
+#define PyString_GET_SIZE PyBytes_GET_SIZE
+#endif  /* !COMPILING_IN_PY2 */
+
+#ifndef Py_TPFLAGS_HAVE_GETCHARBUFFER
+#define Py_TPFLAGS_HAVE_GETCHARBUFFER 0
+#endif
+
+#ifndef Py_TPFLAGS_HAVE_NEWBUFFER
+#define Py_TPFLAGS_HAVE_NEWBUFFER 0
+#endif
+
+PyObject *badmove;  /* bad move exception class */
+
+typedef struct {
+    PyObject_HEAD
+    /* the bytes that own the buffer we are mutating */
+    PyObject *invalid_bytes;
+} stolenbufobject;
+
+PyTypeObject stolenbuf_type;  /* forward declare type */
+
+static void
+stolenbuf_dealloc(stolenbufobject *self)
+{
+    Py_DECREF(self->invalid_bytes);
+    PyObject_Del(self);
+}
+
+static int
+stolenbuf_getbuffer(stolenbufobject *self, Py_buffer *view, int flags)
+{
+    return PyBuffer_FillInfo(view,
+                             (PyObject*) self,
+                             (void*) PyString_AS_STRING(self->invalid_bytes),
+                             PyString_GET_SIZE(self->invalid_bytes),
+                             0,  /* not readonly */
+                             flags);
+}
+
+#if COMPILING_IN_PY2
+
+static Py_ssize_t
+stolenbuf_getreadwritebuf(stolenbufobject *self, Py_ssize_t segment, void **out)
+{
+    if (segment != 0) {
+        PyErr_SetString(PyExc_SystemError,
+                        "accessing non-existent string segment");
+        return -1;
+    }
+    *out = PyString_AS_STRING(self->invalid_bytes);
+    return PyString_GET_SIZE(self->invalid_bytes);
+}
+
+static Py_ssize_t
+stolenbuf_getsegcount(stolenbufobject *self, Py_ssize_t *len)
+{
+    if (len) {
+        *len = PyString_GET_SIZE(self->invalid_bytes);
+    }
+    return 1;
+}
+
+PyBufferProcs stolenbuf_as_buffer = {
+    (readbufferproc) stolenbuf_getreadwritebuf,
+    (writebufferproc) stolenbuf_getreadwritebuf,
+    (segcountproc) stolenbuf_getsegcount,
+    (charbufferproc) stolenbuf_getreadwritebuf,
+    (getbufferproc) stolenbuf_getbuffer,
+};
+
+#else  /* Python 3 */
+
+PyBufferProcs stolenbuf_as_buffer = {
+    (getbufferproc) stolenbuf_getbuffer,
+    NULL,
+};
+
+#endif  /* COMPILING_IN_PY2 */
+
+static PyObject *
+stolenbuf_new(PyObject *self, PyObject *args, PyObject *kwargs)
+{
+    stolenbufobject *ret;
+    PyObject *bytes_rvalue;
+
+    if (kwargs && PyDict_Size(kwargs)) {
+        PyErr_SetString(PyExc_TypeError,
+                        "stolenbuf does not accept keyword arguments");
+        return NULL;
+    }
+
+    if (PyTuple_GET_SIZE(args) != 1) {
+        PyErr_SetString(PyExc_TypeError,
+                        "stolenbuf requires exactly 1 positional argument");
+        return NULL;
+
+    }
+
+    /* pull out the single, positional argument */
+    bytes_rvalue = PyTuple_GET_ITEM(args, 0);
+
+    if (!PyString_CheckExact(bytes_rvalue)) {
+        PyErr_SetString(PyExc_TypeError,
+                        "stolenbuf can only steal from bytes objects");
+        return NULL;
+    }
+
+    if (Py_REFCNT(bytes_rvalue) != 1) {
+        /* there is a reference other than the caller's stack */
+        PyErr_SetObject(badmove, bytes_rvalue);
+        return NULL;
+    }
+
+    if (!(ret = PyObject_New(stolenbufobject, &stolenbuf_type))) {
+        return NULL;
+    }
+
+    /* store the original bytes object in a field that is not
+       exposed to python */
+    Py_INCREF(bytes_rvalue);
+    ret->invalid_bytes = bytes_rvalue;
+    return (PyObject*) ret;
+}
+
+PyDoc_STRVAR(
+    stolenbuf_doc,
+    "Moves a bytes object that is about to be destroyed into a mutable buffer\n"
+    "without copying the data.\n"
+    "\n"
+    "Parameters\n"
+    "----------\n"
+    "bytes_rvalue : bytes with 1 refcount.\n"
+    "    The bytes object that you want to move into a mutable buffer. This\n"
+    "    cannot be a named object. It must only have a single reference.\n"
+    "\n"
+    "Returns\n"
+    "-------\n"
+    "buf : stolenbuf\n"
+    "    An object that supports the buffer protocol which can give a mutable\n"
+    "    view of the data that was previously owned by ``bytes_rvalue``.\n"
+    "\n"
+    "Raises\n"
+    "------\n"
+    "BadMove\n"
+    "    Raised when a move is attempted on an object with more than one\n"
+    "    reference.\n"
+    "\n"
+    "Notes\n"
+    "-----\n"
+    "If you want to use this function you are probably wrong.\n");
+
+PyTypeObject stolenbuf_type = {
+    PyVarObject_HEAD_INIT(&PyType_Type, 0)
+    "pandas.io._move.stolenbuf",                /* tp_name */
