Skip to content

gh-146270: Fix PyMember_SetOne(..., NULL) not being atomic #148800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dpdani wants to merge 5 commits into
base: main
Choose a base branch
from
Open

gh-146270: Fix PyMember_SetOne(..., NULL) not being atomic #148800

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
98cbbc0
gh-146270: Fix `PyMember_SetOne(..., NULL)` not being atomic
dpdani Apr 1, 2026
7a7114b
📜🤖 Added by blurb_it.
blurb-it[bot] Apr 20, 2026
47b58c9
fix backticks
dpdani Apr 20, 2026
015795a
address some review comments
dpdani Apr 21, 2026
50c19f6
decrease number of iterations
dpdani Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions Lib/test/test_free_threading/test_slots.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,50 @@ def reader():

run_in_threads([writer, reader, reader, reader])

def test_del_object_is_atomic(self):
Copy link
Copy Markdown
Contributor

@colesbury colesbury Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is too slow. It's not worth trying to catch every sort non-sequential consistency. If you catch the data race under TSan reasonably often, that's fine:

from test.support.threading_helper import run_concurrently

...

        class Spam:
            __slots__ = [ "foo" ]

        def deleter(spam, successes):
            try:
                del spam.foo
                successes.append(True)
            except AttributeError:
                successes.append(False)

        for _ in range(10):
            spam = Spam()
            spam.foo = 0
            successes = []
            run_concurrently(deleter, nthreads=4, args=(spam, successes))
            self.assertEqual(sum(successes), 1)

Copy link
Copy Markdown
Contributor Author

@dpdani dpdani Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you say it's too slow, what upper bound do you have in mind?

Btw, with your test, I cannot get it to fail when reverting structmember.c, nor did I get TSan warnings in 5 out of 5 attempts.

I think the reason why that's so is that just starting threads doesn't generate enough contention: they're not actually going to hit the current *(PyObject **)addr == NULL at line 177 concurrently with the FT_ATOMIC_STORE_PTR_RELEASE at line 335. This is why I added SpinningBarrier, to generate more contention and have them hit these lines concurrently, in a reliable way.

I can also just reduce the number of iterations in my test. Even with just iters = 10, TSan reported a race 10 out of 10 times. I kinda put 1000 to begin with and then forgot about it.

With iters = 10, the whole test suite runs in about 35ms on my MacBook, albeit the test doesn't fail reliably with TSan turned off, only failing ~33% of the times.

Copy link
Copy Markdown
Contributor

@colesbury colesbury Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should aim for <100ms. I get a TSan error on nearly every run

Copy link
Copy Markdown
Contributor Author

@dpdani dpdani Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the current test on 10 iterations, the whole suite runs in <50ms, so I think that should be fine.

It's curious that you're getting more TSan errors, on my macbook I'm seeing 1 TSan warning every ~20 runs. Can I ask you what's your ./configure? Mine is ./configure --config-cache --disable-gil --with-pydebug --with-thread-sanitizer.

Btw, if I use your test code and switch threading.Barrier -> _testcapi.SpinningBarrier inside run_concurrently, I saw a TSan warning on 100 out of 100 runs.

To be clear, I'm not suggesting to use SpinningBarrier in run_concurrently, I'm saying that it definitely gives more determinism to the results, and I think it's worth keeping it.

# Testing whether the implementation of `del slots_object.attribute`
# removes the attribute atomically, thus avoiding non-sequentially-
# consistent behaviors.
# https://github.com/python/cpython/issues/146270

class Spam:
__slots__ = [
"eggs",
"foo",
]

spam = Spam()
non_seq_cst_behaviour_observed = False

def deleter():
barrier.wait()
try:
del spam.eggs
except AttributeError:
pass
else:
try:
del spam.foo
except AttributeError:
nonlocal non_seq_cst_behaviour_observed
non_seq_cst_behaviour_observed = True
# The fact that the else branch was reached implies that
# the `del spam.eggs` call was successful. If that were
# atomic, there is no way for two threads to enter the else
# branch, therefore it must be that only one thread
# attempts to `del spam.foo`. Thus, hitting an
# AttributeError here is non-sequentially-consistent,
# falsifying the assumption that `del spam.eggs` was
# atomic. The test fails if this point is reached.

