[New-bugs-announce] [issue44091] traceback & inspect modules should verify that the .py source file matches the one that the running process is using

Gregory P. Smith report at bugs.python.org
Sun May 9 13:15:30 EDT 2021


New submission from Gregory P. Smith <greg at krypto.org>:

A long-standing wart in Python is that once a module is loaded, when rendering a traceback and including source lines, we do not verify if the source file we're loading is the same as the one representing the code we are running.

It could have been replaced, as is normal during software upgrades.

If our code was loaded from .py source, we should be recording the timestamp/size||hash of the source file and referencing that from each code object.  If our code was loaded from a .pyc source, the .pyc already contains a timestamp/size||hash for the corresponding .py source file that could be referenced.

When traceback.StackSummary and FrameSummary use the linecache module, we should plumb this source metainfo in from the relevant code object.

A traceback being rendered with potentially modified source code could choose to omit the source lines, or at least annotate them with a "  ## this source {timestamp/size||hash} does not match the running code {timestamp/size||hash}." marker so that anyone seeing the traceback knows the displayed line may not be trustworthy.  (If the pyc was written using the "unchecked-hash" mode, no source/pyc synchronization check should be made)

The inspect module also needs the ability to indicate this to the caller.

----------
components: Library (Lib)
messages: 393328
nosy: gregory.p.smith
priority: normal
severity: normal
stage: needs patch
status: open
title: traceback & inspect modules should verify that the .py source file matches the one that the running process is using
type: enhancement
versions: Python 3.11

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue44091>
_______________________________________
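
Added example, not part of the original report and not CPython's code: it reads the source metadata that a .pyc header already carries (the PEP 552 layout of timestamp/size or hash) and compares it with the .py file currently on disk, skipping the check for "unchecked-hash" files as the report suggests. The names source_matches_pyc and demo and the module contents are hypothetical and constructed for illustration.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile

def source_matches_pyc(py_path, pyc_path):
    """Return 'match', 'mismatch' or 'unchecked' for a .py/.pyc pair."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)  # magic(4) + flags(4) + 8 bytes of source metadata
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("not a .pyc written by this interpreter")
    flags = struct.unpack("<I", header[4:8])[0]
    if flags & 0b01:                      # hash-based .pyc
        if not flags & 0b10:              # check_source bit clear: unchecked-hash
            return "unchecked"
        with open(py_path, "rb") as f:
            current = importlib.util.source_hash(f.read())
        return "match" if current == header[8:16] else "mismatch"
    # timestamp-based .pyc: 32-bit source mtime followed by 32-bit source size
    mtime, size = struct.unpack("<II", header[8:16])
    st = os.stat(py_path)
    same = (int(st.st_mtime) & 0xFFFFFFFF, st.st_size & 0xFFFFFFFF) == (mtime, size)
    return "match" if same else "mismatch"

def demo():
    """Compile a constructed module in each mode, then replace the source on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in py_compile.PycInvalidationMode:
            py = os.path.join(d, f"mod_{mode.name.lower()}.py")
            pyc = py + "c"
            with open(py, "w") as f:
                f.write("def f():\n    return 1\n")
            py_compile.compile(py, cfile=pyc, invalidation_mode=mode, doraise=True)
            before = source_matches_pyc(py, pyc)
            with open(py, "w") as f:      # simulated software upgrade
                f.write("# new release\ndef f():\n    return 2\n")
            results[mode.name] = (before, source_matches_pyc(py, pyc))
    return results

if __name__ == "__main__":
    for mode, (before, after) in demo().items():
        print(f"{mode:15} before={before:9} after={after}")
```

This compares files on disk only; the report's proposal is for the running process to keep this metadata on each code object so traceback and inspect can make the same comparison later.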

