fix races when initializing #[pyclass] type objects
#5341
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Fix data races inside Python type objects when initializing `#[pyclass]` types. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,22 @@ | ||
| use std::{ | ||
| marker::PhantomData, | ||
| thread::{self, ThreadId}, | ||
| }; | ||
|
|
||
| use pyo3_ffi::PyTypeObject; | ||
|
|
||
| #[cfg(Py_3_14)] | ||
| use crate::err::error_on_minusone; | ||
| #[cfg(Py_3_14)] | ||
| use crate::types::PyTypeMethods; | ||
| use crate::{ | ||
| exceptions::PyRuntimeError, | ||
| impl_::pymethods::PyMethodDefType, | ||
| pyclass::{create_type_object, PyClassTypeObject}, | ||
| sync::PyOnceLock, | ||
| type_object::PyTypeInfo, | ||
| types::{PyAnyMethods, PyType}, | ||
| Bound, Py, PyClass, PyErr, PyResult, Python, | ||
| }; | ||
|
|
||
| use std::sync::Mutex; | ||
|
|
@@ -29,13 +29,9 @@ pub struct LazyTypeObject<T>(LazyTypeObjectInner, PhantomData<T>); | |
|
|
||
| // Non-generic inner of LazyTypeObject to keep code size down | ||
| struct LazyTypeObjectInner { | ||
| value: PyOnceLock<PyClassTypeObject>, | ||
| initializing_thread: Mutex<Option<ThreadId>>, | ||
| fully_initialized_type: PyOnceLock<Py<PyType>>, | ||
| } | ||
|
|
||
| impl<T> LazyTypeObject<T> { | ||
|
|
@@ -44,11 +40,9 @@ impl<T> LazyTypeObject<T> { | |
| pub const fn new() -> Self { | ||
| LazyTypeObject( | ||
| LazyTypeObjectInner { | ||
| value: PyOnceLock::new(), | ||
| initializing_thread: Mutex::new(None), | ||
| fully_initialized_type: PyOnceLock::new(), | ||
| }, | ||
| PhantomData, | ||
| ) | ||
|
|
@@ -71,6 +65,7 @@ impl<T: PyClass> LazyTypeObject<T> { | |
| fn try_init<'py>(&self, py: Python<'py>) -> PyResult<&Bound<'py, PyType>> { | ||
| self.0.get_or_try_init( | ||
| py, | ||
| <T::BaseType as PyTypeInfo>::type_object_raw, | ||
| create_type_object::<T>, | ||
| <T as PyClass>::NAME, | ||
| T::items_iter(), | ||
|
|
@@ -85,18 +80,28 @@ impl LazyTypeObjectInner { | |
| fn get_or_try_init<'py>( | ||
| &self, | ||
| py: Python<'py>, | ||
| base_init: fn(Python<'py>) -> *mut PyTypeObject, | ||
| init: fn(Python<'py>) -> PyResult<PyClassTypeObject>, | ||
| name: &str, | ||
| items_iter: PyClassItemsIter, | ||
| ) -> PyResult<&Bound<'py, PyType>> { | ||
| (|| -> PyResult<_> { | ||
| // ensure that base is fully initialized before entering the `PyOnceLock` | ||
| // initialization; that could otherwise deadlock if the base type needs | ||
| // to load the subtype as an attribute. | ||
| // | ||
| // don't try to synchronize this; assume that `base_init` handles concurrency and | ||
| // re-entrancy in the same way this function does | ||
| base_init(py); | ||
| // at this point, we are guaranteed that the base type object has been created, we may be inside | ||
| // `fill_tp_dict` of the base type in the case of this subtype being an attribute on the base | ||
| let PyClassTypeObject { | ||
| type_object, | ||
| is_immutable_type, | ||
| .. | ||
| } = self.value.get_or_try_init(py, || init(py))?; | ||
| let type_object = type_object.bind(py); | ||
| self.fill_tp_dict(type_object, *is_immutable_type, name, items_iter)?; | ||
| Ok(type_object) | ||
| })() | ||
| .map_err(|err| { | ||
|
|
@@ -108,146 +113,133 @@ impl LazyTypeObjectInner { | |
| }) | ||
| } | ||
|
|
||
| fn fill_tp_dict( | ||
| &self, | ||
| type_object: &Bound<'_, PyType>, | ||
| #[allow(unused_variables)] is_immutable_type: bool, | ||
| name: &str, | ||
| items_iter: PyClassItemsIter, | ||
| ) -> PyResult<()> { | ||
| let py: Python<'_> = type_object.py(); | ||
|
|
||
| // We might want to fill the `tp_dict` with python instances of `T` | ||
| // itself. In order to do so, we must first initialize the type object | ||
| // with an empty `tp_dict`: now we can create instances of `T`. | ||
| // | ||
| // More importantly, if a thread is performing initialization of the | ||
| // `tp_dict`, it can still request the type object through `get_or_init`, | ||
| // but the `tp_dict` may appear empty of course. | ||
|
|
||
| let Some(guard) = InitializationGuard::new(&self.initializing_thread) else { | ||
|
Contributor
There was a problem hiding this comment. Just to be sure I get the logic here: The idea is that multiple threads might acquire a guard here, but only one of them will be able to will start the initialization due to the Is that roughly right?
Member
Author
There was a problem hiding this comment. Yes, though the more I think about this I think there might be deadlock risks in other more perverse cases e.g. I feel like it might be that this I guess there's a secondary concern about what happens if one attribute fails to compute partway through, some attributes might be set and others not. Is that ok? Maybe there's an argument that we should spend some more time thinking about this, get it right once in 0.27, and document the full behaviour properly at the same time.
