Skip to content

enum_next and pairwise_next can result in tuple elements with zero reference count in free-threading build #121464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eendebakpt opened this issue Jul 7, 2024 · 3 comments
Open

enum_next and pairwise_next can result in tuple elements with zero reference count in free-threading build #121464

eendebakpt opened this issue Jul 7, 2024 · 3 comments
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-free-threading type-bug An unexpected behavior, bug, or error

Comments

@eendebakpt
Copy link
Contributor

eendebakpt commented Jul 7, 2024
edited by bedevere-app bot
Loading

Bug report

Bug description:

The enumerate object (and also the itertools.pairwise since #118219) re-uses tuples when possible. It does this by checking the reference count to be 1:

   // from enum_next in enumobject.c
    if (Py_REFCNT(result) == 1) {
        Py_INCREF(result);
        old_index = PyTuple_GET_ITEM(result, 0);
        old_item = PyTuple_GET_ITEM(result, 1);
        PyTuple_SET_ITEM(result, 0, next_index);
        PyTuple_SET_ITEM(result, 1, next_item);
        Py_DECREF(old_index);
        Py_DECREF(old_item);
        ....

The refcount check and increment are not atomic, so in the free-threading build multiple threads can end up operating on the result object. It is possible that one thread already sets an item in the tuple, and another thread decrefs the item believing it is still an old item.

In the nogil reference implementation (https://github.com/colesbury/nogil) no changes are made to address this. So maybe the issue cannot occur?

In #120591 this problem is addressed with a lock, which might be too much overhead (see the discussion in #120496)

@colesbury @hauntsaninja

CPython versions tested on:

CPython main branch

Operating systems tested on:

Windows

Linked PRs
@eendebakpt eendebakpt added the type-bug An unexpected behavior, bug, or error label Jul 7, 2024
@eendebakpt
Copy link
Contributor Author

There are more places in the codebase where the same issue occurs:

cpython/Modules/itertoolsmodule.c

Lines 360 to 367 in 58fdb16

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
PyObject *last_old = PyTuple_GET_ITEM(result, 0);
PyObject *last_new = PyTuple_GET_ITEM(result, 1);
PyTuple_SET_ITEM(result, 0, Py_NewRef(old));
PyTuple_SET_ITEM(result, 1, Py_NewRef(new));
Py_DECREF(last_old);
Py_DECREF(last_new);

cpython/Modules/itertoolsmodule.c

Lines 3713 to 3736 in 58fdb16

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
for (i=0 ; i < tuplesize ; i++) {
it = PyTuple_GET_ITEM(lz->ittuple, i);
if (it == NULL) {
item = Py_NewRef(lz->fillvalue);
} else {
item = PyIter_Next(it);
if (item == NULL) {
lz->numactive -= 1;
if (lz->numactive == 0 || PyErr_Occurred()) {
lz->numactive = 0;
Py_DECREF(result);
return NULL;
} else {
item = Py_NewRef(lz->fillvalue);
PyTuple_SET_ITEM(lz->ittuple, i, NULL);
Py_DECREF(it);
}
}
}
olditem = PyTuple_GET_ITEM(result, i);
PyTuple_SET_ITEM(result, i, item);
Py_DECREF(olditem);

cpython/Objects/enumobject.c

Lines 246 to 253 in 126910e

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
old_index = PyTuple_GET_ITEM(result, 0);
old_item = PyTuple_GET_ITEM(result, 1);
PyTuple_SET_ITEM(result, 0, next_index);
PyTuple_SET_ITEM(result, 1, next_item);
Py_DECREF(old_index);
Py_DECREF(old_item);

cpython/Objects/enumobject.c

Lines 246 to 253 in 126910e

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
old_index = PyTuple_GET_ITEM(result, 0);
old_item = PyTuple_GET_ITEM(result, 1);
PyTuple_SET_ITEM(result, 0, next_index);
PyTuple_SET_ITEM(result, 1, next_item);
Py_DECREF(old_index);
Py_DECREF(old_item);

cpython/Objects/enumobject.c

Lines 196 to 209 in 126910e

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
old_index = PyTuple_GET_ITEM(result, 0);
old_item = PyTuple_GET_ITEM(result, 1);
PyTuple_SET_ITEM(result, 0, next_index);
PyTuple_SET_ITEM(result, 1, next_item);
Py_DECREF(old_index);
Py_DECREF(old_item);
// bpo-42536: The GC may have untracked this result tuple. Since we're
// recycling it, make sure it's tracked again:
if (!_PyObject_GC_IS_TRACKED(result)) {
_PyObject_GC_TRACK(result);
}
return result;

cpython/Python/bltinmodule.c

Lines 2974 to 2994 in 58fdb16

if (Py_REFCNT(result) == 1) {
Py_INCREF(result);
for (i=0 ; i < tuplesize ; i++) {
it = PyTuple_GET_ITEM(lz->ittuple, i);
item = (*Py_TYPE(it)->tp_iternext)(it);
if (item == NULL) {
Py_DECREF(result);
if (lz->strict) {
goto check;
}
return NULL;
}
olditem = PyTuple_GET_ITEM(result, i);
PyTuple_SET_ITEM(result, i, item);
Py_DECREF(olditem);
}
// bpo-42536: The GC may have untracked this result tuple. Since we're
// recycling it, make sure it's tracked again:
if (!_PyObject_GC_IS_TRACKED(result)) {
_PyObject_GC_TRACK(result);
}

@picnixz picnixz added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label Aug 23, 2024
@eendebakpt eendebakpt mentioned this issue Aug 29, 2024
Open
@rhettinger
Copy link
Contributor

It would be reasonable to ifdef out the tuple reuse fast path on a free-threaded build.

@eendebakpt
Copy link
Contributor Author

@rhettinger Disabling the re-use of the tuple solves part of the issues with free-threading.

We should also disable clearing the reference to the iterator (e.g. Py_CLEAR(po->it); inside pairwise_enum), otherwise one thread can clear the iterator (making the reference count zero) and another thread still use it. That will not impact performance or impact readability of the code. But it could subtly change behavior (see the notes in #123848 on exhausting the iterator)

And finally we have to make sure we handle updates to po->old correctly. In current main it can happen that in one thread the reference count to po->old is reduced to zero at lines

cpython/Modules/itertoolsmodule.c

Lines 382 to 383 in dd0ee20

Py_XSETREF(po->old, new);
Py_DECREF(old);
while in another thread a borrowed reference is obtained at

cpython/Modules/itertoolsmodule.c

Line 331 in dd0ee20

PyObject *old = po->old;

I think for pairwise we can do this with reasonably clean code.

For some other methods in itertools the situation is similar: there is an internal state that needs to be mutated during iteration. For example for itertools.product the internal state of the iterator is contained in lz->indices and lz->result and mutated in

cpython/Modules/itertoolsmodule.c

Lines 2057 to 2075 in dd0ee20

for (i=npools-1 ; i >= 0 ; i--) {
pool = PyTuple_GET_ITEM(pools, i);
indices[i]++;
if (indices[i] == PyTuple_GET_SIZE(pool)) {
/* Roll-over and advance to next pool */
indices[i] = 0;
elem = PyTuple_GET_ITEM(pool, 0);
Py_INCREF(elem);
oldelem = PyTuple_GET_ITEM(result, i);
PyTuple_SET_ITEM(result, i, elem);
Py_DECREF(oldelem);
} else {
/* No rollover. Just increment and stop here. */
elem = PyTuple_GET_ITEM(pool, indices[i]);
Py_INCREF(elem);
oldelem = PyTuple_GET_ITEM(result, i);
PyTuple_SET_ITEM(result, i, elem);
Py_DECREF(oldelem);
break;

I will think a bit more about alternative options.

@bedevere-app bedevere-app bot mentioned this issue Oct 19, 2024
Merged
kumaraditya303 pushed a commit that referenced this issue Mar 13, 2025
@eendebakpt
gh-121464: Make concurrent iteration over enumerate safe under free-t…
ec46a55 
…hreading (#125734)
plashchynski pushed a commit to plashchynski/cpython that referenced this issue Mar 17, 2025
@eendebakpt @plashchynski
pythongh-121464: Make concurrent iteration over enumerate safe under …
ccab4d1 
…free-threading (python#125734)
seehwan pushed a commit to seehwan/cpython that referenced this issue Apr 16, 2025
@eendebakpt @seehwan80
pythongh-121464: Make concurrent iteration over enumerate safe under …
4080123 
…free-threading (python#125734)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-free-threading type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@eendebakpt @rhettinger @picnixz @terryjreedy