Fix: remove weakly referenced objects from GC lists.

Author: fangerer

graalpython/com.oracle.graal.python.test/src/tests/cpyext/test_gc.py

@@ -192,6 +192,7 @@ def test_native_class(self):
 ID_OBJ12 = 10
 ID_OBJ13 = 11
 ID_OBJ14 = 12
+ID_OBJ15 = 13
 
 # don't rely on deterministic Java GC behavior by default on GraalPy
 RELY_ON_GC = os.environ.get("RELY_ON_GC", not GRAALPY)
@@ -204,13 +205,15 @@ def test_native_class(self):
 
 if GRAALPY:
     get_handle_table_id = __graalpython__.get_handle_table_id
+    storage_to_native = __graalpython__.storage_to_native
     def assert_is_strong(x): assert __graalpython__.is_strong_handle_table_ref(x)
     def assert_is_weak(x): assert not __graalpython__.is_strong_handle_table_ref(x)
 else:
     # just that the test is compatible with CPython
-    def get_handle_table_id(object): return -1
-    def assert_is_strong(x): pass
-    def assert_is_weak(x): pass
+    def get_handle_table_id(_): return -1
+    def storage_to_native(_): pass
+    def assert_is_strong(_): pass
+    def assert_is_weak(_): pass
 
 class TestGCRefCycles(unittest.TestCase):
     def _trigger_gc(self):
@@ -357,6 +360,7 @@ def assert_is_freed(id): pass
         obj10 = TestCycle0(ID_OBJ10)
         obj11 = TestCycle0(ID_OBJ11)
         obj14 = TestCycle0(ID_OBJ14)
+        obj15 = TestCycle0(ID_OBJ15)
 
         # Legend
         # '=>'
@@ -462,6 +466,19 @@ def assert_is_freed(id): pass
         htid_l4 = get_handle_table_id(l4)
         del l4
 
+        # establish cycle:   l5 => obj15 =ht=> l5
+        # update_refs:       11     1
+        # subtract_refs:     10     0
+        # move_unreachable:  10     11
+        # update_refs:       11     11
+        # subtract_refs:     10     10
+        # commit_weak_cand:  l5 => obj15 =ht-> l5
+        l5 = [obj15]
+        storage_to_native(l5)
+        obj15.set_obj(l5)
+        htid_l5 = get_handle_table_id(l5)
+        del obj15
+
         # everything should still be alive
         assert_is_alive(ID_OBJ2)
         assert_is_alive(ID_OBJ3)
@@ -474,16 +491,19 @@ def assert_is_freed(id): pass
         assert_is_alive(ID_OBJ10)
         assert_is_alive(ID_OBJ11)
         assert_is_alive(ID_OBJ14)
+        assert_is_alive(ID_OBJ15)
         assert_is_strong(htid_l)
         assert_is_strong(htid_l1)
         assert_is_strong(htid_l2)
         assert_is_strong(htid_l3)
         assert_is_strong(htid_l4)
+        assert_is_strong(htid_l5)
         assert_is_strong(htid_d0)
 
         del obj2, l, obj3
         del obj4, obj5
         del obj6, d0, obj7
+        del l5
 
         ####################################### GC #######################################
         self._trigger_gc()
@@ -511,6 +531,7 @@ def assert_is_freed(id): pass
         assert_is_strong(htid_l1)
         assert_is_strong(htid_l4)
         assert_is_strong(htid_d0)
+        assert_is_freed(ID_OBJ15)
 
         rescued_obj4 = l1[0]
         del l1

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/cext/PythonCextBuiltins.java

@@ -1555,7 +1555,7 @@ static Object doNative(Object weakCandidates,
                         GC_LOGGER.fine(PythonUtils.formatJString("Transitioning to weak reference to break a reference cycle for %s, refcount=%d",
                                         abstractObjectNativeWrapper.ref, abstractObjectNativeWrapper.getRefCount()));
                     }
-                    updateRefNode.clearStrongRef(inliningTarget, abstractObjectNativeWrapper);
+                    updateRefNode.clearStrongRefButKeepInGCList(inliningTarget, abstractObjectNativeWrapper);
                 }
 
                 // next = GC_NEXT(gc)

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CApiGCSupport.java

@@ -44,6 +44,7 @@
 
 import java.util.logging.Level;
 