+    sizeof(stolenbufobject),                    /* tp_basicsize */
+    0,                                          /* tp_itemsize */
+    (destructor) stolenbuf_dealloc,             /* tp_dealloc */
+    0,                                          /* tp_print */
+    0,                                          /* tp_getattr */
+    0,                                          /* tp_setattr */
+    0,                                          /* tp_reserved */
+    0,                                          /* tp_repr */
+    0,                                          /* tp_as_number */
+    0,                                          /* tp_as_sequence */
+    0,                                          /* tp_as_mapping */
+    0,                                          /* tp_hash */
+    0,                                          /* tp_call */
+    0,                                          /* tp_str */
+    0,                                          /* tp_getattro */
+    0,                                          /* tp_setattro */
+    &stolenbuf_as_buffer,                       /* tp_as_buffer */
+    Py_TPFLAGS_DEFAULT |
+    Py_TPFLAGS_HAVE_NEWBUFFER |
+    Py_TPFLAGS_HAVE_GETCHARBUFFER,              /* tp_flags */
+    stolenbuf_doc,                              /* tp_doc */
+    0,                                          /* tp_traverse */
+    0,                                          /* tp_clear */
+    0,                                          /* tp_richcompare */
+    0,                                          /* tp_weaklistoffset */
+    0,                                          /* tp_iter */
+    0,                                          /* tp_iternext */
+    0,                                          /* tp_methods */
+    0,                                          /* tp_members */
+    0,                                          /* tp_getset */
+    0,                                          /* tp_base */
+    0,                                          /* tp_dict */
+    0,                                          /* tp_descr_get */
+    0,                                          /* tp_descr_set */
+    0,                                          /* tp_dictoffset */
+    0,                                          /* tp_init */
+    0,                                          /* tp_alloc */
+    (newfunc) stolenbuf_new,                    /* tp_new */
+};
+
+#define MODULE_NAME "pandas.io._move"
+
+#if !COMPILING_IN_PY2
+PyModuleDef _move_module = {
+    PyModuleDef_HEAD_INIT,
+    MODULE_NAME,
+    NULL,
+    -1,
+};
+#endif  /* !COMPILING_IN_PY2 */
+
+PyDoc_STRVAR(
+    badmove_doc,
+    "Exception used to indicate that a move was attempted on a value with\n"
+    "more than a single reference.\n"
+    "\n"
+    "Parameters\n"
+    "----------\n"
+    "data : any\n"
+    "    The data which was passed to ``_move_into_mutable_buffer``.\n"
+    "\n"
+    "See Also\n"
+    "--------\n"
+    "pandas.io._move.stolenbuf\n");
+
+PyMODINIT_FUNC
+#if !COMPILING_IN_PY2
+#define ERROR_RETURN NULL
+PyInit__move(void)
+#else
+#define ERROR_RETURN
+init_move(void)
+#endif  /* !COMPILING_IN_PY2 */
+{
+    PyObject *m;
+
+    if (!(badmove = PyErr_NewExceptionWithDoc("pandas.io._move.BadMove",
+                                              badmove_doc,
+                                              NULL,
+                                              NULL))) {
+        return ERROR_RETURN;
+    }
+
+    if (PyType_Ready(&stolenbuf_type)) {
+        return ERROR_RETURN;
+    }
+
+#if !COMPILING_IN_PY2
+    if (!(m = PyModule_Create(&_move_module)))
+#else
+    if (!(m = Py_InitModule(MODULE_NAME, NULL)))
+#endif  /* !COMPILING_IN_PY2 */
+    {
+        return ERROR_RETURN;
+    }
+
+    if (PyModule_AddObject(m,
+                           "move_into_mutable_buffer",
+                           (PyObject*) &stolenbuf_type)) {
+        Py_DECREF(m);
+        return ERROR_RETURN;
+    }
+
+    if (PyModule_AddObject(m, "BadMove", badmove)) {
+        Py_DECREF(m);
+        return ERROR_RETURN;
+    }
+
+#if !COMPILING_IN_PY2
+    return m;
+#endif  /* !COMPILING_IN_PY2 */
+}
diff --git a/pandas/io/packers.py b/pandas/io/packers.py
@@ -41,7 +41,6 @@
 from datetime import datetime, date, timedelta
 from dateutil.parser import parse
 import os
-import sys
 import warnings
 
