bpo-34454: Fix issue with non-UTF8 separator strings

[pganssle]

It is possible to pass a non-UTF-8 string as a separator in datetime.isoformat, but the current implementation starts by decoding to UTF-8, which will fail even for some valid strings.

In the special case of non-UTF-8 separators, we replace the separator character with T before encoding as UTF-8, so that encoding errors only occur on invalid ISO 8601 strings, and are handled as a standard ValueError (as would occur in the pure Python version).

bpo-34454: Implementation of the fix without significant performance problems.

https://bugs.python.org/issue34454

[pganssle]

@taleinat If you want you want to use this feel free to rebase against my branch. This PR is mainly because as part of figuring out how to make your PR fast, I actually re-wrote your PR, so it seemed easier to just push my changes.

[pganssle]

I've merged in the tests and NEWS from #8859, but I now think this PR should be merged instead of that one.

Comparing performance (using the script from this comment) of this PR (updated after sanitize_isoformat_str refactor):

datetime constructor:                1192.5ns
fromisoformat:                       561.3ns
fromisoformat (special characters):  599.7ns
fromisoformat (non-utf8):            1289.5ns
fromisoformat (fail, non-utf8):      3501.5ns
fromisoformat (fail, utf8):          1738.7ns

Compared with #8859:

datetime constructor:                1165.1ns
fromisoformat:                       520.7ns
fromisoformat (special characters):  1153.1ns
fromisoformat (non-utf8):            1165.8ns
fromisoformat (fail, non-utf8):      2815.5ns
fromisoformat (fail, utf8):          1648.3ns

It's much faster in at least one common(ish) case (utf-8) and essentially the same performance in all other cases. IMO, this one also is more readable, since it's essentially equivalent to:

def new_isoformat(dtstr):
    if len(dtstr) > 10 and is_surrogate(dtstr[10]):
        dtstr = "%sT%s" % (dtstr[0:10], dtstr[11:])
    return old_isoformat_minus_segfaults(dtstr)

It does not require the more complicated fast-path/slow-path branching in #8859 and proliferation of intermediate PyObjects (and associated refcounts) is kept to an absolute minimum.

[pganssle]

CC @abalkin @serhiy-storchaka

[taleinat]

Looks good, just a few small details to amend.

[taleinat]

This should be len < 11 or len < 10.

[taleinat]

We should mention @izbyshev in this NEWS entry.

[taleinat]

IMO needs_decref should be an int, not unsigned char.

[pganssle]

Makes no difference to me. Ideally it would be bool but I guess that's not a thing in C?

[taleinat]

Using PyUnicode_GET_LENGTH requires having called PyUnicode_READY before. In this case (and below), just use PyUnicode_GetLength().

[taleinat]

Are you sure that only surrogates can cause failure to encode as UTF-8?

[taleinat]

"finally" can be confusing since this doesn't happen upon success. I would just use "error".

[bedevere-bot]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[taleinat]

This should be len < 11 or len <= 10.

[pganssle]

Fixed.

[pganssle]

I believe all the changes are fixed. Thanks for the review @taleinat

[izbyshev]

I haven't checked it, but creating a copy of dtstr (with PyUnicode_New/ PyUnicode_CopyCharacters or similar) and using PyUnicode_WriteChar to replace the separator might be both faster and simpler than splitting the string and then joining it again.

[pganssle]

OK, refactored. You are right, it is both simpler and faster.

[izbyshev]

Great, thanks!

[taleinat]

The PyUnicode_GetLength() here is now unnecessary.

[taleinat]

@pganssle, for your consideration: If you also do the UTF-8 encoding in _sanitize_isoformat_str (renamed appropriately) and return a const char * and length, you can avoid the conditional Py_DECREF() in the fast-path at the end of datetime_fromisoformat().

[izbyshev]

dtstr should be checked for NULL.

[pganssle]

Good catch, C programming is hard. :(

Fixed now.

[pganssle]

@taleinat I'm not entirely sure, but I think that wouldn't work; when the RC of the temporary dtstr reaches 0 it would be deleted, and I think that the temporary dtstr is managing the memory for dt_ptr. If that's not how it works, I'm not sure what would be managing that memory, since I'm not allocating any memory for it, or freeing it later.

[taleinat]

@pganssle, you're right, I hadn't considered that. Better to leave it as it is then.

Just remove the PyUnicode_GetLength() call and it should be ready to go in.

Also, you're welcome to add yourself to the NEWS section, i.e. "Patch by Paul Ganssle".

[pganssle]

@taleinat Fixed the duplicate PyUnicode_GetLength and the missing NULL check. I don't really need to be mentioned in the NEWS, plus I think it would be complicated to properly assign credit for this patch, as it was a collaborative effort between me, you and @izbyshev.

[taleinat]

@pganssle, looks good!

I'm a core dev and will merge this so my name will be on it anyways.

[miss-islington]

Thanks @pganssle for the PR, and @taleinat for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

[bedevere-bot]

GH-8877 is a backport of this pull request to the 3.7 branch.

[serhiy-storchaka]

{ should be on new line.

[serhiy-storchaka]

PyUnicode_GetLength() can set an exception and return -1.

[pganssle]

Hm, good call. For some reason I had the impression that Py_ssize_t was an unsigned integer.

[serhiy-storchaka]

_PyUnicode_Copy() could be used.

But I'm not sure that arbitrary character (including lone surrogates) should be accepted as a date-time separator. For example 2018-08-24016:10:00 looks pretty confusing.

[pganssle]

When we developed datetime.fromisoformat, the contract of the function was that it should act as the inverse of datetime.isoformat, meaning that it should satisfy

datetime.fromisoformat(dt.isoformat(*args, **kwargs)) == dt

for all values of dt, args and kwargs. Since dt.isoformat(sep='\ud800') and dt.isoformat(sep='0') are valid, we need to accept any character in the separator position in order to comply with the contract of the function.

It may be worth bringing up the appropriate contract in the datetime-SIG mailing list, but it was decided to use a very simple contract so that it's very simple to define what is and is not the correct behavior for this function (which could otherwise grow unwieldy).

[serhiy-storchaka]

This error message can contain not original string.

[pganssle]

Oh good point. As part of the fixup I will change how this works so that dtstr is not re-assigned.

[pganssle]

@serhiy-storchaka I'll make a second PR with the cleanup.