ENH: review return values for PyArray_DescrNew

[mattip]

Fixes #19038

Review all the places PyArray_DescrNew and first derivative functions are used, and make sure to check the return value. Functions grepped for:

• PyArray_DescrNew (API function)
• PyArray_DescrNewFromType (API function)
• PyArray_DescrNewByteOrder (API function)
• PyArray_DESCR_REPLACE (macro)
• ensure_dtype_nbo (helper function)
• _descriptor_from_pep3118_format (helper function)
• arraydescr_newbyteorder (helper function)

An alternative would be to use exit(1) where malloc fails in PyArray_DescrNew since allocating a new descriptor should only fail on out-of-memory, and there is no real way to recover from that. Here are a few recommendations for using exit(1) (thanks @rgommers):

• https://titanwolf.org/Network/Articles/Article?AID=55f68680-740b-4f0b-ad05-a991894108bb.

  It can be concluded that for applications above 32 bits, the "out of memory" error handler is useless

• https://eli.thegreenplace.net/2009/10/30/handling-out-of-memory-conditions-in-c

  The abort policy is simple and familiar: when no memory is available, print a polite error message and exit (abort) the application. This is the most commonly used policy - most command-line tools and desktop applications use it.
  As a matter of fact, this policy is so common that most Unix programs use a gnulib library function xmalloc instead of malloc

[mattip]

Allow PyArray_FromString to allocate the descriptor:

numpy/numpy/core/src/multiarray/ctors.c

Lines 3743 to 3746 in c65bc21

	if (dtype == NULL) {
	dtype=PyArray_DescrFromType(NPY_DEFAULT_TYPE);
	if (dtype == NULL) {
	return NULL;

[seberg]

Thanks! Tricky stuff (although meaningless probability for running into)... a few suggestions that should be good, and 2 places where suggesting didn't do the trick. Let me know if you prefer me applying those changes.

[seberg]

This doesn't work PyArray_DescrNew does not accept NULL

[seberg]

I don't mind accepting NULL in for PyArray_NewFromDescr (passing through the error). I generally prefer if the caller sanitizes, but it seems a good exception to me here.

[mattip]

PyArray_NewFromDescr is an API function, so it is on us to check the inputs.

[mattip]

Not sure why I had to work so hard to do this check. The function is NUMPY_API, so it is on us to sanitize input. Why does gcc think descr can never be NULL?

[seberg]

I don't agree that API automatically means we have to sanitize, I do not think the Python C-API does this (EDIT: to be clear, does this always, not often, I think also for Python it is pretty common). But it is fairly common for us to do, and in this case I think the pattern "relying" on it (at least theoretically) is common enough to do it.

The generated header include:

NPY_NO_EXPORT NPY_STEALS_REF_TO_ARG(2) NPY_GCC_NONNULL(1) NPY_GCC_NONNULL(2) PyObject * PyArray_NewFromDescr \
       (PyTypeObject *, PyArray_Descr *, int, npy_intp const *, npy_intp const *, void *, int, PyObject *);

So we mark this as NONNULL explicitly, actually. This is done here:

numpy/numpy/core/code_generators/numpy_api.py

Line 140 in 855b5ed

'PyArray_NewFromDescr': (94, StealRef(2), NonNull([1, 2])),

[mattip]

Maybe we can get away with not sanitizing inputs (I think best practices is always to be liberal with input and strict with output), but using NonNull on API interfaces seems to me to be an anti-pattern. I will open an issue.

[mattip]

Done in #20971

[seberg]

No idea about the merit of having this in the public API. I think we should just change it to NonNull([1]) for the sake of this PR, though?

[mattip]

If we do we can only put it into 1.23

[seberg]

Hmmm, isn't that fully ABI/API compatible, since it is just an attribute (and relaxing an attribute at that)?

[seberg]

Hmm, lets discuss tomorrow or so. I thought we may not have to put any error at all (anywhere), because passing in NULL should only happen if the NULL exists due to an error being already in-progress. And if that is not true, Python will set a SystemError...

[mattip]

Let's leave that for #20971. For this PR, I pushed the check one level down. removed the check

[mattip]

I removed the check.

[seberg]

I pushed a small fixup and removed all custom error messages (to be clear, I am OK with re-adding them).

So effectively, this fixes up a bit of shady error checks, and otherwise now semi-officially allows calling a few/most(?) array-creation functions with a NULL dtype. These functions will then return NULL immediately while assuming that an error is already set.

[charris]

Thanks Matti, thanks Sebastian.

[charris]

I notice that numpy.sort is also part of the CVE, did we fix that?

[seberg]

yes, it was.