8000 gh-107080: Fix Py_TRACE_REFS Crashes Under Isolated Subinterpreters by ericsnowcurrently · Pull Request #107567 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

gh-107080: Fix Py_TRACE_REFS Crashes Under Isolated Subinterpreters #107567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Aug 3, 2023
Merged

gh-107080: Fix Py_TRACE_REFS Crashes Under Isolated Subinterpreters #107567

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
11d48cd
Move refchain to _PyRuntimeState.
ericsnowcurrently Aug 2, 2023
238e00f
Move refchain to PyInterpreterState.
ericsnowcurrently Aug 2, 2023
33105c0
Add a NEWS entry.
ericsnowcurrently Aug 2, 2023
ac78d7b
Clean up _Py_GetObjects().
ericsnowcurrently Aug 2, 2023
e21c558
Drop _Py_StealRefchain().
ericsnowcurrently Aug 3, 2023
7a8e549
Drop _Py_StealRefchain().
ericsnowcurrently Aug 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions Include/internal/pycore_object.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,8 +292,9 @@ extern void _PyDebug_PrintTotalRefs(void);

#ifdef Py_TRACE_REFS
extern void _Py_AddToAllObjects(PyObject *op, int force);
extern void _Py_PrintReferences(FILE *);
extern void _Py_PrintReferenceAddresses(FILE *);
extern void _Py_PrintReferences(PyInterpreterState *, FILE *);
extern void _Py_PrintReferenceAddresses(PyObject *, FILE *);
extern void _Py_StealRefchain(PyInterpreterState *, PyObject *);
#endif


Expand Down
13 changes: 9 additions & 4 deletions Include/internal/pycore_object_state.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,17 +11,22 @@ extern "C" {
struct _py_object_runtime_state {
#ifdef Py_REF_DEBUG
Py_ssize_t interpreter_leaks;
#else
int _not_used;
#endif
int _not_used;
};

struct _py_object_state {
#ifdef Py_REF_DEBUG
Py_ssize_t reftotal;
#else
int _not_used;
#endif
#ifdef Py_TRACE_REFS
/* Head of circular doubly-linked list of all objects. These are linked
* together via the _ob_prev and _ob_next members of a PyObject, which
* exist only in a Py_TRACE_REFS build.
*/
PyObject refchain;
#endif
int _not_used;
};


Expand Down
11 changes: 11 additions & 0 deletions Include/internal/pycore_runtime_init.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ extern PyTypeObject _PyExc_MemoryError;
{ .threshold = 10, }, \
}, \
}, \
.object_state = _py_object_state_INIT(INTERP), \
.dtoa = _dtoa_state_INIT(&(INTERP)), \
.dict_state = _dict_state_INIT, \
.func_state = { \
Expand Down Expand Up @@ -186,6 +187,16 @@ extern PyTypeObject _PyExc_MemoryError;
.context_ver = 1, \
}

#ifdef Py_TRACE_REFS
# define _py_object_state_INIT(INTERP) \
{ \
.refchain = {&INTERP.object_state.refchain, &INTERP.object_state.refchain}, \
}
#else
# define _py_object_state_INIT(INTERP) \
{ 0 }
#endif


// global objects

Expand Down
4 changes: 4 additions & 0 deletions Misc/NEWS.d/next/Core and Builtins/2023-08-02-12-24-51.gh-issue-107080.PNolFU.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Trace refs builds (``--with-trace-refs``) were crashing when used with
isolated subinterpreters. The problematic global state has been isolated to
each interpreter. Other fixing the crashes, this change does not affect
users.
68 changes: 49 additions & 19 deletions Objects/object.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,11 +159,8 @@ _PyDebug_PrintTotalRefs(void) {
Do not call them otherwise, they do not initialize the object! */

#ifdef Py_TRACE_REFS
/* Head of circular doubly-linked list of all objects. These are linked
* together via the _ob_prev and _ob_next members of a PyObject, which
* exist only in a Py_TRACE_REFS build.
*/
static PyObject refchain = {&refchain, &refchain};

#define REFCHAIN(interp) &interp->object_state.refchain

/* Insert op at the front of the list of all objects. If force is true,
* op is added even if _ob_prev and _ob_next are non-NULL already. If
Expand All @@ -188,10 +185,11 @@ _Py_AddToAllObjects(PyObject *op, int force)
}
#endif
if (force || op->_ob_prev == NULL) {
op->_ob_next = refchain._ob_next;
op->_ob_prev = &refchain;
refchain._ob_next->_ob_prev = op;
refchain._ob_next = op;
PyObject *refchain = REFCHAIN(_PyInterpreterState_GET());
op->_ob_next = refchain->_ob_next;
op->_ob_prev = refchain;
refchain->_ob_next->_ob_prev = op;
refchain->_ob_next = op;
}
}
#endif /* Py_TRACE_REFS */
Expand Down Expand Up @@ -2229,20 +2227,21 @@ _Py_ForgetReference(PyObject *op)
_PyObject_ASSERT_FAILED_MSG(op, "negative refcnt");
}

if (op == &refchain ||
PyObject *refchain = REFCHAIN(_PyInterpreterState_GET());
if (op == refchain ||
op->_ob_prev->_ob_next != op || op->_ob_next->_ob_prev != op)
{
_PyObject_ASSERT_FAILED_MSG(op, "invalid object chain");
}

