bpo-35983: skip trashcan for subclasses (pythonGH-11841)

Add new trashcan macros to deal with a double deallocation that could occur when the `tp_dealloc` of a subclass calls the `tp_dealloc` of a base class and that base class uses the trashcan mechanism. Patch by Jeroen Demeyer.

Author: jdemeyer

Include/object.h

@@ -649,26 +649,26 @@ times.
 
 When deallocating a container object, it's possible to trigger an unbounded
 chain of deallocations, as each Py_DECREF in turn drops the refcount on "the
-next" object in the chain to 0. This can easily lead to stack faults, and
+next" object in the chain to 0. This can easily lead to stack overflows,
 especially in threads (which typically have less stack space to work with).
 
-A container object that participates in cyclic gc can avoid this by
-bracketing the body of its tp_dealloc function with a pair of macros:
+A container object can avoid this by bracketing the body of its tp_dealloc
+function with a pair of macros:
 
 static void
 mytype_dealloc(mytype *p)
 {
  ... declarations go here ...
 
  PyObject_GC_UnTrack(p); // must untrack first
- Py_TRASHCAN_SAFE_BEGIN(p)
+ Py_TRASHCAN_BEGIN(p, mytype_dealloc)
  ... The body of the deallocator goes here, including all calls ...
  ... to Py_DECREF on contained objects. ...
- Py_TRASHCAN_SAFE_END(p)
+ Py_TRASHCAN_END // there should be no code after this
 }
 
 CAUTION: Never return from the middle of the body! If the body needs to
-"get out early", put a label immediately before the Py_TRASHCAN_SAFE_END
+"get out early", put a label immediately before the Py_TRASHCAN_END
 call, and goto it. Else the call-depth counter (see below) will stay
 above 0 forever, and the trashcan will never get emptied.
 
@@ -684,6 +684,12 @@ notices this, and calls another routine to deallocate all the objects that
 may have been added to the list of deferred deallocations. In effect, a
 chain of N deallocations is broken into (N-1)/(PyTrash_UNWIND_LEVEL-1) pieces,
 with the call stack never exceeding a depth of PyTrash_UNWIND_LEVEL.
+
+Since the tp_dealloc of a subclass typically calls the tp_dealloc of the base
+class, we need to ensure that the trashcan is only triggered on the tp_dealloc
+of the actual class being deallocated. Otherwise we might end up with a
+partially-deallocated object. To check this, the tp_dealloc function must be
+passed as second argument to Py_TRASHCAN_BEGIN().
 */
 
 /* The new thread-safe private API, invoked by the macros below. */
@@ -692,21 +698,38 @@ PyAPI_FUNC(void) _PyTrash_thread_destroy_chain(void);
 
 #define PyTrash_UNWIND_LEVEL 50
 
-#define Py_TRASHCAN_SAFE_BEGIN(op) \
+#define Py_TRASHCAN_BEGIN_CONDITION(op, cond) \
  do { \
- PyThreadState *_tstate = PyThreadState_GET(); \
- if (_tstate->trash_delete_nesting < PyTrash_UNWIND_LEVEL) { \
- ++_tstate->trash_delete_nesting;
- /* The body of the deallocator is here. */
-#define Py_TRASHCAN_SAFE_END(op) \
+ PyThreadState *_tstate = NULL; \
+ /* If "cond" is false, then _tstate remains NULL and the deallocator \
+ * is run normally without involving the trashcan */ \
+ if (cond) { \
+ _tstate = PyThreadState_GET(); \
+ if (_tstate->trash_delete_nesting >= PyTrash_UNWIND_LEVEL) { \
+ /* Store the object (to be deallocated later) and jump past \
+ * Py_TRASHCAN_END, skipping the body of the deallocator */ \
+ _PyTrash_thread_deposit_object(_PyObject_CAST(op)); \
+ break; \
+ } \
+ ++_tstate->trash_delete_nesting; \
+ }
+ /* The body of the deallocator is here. */
+#define Py_TRASHCAN_END \
+ if (_tstate) { \
  --_tstate->trash_delete_nesting; \
  if (_tstate->trash_delete_later && _tstate->trash_delete_nesting <= 0) \
  _PyTrash_thread_destroy_chain(); \
  } \
- else \
- _PyTrash_thread_deposit_object(_PyObject_CAST(op)); \
  } while (0);
 
+#define Py_TRASHCAN_BEGIN(op, dealloc) Py_TRASHCAN_BEGIN_CONDITION(op, \
+ Py_TYPE(op)->tp_dealloc == (destructor)(dealloc))
+
+/* For backwards compatibility, these macros enable the trashcan
+ * unconditionally */
+#define Py_TRASHCAN_SAFE_BEGIN(op) Py_TRASHCAN_BEGIN_CONDITION(op, 1)
+#define Py_TRASHCAN_SAFE_END(op) Py_TRASHCAN_END
+
 
 #ifndef Py_LIMITED_API
 # define Py_CPYTHON_OBJECT_H

Lib/test/test_capi.py

@@ -333,6 +333,49 @@ def test_negative_refcount(self):
  br'_Py_NegativeRefcount: Assertion failed: '
  br'object has negative ref count')
 
+ def test_trashcan_subclass(self):
+ # bpo-35983: Check that the trashcan mechanism for "list" is NOT
+ # activated when its tp_dealloc is being called by a subclass
+ from _testcapi import MyList
+ L = None
+ for i in range(1000):
+ L = MyList((L,))
+
+ def test_trashcan_python_class1(self):
+ self.do_test_trashcan_python_class(list)
+
+ def test_trashcan_python_class2(self):
+ from _testcapi import MyList
+ self.do_test_trashcan_python_class(MyList)
+
+ def do_test_trashcan_python_class(self, base):
+ # Check that the trashcan mechanism works properly for a Python
+ # subclass of a class using the trashcan (this specific test assumes
+ # that the base class "base" behaves like list)
+ class PyList(base):
+ # Count the number of PyList instances to verify that there is
+ # no memory leak
+ num = 0
+ def __init__(self, *args):
+ __class__.num += 1
+ super().__init__(*args)
+ def __del__(self):
+ __class__.num -= 1
+
+ for parity in (0, 1):
+ L = None
+ # We need in the order of 2**20 iterations here such that a
+ # typical 8MB stack would overflow without the trashcan.
+ for i in range(2**20):
+ L = PyList((L,))
+ L.attr = i
+ if parity:
+ # Add one additional nesting layer
+ L = (L,)
+ self.assertGreater(PyList.num, 0)
+ del L
+ self.assertEqual(PyList.num, 0)
+
 
 class TestPendingCalls(unittest.TestCase):
 

Lib/test/test_ordered_dict.py

@@ -459,7 +459,9 @@ def update(self, *args, **kwds):
  self.assertEqual(list(MyOD(items).items()), items)
 
  def test_highly_nested(self):
- # Issue 25395: crashes during garbage collection
+ # Issues 25395 and 35983: test that the trashcan mechanism works
+ # correctly for OrderedDict: deleting a highly nested OrderDict
+ # should not crash Python.
  OrderedDict = self.OrderedDict
  obj = None
  for _ in range(1000):
@@ -468,7 +470,9 @@ def test_highly_nested(self):
  support.gc_collect()
 
  def test_highly_nested_subclass(self):
- # Issue 25395: crashes during garbage collection
+ # Issues 25395 and 35983: test that the trashcan mechanism works
+ # correctly for OrderedDict: deleting a highly nested OrderDict
+ # should not crash Python.
  OrderedDict = self.OrderedDict
  deleted = []
  class MyOD(OrderedDict):

Misc/NEWS.d/next/Core and Builtins/2019-02-13-16-47-19.bpo-35983.bNxsXv.rst

@@ -0,0 +1,3 @@
+Added new trashcan macros to deal with a double deallocation that could occur
+when the `tp_dealloc` of a subclass calls the `tp_dealloc` of a base class
+and that base class uses the trashcan mechanism. Patch by Jeroen Demeyer.

Modules/_elementtree.c

@@ -669,7 +669,7 @@ element_dealloc(ElementObject* self)
 {
  /* bpo-31095: UnTrack is needed before calling any callbacks */
  PyObject_GC_UnTrack(self);
- Py_TRASHCAN_SAFE_BEGIN(self)
+ Py_TRASHCAN_BEGIN(self, element_dealloc)
 
  if (self->weakreflist != NULL)
  PyObject_ClearWeakRefs((PyObject *) self);
@@ -680,7 +680,7 @@ element_dealloc(ElementObject* self)
 
  RELEASE(sizeof(ElementObject), "destroy element");
  Py_TYPE(self)->tp_free((PyObject *)self);
- Py_TRASHCAN_SAFE_END(self)
+ Py_TRASHCAN_END
 }
 
 /* -------------------------------------------------------------------- */

Modules/_testcapimodule.c

@@ -5451,6 +5451,76 @@ recurse_infinitely_error_init(PyObject *self, PyObject *args, PyObject *kwds)
 }
 
 
+/* Test bpo-35983: create a subclass of "list" which checks that instances
+ * are not deallocated twice */
+
+typedef struct {
+ PyListObject list;
+ int deallocated;
+} MyListObject;
+
+static PyObject *
+MyList_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+ PyObject* op = PyList_Type.tp_new(type, args, kwds);
+ ((MyListObject*)op)->deallocated = 0;
+ return op;
+}
+
+void
+MyList_dealloc(MyListObject* op)
+{
+ if (op->deallocated) {
+ /* We cannot raise exceptions here but we still want the testsuite
+ * to fail when we hit this */
+ Py_FatalError("MyList instance deallocated twice");
+ }
+ op->deallocated = 1;
+ PyList_Type.tp_dealloc((PyObject *)op);
+}
+
+static PyTypeObject MyList_Type = {
+ PyVarObject_HEAD_INIT(NULL, 0)
+ "MyList",
+ sizeof(MyListObject),
+ 0,
+ (destructor)MyList_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_reserved */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ 0, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ 0, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* &PyList_Type */ /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ MyList_new, /* tp_new */
+};
+
+
 /* Test PEP 560 */
 
 typedef struct {
@@ -5564,6 +5634,12 @@ PyInit__testcapi(void)
  Py_INCREF(&awaitType);
  PyModule_AddObject(m, "awaitType", (PyObject *)&awaitType);
 
+ MyList_Type.tp_base = &PyList_Type;
+ if (PyType_Ready(&MyList_Type) < 0)
+ return NULL;
+ Py_INCREF(&MyList_Type);
+ PyModule_AddObject(m, "MyList", (PyObject *)&MyList_Type);
+
  if (PyType_Ready(&GenericAlias_Type) < 0)
  return NULL;
  Py_INCREF(&GenericAlias_Type);

Objects/descrobject.c

@@ -1021,11 +1021,11 @@ static void
 wrapper_dealloc(wrapperobject *wp)
 {
  PyObject_GC_UnTrack(wp);
- Py_TRASHCAN_SAFE_BEGIN(wp)
+ Py_TRASHCAN_BEGIN(wp, wrapper_dealloc)
  Py_XDECREF(wp->descr);
  Py_XDECREF(wp->self);
  PyObject_GC_Del(wp);
- Py_TRASHCAN_SAFE_END(wp)
+ Py_TRASHCAN_END
 }
 
 static PyObject *

Objects/dictobject.c

@@ -1978,7 +1978,7 @@ dict_dealloc(PyDictObject *mp)
 
  /* bpo-31095: UnTrack is needed before calling any callbacks */
  PyObject_GC_UnTrack(mp);
- Py_TRASHCAN_SAFE_BEGIN(mp)
+ Py_TRASHCAN_BEGIN(mp, dict_dealloc)
  if (values != NULL) {
  if (values != empty_values) {
  for (i = 0, n = mp->ma_keys->dk_nentries; i < n; i++) {
@@ -1996,7 +1996,7 @@ dict_dealloc(PyDictObject *mp)
  free_list[numfree++] = mp;
  else
  Py_TYPE(mp)->tp_free((PyObject *)mp);
- Py_TRASHCAN_SAFE_END(mp)
+ Py_TRASHCAN_END
 }
 
 

Objects/listobject.c

@@ -361,7 +361,7 @@ list_dealloc(PyListObject *op)
 {
  Py_ssize_t i;
  PyObject_GC_UnTrack(op);
- Py_TRASHCAN_SAFE_BEGIN(op)
+ Py_TRASHCAN_BEGIN(op, list_dealloc)
  if (op->ob_item != NULL) {
  /* Do it backwards, for Christian Tismer.
  There's a simple test case where somehow this reduces
@@ -377,7 +377,7 @@ list_dealloc(PyListObject *op)
  free_list[numfree++] = op;
  else
  Py_TYPE(op)->tp_free((PyObject *)op);
- Py_TRASHCAN_SAFE_END(op)
+ Py_TRASHCAN_END
 }
 
 static PyObject *

Objects/odictobject.c

@@ -1356,28 +1356,17 @@ static PyGetSetDef odict_getset[] = {
 static void
 odict_dealloc(PyODictObject *self)
 {
- PyThreadState *tstate = _PyThreadState_GET();
-
  PyObject_GC_UnTrack(self);
- Py_TRASHCAN_SAFE_BEGIN(self)
+ Py_TRASHCAN_BEGIN(self, odict_dealloc)
 
  Py_XDECREF(self->od_inst_dict);
  if (self->od_weakreflist != NULL)
  PyObject_ClearWeakRefs((PyObject *)self);
 
  _odict_clear_nodes(self);
-
- /* Call the base tp_dealloc(). Since it too uses the trashcan mechanism,
- * temporarily decrement trash_delete_nesting to prevent triggering it
- * and putting the partially deallocated object on the trashcan's
- * to-be-deleted-later list.
- */
- --tstate->trash_delete_nesting;
- assert(_tstate->trash_delete_nesting < PyTrash_UNWIND_LEVEL);
  PyDict_Type.tp_dealloc((PyObject *)self);
- ++tstate->trash_delete_nesting;
 
- Py_TRASHCAN_SAFE_END(self)
+ Py_TRASHCAN_END
 }
 
 /* tp_repr */