author | Victor Stinner <vstinner@python.org> | 2023-09-11 15:27:03 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-11 15:27:03 (GMT) |
commit | 517cd82ea7d01b344804413ef05610934a43a241 (patch) | |
tree | 733959eb7944699c65275e5108be00b8dbc7a061 /Python/pystate.c | |
parent | c0f488b88f2a54d76256818e2841d868fecfd396 (diff) | |
gh-108987: Fix _thread.start_new_thread() race condition (#109135)
Fix _thread.start_new_thread() race condition. If a thread is created
during Python finalization, the newly spawned thread now exits
immediately instead of trying to access freed memory and
crashing.
thread_run() calls PyEval_AcquireThread() which checks if the thread
must exit. The problem was that tstate was dereferenced earlier in
_PyThreadState_Bind() which leads to a crash most of the time.
Move _PyThreadState_CheckConsistency() from thread_run() to
_PyThreadState_Bind().
Diffstat (limited to 'Python/pystate.c')
-rw-r--r-- | Python/pystate.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/Python/pystate.c b/Python/pystate.c
index 09c3538..b5c4fd7 100644
--- a/Python/pystate.c
+++ b/Python/pystate.c
@@ -1907,6 +1907,10 @@ PyThreadState_Swap(PyThreadState *newts)
 void
 _PyThreadState_Bind(PyThreadState *tstate)
 {
+ // gh-104690: If Python is being finalized and PyInterpreterState_Delete()
+ // was called, tstate becomes a dangling pointer.
+ assert(_PyThreadState_CheckConsistency(tstate));
+
 bind_tstate(tstate);
 // This makes sure there's a gilstate tstate bound
 // as soon as possible.
@@ -2908,6 +2912,31 @@ _PyThreadState_CheckConsistency(PyThreadState *tstate)
 #endif
+// Check if a Python thread must exit immediately, rather than taking the GIL
+// if Py_Finalize() has been called.
+//
+// When this function is called by a daemon thread after Py_Finalize() has been
+// called, the GIL does no longer exist.
+//
+// tstate can be a dangling pointer (point to freed memory): only tstate value
+// is used, the pointer is not deferenced.
+//
+// tstate must be non-NULL.
+int
+_PyThreadState_MustExit(PyThreadState *tstate)
+{
+ /* bpo-39877: Access _PyRuntime directly rather than using
+ tstate->interp->runtime to support calls from Python daemon threads.
+ After Py_Finalize() has been called, tstate can be a dangling pointer:
+ point to PyThreadState freed memory. */
+ PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime);
+ if (finalizing == NULL) {
+ finalizing = _PyInterpreterState_GetFinalizing(tstate->interp);
+ }
+ return (finalizing != NULL && finalizing != tstate);
+}
+
+
 #ifdef __cplusplus
 }
 #endif
|
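Review bot: The added `assert(_PyThreadState_CheckConsistency(tstate));` in `_PyThreadState_Bind()` is a debug-build tripwire, not a guard. With `NDEBUG` defined it compiles away, and `bind_tstate(tstate)` on the following line still works on a tstate that the comment itself says may be dangling. The real protection therefore has to be a finalization check made by the caller before binding; the description points to thread_run(), which is outside this file's diff, so that cannot be confirmed here. The comment should state that contract, for example `// Debug-only sanity check: callers must rule out finalization before binding tstate.` The body of `_PyThreadState_Bind()` continues past the end of the hunk.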
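Review bot: The header comment on `_PyThreadState_MustExit()` says the pointer is never dereferenced, but the fallback `_PyInterpreterState_GetFinalizing(tstate->interp)` reads through tstate whenever `_PyRuntimeState_GetFinalizing(&_PyRuntime)` returns NULL. If tstate can be dangling at that moment, this is a read of freed memory on the very path the function is meant to make safe. The comment should spell out when the dereference is safe, for example `// tstate may be dangling; it is only dereferenced when the runtime-level finalizing pointer is NULL.`, or the fallback should get the interpreter without going through tstate. While editing the comment, fix `deferenced` to `dereferenced` and `does no longer exist` to `no longer exists`.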