bpo-34572: change _pickle unpickling to use import rather than retrieving from sys.modules #9047
Conversation
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA). Unfortunately our records indicate you have not signed the CLA. For legal reasons we need you to sign this before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. You can check yourself to see if the CLA has been received. Thanks again for your contribution, we look forward to reviewing it! |
tjb900
force-pushed
the
pickle_import_race_fix
branch
from
c71f99f to
e47c5e1
Compare
|
Hi! Just wondering if there's something I can do to move this along - either that or be told that I'm completely wrong. We are using pure-python unpickling as a workaround for now, but I'd love to have some hope that we can switch back at some point in future. (I notice the same issue appears to be present in @pitrou/pickle5-backport - which I'm very keen to start using!) Thanks! |
|
@tjb900 I realize that this is a thread safety bug which is notoriously hard to test, but I generally find that pull requests that include tests are much easier to review, because it's easier to get a sense of what behavior it fixes and an assurance that there won't be regressions. |
Modules/_pickle.c
Outdated
| return NULL; | ||
| } | ||
| module = PyImport_Import(module_name); | ||
| if (module == NULL) |
There was a problem hiding this comment.
It seems to me that the difference in behavior here occurs when PyImport_Import returns NULL without raising an exception. I'm not really sure why this would occur. Is it safe to simply propagate the NULL up to the next level here?
There was a problem hiding this comment.
IIRC (a big if), the issue wasn't that PyImport_Import returned NULL, it's that PyImport_GetModule can return a module object where the body of the module is still being executed (in another thread), and this partially initialised thing is then used immediately by the thread doing the unpickling.
There was a problem hiding this comment.
I'm not sure how this fixes things, though. It seems like the only change in behavior is for the case where PyImport_Import returns NULL without raising an exception. Why would that ever happen, and why was it being explicitly handled here in the first place?
There was a problem hiding this comment.
In the failing case before, PyImport_Import was never called (at least, not on the thread which causes the error): GetModule returned non-NULL, and this object fell through to the getattribute, which then (sometimes) failed because that attribute did not exist yet.
On L6626 I changed _GetModule -> _Import. This, I believe, invokes the locking logic described here
Line 145 in cd90f6a
There was a problem hiding this comment.
My mistake, I didn't realize that you were changing the import function. I'm still concerned as to why this was added in the first place, and whether this is a wider problem.
There was a problem hiding this comment.
Another nitpick, per PEP 7:
Code structure: one space between keywords like if, for and the following left paren; no spaces inside the paren; braces are required everywhere, even where C permits them to be omitted, but do not add them to code you are not otherwise modifying. All new C code requires braces.
So can you add braces around this?
|
@pganssle Thanks for checking it out. Test case was attached with the bug report, but I didn't include it in the PR - will look at that ASAP. |
|
Looks to me like @ericsnowcurrently added this line when adding It was added in several places, so I'm wondering if this thread safety bug is a problem for all the uses of |
|
Hmmm. Line 4160 in ca2d610 I'm still trying to identify at what point this became unsafe (have partially initialised modules always been present in |
|
It looks to me like the cpickle logic has always been unsafe, but prior to the introduction of per-module import locks for Python 3.3 in https://bugs.python.org/issue9260 it was likely much harder to hit. |
|
So if I understand this correctly, the current version of the code likely works the way it does for performance reasons, but unfortunately that comes at the cost of thread safety, in which case I think the current patch is likely the right approach (at least for now - maybe If it's possible to make a reliable but not terribly resource-intensive test for this, I think that would be a big help, but that may be a lot to ask. |
|
@tjb900 Thanks for adding that test. I've verified that this test consistently fails when run without the other changes in this PR, and it runs quickly whether or not it succeeds, so it's a +1 from me! One last nitpick, though is that I think it would be better to put it in with the other pickle tests so that people looking to add or change tests will be able to find it more easily (for example there are three or four different test modules where |
Lib/test/test_threaded_pickle.py
Outdated
| slow_import_module = """ | ||
| import time | ||
|
|
||
| time.sleep(%(delay)s) |
There was a problem hiding this comment.
