Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit d868be8

Browse files
gpsheadgpshead
committed
Adds a sanity check to avoid a *very rare* infinite loop due to a corrupt tls
key list data structure in the thread startup path. This change is a companion to r60148 which already successfully dealt with a similar issue on thread shutdown. In particular this loop has been observed happening from this call path: #0 in find_key () #1 in PyThread_set_key_value () #2 in _PyGILState_NoteThreadState () #3 in PyThreadState_New () #4 in t_bootstrap () #5 in pthread_start_thread () I don't know how this happens but it does, *very* rarely. On more than one hardware platform. I have not been able to reproduce it manually. (A flaky mutex implementation on the system in question is one hypothesis). As with r60148, the spinning we managed to observe in the wild was due to a single list element pointing back upon itself.
1 parent e7829a5 commit d868be8

2 files changed

Lines changed: 15 additions & 1 deletion

File tree

Python/pystate.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -253,6 +253,10 @@ tstate_delete_common(PyThreadState *tstate)
253253
"PyThreadState_Delete: invalid tstate");
254254
if (*p == tstate)
255255
break;
256+
/* Sanity check. These states should never happen but if
257+
* they do we must abort. Otherwise we'll end up spinning in
258+
* in a tight loop with the lock held. A similar check is done
259+
* in thread.c find_key(). */
256260
if (*p == prev_p)
257261
Py_FatalError(
258262
"PyThreadState_Delete: small circular list(!)"

Python/thread.c

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -264,15 +264,25 @@ static int nkeys = 0; /* PyThread_create_key() hands out nkeys+1 next */
264264
static struct key *
265265
find_key(int key, void *value)
266266
{
267-
struct key *p;
267+
struct key *p, *prev_p;
268268
long id = PyThread_get_thread_ident();
269269

270270
if (!keymutex)
271271
return NULL;
272272
PyThread_acquire_lock(keymutex, 1);
273+
prev_p = NULL;
273274
for (p = keyhead; p != NULL; p = p->next) {
274275
if (p->id == id && p->key == key)
275276
goto Done;
277+
/* Sanity check. These states should never happen but if
278+
* they do we must abort. Otherwise we'll end up spinning in
279+
* in a tight loop with the lock held. A similar check is done
280+
* in pystate.c tstate_delete_common(). */
281+
if (p == prev_p)
282+
Py_FatalError("tls find_key: small circular list(!)");
283+
prev_p = p;
284+
if (p->next == keyhead)
285+
Py_FatalError("tls find_key: circular list(!)");
276286
}
277287
if (value == NULL) {
278288
assert(p == NULL);

0 commit comments

Comments
 (0)