fixup! refactor(core.utils): close TOCTOU in atime touch via fd-based stat+utime

Author: cpcloud

cuda_core/cuda/core/utils/_program_cache.py

@@ -921,6 +921,9 @@ def _stat_and_read_with_sharing_retry(path: Path) -> tuple[os.stat_result, bytes
     raise FileNotFoundError(path) from last_exc
 
 
+_UTIME_SUPPORTS_FD = os.utime in os.supports_fd
+
+
 def _touch_atime(path: Path, st_before: os.stat_result) -> None:
     """Bump ``path``'s atime to "now", preserving its mtime, iff the
     file's stat still matches ``st_before``.
@@ -942,14 +945,52 @@ def _touch_atime(path: Path, st_before: os.stat_result) -> None:
     read and this touch, blindly applying ``st_before.st_mtime_ns``
     would roll the new entry's mtime back to the old value and confuse
     the eviction stat-guard (which checks ``(ino, size, mtime_ns)``)
-    into deleting a freshly-committed file. A mismatch means the racing
-    writer's reader will refresh atime when it next reads, so skipping
-    here is safe.
+    into deleting a freshly-committed file.
+
+    Where ``os.utime`` supports file descriptors (Linux, macOS), the
+    fstat-then-utime pair runs against the same open fd: even if another
+    writer replaces the path between our ``os.open`` and the ``fstat``,
+    the fd still refers to the file we opened, so the comparison and the
+    utime both target the same inode. This closes the residual TOCTOU
+    window that a path-based stat + path-based utime would have.
+
+    On Windows, ``os.utime`` is path-only; the fallback re-stats the
+    path and accepts a small TOCTOU window between the second stat and
+    the utime. That window is microseconds and the worst-case outcome
+    is the racing writer's mtime being rolled back by a few hundred
+    nanoseconds -- the eviction stat-guard would then refuse to evict
+    the slightly-stale entry, costing one cache miss (recompile) but
+    not a corrupt eviction.
 
     Best-effort: any ``OSError`` (read-only mount, restrictive ACLs,
     ...) is swallowed -- size enforcement still bounds the cache, but
     eviction degrades toward FIFO.
     """
+    new_atime_ns = time.time_ns()
+    if _UTIME_SUPPORTS_FD:
+        try:
+            fd = os.open(path, os.O_RDONLY)
+        except OSError:
+            return
+        try:
+            try:
+                st_now = os.fstat(fd)
+            except OSError:
+                return
+            if (st_now.st_ino, st_now.st_size, st_now.st_mtime_ns) != (
+                st_before.st_ino,
+                st_before.st_size,
+                st_before.st_mtime_ns,
+            ):
+                return
+            with contextlib.suppress(OSError):
+                os.utime(fd, ns=(new_atime_ns, st_before.st_mtime_ns))
+        finally:
+            os.close(fd)
+        return
+
+    # Path-based fallback (Windows). Best-effort -- residual TOCTOU window
+    # documented above.
     try:
         st_now = path.stat()
     except OSError:
@@ -961,7 +1002,7 @@ def _touch_atime(path: Path, st_before: os.stat_result) -> None:
     ):
         return
     with contextlib.suppress(OSError):
-        os.utime(path, ns=(time.time_ns(), st_before.st_mtime_ns))
+        os.utime(path, ns=(new_atime_ns, st_before.st_mtime_ns))
 
 
 def _prune_if_stat_unchanged(path: Path, st_before: os.stat_result) -> None: