Files
chenhg5-cc-connect/core/atomicwrite.go
Shawn 5a13f6a6cb fix(core): clean up tmp file in AtomicWriteFile when rename fails (#912)
Every other failure path in AtomicWriteFile (Write / Sync / Close /
Chmod) calls os.Remove(tmpPath) before returning the error, so the
`.tmp-*` file CreateTemp produced does not survive an aborted write.
The rename branch — the most common failure mode in practice —
forgot to do the same:

    return os.Rename(tmpPath, path)

If os.Rename returns a non-nil error (target is an existing directory,
target file is locked on Windows, cross-filesystem rename, etc.) the
caller gets the error but the orphaned `.tmp-*` is left behind. Repeated
failures litter the parent directory with stale temp files; that's
particularly nasty for the cron and session stores that scan their
own directory looking for state files.

Reproducer (works on every supported platform): pass a path that is
already an existing directory. After the failed call, the parent
contains both `blocked/` and `.tmp-XXXXXXXXXX`.

Fix: handle the rename error the same way the other branches do —
os.Remove(tmpPath) before returning. Add inline comment listing the
realistic failure causes so the next reader doesn't think this is
defensive paranoia.

Add TestAtomicWriteFile_NoTempLeftWhenRenameFails to pin it: writes
to an existing-directory path, asserts the call errors out, asserts
the parent directory contains no stray `.tmp-*` afterward. Confirmed
to fail on main (orphan `.tmp-*` present) and pass on this branch.
2026-05-18 10:13:17 +08:00

51 lines
1.4 KiB
Go

package core
import (
"os"
"path/filepath"
)
// AtomicWriteFile writes data to a file atomically by first writing to a
// temporary file in the same directory, syncing, then renaming over the target.
// This prevents data loss / corruption on crash.
func AtomicWriteFile(path string, data []byte, perm os.FileMode) error {
dir := filepath.Dir(path)
tmp, err := os.CreateTemp(dir, ".tmp-*")
if err != nil {
return err
}
tmpPath := tmp.Name()
if _, err := tmp.Write(data); err != nil {
tmp.Close()
os.Remove(tmpPath)
return err
}
if err := tmp.Sync(); err != nil {
tmp.Close()
os.Remove(tmpPath)
return err
}
if err := tmp.Close(); err != nil {
os.Remove(tmpPath)
return err
}
if err := os.Chmod(tmpPath, perm); err != nil {
os.Remove(tmpPath)
return err
}
if err := os.Rename(tmpPath, path); err != nil {
// Rename can fail when the destination is a directory, the
// destination's filesystem differs from the temp dir's (rare given
// CreateTemp uses the same dir, but possible with bind mounts), or
// the destination is locked by another process on Windows. In any
// of those cases the temp file is now an orphaned `.tmp-*` we
// created — clean it up so repeated failures don't litter the
// directory and confuse later directory scans (e.g. cron / session
// stores that walk their parent dir).
os.Remove(tmpPath)
return err
}
return nil
}