 import numpy as np
@@ -64,6 +63,10 @@
 import pandas.core.internals as internals
 
 from pandas.msgpack import Unpacker as _Unpacker, Packer as _Packer, ExtType
+from ._move import (
+    BadMove as _BadMove,
+    move_into_mutable_buffer as _move_into_mutable_buffer,
+)
 
 # until we can pass this into our conversion functions,
 # this is pretty hacky
@@ -246,77 +249,6 @@ def convert(values):
     return ExtType(0, v.tostring())
 
 
-class _BadMove(ValueError):
-    """Exception used to indicate that a move was attempted on a value with
-    more than a single reference.
-
-    Parameters
-    ----------
-    data : any
-        The data which was passed to ``_move_into_mutable_buffer``.
-
-    See Also
-    --------
-    _move_into_mutable_buffer
-    """
-    def __init__(self, data):
-        self.data = data
-
-    def __str__(self):
-        return 'cannot move data from a named object'
-
-
-def _move_into_mutable_buffer(bytes_rvalue):
-    """Moves a bytes object that is about to be destroyed into a mutable buffer
-    without copying the data.
-
-    Parameters
-    ----------
-    bytes_rvalue : bytes with 1 refcount.
-        The bytes object that you want to move into a mutable buffer. This
-        cannot be a named object. It must only have a single reference.
-
-    Returns
-    -------
-    buf : memoryview
-        A mutable buffer that was previously used as that data for
-        ``bytes_rvalue``.
-
-    Raises
-    ------
-    _BadMove
-        Raised when a move is attempted on an object with more than one
-        reference.
-
-    Notes
-    -----
-    If you want to use this function you are probably wrong.
-    """
-    if sys.getrefcount(bytes_rvalue) != 3:
-        # The three references are:
-        # 1. The callers stack (this is the only external reference)
-        # 2. The locals for this function
-        # 3. This function's stack (to pass to `sys.getrefcount`)
-        raise _BadMove(bytes_rvalue)
-
-    # create a numpy array from the memory of `bytes_rvalue`
-    arr = np.frombuffer(bytes_rvalue, dtype=np.int8)
-    try:
-        # mark this array as mutable
-        arr.flags.writeable = True
-        # At this point any mutations to `arr` will invalidate `bytes_rvalue`.
-        # This would be fine but `np.frombuffer` is going to store this object
-        # on `arr.base`. In order to preserve user's sanity we are going to
-        # destroy `arr` to drop the final reference to `bytes_rvalue` and just
-        # return a `memoryview` of the now mutable data. This dance is very
-        # fast and makes it impossible for users to shoot themselves in the
-        # foot.
-        return memoryview(arr)
-    finally:
-        # assure that our mutable view is destroyed even if we raise
-        del arr
-
-
 def unconvert(values, dtype, compress=None):
 
     as_is_ext = isinstance(values, ExtType) and values.code == 0
@@ -350,7 +282,7 @@ def unconvert(values, dtype, compress=None):
             # We don't just store this in the locals because we want to
             # minimize the risk of giving users access to a `bytes` object
             # whose data is also given to a mutable buffer.
-            values = e.data
+            values = e.args[0]
             if len(values) > 1:
                 # The empty string and single characters are memoized in many
                 # string creating functions in the capi. This case should not
diff --git a/setup.py b/setup.py
@@ -510,6 +510,13 @@ def pxd(name):
 
 extensions.append(ujson_ext)
 
+# extension for pseudo-safely moving bytes into mutable buffers
+_move_ext = Extension('pandas.io._move',
+                      depends=[],
+                      sources=['pandas/io/_move.c'])
+extensions.append(_move_ext)
+
+
 
 if _have_setuptools:
     setuptools_kwargs["test_suite"] = "nose.collector"
