Bug report
Bug description:
faulthandler.enable() and faulthandler.disable() read and write the global fatal_error state with no synchronization. enable() checks the enabled guard and then sets it,
|
faulthandler_enable(void) |
|
{ |
|
if (fatal_error.enabled) { |
|
return 0; |
|
} |
|
fatal_error.enabled = 1; |
while disable() reads the same guard and tears the state back down, including Py_CLEAR(fatal_error.file),
|
faulthandler_disable(void) |
|
{ |
|
if (fatal_error.enabled) { |
|
fatal_error.enabled = 0; |
|
for (size_t i=0; i < faulthandler_nsignals; i++) { |
|
fault_handler_t *handler; |
|
handler = &faulthandler_handlers[i]; |
|
faulthandler_disable_fatal_handler(handler); |
|
} |
|
} |
|
#ifdef MS_WINDOWS |
|
if (fatal_error.exc_handler != NULL) { |
|
RemoveVectoredExceptionHandler(fatal_error.exc_handler); |
|
fatal_error.exc_handler = NULL; |
|
} |
|
#endif |
|
Py_CLEAR(fatal_error.file); |
|
} |
so two threads calling enable() and disable() concurrently race on the enabled flag, on the installed signal handlers, and on the fatal_error.file reference.
Reproducer:
import faulthandler, os
from threading import Thread, Event
def owner():
f = open(os.devnull, 'w')
for _ in range(200000):
faulthandler.enable(file=f, all_threads=False)
f.write('x')
f.flush()
f.close()
def toggler():
for _ in range(200000):
faulthandler.disable()
threads = [Thread(target=owner) for _ in range(4)]
threads += [Thread(target=toggler) for _ in range(4)]
for t in threads: t.start()
for t in threads: t.join()With TSAN build, the owner thread's own f.write()/enable() raises ValueError: I/O operation on uninitialized object because a concurrent disable() dropped the last reference to f and finalized it.
TSAN Report:
WARNING: ThreadSanitizer: data race (pid=1671402)
Write of size 4 at 0x555555e19478 by thread T5:
#0 faulthandler_disable /cpython/./Modules/faulthandler.c:644:29 (python3.16t+0x57830e)
#1 faulthandler_disable_py_impl /cpython/./Modules/faulthandler.c:674:5
#2 faulthandler_disable_py /cpython/./Modules/clinic/faulthandler.c.h:299:12
#3 cfunction_vectorcall_NOARGS /cpython/Objects/methodobject.c:508:24
#4 _PyObject_VectorcallTstate /cpython/./Include/internal/pycore_call.h:144:11
#5 PyObject_Vectorcall /cpython/Objects/call.c:327:12
...
Previous read of size 4 at 0x555555e19478 by thread T4:
#0 faulthandler_enable /cpython/./Modules/faulthandler.c:538:21
#1 faulthandler_py_enable_impl /cpython/./Modules/faulthandler.c:633:9
#2 faulthandler_py_enable /cpython/./Modules/clinic/faulthandler.c.h:278:20
#3 cfunction_vectorcall_FASTCALL_KEYWORDS /cpython/Objects/methodobject.c:465:24
#4 _PyObject_VectorcallTstate /cpython/./Include/internal/pycore_call.h:144:11
#5 PyObject_Vectorcall /cpython/Objects/call.c:327:12
...
Location is global '_PyRuntime' of size 405824 at 0x555555e16c80
SUMMARY: ThreadSanitizer: data race /cpython/./Modules/faulthandler.c:644:29 in faulthandler_disable
==================
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Bug report
Bug description:
faulthandler.enable()andfaulthandler.disable()read and write the globalfatal_errorstate with no synchronization.enable()checks theenabledguard and then sets it,cpython/Modules/faulthandler.c
Lines 536 to 541 in b18168c
while
disable()reads the same guard and tears the state back down, includingPy_CLEAR(fatal_error.file),cpython/Modules/faulthandler.c
Lines 641 to 658 in b18168c
so two threads calling
enable()anddisable()concurrently race on theenabledflag, on the installed signal handlers, and on thefatal_error.filereference.Reproducer:
With TSAN build, the
ownerthread's ownf.write()/enable()raisesValueError: I/O operation on uninitialized objectbecause a concurrentdisable()dropped the last reference tofand finalized it.TSAN Report:
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux