mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

[3.12] gh-108987: Fix _thread.start_new_thread() race condition (#109135) (#110342)

Browse source 
* gh-108987: Fix _thread.start_new_thread() race condition (#109135)

Fix _thread.start_new_thread() race condition. If a thread is created
during Python finalization, the newly spawned thread now exits
immediately instead of trying to access freed memory and lead to a
crash.

thread_run() calls PyEval_AcquireThread() which checks if the thread
must exit. The problem was that tstate was dereferenced earlier in
_PyThreadState_Bind() which leads to a crash most of the time.

Move _PyThreadState_CheckConsistency() from thread_run() to
_PyThreadState_Bind().

(cherry picked from commit 517cd82ea7)

* gh-109795: `_thread.start_new_thread`: allocate thread bootstate using raw memory allocator (#109808)

(cherry picked from commit 1b8f2366b3)

---------

Co-authored-by: Radislav Chugunov <52372310+chgnrdv@users.noreply.github.com>
This commit is contained in:
Victor Stinner 2023-10-04 13:20:31 +02:00 committed by GitHub
parent 1d87465005
commit 4936fa9541
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 75 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Include/internal/pycore_pystate.h
View file

@ -72,6 +72,8 @@ PyAPI_DATA(PyThreadState *) _PyThreadState_GetCurrent(void);
extern int _PyThreadState_CheckConsistency(PyThreadState *tstate); extern int _PyThreadState_CheckConsistency(PyThreadState *tstate);
#endif #endif
extern int _PyThreadState_MustExit(PyThreadState *tstate);
/* Get the current Python thread state. /* Get the current Python thread state.
This function is unsafe: it does not check for error and it can return NULL. This function is unsafe: it does not check for error and it can return NULL.

4
Misc/NEWS.d/next/Library/2023-09-08-12-09-55.gh-issue-108987.x5AIG8.rst Normal file
View file

@ -0,0 +1,4 @@
Fix :func:`_thread.start_new_thread` race condition. If a thread is created
during Python finalization, the newly spawned thread now exits immediately
instead of trying to access freed memory and lead to a crash. Patch by
Victor Stinner.

56
Modules/_threadmodule.c
View file

@ -1063,22 +1063,22 @@ _localdummy_destroyed(PyObject *localweakref, PyObject *dummyweakref)
/* Module functions */ /* Module functions */
struct bootstate { struct bootstate {
PyInterpreterState *interp; PyThreadState *tstate;
PyObject *func; PyObject *func;
PyObject *args; PyObject *args;
PyObject *kwargs; PyObject *kwargs;
PyThreadState *tstate;
_PyRuntimeState *runtime;
}; };
static void static void
thread_bootstate_free(struct bootstate *boot) thread_bootstate_free(struct bootstate *boot, int decref)
{ {
Py_DECREF(boot->func); if (decref) {
Py_DECREF(boot->args); Py_DECREF(boot->func);
Py_XDECREF(boot->kwargs); Py_DECREF(boot->args);
PyMem_Free(boot); Py_XDECREF(boot->kwargs);
}
PyMem_RawFree(boot);
} }
@ -1088,9 +1088,24 @@ thread_run(void *boot_raw)
struct bootstate *boot = (struct bootstate *) boot_raw; struct bootstate *boot = (struct bootstate *) boot_raw;
PyThreadState *tstate = boot->tstate; PyThreadState *tstate = boot->tstate;
// gh-104690: If Python is being finalized and PyInterpreterState_Delete() // gh-108987: If _thread.start_new_thread() is called before or while
// was called, tstate becomes a dangling pointer. // Python is being finalized, thread_run() can called *after*.
assert(_PyThreadState_CheckConsistency(tstate)); // _PyRuntimeState_SetFinalizing() is called. At this point, all Python
// threads must exit, except of the thread calling Py_Finalize() whch holds
// the GIL and must not exit.
//
// At this stage, tstate can be a dangling pointer (point to freed memory),
// it's ok to call _PyThreadState_MustExit() with a dangling pointer.
if (_PyThreadState_MustExit(tstate)) {
// Don't call PyThreadState_Clear() nor _PyThreadState_DeleteCurrent().
// These functions are called on tstate indirectly by Py_Finalize()
// which calls _PyInterpreterState_Clear().
//
// Py_DECREF() cannot be called because the GIL is not held: leak
// references on purpose. Python is being finalized anyway.
thread_bootstate_free(boot, 0);
goto exit;
}
_PyThreadState_Bind(tstate); _PyThreadState_Bind(tstate);
PyEval_AcquireThread(tstate); PyEval_AcquireThread(tstate);
@ -1109,14 +1124,17 @@ thread_run(void *boot_raw)
Py_DECREF(res); Py_DECREF(res);
} }
thread_bootstate_free(boot); thread_bootstate_free(boot, 1);
tstate->interp->threads.count--; tstate->interp->threads.count--;
PyThreadState_Clear(tstate); PyThreadState_Clear(tstate);
_PyThreadState_DeleteCurrent(tstate); _PyThreadState_DeleteCurrent(tstate);
exit:
// bpo-44434: Don't call explicitly PyThread_exit_thread(). On Linux with // bpo-44434: Don't call explicitly PyThread_exit_thread(). On Linux with
// the glibc, pthread_exit() can abort the whole process if dlopen() fails // the glibc, pthread_exit() can abort the whole process if dlopen() fails
// to open the libgcc_s.so library (ex: EMFILE error). // to open the libgcc_s.so library (ex: EMFILE error).
return;
} }
static PyObject * static PyObject *
@ -1140,7 +1158,6 @@ and False otherwise.\n");
static PyObject * static PyObject *
thread_PyThread_start_new_thread(PyObject *self, PyObject *fargs) thread_PyThread_start_new_thread(PyObject *self, PyObject *fargs)
{ {
_PyRuntimeState *runtime = &_PyRuntime;
PyObject *func, *args, *kwargs = NULL; PyObject *func, *args, *kwargs = NULL;
if (!PyArg_UnpackTuple(fargs, "start_new_thread", 2, 3, if (!PyArg_UnpackTuple(fargs, "start_new_thread", 2, 3,
@ -1179,20 +1196,21 @@ thread_PyThread_start_new_thread(PyObject *self, PyObject *fargs)
return NULL; return NULL;
} }
struct bootstate *boot = PyMem_NEW(struct bootstate, 1); // gh-109795: Use PyMem_RawMalloc() instead of PyMem_Malloc(),
// because it should be possible to call thread_bootstate_free()
// without holding the GIL.
struct bootstate *boot = PyMem_RawMalloc(sizeof(struct bootstate));
if (boot == NULL) { if (boot == NULL) {
return PyErr_NoMemory(); return PyErr_NoMemory();
} }
boot->interp = _PyInterpreterState_GET(); boot->tstate = _PyThreadState_New(interp);
boot->tstate = _PyThreadState_New(boot->interp);
if (boot->tstate == NULL) { if (boot->tstate == NULL) {
PyMem_Free(boot); PyMem_RawFree(boot);
if (!PyErr_Occurred()) { if (!PyErr_Occurred()) {
return PyErr_NoMemory(); return PyErr_NoMemory();
} }
return NULL; return NULL;
} }
boot->runtime = runtime;
boot->func = Py_NewRef(func); boot->func = Py_NewRef(func);
boot->args = Py_NewRef(args); boot->args = Py_NewRef(args);
boot->kwargs = Py_XNewRef(kwargs); boot->kwargs = Py_XNewRef(kwargs);
@ -1201,7 +1219,7 @@ thread_PyThread_start_new_thread(PyObject *self, PyObject *fargs)
if (ident == PYTHREAD_INVALID_THREAD_ID) { if (ident == PYTHREAD_INVALID_THREAD_ID) {
PyErr_SetString(ThreadError, "can't start new thread"); PyErr_SetString(ThreadError, "can't start new thread");
PyThreadState_Clear(boot->tstate); PyThreadState_Clear(boot->tstate);
thread_bootstate_free(boot); thread_bootstate_free(boot, 1);
return NULL; return NULL;
} }
return PyLong_FromUnsignedLong(ident); return PyLong_FromUnsignedLong(ident);

