Fix race condition in C API init

Author: steve-s

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/cext/PythonCextBuiltins.java

@@ -1887,10 +1887,18 @@ private static PythonManagedClass lookupBuiltinTypeWithName(PythonContext contex
             } else {
                 String module = name.substring(0, index);
                 name = name.substring(index + 1);
-                Object moduleObject = core.lookupBuiltinModule(toTruffleStringUncached(module));
+                TruffleString tsModule = toTruffleStringUncached(module);
+                Object moduleObject = core.lookupBuiltinModule(tsModule);
                 if (moduleObject == null) {
-                    moduleObject = AbstractImportNode.importModule(toTruffleStringUncached(module));
+                    moduleObject = AbstractImportNode.lookupImportedModule(context, tsModule);
+                    if (moduleObject == null) {
+                        throw CompilerDirectives.shouldNotReachHere(String.format(
+                                        "Module '%s' is needed during C API initialization, but was not imported prior to the initialization in ensureCapiWasLoaded. This is an internal error in GraalPy.",
+                                        module));
+                    }
                 }
+                // Assumption: builtin modules' tp_getattro is well-behaved and just reads the
+                // attribute, there is no locking or blocking inside
                 Object attribute = PyObjectGetAttr.getUncached().execute(null, moduleObject, toTruffleStringUncached(name));
                 if (attribute != PNone.NO_VALUE) {
                     if (attribute instanceof PythonBuiltinClassType builtinType) {

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CApiContext.java

@@ -66,6 +66,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicLong;
+import java.util.concurrent.locks.ReentrantLock;
 import java.util.logging.Level;
 
 import org.graalvm.collections.Pair;
@@ -113,6 +114,7 @@
 import com.oracle.graal.python.nodes.ErrorMessages;
 import com.oracle.graal.python.nodes.PRaiseNode;
 import com.oracle.graal.python.nodes.object.GetClassNode;
+import com.oracle.graal.python.nodes.statement.AbstractImportNode;
 import com.oracle.graal.python.runtime.GilNode;
 import com.oracle.graal.python.runtime.PosixConstants;
 import com.oracle.graal.python.runtime.PythonContext;
@@ -905,106 +907,133 @@ public static CApiContext ensureCapiWasLoaded(Node node, PythonContext context,
     }
 
