Adds a sanity check to avoid a *very rare* infinite loop due to a corrupt tls

key list data structure in the thread startup path.

This change is a companion to r60148 which already successfully dealt with a
similar issue on thread shutdown.

In particular this loop has been observed happening from this call path:
 #0  in find_key ()
 #1  in PyThread_set_key_value ()
 #2  in _PyGILState_NoteThreadState ()
 #3  in PyThreadState_New ()
 #4  in t_bootstrap ()
 #5  in pthread_start_thread ()

I don't know how this happens but it does, *very* rarely.  On more than
one hardware platform.  I have not been able to reproduce it manually.
(A flaky mutex implementation on the system in question is one hypothesis).

As with r60148, the spinning we managed to observe in the wild was due to a
single list element pointing back upon itself.

diff --git a/Python/pystate.c b/Python/pystate.c
index 36b06d67af7c2bcb7a2623403102ed456ff96e65..da417c103202f792fefd42ea3fcb617ceb36585c 100644 (file)
--- a/Python/pystate.c
+++ b/Python/pystate.c
@@ -253,6 +253,10 @@ tstate_delete_common(PyThreadState *tstate)
                                "PyThreadState_Delete: invalid tstate");
                if (*p == tstate)
                        break;
+               /* Sanity check.  These states should never happen but if
+                * they do we must abort.  Otherwise we'll end up spinning in
+                * in a tight loop with the lock held.  A similar check is done
+                * in thread.c find_key().  */
                if (*p == prev_p)
                        Py_FatalError(
                                "PyThreadState_Delete: small circular list(!)"

diff --git a/Python/thread.c b/Python/thread.c
index b21e53b6cdf8a8dfb94009d6f94b7ad2a90dfbd8..03580f382d3be18175a1f985e92e8530255dff15 100644 (file)
--- a/Python/thread.c
+++ b/Python/thread.c
@@ -264,15 +264,25 @@ static int nkeys = 0;  /* PyThread_create_key() hands out nkeys+1 next */
 static struct key *
 find_key(int key, void *value)
 {
-       struct key *p;
+       struct key *p, *prev_p;
        long id = PyThread_get_thread_ident();
 
        if (!keymutex)
                return NULL;
        PyThread_acquire_lock(keymutex, 1);
+       prev_p = NULL;
        for (p = keyhead; p != NULL; p = p->next) {
                if (p->id == id && p->key == key)
                        goto Done;
+               /* Sanity check.  These states should never happen but if
+                * they do we must abort.  Otherwise we'll end up spinning in
+                * in a tight loop with the lock held.  A similar check is done
+                * in pystate.c tstate_delete_common().  */
+               if (p == prev_p)
+                       Py_FatalError("tls find_key: small circular list(!)");
+               prev_p = p;
+               if (p->next == keyhead)
+                       Py_FatalError("tls find_key: circular list(!)");
        }
        if (value == NULL) {
                assert(p == NULL);