authorVictor Stinner <vstinner@python.org>2023-10-04 11:20:31 (GMT)
committerGitHub <noreply@github.com>2023-10-04 11:20:31 (GMT)
commit4936fa954125864ae3ae5d36863479094837e88a (patch)
tree44d8235ceea9c21e887e17cb2e90a20e526020f3 /Python
parent1d87465005e8349323f6dad7e13f48ed5b52f6ad (diff)
[3.12] gh-108987: Fix _thread.start_new_thread() race condition (#109135) (#110342)
* gh-108987: Fix _thread.start_new_thread() race condition (#109135) Fix _thread.start_new_thread() race condition. If a thread is created during Python finalization, the newly spawned thread now exits immediately instead of trying to access freed memory and lead to a crash. thread_run() calls PyEval_AcquireThread() which checks if the thread must exit. The problem was that tstate was dereferenced earlier in _PyThreadState_Bind() which leads to a crash most of the time. Move _PyThreadState_CheckConsistency() from thread_run() to _PyThreadState_Bind(). (cherry picked from commit 517cd82ea7d01b344804413ef05610934a43a241) * gh-109795: `_thread.start_new_thread`: allocate thread bootstate using raw memory allocator (#109808) (cherry picked from commit 1b8f2366b38c87b0450d9c15bdfdd4c4a2fc3a01) --------- Co-authored-by: Radislav Chugunov <52372310+chgnrdv@users.noreply.github.com>
Diffstat (limited to 'Python')
-rw-r--r--Python/ceval_gil.c28
-rw-r--r--Python/pystate.c29
2 files changed, 32 insertions, 25 deletions
diff --git a/Python/ceval_gil.c b/Python/ceval_gil.c
index b44cb0b..c1ab588 100644
--- a/Python/ceval_gil.c
+++ b/Python/ceval_gil.c
@@ -328,28 +328,6 @@ drop_gil(struct _ceval_state *ceval, PyThreadState *tstate)
}
-/* Check if a Python thread must exit immediately, rather than taking the GIL
- if Py_Finalize() has been called.
-
- When this function is called by a daemon thread after Py_Finalize() has been
- called, the GIL does no longer exist.
-
- tstate must be non-NULL. */
-static inline int
-tstate_must_exit(PyThreadState *tstate)
-{
- /* bpo-39877: Access _PyRuntime directly rather than using
- tstate->interp->runtime to support calls from Python daemon threads.
- After Py_Finalize() has been called, tstate can be a dangling pointer:
- point to PyThreadState freed memory. */
- PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime);
- if (finalizing == NULL) {
- finalizing = _PyInterpreterState_GetFinalizing(tstate->interp);
- }
- return (finalizing != NULL && finalizing != tstate);
-}
-
-
/* Take the GIL.
The function saves errno at entry and restores its value at exit.
@@ -365,7 +343,7 @@ take_gil(PyThreadState *tstate)
// XXX It may be more correct to check tstate->_status.finalizing.
// XXX assert(!tstate->_status.cleared);
- if (tstate_must_exit(tstate)) {
+ if (_PyThreadState_MustExit(tstate)) {
/* bpo-39877: If Py_Finalize() has been called and tstate is not the
thread which called Py_Finalize(), exit immediately the thread.
@@ -403,7 +381,7 @@ take_gil(PyThreadState *tstate)
_Py_atomic_load_relaxed(&gil->locked) &&
gil->switch_number == saved_switchnum)
{
- if (tstate_must_exit(tstate)) {
+ if (_PyThreadState_MustExit(tstate)) {
MUTEX_UNLOCK(gil->mutex);
// gh-96387: If the loop requested a drop request in a previous
// iteration, reset the request. Otherwise, drop_gil() can
@@ -443,7 +421,7 @@ _ready:
MUTEX_UNLOCK(gil->switch_mutex);
#endif
- if (tstate_must_exit(tstate)) {
+ if (_PyThreadState_MustExit(tstate)) {
/* bpo-36475: If Py_Finalize() has been called and tstate is not
the thread which called Py_Finalize(), exit immediately the
thread.
diff --git a/Python/pystate.c b/Python/pystate.c
index 1fe88fd..b77827f 100644
--- a/Python/pystate.c
+++ b/Python/pystate.c
@@ -1867,6 +1867,10 @@ PyThreadState_Swap(PyThreadState *newts)
void
_PyThreadState_Bind(PyThreadState *tstate)
{
+ // gh-104690: If Python is being finalized and PyInterpreterState_Delete()
+ // was called, tstate becomes a dangling pointer.
+ assert(_PyThreadState_CheckConsistency(tstate));
+
bind_tstate(tstate);
// This makes sure there's a gilstate tstate bound
// as soon as possible.
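Review bot: The comment added at the top of _PyThreadState_Bind() describes a dangling tstate, but the line it documents is an `assert`, so nothing is checked in a build compiled with NDEBUG, and the check presumably has to read through the same pointer (its body is not in this hunk). If the real guarantee is that callers rule out finalization before binding (the commit message names thread_run(), which is not on this page), the comment should say that, for example `// Debug-only sanity check: callers must not pass a tstate already freed by finalization.` The body of _PyThreadState_Bind() continues past the end of the hunk.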
@@ -2866,6 +2870,31 @@ _PyThreadState_CheckConsistency(PyThreadState *tstate)
#endif
+// Check if a Python thread must exit immediately, rather than taking the GIL
+// if Py_Finalize() has been called.
+//
+// When this function is called by a daemon thread after Py_Finalize() has been
+// called, the GIL does no longer exist.
+//
+// tstate can be a dangling pointer (point to freed memory): only tstate value
+// is used, the pointer is not deferenced.
+//
+// tstate must be non-NULL.
+int
+_PyThreadState_MustExit(PyThreadState *tstate)
+{
+ /* bpo-39877: Access _PyRuntime directly rather than using
+ tstate->interp->runtime to support calls from Python daemon threads.
+ After Py_Finalize() has been called, tstate can be a dangling pointer:
+ point to PyThreadState freed memory. */
+ PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime);
+ if (finalizing == NULL) {
+ finalizing = _PyInterpreterState_GetFinalizing(tstate->interp);
+ }
+ return (finalizing != NULL && finalizing != tstate);
+}
+
+
#ifdef __cplusplus
}
#endif
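Review bot: The header comment on _PyThreadState_MustExit() says the pointer is never dereferenced, yet the fallback branch reads `tstate->interp` whenever `_PyRuntimeState_GetFinalizing(&_PyRuntime)` returns NULL. For a daemon thread holding a freed tstate, that read is a use-after-free, so the comment overstates the guarantee; only the runtime-wide path compares the pointer value alone. Either narrow the comment, e.g. `// tstate may dangle only while the runtime-wide finalizing pointer is set; the per-interpreter fallback reads tstate->interp.`, or mark the fallback line with `// XXX not safe if tstate is dangling`. The same comment block also spells `dereferenced` as `deferenced`.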