     @TruffleBoundary
+    @SuppressWarnings("try")
     public static CApiContext ensureCapiWasLoaded(Node node, PythonContext context, TruffleString name, TruffleString path, String reason) throws IOException, ImportException, ApiInitException {
         assert PythonContext.get(null).ownsGil(); // unsafe lazy initialization
-        if (!context.hasCApiContext()) {
-            Env env = context.getEnv();
-            InteropLibrary U = InteropLibrary.getUncached();
-
-            TruffleFile homePath = env.getInternalTruffleFile(context.getCAPIHome().toJavaStringUncached());
-            // e.g. "libpython-native.so"
-            String libName = PythonContext.getSupportLibName("python-native");
-            final TruffleFile capiFile = homePath.resolve(libName).getCanonicalFile();
+        // The initialization may run Python code (e.g., module import in
+        // GraalPyPrivate_InitBuiltinTypesAndStructs), so just holding the GIL is not enough
+        if (!context.isCApiInitialized()) {
+
+            // We import those modules ahead of the initialization without the initialization lock
+            // to avoid deadlocks. We would have imported them in the initialization anyway, this
+            // way we can just simply look up already imported modules during the initialization
+            // without running the complex import machinery and risking a deadlock
+            AbstractImportNode.importModule(toTruffleStringUncached("datetime"));
+            AbstractImportNode.importModule(toTruffleStringUncached("types"));
+
+            ReentrantLock initLock = context.getcApiInitializationLock();
+            try (var ignored = GilNode.uncachedAcquire()) {
+                TruffleSafepoint.setBlockedThreadInterruptible(node, ReentrantLock::lockInterruptibly, initLock);
+            }
             try {
-                SourceBuilder capiSrcBuilder;
-                boolean useNative = true;
-                boolean isolateNative = PythonOptions.IsolateNativeModules.getValue(env.getOptions());
-                final NativeLibraryLocator loc;
-                if (!isolateNative) {
-                    useNative = nativeCAPILoaded.compareAndSet(NO_NATIVE_CONTEXT, GLOBAL_NATIVE_CONTEXT);
-                } else {
-                    useNative = nativeCAPILoaded.compareAndSet(NO_NATIVE_CONTEXT, ISOLATED_NATIVE_CONTEXT) || nativeCAPILoaded.get() == ISOLATED_NATIVE_CONTEXT;
-                }
-                if (!useNative) {
-                    String actualReason = "initialize native extensions support";
-                    if (reason != null) {
-                        actualReason = reason;
-                    } else if (name != null && path != null) {
-                        actualReason = String.format("load a native module '%s' from path '%s'", name.toJavaStringUncached(), path.toJavaStringUncached());
-                    }
-                    throw new ApiInitException(toTruffleStringUncached(
-                                    String.format("Option python.IsolateNativeModules is set to 'false' and a second GraalPy context attempted to %s. " +
-                                                    "At least one context in this process runs with 'IsolateNativeModules' set to false. " +
-                                                    "Depending on the order of context creation, this means some contexts in the process " +
-                                                    "cannot use native module.", actualReason)));
-                }
-                loc = new NativeLibraryLocator(context, capiFile, isolateNative);
-                context.ensureNFILanguage(node, "allowNativeAccess", "true");
-                String dlopenFlags = isolateNative ? "RTLD_LOCAL" : "RTLD_GLOBAL";
-                capiSrcBuilder = Source.newBuilder(J_NFI_LANGUAGE, String.format("load(%s) \"%s\"", dlopenFlags, loc.getCapiLibrary()), "<libpython>");
-                LOGGER.config(() -> "loading CAPI from " + loc.getCapiLibrary() + " as native");
-                if (!context.getLanguage().getEngineOption(PythonOptions.ExposeInternalSources)) {
-                    capiSrcBuilder.internal(true);
-                }
-                CallTarget capiLibraryCallTarget = context.getEnv().parseInternal(capiSrcBuilder.build());
-
-                Object capiLibrary = capiLibraryCallTarget.call();
-                Object initFunction = U.readMember(capiLibrary, "initialize_graal_capi");
-                CApiContext cApiContext = new CApiContext(context, capiLibrary, loc);
-                context.setCApiContext(cApiContext);
-
-                try (BuiltinArrayWrapper builtinArrayWrapper = new BuiltinArrayWrapper()) {
-                    /*
-                     * The GC state needs to be created before the first managed object is sent to
-                     * native. This is because the native object stub could take part in GC and will
-                     * then already require the GC state.
-                     */
-                    Object gcState = cApiContext.createGCState();
-                    Object signature = env.parseInternal(Source.newBuilder(J_NFI_LANGUAGE, "(ENV,POINTER,POINTER):VOID", "exec").build()).call();
-                    initFunction = SignatureLibrary.getUncached().bind(signature, initFunction);
-                    U.execute(initFunction, builtinArrayWrapper, gcState);
+                if (!context.isCApiInitialized()) {
+                    // loadCApi must set C API context half-way through its execution so that it can
+                    // run code that needs C API context
+                    loadCApi(node, context, name, path, reason);
+                    context.setCApiInitialized(); // volatile write
                 }
+            } finally {
+                initLock.unlock();
+            }
+        }
+        return context.getCApiContext();
+    }
 
-                assert PythonCApiAssertions.assertBuiltins(capiLibrary);
-                cApiContext.pyDateTimeCAPICapsule = PyDateTimeCAPIWrapper.initWrapper(context, cApiContext);
-                context.runCApiHooks();
+    private static CApiContext loadCApi(Node node, PythonContext context, TruffleString name, TruffleString path, String reason) throws IOException, ImportException, ApiInitException {
+        Env env = context.getEnv();
+        InteropLibrary U = InteropLibrary.getUncached();
 