This test relies on sleep to work. I do not feel comfortable with such tests as it may fail or not work as intended almost certainly in the slowest or more exotic buildbots that we have. Check out, for example, the discussion in #10413 .
As an additional note, it also needs the reap_threads decorator.
There was a problem hiding this comment.
It will make the test a bit more complicated, but I think you can avoid sleep and make this more deterministic by creating a deliberate deadlock like this:
- Acquire Lock A in the test
- Attempt to acquire lock A in the partially-initialized module
- Spawn a thread that attempts to unpickle the object that involves an import
- Release lock A
- After the partially-initialized module has lock A, it adds the attribute that the pickled object uses.
I think there's still a race condition there that doesn't make it deterministic - namely that the thread which is unpickling the object needs to reach the "access the imported attribute" stage before lock A is released in order for it to be a good test, but I think if you fiddle around with the locks and threads a little bit you can get it to work.
There was a problem hiding this comment.
I'll be more radical and say I don't think we need a test at all, if we can't make it simpler.
There was a problem hiding this comment.
@pitrou I think removing the test because it's not guaranteed to test the thing it's intended to test would be a mistake. This still successfully tests what it's intending to test with high probability, which means that a regression would be very unlikely to ever hit master. Unlike other tests which cause erroneous failures, this causes erroneous successes, so its flakiness is unlikely to cause any erroneously broken buildbots.
If left in as a "flaky" test, I'd probably view it similar to a hypothesis test, which is that it's a probabilistic test that never has false negatives - if the test succeeds you are only partially certain that you have no bugs, but if it fails you know you have a bug.
Elsewhere you mention adding a comment about why PyImport_GetModule was dropped to prevent regressions - if it's worth a comment (which is not guaranteed to work), it's probably worth at least trying to enforce this with a test. Possibly with a comment that says why the test isn't guaranteed to detect regressions.
There was a problem hiding this comment.
Well, there are corner cases that we fix without writing tests for, because they are too tricky to reproduce. I think this one is a bit borderline: it's possible to reproduce, but nevertheless it needs a complex machinery.
There was a problem hiding this comment.
I certainly agree that if it's likely to have a negative impact on the test suite for reasons other than that it's not guaranteed to fail in the case of a regression the test should probably be considered optional.
I do think it's worth trying to get a test for this in the test suite, even if just as an exercising in providing a good example of how to test a race condition.
Lib/test/test_threaded_pickle.py
Outdated
| results = [] | ||
| forget("slowimport") | ||
| self.assertNotIn("slowimport", sys.modules) | ||
| importlib.invalidate_caches() |
There was a problem hiding this comment.
Can this affect any of the importlib tests?
There was a problem hiding this comment.
Any advice on how I can address this? FWIW I pretty much copied this test from test_threaded_import.py.
I haven't tested without that line, so it may not be necessary. I'll see if the test works (i.e. fails without the patch) reliably without it.
There was a problem hiding this comment.
Actually, I don't know why it would affect the importlib tests (I'm the one who added that function IIRC).
| @@ -6623,13 +6623,9 @@ _pickle_Unpickler_find_class_impl(UnpicklerObject *self, | |||
| } | |||
| } | |||
|
|
|||
| module = PyImport_GetModule(module_name); | |||
| module = PyImport_Import(module_name); | |||
There was a problem hiding this comment.
Could you benchmark how slower this is compared with just using PyImport_GetModule?
There was a problem hiding this comment.
git master:
$ ./python -m timeit -s "import pickle, logging; d = pickle.dumps((logging.Logger, logging.Handler, logging.Filter, logging.Formatter))" "pickle.loads(d)"
100000 loops, best of 5: 2.55 usec per loop
This PR:
$ ./python -m timeit -s "import pickle, logging; d = pickle.dumps((logging.Logger, logging.Handler, logging.Filter, logging.Formatter))" "pickle.loads(d)"
50000 loops, best of 5: 4.84 usec per loop
So this is a sizable performance drop, but on a micro-benchmark. I don't think this will be significant in real-world cases. Usually, pickle performance becomes important when large pieces of data are serialized, and by construction you don't get many STACK_GLOBAL opcodes in it.
cc'ing @pierreglaser @ogrisel out of curiosity.
