gh-149101: Implement PEP 788

[ZeroIntensity]

Hugo has graciously given me permission to backport this if we don't make the May 5th deadline, but let's try to get this done in time!

I will write a full tutorial and migration guide once this is merged; I want to first make sure that this lands before the beta freeze.

• Issue: Implement PEP 788 -- Protecting the C API from Interpreter Finalization #149101

[read-the-docs-community]

Documentation build overview

📚 cpython-previews | 🛠️ Build #32550521 | 📁 Comparing 17b0e2a against main (40dc61a)

  🔍 Preview build  

70 files changed · + 1 added · ± 69 modified

+ Added

• c-api/slots.html

± Modified

• glossary.html
• c-api/concrete.html
• c-api/extension-modules.html
• c-api/index.html
• c-api/interp-lifecycle.html
• c-api/lifecycle.html
• c-api/module.html
• c-api/perfmaps.html
• c-api/stable.html
• c-api/synchronization.html
• and 59 more...

[encukou]

Thanks for adding these!

I'll send notes for Doc/ now; code review coming up.

[bedevere-bot]

🤖 New build scheduled with the buildbot fleet by @ZeroIntensity for commit bc78c10 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F149116%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

[encukou]

for buildbots: The RHEL8 failures aren't relevant. Refleaks are worrying though.

[encukou]

Refleaks are worrying though.

Never mind; main currently leaks (#149179).

[colesbury]

I know I've made a bunch of other comments about this lock, but also try_acquire_interp_guard is called within HEAD_LOCK() and HEAD_LOCK should always be the inner-most lock. This risks lock ordering deadlocks.

[ZeroIntensity]

Moot now that the lock is gone

[colesbury]

I thought we talked about this being typdef void PyThreadStateToken. Casting PyThreadState* to a distinct struct PyThreadStateToken* looks like UB to me.

[ZeroIntensity]

Petr wrote this part and I just didn't notice. No idea if it's UB, but I'll change it.

[encukou]

I'm pretty sure it's not UB, but, void works too.

[colesbury]

I stuck the pattern in ChatGPT and it agreed with @encukou that it's not UB, at least if struct PyThreadStateToken is kept opaque.

The typedef struct PyThreadStateToken PyThreadStateToken definition is fine with me, and will probably provide stricter type checking.

[colesbury]

I think all these checks here should be done atomically without acquiring/releasing locks in between. So basically:

PyMutex_Lock(&interp->ceval.pending.mutex);
_PyEval_StopTheWorldAll(interp->runtime);
HEAD_LOCK(&_PyRuntime);
// ... do the checks and compare-exchange on finalization_guards
HEAD_UNLOCK(_PyRuntime);
_PyEval_StartTheWorldAll(interp->runtime);
PyMutex_Unlock(&interp->ceval.pending.mutex);

In other words, lift the HEAD_LOCK() out from runtime_has_subinterpreters and interp_has_threads

[colesbury]

I stuck the pattern in ChatGPT and it agreed with @encukou that it's not UB, at least if struct PyThreadStateToken is kept opaque.

The typedef struct PyThreadStateToken PyThreadStateToken definition is fine with me, and will probably provide stricter type checking.

[colesbury]

Is the current ordering here deliberate? I'm not sure if there's any issues, but the split of detach/attach across _PyEval_StartTheWorldAll and PyMutex_Unlock confuses me.

I would write it as:

        _PyEval_StartTheWorldAll(interp->runtime);
        PyMutex_Unlock(&interp->ceval.pending.mutex);

        // Temporarily let other threads execute
        _PyThreadState_Detach(tstate);
        _PyThreadState_Attach(tstate);

But it's also not clear to me whey we need _PyThreadState_Detach/Attach here. If other threads are running, won't we wait on them in either wait_for_thread_shutdown or when parking on the finalization_guards?

[ZeroIntensity]

Yeah, I think that's an artifact of an older variation.

[colesbury]

There is a bug here (found by Claude) where PyThreadState_Ensure/PyThreadState_Release with an already attached detaches on release when it should keep the active thread state.

In other words, we aren't properly distinguishing the two cases "already has a valid active thread state" and "doesn't have any attached thread state".

https://gist.github.com/colesbury/b6538312a898dd97fdd770b22fb3c338

[colesbury]

We should use an affirmative tone. For example:

Use this function when an interpreter pointer or view cannot be supplied by the caller, for example, when a native threading library does not provide a void *arg parameter that could carry a :c:type:PyInterpreterGuard or :c:type:PyInterpreterView. In code that supports subinterpreters, prefer :c:func:PyInterpreterView_FromCurrent so the guard tracks the calling interpreter rather than the main one.

[colesbury]

I'm not sure I understand the purpose of this in the tests. If the intent is to try to capture timing bugs, use something like pysleep. You can copy-paste those few lines of code if necessary.

I'd prefer we don't export this symbol since that complicates potential future bug fixes if we need to change or remove it.

[ZeroIntensity]

I'll just remove it. My hope was that this would make some of the apparent thread safety issues reproduce more reliably, but it doesn't seem that it did.

[colesbury]

I think this also has a bug. Let's say you have:

t1 = PyThreadState_Ensure(main_interp_guard); // counter 0 -> 1
Py_BEGIN_ALLOW_THREADS
t2 = PyThreadState_Ensure(main_interp_guard); // counter 1 -> 2
PyThreadState_Release(t2); // BUG! 2->1
Py_END_ALLOW_THREADS
PyThreadState_Release(t1);

The inner PyThreadState_Release should restore the thread state to "not attached", but it leaves it as attached due to the counter.