#ifdef SLOW_UNREF_CHECK
PyObject *p;
for (p = refchain._ob_next; p != &refchain; p = p->_ob_next) {
for (p = refchain->_ob_next; p != refchain; p = p->_ob_next) {
if (p == op) {
break;
}
}
if (p == &refchain) {
if (p == refchain) {
/* Not found */
_PyObject_ASSERT_FAILED_MSG(op,
"object not found in the objects list");
Expand All @@ -2254,15 +2253,41 @@ _Py_ForgetReference(PyObject *op)
op->_ob_next = op->_ob_prev = NULL;
}

void
_Py_StealRefchain(PyInterpreterState *interp, PyObject *refchain)
{
assert(refchain != NULL
&& (refchain->_ob_prev == NULL || refchain->_ob_prev == refchain)
&& (refchain->_ob_next == NULL || refchain->_ob_next == refchain));
if (interp == NULL) {
interp = _PyInterpreterState_Main();
}
PyObject *old = REFCHAIN(interp);
if (old->_ob_prev == old) {
assert(old->_ob_next == old);
refchain->_ob_prev = refchain;
refchain->_ob_next = refchain;
return;
}
refchain->_ob_prev = old->_ob_prev;
refchain->_ob_prev->_ob_next = refchain;
refchain->_ob_next = old->_ob_next;
refchain->_ob_next->_ob_prev = refchain;
}

/* Print all live objects. Because PyObject_Print is called, the
* interpreter must be in a healthy state.
*/
void
_Py_PrintReferences(FILE *fp)
_Py_PrintReferences(PyInterpreterState *interp, FILE *fp)
{
PyObject *op;
if (interp == NULL) {
interp = _PyInterpreterState_Main();
}
fprintf(fp, "Remaining objects:\n");
for (op = refchain._ob_next; op != &refchain; op = op->_ob_next) {
PyObject *refchain = REFCHAIN(interp);
for (op = refchain->_ob_next; op != refchain; op = op->_ob_next) {
fprintf(fp, "%p [%zd] ", (void *)op, Py_REFCNT(op));
if (PyObject_Print(op, fp, 0) != 0) {
PyErr_Clear();
Expand All @@ -2275,33 +2300,36 @@ _Py_PrintReferences(FILE *fp)
* doesn't make any calls to the Python C API, so is always safe to call.
*/
void
_Py_PrintReferenceAddresses(FILE *fp)
_Py_PrintReferenceAddresses(PyObject *refchain, FILE *fp)
{
PyObject *op;
fprintf(fp, "Remaining object addresses:\n");
for (op = refchain._ob_next; op != &refchain; op = op->_ob_next)
for (op = refchain->_ob_next; op != refchain; op = op->_ob_next)
fprintf(fp, "%p [%zd] %s\n", (void *)op,
Py_REFCNT(op), Py_TYPE(op)->tp_name);
}

/* The implementation of sys.getobjects(). */
PyObject *
_Py_GetObjects(PyObject *self, PyObject *args)
{
int i, n;
PyObject *t = NULL;
PyObject *res, *op;
PyInterpreterState *interp = _PyInterpreterState_GET();

if (!PyArg_ParseTuple(args, "i|O", &n, &t))
return NULL;
op = refchain._ob_next;
PyObject *refchain = REFCHAIN(interp);
op = refchain->_ob_next;
res = PyList_New(0);
if (res == NULL)
return NULL;
for (i = 0; (n == 0 || i < n) && op != &refchain; i++) {
for (i = 0; (n == 0 || i < n) && op != refchain; i++) {
while (op == self || op == args || op == res || op == t ||
(t != NULL && !Py_IS_TYPE(op, (PyTypeObject *) t))) {
op = op->_ob_next;
if (op == &refchain)
if (op == refchain)
return res;
}
if (PyList_Append(res, op) < 0) {
Expand All @@ -2313,6 +2341,8 @@ _Py_GetObjects(PyObject *self, PyObject *args)
return res;
}

#undef REFCHAIN

#endif


Expand Down
11 changes: 7 additions & 4 deletions Python/pylifecycle.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1921,12 +1921,15 @@ Py_FinalizeEx(void)
}

if (dump_refs) {
_Py_PrintReferences(stderr);
_Py_PrintReferences(tstate->interp, stderr);
}

if (dump_refs_fp != NULL) {
_Py_PrintReferences(dump_refs_fp);
_Py_PrintReferences(tstate->interp, dump_refs_fp);
}

PyObject refchain = { 0 };
_Py_StealRefchain(tstate->interp, &refchain);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this necessary?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The interpreter will be deallocated before we later call _Py_PrintReferenceAddresses() to walk the linked list.

That said, I think there's a related problem that I still need to address. Namely, every remaining object in the linked list will be (effectively) freed when the interpreter's allocator is finalized, so the _ob_next and _ob_prev accesses might segfault. It likely isn't a big problem during runtime finalization (except perhaps for embedders) but I'll fix that regardless.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'm pretty sure that's not actually a problem. We only call _Py_PrintReferenceAddresses() in Py_FinalizeEx() and only for the main interpreter, which is statically allocated. Objects in the linked list might still cause a segfault but only if they would have before this change, so I'm not going to worry about that here. I will leave a note in the code though.

#endif /* Py_TRACE_REFS */

/* At this point there's almost no other Python code that will run,
Expand Down Expand Up @@ -1961,11 +1964,11 @@ Py_FinalizeEx(void)
*/

if (dump_refs) {
_Py_PrintReferenceAddresses(stderr);
_Py_PrintReferenceAddresses(&refchain, stderr);
}

if (dump_refs_fp != NULL) {
_Py_PrintReferenceAddresses(dump_refs_fp);
_Py_PrintReferenceAddresses(&refchain, dump_refs_fp);
fclose(dump_refs_fp);
}
#endif /* Py_TRACE_REFS */
Expand Down
0