Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require the GIL to be held in ReleasePool::drain #585

Merged
merged 1 commit into from
Sep 5, 2019
Merged

Require the GIL to be held in ReleasePool::drain #585

merged 1 commit into from
Sep 5, 2019

Conversation

andersk
Copy link
Contributor

@andersk andersk commented Aug 30, 2019
edited
Loading

This adds a Python marker to GILPool, to prevent the caller from misusing it to drain the ReleasePool and release Python objects without the GIL held.

@andersk
Require the GIL to be held to drain the ReleasePool
e70e9ab 
This adds a `Python` marker to `GILPool`, to prevent the caller from
misusing it to drain the `ReleasePool` and release Python objects
without the GIL held.

Signed-off-by: Anders Kaseorg <[email protected]>
@andersk andersk mentioned this pull request Aug 30, 2019
Closed
@kngwyu
Copy link
Member

kngwyu commented Aug 30, 2019

Thank you for your PR.
As I commented in #311 I don't think we need this.
But, since I might be wrong about this(yeah everyone makes mistake), could you please explain more why we need this ?

@konstin
Copy link
Member

konstin commented Aug 30, 2019

IMHO we don't generally need this as GILPool is a #[doc(hidden)] internal api, but it makes upholding the invariants easier. Specifically, dropping the GILPool calls ffi::Py_DECREF, which requires the GIL to outlive the GILPool.

For my understanding misusing GILPool::new and GILPool::new_no_pointers will result in use-after-free, so IMO we should also mark those functions as unsafe. We might also want to inline and remove impl Default for GILPool, but that's a separate task.

@andersk
Copy link
Contributor Author

andersk commented Aug 30, 2019

We should never expose functions that can be used to break the invariants of safe Rust without marking them unsafe, even in #[doc(hidden)]. A user who accidentally (or intentionally!) relies on a #[doc(hidden)] API, or an auditor scanning for unsafe blocks, will receive no indication that this code might be dangerous.

If the functions can still be misused even with the GIL held, then yeah, we should mark them unsafe too. Either way, requiring a Python does make them less dangerous.

(The impl Default was removed because there’s no way for that to require a Python. As far as I can tell, it isn’t used anywhere, and was only added to satisfy a clippy rule that now no longer applies because new now takes an argument.)

@konstin
Copy link
Member

konstin commented Aug 30, 2019

(The impl Default was removed because there’s no way for that to require a Python. As far as I can tell, it isn’t used anywhere, and was only added to satisfy a clippy rule that now no longer applies because new now takes an argument.)

Oh sorry I had totally missed that you had already done that.

@kngwyu
Copy link
Member

kngwyu commented Aug 31, 2019

IMHO we don't generally need this as GILPool is a #[doc(hidden)] internal api, but it makes upholding the invariants easier.

OK, I understand.

@konstin
Copy link
Member

konstin commented Sep 5, 2019

Thank you!

@konstin konstin merged commit 3228b4c into PyO3:master Sep 5, 2019
@andersk andersk deleted the drain-gil branch August 16, 2021 19:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kngwyu kngwyu kngwyu approved these changes

Assignees

@konstin konstin

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andersk @kngwyu @konstin