-                /*
-                 * C++ libraries sometimes declare global objects that have destructors that call
-                 * Py_DECREF. Those destructors are then called during native shutdown, which is
-                 * after the JVM/SVM shut down and the upcall would segfault. This finalizer code
-                 * rebinds reference operations to native no-ops that don't upcall. In normal
-                 * scenarios we call it during context exit, but when the VM is terminated by a
-                 * signal, the context exit is skipped. For that case we set up the shutdown hook.
-                 */
-                Object finalizeFunction = U.readMember(capiLibrary, "GraalPyPrivate_GetFinalizeCApiPointer");
-                Object finalizeSignature = env.parseInternal(Source.newBuilder(J_NFI_LANGUAGE, "():POINTER", "exec").build()).call();
-                Object finalizingPointer = SignatureLibrary.getUncached().call(finalizeSignature, finalizeFunction);
-                try {
-                    cApiContext.addNativeFinalizer(context, finalizingPointer);
-                    cApiContext.runBackgroundGCTask(context);
-                } catch (RuntimeException e) {
-                    // This can happen when other languages restrict multithreading
-                    LOGGER.warning(() -> "didn't register a native finalizer due to: " + e.getMessage());
+        TruffleFile homePath = env.getInternalTruffleFile(context.getCAPIHome().toJavaStringUncached());
+        // e.g. "libpython-native.so"
+        String libName = PythonContext.getSupportLibName("python-native");
+        final TruffleFile capiFile = homePath.resolve(libName).getCanonicalFile();
+        try {
+            SourceBuilder capiSrcBuilder;
+            boolean useNative = true;
+            boolean isolateNative = PythonOptions.IsolateNativeModules.getValue(env.getOptions());
+            final NativeLibraryLocator loc;
+            if (!isolateNative) {
+                useNative = nativeCAPILoaded.compareAndSet(NO_NATIVE_CONTEXT, GLOBAL_NATIVE_CONTEXT);
+            } else {
+                useNative = nativeCAPILoaded.compareAndSet(NO_NATIVE_CONTEXT, ISOLATED_NATIVE_CONTEXT) || nativeCAPILoaded.get() == ISOLATED_NATIVE_CONTEXT;
+            }
+            if (!useNative) {
+                String actualReason = "initialize native extensions support";
+                if (reason != null) {
+                    actualReason = reason;
+                } else if (name != null && path != null) {
+                    actualReason = String.format("load a native module '%s' from path '%s'", name.toJavaStringUncached(), path.toJavaStringUncached());
                 }
+                throw new ApiInitException(toTruffleStringUncached(
+                                String.format("Option python.IsolateNativeModules is set to 'false' and a second GraalPy context attempted to %s. " +
+                                                "At least one context in this process runs with 'IsolateNativeModules' set to false. " +
+                                                "Depending on the order of context creation, this means some contexts in the process " +
+                                                "cannot use native module.", actualReason)));
+            }
+            loc = new NativeLibraryLocator(context, capiFile, isolateNative);
+            context.ensureNFILanguage(node, "allowNativeAccess", "true");
+            String dlopenFlags = isolateNative ? "RTLD_LOCAL" : "RTLD_GLOBAL";
+            capiSrcBuilder = Source.newBuilder(J_NFI_LANGUAGE, String.format("load(%s) \"%s\"", dlopenFlags, loc.getCapiLibrary()), "<libpython>");
+            LOGGER.config(() -> "loading CAPI from " + loc.getCapiLibrary() + " as native");
+            if (!context.getLanguage().getEngineOption(PythonOptions.ExposeInternalSources)) {
+                capiSrcBuilder.internal(true);
+            }
+            CallTarget capiLibraryCallTarget = context.getEnv().parseInternal(capiSrcBuilder.build());
+
+            Object capiLibrary = capiLibraryCallTarget.call();
+            Object initFunction = U.readMember(capiLibrary, "initialize_graal_capi");
+            CApiContext cApiContext = new CApiContext(context, capiLibrary, loc);
+            context.setCApiContext(cApiContext);
 
-                return cApiContext;
-            } catch (PException e) {
+            try (BuiltinArrayWrapper builtinArrayWrapper = new BuiltinArrayWrapper()) {
                 /*
-                 * Python exceptions that occur during the C API initialization are just passed
-                 * through
+                 * The GC state needs to be created before the first managed object is sent to
+                 * native. This is because the native object stub could take part in GC and will
+                 * then already require the GC state.
                  */
-                throw e;
-            } catch (RuntimeException | UnsupportedMessageException | ArityException | UnknownIdentifierException | UnsupportedTypeException e) {
-                // we cannot really check if we truly need native access, so
-                // when the abi contains "managed" we assume we do not
-                if (!libName.contains("managed") && !context.isNativeAccessAllowed()) {
-                    throw new ImportException(null, name, path, ErrorMessages.NATIVE_ACCESS_NOT_ALLOWED);
-                }
-                throw new ApiInitException(e);
+                Object gcState = cApiContext.createGCState();
+                Object signature = env.parseInternal(Source.newBuilder(J_NFI_LANGUAGE, "(ENV,POINTER,POINTER):VOID", "exec").build()).call();
+                initFunction = SignatureLibrary.getUncached().bind(signature, initFunction);
+                U.execute(initFunction, builtinArrayWrapper, gcState);
+            }
+
+            assert PythonCApiAssertions.assertBuiltins(capiLibrary);
+            cApiContext.pyDateTimeCAPICapsule = PyDateTimeCAPIWrapper.initWrapper(context, cApiContext);
+            context.runCApiHooks();
+
+            /*
+             * C++ libraries sometimes declare global objects that have destructors that call
+             * Py_DECREF. Those destructors are then called during native shutdown, which is after
+             * the JVM/SVM shut down and the upcall would segfault. This finalizer code rebinds
+             * reference operations to native no-ops that don't upcall. In normal scenarios we call
+             * it during context exit, but when the VM is terminated by a signal, the context exit
+             * is skipped. For that case we set up the shutdown hook.
+             */
+            Object finalizeFunction = U.readMember(capiLibrary, "GraalPyPrivate_GetFinalizeCApiPointer");
+            Object finalizeSignature = env.parseInternal(Source.newBuilder(J_NFI_LANGUAGE, "():POINTER", "exec").build()).call();
+            Object finalizingPointer = SignatureLibrary.getUncached().call(finalizeSignature, finalizeFunction);
+            try {
+                cApiContext.addNativeFinalizer(context, finalizingPointer);
+                cApiContext.runBackgroundGCTask(context);
+            } catch (RuntimeException e) {
+                // This can happen when other languages restrict multithreading
+                LOGGER.warning(() -> "didn't register a native finalizer due to: " + e.getMessage());
+            }
+
+            return cApiContext;
+        } catch (PException e) {
+            /*
+             * Python exceptions that occur during the C API initialization are just passed through
+             */
+            throw e;
+        } catch (RuntimeException | UnsupportedMessageException | ArityException | UnknownIdentifierException | UnsupportedTypeException e) {
+            // we cannot really check if we truly need native access, so
+            // when the abi contains "managed" we assume we do not
+            if (!libName.contains("managed") && !context.isNativeAccessAllowed()) {
+                throw new ImportException(null, name, path, ErrorMessages.NATIVE_ACCESS_NOT_ALLOWED);
             }
+            throw new ApiInitException(e);
         }
-        return context.getCApiContext();
     }
 
