author | Victor Stinner <vstinner@python.org> | 2023-09-11 17:33:08 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-11 17:33:08 (GMT) |
commit | 82a18069a1c288b9be3cdaf63a04e4c77fbd231f (patch) | |
tree | 219c98c62906504ef043217f78c027dccef95683 /Python | |
parent | 9297a72dbd39aca99fa8cf92960ce1869bc51c0b (diff) | |
[3.11] gh-108987: Fix _thread.start_new_thread() race condition (#109135) (#109272)
gh-108987: Fix _thread.start_new_thread() race condition (#109135)
Fix _thread.start_new_thread() race condition. If a thread is created
during Python finalization, the newly spawned thread now exits
immediately instead of trying to access freed memory, which led to a
crash.
thread_run() calls PyEval_AcquireThread() which checks if the thread
must exit. The problem was that tstate was dereferenced earlier in
_PyThreadState_Bind() which leads to a crash most of the time.
Move _PyThreadState_CheckConsistency() from thread_run() to
_PyThreadState_Bind().
(cherry picked from commit 517cd82ea7d01b344804413ef05610934a43a241)
Diffstat (limited to 'Python')
-rw-r--r-- | Python/ceval_gil.h | 25 | ||||
-rw-r--r-- | Python/pystate.c | 26 |
2 files changed, 29 insertions, 22 deletions
diff --git a/Python/ceval_gil.h b/Python/ceval_gil.h index d20af26..94e2df0 100644 --- a/Python/ceval_gil.h +++ b/Python/ceval_gil.h @@ -185,25 +185,6 @@ drop_gil(struct _ceval_runtime_state *ceval, struct _ceval_state *ceval2, } -/* Check if a Python thread must exit immediately, rather than taking the GIL - if Py_Finalize() has been called. - - When this function is called by a daemon thread after Py_Finalize() has been - called, the GIL does no longer exist. - - tstate must be non-NULL. */ -static inline int -tstate_must_exit(PyThreadState *tstate) -{ - /* bpo-39877: Access _PyRuntime directly rather than using - tstate->interp->runtime to support calls from Python daemon threads. - After Py_Finalize() has been called, tstate can be a dangling pointer: - point to PyThreadState freed memory. */ - PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime); - return (finalizing != NULL && finalizing != tstate); -} - - /* Take the GIL. The function saves errno at entry and restores its value at exit. @@ -216,7 +197,7 @@ take_gil(PyThreadState *tstate) assert(tstate != NULL); - if (tstate_must_exit(tstate)) { + if (_PyThreadState_MustExit(tstate)) { /* bpo-39877: If Py_Finalize() has been called and tstate is not the thread which called Py_Finalize(), exit immediately the thread. @@ -255,7 +236,7 @@ take_gil(PyThreadState *tstate) _Py_atomic_load_relaxed(&gil->locked) && gil->switch_number == saved_switchnum) { - if (tstate_must_exit(tstate)) { + if (_PyThreadState_MustExit(tstate)) { MUTEX_UNLOCK(gil->mutex); // gh-96387: If the loop requested a drop request in a previous // iteration, reset the request. Otherwise, drop_gil() can @@ -295,7 +276,7 @@ _ready: MUTEX_UNLOCK(gil->switch_mutex); #endif - if (tstate_must_exit(tstate)) { + if (_PyThreadState_MustExit(tstate)) { /* bpo-36475: If Py_Finalize() has been called and tstate is not the thread which called Py_Finalize(), exit immediately the thread. 
diff --git a/Python/pystate.c b/Python/pystate.c index ec278ee..db2ce87 100644 --- a/Python/pystate.c +++ b/Python/pystate.c @@ -882,6 +882,10 @@ _PyThreadState_Init(PyThreadState *tstate) void _PyThreadState_SetCurrent(PyThreadState *tstate) { + // gh-104690: If Python is being finalized and PyInterpreterState_Delete() + // was called, tstate becomes a dangling pointer. + assert(_PyThreadState_CheckConsistency(tstate)); + _PyGILState_NoteThreadState(&tstate->interp->runtime->gilstate, tstate); } @@ -2255,6 +2259,28 @@ _PyThreadState_CheckConsistency(PyThreadState *tstate) #endif +// Check if a Python thread must exit immediately, rather than taking the GIL +// if Py_Finalize() has been called. +// +// When this function is called by a daemon thread after Py_Finalize() has been +// called, the GIL does no longer exist. +// +// tstate can be a dangling pointer (point to freed memory): only tstate value +// is used, the pointer is not deferenced. +// +// tstate must be non-NULL. +int +_PyThreadState_MustExit(PyThreadState *tstate) +{ + /* bpo-39877: Access _PyRuntime directly rather than using + tstate->interp->runtime to support calls from Python daemon threads. + After Py_Finalize() has been called, tstate can be a dangling pointer: + point to PyThreadState freed memory. */ + PyThreadState *finalizing = _PyRuntimeState_GetFinalizing(&_PyRuntime); + return (finalizing != NULL && finalizing != tstate); +} + + #ifdef __cplusplus } #endif |
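Review bot: The assertion added at the top of _PyThreadState_SetCurrent() is a debugging aid rather than a guard. `assert()` is compiled out under NDEBUG, so in a release build a dangling tstate still reaches the `tstate->interp->runtime` dereference on the following line, and the consistency check presumably has to read through tstate itself. The protection against the finalization race therefore has to come from the caller testing `_PyThreadState_MustExit(tstate)` before it binds the thread state; that caller is not in this diff (the diffstat is limited to 'Python'), so this should be confirmed there. I would state the contract in the comment, for example `// Debug-only check, not a guard: callers must test _PyThreadState_MustExit(tstate) first.`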
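Review bot: The new header comment on _PyThreadState_MustExit() misspells the key word of its safety argument; the line should read `// is used, the pointer is not dereferenced.` Because that sentence is the whole reason the function may be called with a dangling tstate, I would also add `// Callers must not touch tstate again when this returns non-zero.` so the contract sits next to the definition. Strictly, ISO C treats even the value of a pointer to a freed object as indeterminate, so the `finalizing != tstate` comparison relies on how the supported compilers behave, and a short remark to that effect would help future readers. The function is no longer `static inline` in ceval_gil.h, so it needs a declaration in an internal header, which this diff (limited to 'Python') does not show.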