Contributor
There was a problem hiding this comment. If the goal is to disallow races, IMO we shouldn't be allowing any thread to see a partially initialized type. Would a test that defines two classes that depend on each other as class attributes make this whole discussion a little more concrete?
Member
Author
There was a problem hiding this comment.
That would be helpful, yes please. It can be added next to the other test I added https://github.com/PyO3/pyo3/pull/5341/changes#diff-ce6fbca6e26a2417fc5cbc9c2c3258a4f22ca1063cfea4b140704c030abecdd9R325 I guess that probably we should error (or even panic) if there's a cyclic relationship? Users can always modify the type objects after construction by hand if needed. Also I part wonder whether moving towards proper module state / storing types on module objects will have any impact on this situation. Probably not because the natural API for modules in Rust/PyO3 is still declarative. |
||
| // we are re-entrant with `tp_dict` initialization on this thread, we should | ||
| // just return Ok and allow the init to proceed, whatever is accessing the type | ||
| // object will just see the class without all attributes present. | ||
| return Ok(()); | ||
| }; | ||
|
|
||
| // Only one thread will now proceed to set the type attributes. | ||
| self.fully_initialized_type | ||
| .get_or_try_init(py, move || -> PyResult<_> { | ||
| guard.start_init(); | ||
|
|
||
| for class_items in items_iter { | ||
| for method in class_items.methods { | ||
| if let PyMethodDefType::ClassAttribute(attr) = method { | ||
| (attr.meth)(py) | ||
| .and_then(|val| { | ||
| type_object.setattr( | ||
| // FIXME: add `IntoPyObject` for `&CStr`? | ||
| attr.name.to_str().expect("attribute name should be UTF8"), | ||
| val, | ||
| ) | ||
| }) | ||
| .map_err(|err| { | ||
| wrap_in_runtime_error( | ||
| py, | ||
| err, | ||
| format!( | ||
| "An error occurred while initializing `{}.{}`", | ||
| name, | ||
| attr.name.to_str().unwrap() | ||
| ), | ||
| ) | ||
| })?; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| #[cfg(Py_3_14)] | ||
| if is_immutable_type { | ||
| // freeze immutable types after __dict__ is initialized | ||
| let res = unsafe { crate::ffi::PyType_Freeze(type_object.as_type_ptr()) }; | ||
| error_on_minusone(py, res)?; | ||
| } | ||
| #[cfg(all(Py_3_10, not(Py_LIMITED_API), not(Py_3_14)))] | ||
| if is_immutable_type { | ||
| use crate::types::PyTypeMethods as _; | ||
| #[cfg(not(Py_GIL_DISABLED))] | ||
| unsafe { | ||
| (*type_object.as_type_ptr()).tp_flags |= | ||
| crate::ffi::Py_TPFLAGS_IMMUTABLETYPE | ||
| }; | ||
| #[cfg(Py_GIL_DISABLED)] | ||
| unsafe { | ||
| (*type_object.as_type_ptr()).tp_flags.fetch_or( | ||
| crate::ffi::Py_TPFLAGS_IMMUTABLETYPE, | ||
| std::sync::atomic::Ordering::Relaxed, | ||
| ) | ||
| }; | ||
| unsafe { crate::ffi::PyType_Modified(type_object.as_type_ptr()) }; | ||
| } | ||
|
|
||
| drop(guard); | ||
| Ok(type_object.clone().unbind()) | ||
| })?; | ||
|
|
||
| Ok(()) | ||
| } | ||
| } | ||
|
|
||
| struct InitializationGuard<'a> { | ||
| initializing_thread: &'a Mutex<Option<ThreadId>>, | ||
| thread_id: ThreadId, | ||
| } | ||
|
|
||
| impl<'a> InitializationGuard<'a> { | ||
| /// Attempt to create a new `InitializationGuard`. | ||
| /// | ||
| /// Returns `None` if this call would be re-entrant. | ||
| /// | ||
| /// The guard will not protect against re-entrancy until `start_init` is called. | ||
| fn new(initializing_thread: &'a Mutex<Option<ThreadId>>) -> Option<Self> { | ||
| let thread_id = thread::current().id(); | ||
| let thread = initializing_thread.lock().expect("no poisoning"); | ||
| if thread.is_some_and(|id| id == thread_id) { | ||
| None | ||
| } else { | ||
| Some(Self { | ||
| initializing_thread, | ||
| thread_id, | ||
| }) | ||
| } | ||
| } | ||
|
|
||
| /// Starts the initialization process. From this point forward `InitializationGuard::new` will protect against re-entrancy. | ||
| fn start_init(&self) { | ||
| let mut thread = self.initializing_thread.lock().expect("no poisoning"); | ||
| assert!(thread.is_none(), "overlapping use of `InitializationGuard`"); | ||
| *thread = Some(self.thread_id); | ||
| } | ||
| } | ||
|
|
||
| impl Drop for InitializationGuard<'_> { | ||
| fn drop(&mut self) { | ||
| let mut thread = self.initializing_thread.lock().unwrap(); | ||
| // only clear the thread if this was the thread which called `start_init` | ||
| if thread.is_some_and(|id| id == self.thread_id) { | ||
| *thread = None; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| // This is necessary for making static `LazyTypeObject`s | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably I accidentally double-clicked an inline hint.