     private static final Set<String> C_EXT_SUPPORTED_LIST = Set.of(

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/nodes/statement/AbstractImportNode.java

@@ -118,6 +118,11 @@ public static PythonModule importModule(TruffleString name) {
         }
         Object fromList = PFactory.createTuple(context.getLanguage(), PythonUtils.EMPTY_TRUFFLESTRING_ARRAY);
         CallNode.executeUncached(builtinImport, name, PNone.NONE, PNone.NONE, fromList, 0);
+        return lookupImportedModule(context, name);
+    }
+
+    @TruffleBoundary
+    public static PythonModule lookupImportedModule(PythonContext context, TruffleString name) {
         PythonModule sysModule = context.lookupBuiltinModule(T_SYS);
         Object modules = sysModule.getAttribute(T_MODULES);
         if (modules == PNone.NO_VALUE) {

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java

@@ -98,7 +98,6 @@
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.logging.Level;
 
-import com.oracle.graal.python.nodes.attributes.ReadAttributeFromModuleNode;
 import org.graalvm.options.OptionKey;
 
 import com.oracle.graal.python.PythonLanguage;
@@ -146,6 +145,7 @@
 import com.oracle.graal.python.nodes.SpecialAttributeNames;
 import com.oracle.graal.python.nodes.SpecialMethodNames;
 import com.oracle.graal.python.nodes.WriteUnraisableNode;
+import com.oracle.graal.python.nodes.attributes.ReadAttributeFromModuleNode;
 import com.oracle.graal.python.nodes.attributes.ReadAttributeFromObjectNode;
 import com.oracle.graal.python.nodes.bytecode_dsl.PBytecodeDSLRootNode;
 import com.oracle.graal.python.nodes.call.CallNode;
@@ -769,6 +769,8 @@ PythonThreadState getThreadState(Node n) {
     private OutputStream out;
     private OutputStream err;
     private InputStream in;
+    private final ReentrantLock cApiInitializationLock = new ReentrantLock(false);
+    private volatile boolean cApiWasInitialized = false;
     @CompilationFinal private CApiContext cApiContext;
     @CompilationFinal private boolean nativeAccessAllowed;
 
@@ -2640,13 +2642,31 @@ private static void releaseSentinelLock(WeakReference<PLock> sentinelLockWeakref
     }
 
     public boolean hasCApiContext() {
+        // This may be called during C API initialization, we have a context so that we can finish
+        // the initialization, but the C API is not fully initialized yet
+        assert (cApiContext != null) || !cApiWasInitialized;
         return cApiContext != null;
     }
 
+    public boolean isCApiInitialized() {
+        assert (cApiContext != null) || !cApiWasInitialized;
+        return cApiWasInitialized;
+    }
+
+    public void setCApiInitialized() {
+        assert cApiContext != null;
+        cApiWasInitialized = true;
+    }
+
     public CApiContext getCApiContext() {
+        assert (cApiContext != null) || !cApiWasInitialized;
         return cApiContext;
     }
 
+    public ReentrantLock getcApiInitializationLock() {
+        return cApiInitializationLock;
+    }
+
     public void setCApiContext(CApiContext capiContext) {
         assert this.cApiContext == null : "tried to create new C API context but it was already created";
         this.cApiContext = capiContext;