28
Python/ceval_gil.c
View file

@ -328,28 +328,6 @@ drop_gil(struct _ceval_state *ceval, PyThreadState *tstate)
} }
/* Check if a Python thread must exit immediately, rather than taking the GIL
if Py_Finalize() has been called.
When this function is called by a daemon thread after Py_Finalize() has been
called, the GIL does no longer exist.
tstate must be non-NULL. */
static inline int
tstate_must_exit(PyThreadState *tstate)
{
/* bpo-39877: Access _PyRuntime directly rather than using
tstate->interp->runtime to support calls from Python daemon threads.
After Py_Finalize() has been called, tstate can be a dangling pointer:
point to PyThreadState freed memory. */
PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime);
if (finalizing == NULL) {
finalizing = _PyInterpreterState_GetFinalizing(tstate->interp);
}
return (finalizing != NULL && finalizing != tstate);
}
/* Take the GIL. /* Take the GIL.
The function saves errno at entry and restores its value at exit. The function saves errno at entry and restores its value at exit.
@ -365,7 +343,7 @@ take_gil(PyThreadState *tstate)
// XXX It may be more correct to check tstate->_status.finalizing. // XXX It may be more correct to check tstate->_status.finalizing.
// XXX assert(!tstate->_status.cleared); // XXX assert(!tstate->_status.cleared);
if (tstate_must_exit(tstate)) { if (_PyThreadState_MustExit(tstate)) {
/* bpo-39877: If Py_Finalize() has been called and tstate is not the /* bpo-39877: If Py_Finalize() has been called and tstate is not the
thread which called Py_Finalize(), exit immediately the thread. thread which called Py_Finalize(), exit immediately the thread.
@ -403,7 +381,7 @@ take_gil(PyThreadState *tstate)
_Py_atomic_load_relaxed(&gil->locked) && _Py_atomic_load_relaxed(&gil->locked) &&
gil->switch_number == saved_switchnum) gil->switch_number == saved_switchnum)
{ {
if (tstate_must_exit(tstate)) { if (_PyThreadState_MustExit(tstate)) {
MUTEX_UNLOCK(gil->mutex); MUTEX_UNLOCK(gil->mutex);
// gh-96387: If the loop requested a drop request in a previous // gh-96387: If the loop requested a drop request in a previous
// iteration, reset the request. Otherwise, drop_gil() can // iteration, reset the request. Otherwise, drop_gil() can
@ -443,7 +421,7 @@ _ready:
MUTEX_UNLOCK(gil->switch_mutex); MUTEX_UNLOCK(gil->switch_mutex);
#endif #endif
if (tstate_must_exit(tstate)) { if (_PyThreadState_MustExit(tstate)) {
/* bpo-36475: If Py_Finalize() has been called and tstate is not /* bpo-36475: If Py_Finalize() has been called and tstate is not
the thread which called Py_Finalize(), exit immediately the the thread which called Py_Finalize(), exit immediately the
thread. thread.

29
Python/pystate.c
View file

@ -1867,6 +1867,10 @@ PyThreadState_Swap(PyThreadState *newts)
void void
_PyThreadState_Bind(PyThreadState *tstate) _PyThreadState_Bind(PyThreadState *tstate)
{ {
// gh-104690: If Python is being finalized and PyInterpreterState_Delete()
// was called, tstate becomes a dangling pointer.
assert(_PyThreadState_CheckConsistency(tstate));
bind_tstate(tstate); bind_tstate(tstate);
// This makes sure there's a gilstate tstate bound // This makes sure there's a gilstate tstate bound
// as soon as possible. // as soon as possible.
@ -2866,6 +2870,31 @@ _PyThreadState_CheckConsistency(PyThreadState *tstate)
#endif #endif
// Check if a Python thread must exit immediately, rather than taking the GIL
// if Py_Finalize() has been called.
//
// When this function is called by a daemon thread after Py_Finalize() has been
// called, the GIL does no longer exist.
//
// tstate can be a dangling pointer (point to freed memory): only tstate value
// is used, the pointer is not deferenced.
//
// tstate must be non-NULL.
int
_PyThreadState_MustExit(PyThreadState *tstate)
{
/* bpo-39877: Access _PyRuntime directly rather than using
tstate->interp->runtime to support calls from Python daemon threads.
After Py_Finalize() has been called, tstate can be a dangling pointer:
point to PyThreadState freed memory. */
PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime);
if (finalizing == NULL) {
finalizing = _PyInterpreterState_GetFinalizing(tstate->interp);
}
return (finalizing != NULL && finalizing != tstate);
}
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif