This is the mail archive of the gdb-cvs@sourceware.org mailing list for the GDB project.



[binutils-gdb] Fix Py_DECREF being executed without holding the GIL


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b1ce65684d5f92f281d678581f0569cb16fa58e3

commit b1ce65684d5f92f281d678581f0569cb16fa58e3
Author: Simon Marchi <simon.marchi@ericsson.com>
Date:   Fri Jan 20 21:02:05 2017 -0500

    Fix Py_DECREF being executed without holding the GIL
    
    When the gdbpy_ref objects get destroyed, they call Py_DECREF to
    decrement the reference counter of the python object they hold a
    reference to.  Any time we call into the Python API, we should be
    holding the GIL.  The gdbpy_enter object does that for us in an
    RAII-fashion.
    
    However, if gdbpy_enter is declared after a gdbpy_ref object in a
    function, gdbpy_enter's destructor will be called (and the GIL will be
    released) before gdbpy_ref's destructor is called.  Therefore, we will
    end up calling Py_DECREF without holding the GIL.
    
    This became obvious with Python 3.6, where memory management functions
    have asserts to make sure that the GIL is held.  This was exposed by
    tests py-as-string.exp, py-function.exp and py-xmethods.  For example:
    
      (gdb) p $_as_string(enum_valid)
      Fatal Python error: Python memory allocator called without holding the GIL
    
      Current thread 0x00007f7f7b21c780 (most recent call first):
      [1]    18678 abort (core dumped)  ./gdb -nx testsuite/outputs/gdb.python/py-as-string/py-as-string
    
      #0  0x00007ffff618bc37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
      #1  0x00007ffff618f028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
      #2  0x00007ffff6b104d6 in Py_FatalError (msg=msg@entry=0x7ffff6ba15b8 "Python memory allocator called without holding the GIL") at Python/pylifecycle.c:1457
      #3  0x00007ffff6a37a68 in _PyMem_DebugCheckGIL () at Objects/obmalloc.c:1972
      #4  0x00007ffff6a3804e in _PyMem_DebugFree (ctx=0x7ffff6e65290 <_PyMem_Debug+48>, ptr=0x24f8830) at Objects/obmalloc.c:1994
      #5  0x00007ffff6a38e1d in PyMem_Free (ptr=<optimized out>) at Objects/obmalloc.c:442
      #6  0x00007ffff6b866c6 in _PyFaulthandler_Fini () at ./Modules/faulthandler.c:1369
      #7  0x00007ffff6b104bd in Py_FatalError (msg=msg@entry=0x7ffff6ba15b8 "Python memory allocator called without holding the GIL") at Python/pylifecycle.c:1431
      #8  0x00007ffff6a37a68 in _PyMem_DebugCheckGIL () at Objects/obmalloc.c:1972
      #9  0x00007ffff6a3804e in _PyMem_DebugFree (ctx=0x7ffff6e652c0 <_PyMem_Debug+96>, ptr=0x7ffff46b6040) at Objects/obmalloc.c:1994
      #10 0x00007ffff6a38f55 in PyObject_Free (ptr=<optimized out>) at Objects/obmalloc.c:503
      #11 0x00007ffff6a5f27e in unicode_dealloc (unicode=unicode@entry=0x7ffff46b6040) at Objects/unicodeobject.c:1794
      #12 0x00007ffff6a352a9 in _Py_Dealloc (op=0x7ffff46b6040) at Objects/object.c:1786
      #13 0x000000000063f28b in gdb_Py_DECREF (op=0x7ffff46b6040) at /home/emaisin/src/binutils-gdb/gdb/python/python-internal.h:192
      #14 0x000000000063fa33 in gdbpy_ref_policy::decref (ptr=0x7ffff46b6040) at /home/emaisin/src/binutils-gdb/gdb/python/py-ref.h:35
      #15 0x000000000063fa77 in gdb::ref_ptr<_object, gdbpy_ref_policy>::~ref_ptr (this=0x7fffffffcdf0, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/common/gdb_ref_ptr.h:91
      #16 0x000000000064d8b8 in fnpy_call (gdbarch=0x2b50010, language=0x115d2c0 <c_language_defn>, cookie=0x7ffff46b7468, argc=1, argv=0x7fffffffcf48)
        at /home/emaisin/src/binutils-gdb/gdb/python/py-function.c:145
    
    The fix is to place the gdbpy_enter first in the function.  I also
    cleaned up the comments a bit and removed the unnecessary initialization
    of the value variable.
    
    gdb/ChangeLog:
    
    	* python/py-function.c (fnpy_call): Reorder declarations to have
    	the gdbpy_enter object declared first.
    	* python/py-xmethods.c (gdbpy_get_xmethod_arg_types): Likewise.

Diff:
---
 gdb/ChangeLog            |  6 ++++++
 gdb/python/py-function.c | 11 +++++------
 gdb/python/py-xmethods.c |  5 +++--
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index 6311d91..6bd0a23 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,5 +1,11 @@
 2017-01-20  Simon Marchi  <simon.marchi@ericsson.com>
 
+	* python/py-function.c (fnpy_call): Reorder declarations to have
+	the gdbpy_enter object declared first.
+	* python/py-xmethods.c (gdbpy_get_xmethod_arg_types): Likewise.
+
+2017-01-20  Simon Marchi  <simon.marchi@ericsson.com>
+
 	PR python/21068
 	* python/python-internal.h (PyMem_RawMalloc): Define for
 	Python < 3.4.
diff --git a/gdb/python/py-function.c b/gdb/python/py-function.c
index 13c7a11..6762a6d 100644
--- a/gdb/python/py-function.c
+++ b/gdb/python/py-function.c
@@ -59,14 +59,13 @@ static struct value *
 fnpy_call (struct gdbarch *gdbarch, const struct language_defn *language,
 	   void *cookie, int argc, struct value **argv)
 {
-  struct value *value = NULL;
-  /* 'result' must be set to NULL, this initially indicates whether
-     the function was called, or not.  */
-  gdbpy_ref result;
-
+  /* The gdbpy_enter object needs to be placed first, so that it's the last to
+     be destroyed.  */
   gdbpy_enter enter_py (gdbarch, language);
-
+  struct value *value;
+  gdbpy_ref result;
   gdbpy_ref args (convert_values_to_python (argc, argv));
+
   /* convert_values_to_python can return NULL on error.  If we
      encounter this, do not call the function, but allow the Python ->
      error code conversion below to deal with the Python exception.
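Review bot: In fnpy_call, `struct value *value;` is now declared without an initializer, and the lines visible in this hunk do not show that every path assigns it before it is read or returned. Unless that holds for the whole function, keep `struct value *value = NULL;`, which costs nothing and rules out an indeterminate pointer on an error path. The removed comment also recorded that a NULL `result` indicates whether the function was called; if the code below still tests `result` for NULL, a one-line comment saying so is worth keeping next to `gdbpy_ref result;`.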
diff --git a/gdb/python/py-xmethods.c b/gdb/python/py-xmethods.c
index c3ca75a..6505d06 100644
--- a/gdb/python/py-xmethods.c
+++ b/gdb/python/py-xmethods.c
@@ -308,6 +308,9 @@ gdbpy_get_xmethod_arg_types (const struct extension_language_defn *extlang,
 			     struct xmethod_worker *worker,
 			     int *nargs, struct type ***arg_types)
 {
+  /* The gdbpy_enter object needs to be placed first, so that it's the last to
+     be destroyed.  */
+  gdbpy_enter enter_py (get_current_arch (), current_language);
   struct gdbpy_worker_data *worker_data
     = (struct gdbpy_worker_data *) worker->data;
   PyObject *py_worker = worker_data->worker;
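Review bot: The comment added at the top of gdbpy_get_xmethod_arg_types repeats the one in fnpy_call word for word and states the rule without the reason. Say why, for example that gdbpy_ref destructors call Py_DECREF and so must run before the GIL is released, and consider documenting the ordering requirement once next to the definition of gdbpy_enter so that future callers see it. Nothing enforces the order at compile time, so any other function that declares a gdbpy_ref ahead of its gdbpy_enter would need the same reordering.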
@@ -319,8 +322,6 @@ gdbpy_get_xmethod_arg_types (const struct extension_language_defn *extlang,
      an invalid/unusable number of arg types.  */
   *nargs = -1;
 
-  gdbpy_enter enter_py (get_current_arch (), current_language);
-
   gdbpy_ref get_arg_types_method
     (PyObject_GetAttrString (py_worker, get_arg_types_method_name));
   if (get_arg_types_method == NULL)
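
The destruction-order problem described in the commit message, reproduced as a stand-alone C++ program (an added example, not code from GDB or from this commit). `mock_enter` and `mock_ref` are hypothetical stand-ins for gdbpy_enter and gdbpy_ref, and a boolean stands in for the GIL.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-ins, not GDB code: a flag models the GIL and a log
// records whether each decref ran while the flag was set.
static bool gil_held = false;
static std::vector<std::string> event_log;

// Models gdbpy_enter: takes the lock on construction, drops it on destruction.
struct mock_enter
{
  mock_enter () { gil_held = true; }
  ~mock_enter () { gil_held = false; }
};

// Models gdbpy_ref: its destructor performs the decref, which needs the lock.
struct mock_ref
{
  ~mock_ref () { event_log.push_back (gil_held ? "decref with GIL" : "decref WITHOUT GIL"); }
};

// Ordering before the fix: locals are destroyed in reverse declaration order,
// so the ref outlives the lock holder and decrefs after the lock is released.
static void ref_declared_first ()
{
  mock_ref result;
  mock_enter enter_py;
}

// Ordering after the fix: the lock holder is declared first and destroyed last.
static void enter_declared_first ()
{
  mock_enter enter_py;
  mock_ref result;
}

// Runs one ordering and returns what the ref's destructor observed.
static std::string observe (void (*fn) ())
{
  event_log.clear ();
  fn ();
  return event_log.back ();
}

int main ()
{
  std::cout << observe (ref_declared_first) << "\n"
            << observe (enter_declared_first) << "\n";
}
```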

