mirror of
https://github.com/chenhg5/cc-connect.git
synced 2026-07-03 12:28:10 +08:00
Every other failure path in AtomicWriteFile (Write / Sync / Close /
Chmod) calls os.Remove(tmpPath) before returning the error, so the
`.tmp-*` file CreateTemp produced does not survive an aborted write.
The rename branch — the most common failure mode in practice —
forgot to do the same:
return os.Rename(tmpPath, path)
If os.Rename returns a non-nil error (target is an existing directory,
target file is locked on Windows, cross-filesystem rename, etc.) the
caller gets the error but the orphaned `.tmp-*` is left behind. Repeated
failures litter the parent directory with stale temp files; that's
particularly nasty for the cron and session stores that scan their
own directory looking for state files.
Reproducer (works on every supported platform): pass a path that is
already an existing directory. After the failed call, the parent
contains both `blocked/` and `.tmp-XXXXXXXXXX`.
Fix: handle the rename error the same way the other branches do —
os.Remove(tmpPath) before returning. Add inline comment listing the
realistic failure causes so the next reader doesn't think this is
defensive paranoia.
Add TestAtomicWriteFile_NoTempLeftWhenRenameFails to pin it: writes
to an existing-directory path, asserts the call errors out, asserts
the parent directory contains no stray `.tmp-*` afterward. Confirmed
to fail on main (orphan `.tmp-*` present) and pass on this branch.
51 lines
1.4 KiB
Go
51 lines
1.4 KiB
Go
package core
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
)
|
|
|
|
// AtomicWriteFile writes data to a file atomically by first writing to a
|
|
// temporary file in the same directory, syncing, then renaming over the target.
|
|
// This prevents data loss / corruption on crash.
|
|
func AtomicWriteFile(path string, data []byte, perm os.FileMode) error {
|
|
dir := filepath.Dir(path)
|
|
tmp, err := os.CreateTemp(dir, ".tmp-*")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
tmpPath := tmp.Name()
|
|
|
|
if _, err := tmp.Write(data); err != nil {
|
|
tmp.Close()
|
|
os.Remove(tmpPath)
|
|
return err
|
|
}
|
|
if err := tmp.Sync(); err != nil {
|
|
tmp.Close()
|
|
os.Remove(tmpPath)
|
|
return err
|
|
}
|
|
if err := tmp.Close(); err != nil {
|
|
os.Remove(tmpPath)
|
|
return err
|
|
}
|
|
if err := os.Chmod(tmpPath, perm); err != nil {
|
|
os.Remove(tmpPath)
|
|
return err
|
|
}
|
|
if err := os.Rename(tmpPath, path); err != nil {
|
|
// Rename can fail when the destination is a directory, the
|
|
// destination's filesystem differs from the temp dir's (rare given
|
|
// CreateTemp uses the same dir, but possible with bind mounts), or
|
|
// the destination is locked by another process on Windows. In any
|
|
// of those cases the temp file is now an orphaned `.tmp-*` we
|
|
// created — clean it up so repeated failures don't litter the
|
|
// directory and confuse later directory scans (e.g. cron / session
|
|
// stores that walk their parent dir).
|
|
os.Remove(tmpPath)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|