+import com.oracle.graal.python.PythonLanguage;
 import com.oracle.graal.python.builtins.objects.cext.capi.CApiGCSupportFactory.GCListRemoveNodeGen;
 import com.oracle.graal.python.builtins.objects.cext.capi.CApiGCSupportFactory.PyObjectGCDelNodeGen;
 import com.oracle.graal.python.builtins.objects.cext.capi.ExternalFunctionNodes.PExternalFunctionWrapper;
@@ -55,6 +56,7 @@
 import com.oracle.graal.python.builtins.objects.cext.structs.CStructAccess.FreeNode;
 import com.oracle.graal.python.builtins.objects.cext.structs.CStructs;
 import com.oracle.graal.python.runtime.PythonContext;
+import com.oracle.graal.python.runtime.PythonOptions;
 import com.oracle.graal.python.util.PythonUtils;
 import com.oracle.truffle.api.dsl.Cached;
 import com.oracle.truffle.api.dsl.GenerateCached;
@@ -165,12 +167,24 @@ public static long executeUncached(long opUntagged) {
             return GCListRemoveNodeGen.getUncached().execute(null, opUntagged);
         }
 
+        /**
+         * Remove the Python object denoted by the given {@code PyObject*} pointer from the GC list
+         * it is currently contained in. This will apply {@code AS_GC(op)} first.
+         */
+        public final void executeOp(Node inliningTarget, long op) {
+            if (PythonLanguage.get(inliningTarget).getEngineOption(PythonOptions.PythonGC)) {
+                execute(inliningTarget, HandlePointerConverter.pointerToStub(op));
+            }
+        }
+
         public abstract long execute(Node inliningTarget, long opUntagged);
 
         @Specialization
         static long doGeneric(long opUntagged,
                         @Cached(inline = false) CStructAccess.ReadI64Node readI64Node,
                         @Cached(inline = false) CStructAccess.WriteLongNode writeLongNode) {
+            assert PythonLanguage.get(null).getEngineOption(PythonOptions.PythonGC);
+
             // issue a log message before doing the first memory access
             if (GC_LOGGER.isLoggable(Level.FINER)) {
                 GC_LOGGER.finer(PythonUtils.formatJString("attempting to remove 0x%x from GC generation", opUntagged));

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/transitions/CApiTransitions.java

@@ -2152,30 +2152,48 @@ static Object doIt(Object object) {
     public abstract static class UpdateStrongRefNode extends Node {
 
         public final void execute(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper, long refCount) {
-            execute(inliningTarget, wrapper, refCount > MANAGED_REFCNT);
+            execute(inliningTarget, wrapper, refCount > MANAGED_REFCNT, false);
         }
 
-        public final void clearStrongRef(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper) {
-            execute(inliningTarget, wrapper, false);
+        /**
+         * Makes the handle table reference of the given wrapper weak but keeps the native object
+         * stub in the GC list (if currently contained in any). The only valid use case for this
+         * method is when iterating over all objects of a GC list, calling this method on each
+         * object and in the end, dropping the whole GC list.
+         */
+        public final void clearStrongRefButKeepInGCList(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper) {
+            execute(inliningTarget, wrapper, false, true);
         }
 
-        public abstract void execute(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper, boolean setStrong);
+        public abstract void execute(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper, boolean setStrong, boolean keepInGcList);
 
         @Specialization
-        static void doGeneric(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper, boolean setStrong,
+        static void doGeneric(Node inliningTarget, PythonAbstractObjectNativeWrapper wrapper, boolean setStrong, boolean keepInGcList,
                         @Cached InlinedConditionProfile hasRefProfile,
-                        @Cached PyObjectGCTrackNode gcTrackNode) {
+                        @Cached PyObjectGCTrackNode gcTrackNode,
+                        @Cached GCListRemoveNode gcListRemoveNode) {
+            assert CompilerDirectives.isPartialEvaluationConstant(keepInGcList);
+
             PythonObjectReference ref;
             if (hasRefProfile.profile(inliningTarget, (ref = wrapper.ref) != null)) {
                 assert ref.pointer == wrapper.getNativePointer();
                 if (setStrong && !ref.isStrongReference()) {
                     ref.setStrongReference(wrapper);
                     if (ref.gc && PythonLanguage.get(inliningTarget).getEngineOption(PythonOptions.PythonGC)) {
                         // gc = AS_GC(op)
-                        long gc = wrapper.getNativePointer() - CStructs.PyGC_Head.size();
+                        long gc = ref.pointer - CStructs.PyGC_Head.size();
                         gcTrackNode.execute(inliningTarget, gc);
                     }
                 } else if (!setStrong && ref.isStrongReference()) {
+                    /*
+                     * As soon as the reference is made weak, we remove it from the GC list because
+                     * there are ways to iterate a GC list (e.g. 'PyUnstable_GC_VisitObjects') and
+                     * while doing so, the objects may be accessed. Since weakly referenced objects
+                     * may die any time, this could lead to dangling pointers being used.
+                     */
+                    if (!keepInGcList && ref.gc) {
+                        gcListRemoveNode.executeOp(inliningTarget, ref.pointer);
+                    }
                     ref.setStrongReference(null);
                 }
             }