There was a problem hiding this comment.
+1. Also, STACK_GLOBAL should tend to progressively vanish in the pickle string, in favor of BINGET as functions/classes get progressively added to the memo (if used).
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
I agree with @pganssle in that this test should be placed with the rest of the pickle tests. |
Lib/test/test_threaded_pickle.py
Outdated
| slow_import_module = """ | ||
| import time | ||
|
|
||
| time.sleep(%(delay)s) |
There was a problem hiding this comment.
I'll be more radical and say I don't think we need a test at all, if we can't make it simpler.
| @@ -6623,13 +6623,9 @@ _pickle_Unpickler_find_class_impl(UnpicklerObject *self, | |||
| } | |||
| } | |||
|
|
|||
| module = PyImport_GetModule(module_name); | |||
| module = PyImport_Import(module_name); | |||
There was a problem hiding this comment.
git master:
$ ./python -m timeit -s "import pickle, logging; d = pickle.dumps((logging.Logger, logging.Handler, logging.Filter, logging.Formatter))" "pickle.loads(d)"
100000 loops, best of 5: 2.55 usec per loop
This PR:
$ ./python -m timeit -s "import pickle, logging; d = pickle.dumps((logging.Logger, logging.Handler, logging.Filter, logging.Formatter))" "pickle.loads(d)"
50000 loops, best of 5: 4.84 usec per loop
So this is a sizable performance drop, but on a micro-benchmark. I don't think this will be significant in real-world cases. Usually, pickle performance becomes important when large pieces of data are serialized, and by construction you don't get many STACK_GLOBAL opcodes in it.
cc'ing @pierreglaser @ogrisel out of curiosity.
|
I haven't tried adapting this to actually use pickle, but I can consistently get a failure due to partially initialized modules on the first try with this configuration. It does use |
|
This other case of
|
|
I have made the requested changes; please review again. Happy to backport to 3.6 and 3.7 also. |
|
Thanks for making the requested changes! @pablogsal: please review the changes made to this pull request. |
Please make that a separate issue on bugs.python.org. We'll have to discuss its performance implications separately. |
Lib/test/pickletester.py
Outdated
| t1.join() | ||
| t2.join() | ||
|
|
||
| self.assertEqual(len(results), 2) |
There was a problem hiding this comment.
Perhaps also assert something about the results?
| @@ -1174,6 +1178,63 @@ def test_truncated_data(self): | |||
| for p in badpickles: | |||
| self.check_unpickling_error(self.truncated_errors, p) | |||
|
|
|||
| @reap_threads | |||
| def test_unpickle_module_race(self): | |||
|
@pablogsal Any thoughts on the new tests for this one? |
|
@pablogsal, I think your comments have been addressed. Can you confirm? |
|
This addresses all my concerns! I like |
…ving from sys.modules (pythonGH-9047) Fix C implementation of pickle.loads to use importlib's locking mechanisms, and thereby avoid using partially-loaded modules. (cherry picked from commit 4371c0a) Co-authored-by: tjb900 <[email protected]>
|
GH-11921 is a backport of this pull request to the 3.7 branch. |
…ving from sys.modules (GH-9047) (GH-11921) Fix C implementation of pickle.loads to use importlib's locking mechanisms, and thereby avoid using partially-loaded modules. (cherry picked from commit 4371c0a) Co-authored-by: tjb900 <[email protected]>
import.cseems to contain a lot of protection to ensure that a partially-initialised module is not returned from import when in a multi-threaded environment.PyImport_Importenjoys these protections, butPyImport_GetModuledoes not.https://bugs.python.org/issue34572