for _ in range(10):
spam.eggs = 0
spam.foo = 0
barrier = _testcapi.SpinningBarrier(2)
# threading.Barrier would not create enough contention here
run_in_threads([deleter, deleter])
self.assertFalse(non_seq_cst_behaviour_observed)

def test_T_BOOL(self):
spam_old = _testcapi._test_structmembersType_OldAPI()
spam_new = _testcapi._test_structmembersType_NewAPI()
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Core_and_Builtins/2026-04-20-15-25-55.gh-issue-146270.qZYfyc.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a sequential consistency bug in ``structmember.c`` and add ``_testcapi.SpinningBarrier`` to support the new test.
108 changes: 108 additions & 0 deletions Modules/_testcapimodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2642,6 +2642,108 @@ test_soft_deprecated_macros(PyObject *Py_UNUSED(self), PyObject *Py_UNUSED(args)
Py_RETURN_NONE;
}

/**
Copy link
Copy Markdown
Contributor

@colesbury colesbury Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's worth adding this

Copy link
Copy Markdown
Contributor Author

@dpdani dpdani Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without SpinningBarrier the bug becomes significantly harder to reproduce. Also see my comment above.

Copy link
Copy Markdown
Contributor

@colesbury colesbury Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's still not worth it. I'm more than happy to accept reduced chances of catching one specific regression per test run in exchange for avoiding this.

* A spinning barrier is a multithreading barrier similar to threading.Barrier,
* except that it never parks threads that are waiting on the barrier.
*
* This is useful in scenarios where it is desirable to increase contention on
* the code that follows the barrier. For instance, consider this test:
*
* def test_my_method_is_atomic():
* x = MyClass()
* b = _testcapi.SpinningBarrier()
*
* def thread():
* b.wait()
* x.my_method()
*
* for _ in range(1_000):
* threads = [Thread(target=thread), Thread(target=thread)]
* for t in threads: t.start()
* for t in threads: t.join()
*
* It can be desirable (and sometimes necessary) to increase the contention
* on x's internal data structure by avoiding threads parking.
* Here, not parking may become necessary when the code in my_method() is so
* short that contention-related code paths are never exercised otherwise.
*
* It is roughly equivalent to this Python class:
*
* class SpinningBarrier:
* def __init__(self, parties: int):
* self.parties = AtomicInt(parties) # if only we had atomic integers
*
* def wait(self):
* v = self.parties.decrement_and_get()
* while True:
* if v < 0:
* raise ValueError("wait was called too many times")
* if v == 0:
* return
* v = self.parties.get()
*
*/

typedef struct {
PyObject_HEAD
int parties;
} SpinningBarrier;

int
SpinningBarrier_init(PyObject *self, PyObject *args, PyObject *kwargs)
{
int parties = 0;
const char *kwlist[] = {"parties", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i", (char **)kwlist, &parties)) {
return -1;
}
if (parties <= 0) {
PyErr_SetString(PyExc_ValueError, "parties must be greater than zero");
return -1;
}

SpinningBarrier *self_b = (SpinningBarrier *) self;
self_b->parties = parties;

return 0;
}

PyObject *
SpinningBarrier_wait(PyObject *self, PyObject *Py_UNUSED(args))
{
SpinningBarrier *self_b = (SpinningBarrier *) self;
const long decremented = _Py_atomic_add_int(&self_b->parties, -1) - 1;
long v = decremented;
while (1) {
if (v < 0) {
PyErr_SetString(PyExc_ValueError, "wait was called too many times");
return NULL;
}
if (v == 0) {
return PyLong_FromLong(decremented);
}
v = _Py_atomic_load_int_relaxed(&self_b->parties);
if (PyErr_CheckSignals()) {
return NULL;
}
}
}

static PyMethodDef SpinningBarrier_methods[] = {
{"wait", SpinningBarrier_wait, METH_NOARGS},
{NULL, NULL},
};

static PyTypeObject SpinningBarrier_Type = {
PyVarObject_HEAD_INIT(NULL, 0)
.tp_name = "SpinningBarrier",
.tp_basicsize = sizeof(SpinningBarrier),
.tp_new = PyType_GenericNew,
.tp_free = PyObject_Free,
.tp_init = &SpinningBarrier_init,
.tp_methods = SpinningBarrier_methods,
};

static PyMethodDef TestMethods[] = {
{"set_errno", set_errno, METH_VARARGS},
{"test_config", test_config, METH_NOARGS},
Expand Down Expand Up @@ -3369,6 +3471,12 @@ _testcapi_exec(PyObject *m)
Py_INCREF(&MethStatic_Type);
PyModule_AddObject(m, "MethStatic", (PyObject *)&MethStatic_Type);

if (PyType_Ready(&SpinningBarrier_Type) < 0) {
return -1;
}
Py_INCREF(&SpinningBarrier_Type);
PyModule_AddObject(m, "SpinningBarrier", (PyObject *)&SpinningBarrier_Type);

PyModule_AddObject(m, "CHAR_MAX", PyLong_FromLong(CHAR_MAX));
PyModule_AddObject(m, "CHAR_MIN", PyLong_FromLong(CHAR_MIN));
PyModule_AddObject(m, "UCHAR_MAX", PyLong_FromLong(UCHAR_MAX));
Expand Down
26 changes: 13 additions & 13 deletions Python/structmember.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,19 +171,10 @@ PyMember_SetOne(char *addr, PyMemberDef *l, PyObject *v)
PyErr_SetString(PyExc_AttributeError, "readonly attribute");
return -1;
}
if (v == NULL) {
if (l->type == Py_T_OBJECT_EX) {
/* Check if the attribute is set. */
if (*(PyObject **)addr == NULL) {
PyErr_SetString(PyExc_AttributeError, l->name);
return -1;
}
}
else if (l->type != _Py_T_OBJECT) {
PyErr_SetString(PyExc_TypeError,
"can't delete numeric/char attribute");
return -1;
}
if (v == NULL && l->type != Py_T_OBJECT_EX && l->type != _Py_T_OBJECT) {
PyErr_SetString(PyExc_TypeError,
"can't delete numeric/char attribute");
return -1;
}
switch (l->type) {
case Py_T_BOOL:{
Expand Down Expand Up @@ -334,6 +325,15 @@ PyMember_SetOne(char *addr, PyMemberDef *l, PyObject *v)
oldv = *(PyObject **)addr;
FT_ATOMIC_STORE_PTR_RELEASE(*(PyObject **)addr, Py_XNewRef(v));
Py_END_CRITICAL_SECTION();
if (v == NULL && oldv == NULL && l->type == Py_T_OBJECT_EX) {
// Raise an exception when attempting to delete an already deleted
// attribute.
// Differently from Py_T_OBJECT_EX, _Py_T_OBJECT does not raise an
// exception here (PyMember_GetOne will return Py_None instead of
// NULL).
PyErr_SetString(PyExc_AttributeError, l->name);
return -1;
}
Comment on lines +328 to +336
Copy link
Copy Markdown
Contributor

@colesbury colesbury Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Keep the comments simple, i.e., "deleting an already deleted attribute raises an exception
  2. Move the decref after the check. Reading a pointer that has been freed, even if it's just a NULL check, is UB
  3. The l->type is redundant
if (v == NULL && oldv == NULL && l->type == Py_T_OBJECT_EX) {
    // Raise an exception when attempting to delete an already deleted attribute
    PyErr_SetString(PyExc_AttributeError, l->name);
    return -1;
}
Py_XDECREF(oldv);

Copy link
Copy Markdown
Contributor Author

@dpdani dpdani Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't understand what you meant with "The l->type is redundant."

I have expanded a comment, hopefully it clarifies why that check is needed?

Py_XDECREF(oldv);
break;
case Py_T_CHAR: {
Expand Down
1 change: 1 addition & 0 deletions Tools/c-analyzer/cpython/ignored.tsv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,7 @@ Modules/_testcapimodule.c - meth_class_methods -
Modules/_testcapimodule.c - meth_instance_methods -
Modules/_testcapimodule.c - meth_static_methods -
Modules/_testcapimodule.c - ml -
Modules/_testcapimodule.c - SpinningBarrier_Type -
Modules/_testcapimodule.c - str1 -
Modules/_testcapimodule.c - str2 -
Modules/_testcapimodule.c - test_c_thread -
Expand Down
Loading