Skip to content

gh-132070: Fix PyObject_Realloc thread-safety in free threaded Python#143441

Merged
colesbury merged 3 commits intopython:mainfrom
colesbury:gh-132070-pyobject-realloc
Jan 6, 2026
Merged

gh-132070: Fix PyObject_Realloc thread-safety in free threaded Python#143441
colesbury merged 3 commits intopython:mainfrom
colesbury:gh-132070-pyobject-realloc

Conversation

@colesbury
Copy link
Contributor

@colesbury colesbury commented Jan 5, 2026
edited by bedevere-app bot
Loading

The PyObject header reference count fields must be initialized using atomic operations because they may be concurrently read by another thread (e.g., from _Py_TryIncref).

@colesbury
pythongh-132070: Fix PyObject_Realloc thread-safety in free threaded …
a4c76a6 
…Python

The PyObject header reference count fields must be initialized using
atomic operations because they may be concurrently read by another
thread (e.g., from _Py_TryIncref).
@colesbury colesbury requested review from Yhg1s and mpage January 5, 2026 19:25
@bedevere-app bedevere-app bot mentioned this pull request Jan 5, 2026
Closed
@colesbury
Copy link
Contributor Author

colesbury commented Jan 5, 2026
edited
Loading

Reimplementing the mi_realloc logic in obmalloc.c feels a bit dirty, but it also seems better than the alternatives.

Yhg1s
Yhg1s approved these changes Jan 5, 2026
View reviewed changes
Objects/obmalloc.c
for (size_t i = 0; i != offset; i += sizeof(void*)) {
void *word;
memcpy(&word, (char*)ptr + i, sizeof(void*));
_Py_atomic_store_ptr_relaxed((void**)((char*)newp + i), word);
Copy link
Member

@Yhg1s Yhg1s Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason for the intermediate word? And why the memcpy instead of just a cast + deref + assignment? Can't this just be:

Suggested change
_Py_atomic_store_ptr_relaxed((void**)((char*)newp + i), word);
_Py_atomic_store_ptr_relaxed((void**)((char*)newp + i), (void *)((char *)ptr + 1));

(If it can't be, it probably deserves a comment.)

Copy link
Contributor Author

@colesbury colesbury Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thinking was that the memcpy avoids accessing data the pointers of an incorrect size or strict aliasing issues. For example, we read ob_flags, ob_mutex, ob_gc_bits, and ob_ref_local together as a 64-bit load (on 64-bit systems).

I guess there's still the same issue when we write the data with _Py_atomic_store_ptr_relaxed, so maybe it doesn't matter.

From what I can tell, UBSan and ASan don't check for this kind of thing.

Copy link
Contributor Author

@colesbury colesbury Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a comment

@colesbury colesbury added the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Jan 6, 2026
@bedevere-bot
Copy link

bedevere-bot commented Jan 6, 2026

🤖 New build scheduled with the buildbot fleet by @colesbury for commit 3387cd2 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F143441%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-refleak-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Jan 6, 2026
@colesbury colesbury merged commit 98e55d7 into python:main Jan 6, 2026
56 checks passed
@colesbury colesbury deleted the gh-132070-pyobject-realloc branch January 6, 2026 20:55
thunder-coding pushed a commit to thunder-coding/cpython that referenced this pull request Feb 15, 2026
@colesbury @thunder-coding
pythongh-132070: Fix PyObject_Realloc thread-safety in free threaded …
140f221 
…Python (pythongh-143441)

The PyObject header reference count fields must be initialized using
atomic operations because they may be concurrently read by another
thread (e.g., from `_Py_TryIncref`).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yhg1s Yhg1s Yhg1s approved these changes

@mpage mpage Awaiting requested review from mpage

Assignees

No one assigned

Labels

skip news topic-free-threading

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@colesbury @bedevere-bot @Yhg1s