Skip to content

gh-146270: Fix PyMember_SetOne(..., NULL) not being atomic#148800

Open
dpdani wants to merge 3 commits intopython:mainfrom
dpdani:gh/146270-fix-slot-del-atomic
Open

gh-146270: Fix PyMember_SetOne(..., NULL) not being atomic#148800
dpdani wants to merge 3 commits intopython:mainfrom
dpdani:gh/146270-fix-slot-del-atomic

Conversation

@dpdani
Copy link
Copy Markdown
Contributor

@dpdani dpdani commented Apr 20, 2026

This PR fixes a sequential consistency bug (introduced by yours truly) whereby two threads that are deleting a struct member may observe both their deletions to be successful.

In order to test this properly, I couldn't use threading.Barrier because its overhead was enough to mask the bug, making the test flaky. Therefore, a spinning-loop barrier was added in the _testcapi module.

@diegorusso diegorusso requested a review from colesbury April 20, 2026 16:03
Comment thread Python/structmember.c
Comment on lines +338 to +341
// Other cases are already covered by the above:
// oldv == NULL && v != NULL: pseudo-non-existing attribute is set, ok
// oldv != NULL && v == NULL: existing attribute is deleted, ok
// oldv != NULL && v != NULL: existing attribute is set, ok
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drop these comments. They're not sufficiently helpful to a reader.

Comment thread Python/structmember.c
Comment on lines +329 to +337
if (v == NULL && oldv == NULL && l->type == Py_T_OBJECT_EX) {
// Pseudo-non-existing attribute is deleted: raise AttributeError.
// The attribute doesn't exist to Python, but CPython knows that it
// could have existed because it was declared in __slots__.
// _Py_T_OBJECT does not raise an exception here, and
// PyMember_GetOne will return Py_None instead of NULL.
PyErr_SetString(PyExc_AttributeError, l->name);
return -1;
}
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Keep the comments simple, i.e., "deleting an already deleted attribute raises an exception
  2. Move the decref after the check. Reading a pointer that has been freed, even if it's just a NULL check, is UB
  3. The l->type is redundant
if (v == NULL && oldv == NULL && l->type == Py_T_OBJECT_EX) {
    // Raise an exception when attempting to delete an already deleted attribute
    PyErr_SetString(PyExc_AttributeError, l->name);
    return -1;
}
Py_XDECREF(oldv);


run_in_threads([writer, reader, reader, reader])

def test_del_object_is_atomic(self):
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is too slow. It's not worth trying to catch every sort non-sequential consistency. If you catch the data race under TSan reasonably often, that's fine:

from test.support.threading_helper import run_concurrently

...

        class Spam:
            __slots__ = [ "foo" ]

        def deleter(spam, successes):
            try:
                del spam.foo
                successes.append(True)
            except AttributeError:
                successes.append(False)

        for _ in range(10):
            spam = Spam()
            spam.foo = 0
            successes = []
            run_concurrently(deleter, nthreads=4, args=(spam, successes))
            self.assertEqual(sum(successes), 1)

Comment thread Modules/_testcapimodule.c
Py_RETURN_NONE;
}

/**
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's worth adding this

@colesbury
Copy link
Copy Markdown
Contributor

Thanks for fixing this! I left some comments above.

I think it's worth prioritizing keeping the tests fast. In general, it helps to keep them small and understandable too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants