classification
Title: Py_DecodeLocale() fails if used before the runtime is initialized.
Type: crash
Stage: resolved
Components: Interpreter Core
Versions: Python 3.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: eric.snow
Nosy List: Decorater, eric.snow, ncoghlan, serhiy.storchaka, vstinner
Priority: normal
Keywords: patch

Created on 2017-11-20 21:28 by eric.snow, last changed 2017-11-26 05:41 by ncoghlan. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 4481 closed eric.snow, 2017-11-20 21:33
PR 4495 closed eric.snow, 2017-11-21 19:48
PR 4532 merged vstinner, 2017-11-23 23:11
PR 4566 merged ncoghlan, 2017-11-26 03:16
Messages (32)
msg306585 - (view) Author: Eric Snow (eric.snow) * (Python committer) Date: 2017-11-20 21:28
(see the python-dev thread [1])
(related: issue #32086)

When I consolidated the global runtime state into a single global, _PyRuntime, calls to Py_DecodeLocale() started to break if the runtime hadn't been initialized yet. This is because that function relies on PyMem_RawMalloc() and PyMem_RawFree(), which rely on the raw allocator having been initialized as part of the runtime (it used to be initialized statically).

The documentation for various "Process-wide parameters" [2] explicitly directs users to call Py_DecodeLocale() where necessary.  The docs for Py_DecodeLocale(), in turn, explicitly refer to calling PyMem_RawFree().  So changing the pre-runtime-init behavior of Py_DecodeLocale() and PyMem_RawFree() is a regression that should be fixed.

[1] https://mail.python.org/pipermail/python-dev/2017-November/150605.html
[2] https://docs.python.org/3/c-api/init.html#process-wide-parameters
msg306587 - (view) Author: Decorater (Decorater) * Date: 2017-11-20 21:34
Interesting, on 3.6.3 on my embedded program it seems to work just fine.

Did anything change in it since then?

https://github.com/AraHaan/Els_kom_new/blob/master/PC/komextract_new.c
msg306591 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-20 22:06
Duplicate of bpo-32086.
msg306614 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-21 02:02
While they're definitely closely related, I don't think this and issue 32086 are actually duplicates: this issue is "fix the current Py_DecodeLocale regression in 3.7 by reverting back to the 3.6 behaviour", while issue 32086 is "Should we deprecate our implied support for calling Py_DecodeLocale() before calling Py_Initialize()?".


The latter is certainly a valid question, but we should restore the 3.6 behaviour while we're considering it.
msg306654 - (view) Author: Eric Snow (eric.snow) * (Python committer) Date: 2017-11-21 15:46
I see at least 3 ways to sort this out:

 1. partially revert the _PyRuntime change, sort of temporarily
   ("revert the change on memory allocators, and retry later to fix
   it, once other initializations issues are fixed", as suggested by
   Victor in the email thread)
 2. statically initialize the "raw" allocator with defaults, enough
   to make PyMem_RawMalloc() and PyMem_RawFree() work pre-init (this
   is what my PR does)
 3. use hard-coded defaults in PyMem_RawMalloc() and PyMem_RawFree()
   if the runtime has not been initialized yet

I considered implementing #3 instead, but wasn't sure about the performance impact. It would add a pointer comparison to NULL and a branch on each PyMem_RawMalloc() and PyMem_RawFree() call. I'm not convinced it would make much of a difference. Furthermore, I consider #3 to be the simplest solution, both to implement and to maintain, so I'll probably try it out.
msg306655 - (view) Author: Eric Snow (eric.snow) * (Python committer) Date: 2017-11-21 15:47
I thought issue #32086 was about documentation (which is worth having a separate issue for), not about a fix to the regression.
msg306656 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-21 15:48
"3. use hard-coded defaults in PyMem_RawMalloc() and PyMem_RawFree() if the runtime has not been initialized yet"

I dislike this option since it can have a negative impact on performance. The PEP 445 already added a new level of indirection and so made memory allocations a little bit slower.
msg306658 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-21 15:50
I marked bpo-32096 as a duplicate of this one. I don't want to discuss the same issue in 3 places (2 bpo and python-dev).
msg306659 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-21 15:52
Nick: "Should we deprecate our implied support for calling Py_DecodeLocale() before calling Py_Initialize()?"

Please don't do that. Py_DecodeLocale() is the best available function to decode paths and environment variables to initialize Python. The implementation of Py_DecodeLocale() is very complex, but we need this complexity to decode "correctly" OS data.
msg306660 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-21 15:53
> 2. statically initialize the "raw" allocator with defaults, enough
>   to make PyMem_RawMalloc() and PyMem_RawFree() work pre-init (this
>   is what my PR does)

As I explained, the code to initialize PyMem_Raw allocator is complex and I would really prefer to only initialize it "partially" to prevent bad surprises.
msg306662 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-21 15:56
IMHO for the long term, the best would be to have a structure for pre-Py_Initialize configuration, maybe _PyCoreConfig, and pass it to functions that can be called before Py_Initialize().

For example, I'm working on a variant of Py_GetPath() which accepts a _PyCoreConfig to be able to pass the value of the PYTHONPATH environment variable.

That's a more complex solution, so I proposed to first revert, to have more time to design the "correct API".
msg306689 - (view) Author: Eric Snow (eric.snow) * (Python committer) Date: 2017-11-21 21:06
> IMHO for the long term, the best would be to have a structure for
> pre-Py_Initialize configuration, maybe _PyCoreConfig, and pass it
> to functions that can be called before Py_Initialize().

+1

As an alternative to that, we could also deprecate using any of those functions before initializing the runtime. Instead of calling them, you would set the relevant info on the runtime "config" struct that you pass to the replacement for PyInitialize(). At that point we would not need some of those functions any longer and we could remove them (eventually, once backward-compatibility is resolved). Given that the community of CPython embedders is relatively small, we're still in a position to iron this out.

Regardless, I see where you're coming from.  I'm okay with reverting the Object/obmalloc.c parts, but, like I said, I'd rather avoid it if possible.

Solution #2 (that I listed above), AKA PR #4481, is focused and effective. Unfortunately, it feels a bit like a hack to me, though it is a well-contained hack. So I'm not convinced it's the best solution. However, I like it as much as I like reverting the allocators.

Solution #3, AKA PR #4495, is nice and clean, but potentially adds a little overhead to all PyMem_RawMalloc() and PyMem_RawFree() calls.  All the other PyMem_* functions are unaffected, so perhaps the overall impact is not significant enough to worry.


>> 2. statically initialize the "raw" allocator with defaults, enough
>>   to make PyMem_RawMalloc() and PyMem_RawFree() work pre-init (this
>>   is what my PR does)
>
> As I explained, the code to initialize PyMem_Raw allocator is complex
> and I would really prefer to only initialize it "partially" to prevent
> bad surprises.

The surprises would only be pre-initialization, right?  After the runtime is initialized, the allocators are in the proper fully-initialized state.  So it mostly boils down to what parts of the C-API embedders can use before initialization and how those functions interact with the raw memory allocator.  Those constraints narrow down the scope of potential problems to a manageable size (I won't say small, but it feels that way).

Ultimately, I favor solution #3 if we can see that it does not impact performance.  If we can't come to an agreement in a timely fashion then I'll go along with #1 (revert), so that we don't leave the embedding story broken.  If we go that route, do you think we could resolve the initialization issues within the 3.7 timeframe?
msg306708 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-22 09:33
> As an alternative to that, we could also deprecate using any of those functions before initializing the runtime.   Instead of calling them, you would set the relevant info on the runtime "config" struct that you pass to the replacement for PyInitialize().

Currently, _PyCoreConfig is not complete: you cannot pass PYTHONPATH or PYTHONHOME. I'm working on patches to implement that.

Moreover, there is the question how to decode a bytes path (for PYTHONPATH) into a wchar_t* string.

Disallow calling Py_DecodeLocale() before Py_Initialize(): ok, but which alternative do you propose to decode OS data?
msg306717 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-22 10:26
Victor, please stop trying to conflate the two questions of "How should we fix the current Py_DecodeLocale regression before 3.7.0a3?" and "What do we want to do long term?".

They're far from being the same question, and answering the second one properly is going to be much harder and more involved than just doing the bare minimum needed to make the previously supported embedding logic work again (even if it means postponing some of the dynamic allocator changes we'd like to make).

Omitting PYTHONHOME and PYTHONPATH from the core config is deliberate, as the interpreter doesn't support external imports yet when just the core has been initialized - only builtin and frozen ones.

Anything related to external imports should ultimately end up in the main interpreter configuration: https://www.python.org/dev/peps/pep-0432/#supported-configuration-settings

Longer term, I also want to rewrite getpath.c in Python (or at least primarily using Python lists and strings via the C API instead of relying on C arrays and C string manipulation functions).

However, our work on refactoring Py_Main has also shown me that we're going to need some additional structs to hold the raw(ish) command line arguments and environment variables in order to easily pass them around to other internal configuration APIs.

Modules/main.c already defines _Py_CommandLineDetails for the command line settings: https://github.com/python/cpython/blob/master/Modules/main.c#L382

We *don't* currently have anything like that for environment variables, not even the ones which are "read once at startup, then never read them again".
msg306718 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-22 10:37
Speaking of surprises with static initialization of the runtime allocations: both PRs are failing in CI, suggesting that the changes that Py_Initialize makes to the allocator settings aren't being reverted in Py_Finalize, so there's a mismatch between the allocation function and the deallocation function.
msg306737 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-22 17:34
>  We *don't* currently have anything like that for environment variables, not even the ones which are "read once at startup, then never read them again".

I changed Py_Main() in bpo-32030. Now multiple environment variables are read once at startup and put into _PyCoreConfig:

https://github.com/python/cpython/blob/803ddd8ce22f0de3ab42fb98a225a704c000ef06/Modules/main.c#L1365-L1413

I added new fields to _PyCoreConfig:

https://github.com/python/cpython/blob/803ddd8ce22f0de3ab42fb98a225a704c000ef06/Include/pystate.h#L27-L39

I suggest to continue to add more fields to _PyCoreConfig to move all code to configure Python before Py_Initialize(), and later to let users embedding Python to configure Python as they want, without losing features. For example, to enable the new "development mode" (-X dev), now you "just" have to set _PyCoreConfig.dev_mode to 1.
msg306740 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-22 17:51
I created a new PR adding a new _PyCoreConfig.pythonpath field:
https://github.com/python/cpython/pull/4504

Once it will be merged, I will work on a new PR for PYTHONHOME (add a new _PyCoreConfig.pythonhome field).
msg306764 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-23 00:04
Victor, I think you're fundamentally misunderstanding the goals of PEP 432.

The entire point is to let people have a *mostly working Python runtime* during CPython startup. Moving everything that Py_Initialize needs to instead have to happen before Py_InitializeRuntime (aka _Py_CoreInitialize) defeats that point.

CoreConfig should thus contain *as little as possible*, with most of the environmental querying work moving into Py_ReadMainInterpreterConfig.

So could you please move everything you've added to CoreConfig (that isn't genuinely required from the moment the runtime starts doing anything) out again, and either put it into the main interpreter config as Python objects (as described in PEP 432), or else into a new intermediate configuration struct?
msg306766 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-23 00:11
Also, the basic rules of thumb I use for deciding whether or not a setting belongs in CoreConfig:

* does `PyUnicode_New` need this? (If yes, then include it)
* does the importlib bootstrapping need this? (If yes, then include it)

Everything else goes in MainInterpreterConfig as a real Python object.

We may need other structs internally to help manage the way Py_Main populates MainInterpreterConfig, but those should be made a required part of the future public initialization API (although we may decide to expose them as "use them if you want to better emulate CPython's default behaviour" helper APIs).
msg306769 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-23 00:21
Follow up: this also came up on https://bugs.python.org/issue32030#msg306763, and I think Victor and I are on the same page now :)

Since MainInterpreterConfig is currently still a private struct, we can store the existing C level config state directly in there for now, and then look at upgrading to Python types on a case by case basis.

Once they're all both consolidated *and* upgraded, then we can consider making the new incremental configuration API public.
msg306772 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-23 00:29
"Victor, I think you're fundamentally misunderstanding the goals of PEP 432. The entire point is to let people have a *mostly working Python runtime* during CPython startup. (...)"

While the PEP 432 is nice, all changes are currently done in private APIs, symbols starting with _Py. I would prefer that nobody uses these new APIs before the conversion is complete. And from what I saw, I can say that the conversion just started, there are still a lot of changes that should be done.

While having _PyRuntime.mem is nice to have in the long term, it doesn't add any value *right now*, except for making the existing C API harder to use.

I would prefer to do things in this order:

* Revert _PyRuntime.mem
* Finish PEP 432 implementation
* Recreate _PyRuntime.mem

Maybe we can complete these 3 steps before Python 3.7, but I'm not sure about that.
msg306774 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-23 00:44
Even the public implementation of PEP 432 is going to be bound by the requirement to keep existing embedding logic working, and that's encapsulated in the new test Eric added in his PR:

    wchar_t *program = Py_DecodeLocale("spam", NULL);
    Py_SetProgramName(program);
    Py_Initialize();
    Py_Finalize();
    PyMem_RawFree(program);

So even if we were to revert the _PyRuntime.mem change in 3.7, we'd still face the same problem in 3.8, because we'd still be exposing the traditional configuration API - the new multi-step configuration API would be *optional* for folks that wanted to override the default settings more easily, rather than a backwards compatibility break with the previously supported way of doing things.

As a result, my preferred option is now to make exactly the promises we need to ensure that the above code works correctly, and then have Py_Initialize and Py_Finalize enforce those constraints:

* the public Py_Initialize API should fail if the memory allocators have already been set to something other than the default
* Py_Finalize should revert the memory allocators to their default setting
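The two constraints listed in msg306774, together with the allocate/free mismatch reported in msg306718, as an added toy model in plain C. This is not CPython source and not code from any of the PRs; every `model_*` name, the tag values and the block header are assumptions made for the illustration.

```c
/* Added illustration: toy model of a swappable "raw" allocator.
 * Not CPython code; all names and tag values are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define TAG_DEFAULT 0xD0u
#define TAG_DEBUG   0xDBu

/* Header in front of every block records which allocator produced it,
 * so a mismatched free is detected instead of corrupting the heap. */
typedef union { uint32_t tag; long double a; long long b; void *c; } hdr_t;

typedef struct {
    uint32_t tag;
    void *(*malloc_fn)(size_t);
    int (*free_fn)(void *);      /* 0 on success, -1 on allocator mismatch */
} raw_alloc_t;

static void *tagged_malloc(uint32_t tag, size_t n) {
    hdr_t *h = malloc(sizeof(hdr_t) + n);
    if (h == NULL) return NULL;
    h->tag = tag;
    return h + 1;
}
static int tagged_free(uint32_t tag, void *p) {
    hdr_t *h;
    if (p == NULL) return 0;
    h = (hdr_t *)p - 1;
    if (h->tag != tag) return -1;   /* block came from a different allocator */
    h->tag = 0;
    free(h);
    return 0;
}
static void *default_malloc(size_t n) { return tagged_malloc(TAG_DEFAULT, n); }
static int default_free(void *p) { return tagged_free(TAG_DEFAULT, p); }
static void *debug_malloc(size_t n) { return tagged_malloc(TAG_DEBUG, n); }
static int debug_free(void *p) { return tagged_free(TAG_DEBUG, p); }

#define DEFAULT_RAW_INIT { TAG_DEFAULT, default_malloc, default_free }
static const raw_alloc_t DEFAULT_RAW = DEFAULT_RAW_INIT;
static const raw_alloc_t DEBUG_RAW = { TAG_DEBUG, debug_malloc, debug_free };

/* Statically initialized with defaults, so it is usable before init. */
static raw_alloc_t g_raw = DEFAULT_RAW_INIT;
static int g_initialized = 0;

void *model_raw_malloc(size_t n) { return g_raw.malloc_fn(n); }
int model_raw_free(void *p) { return g_raw.free_fn(p); }

/* Constraint 1: refuse to initialize unless the default allocator is set. */
int model_initialize(int use_debug) {
    if (g_initialized || g_raw.tag != TAG_DEFAULT) return -1;
    if (use_debug) g_raw = DEBUG_RAW;
    g_initialized = 1;
    return 0;
}
/* Constraint 2: finalize reverts to the default (switchable for the demo). */
void model_finalize(int revert) {
    if (revert) g_raw = DEFAULT_RAW;
    g_initialized = 0;
}
static void reset_model(void) { g_raw = DEFAULT_RAW; g_initialized = 0; }

/* Mirrors the embedding test: allocate pre-init, free post-finalize. */
int run_embedding_sequence(int revert_on_finalize) {
    char *program;
    int rc;
    reset_model();
    program = model_raw_malloc(8);       /* stands in for Py_DecodeLocale() */
    if (program == NULL) return -2;
    if (model_initialize(1) != 0) { default_free(program); return -3; }
    model_finalize(revert_on_finalize);
    rc = model_raw_free(program);        /* stands in for PyMem_RawFree() */
    if (rc != 0) default_free(program);  /* release it properly in the model */
    reset_model();
    return rc;
}
/* A second initialize after finalize only works if finalize reverted. */
int reinit_after_finalize(int revert_on_finalize) {
    int rc;
    reset_model();
    if (model_initialize(1) != 0) return -3;
    model_finalize(revert_on_finalize);
    rc = model_initialize(0);
    reset_model();
    return rc;
}
int main(void) {
    printf("free, finalize reverts:   %d\n", run_embedding_sequence(1));
    printf("free, finalize forgets:   %d\n", run_embedding_sequence(0));
    printf("reinit, finalize forgets: %d\n", reinit_after_finalize(0));
    return 0;
}
```

In the model a mismatch is reported as `-1`; with real allocators that use different block layouts, the same sequence frees a pointer through the wrong routine, which is the failure mode the CI runs exposed.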
msg306889 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-24 11:09
New changeset 9e87e7776f7ace66baaf7247233afdabd00c2b44 by Victor Stinner in branch 'master':
bpo-32096: Remove obj and mem from _PyRuntime (#4532)
https://github.com/python/cpython/commit/9e87e7776f7ace66baaf7247233afdabd00c2b44
msg306893 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-24 12:41
> New changeset 9e87e7776f7ace66baaf7247233afdabd00c2b44 by Victor Stinner in branch 'master':
> bpo-32096: Remove obj and mem from _PyRuntime (#4532)

The newly added test failed on AMD64 Debian root 3.x:

http://buildbot.python.org/all/#/builders/27/builds/226

======================================================================
FAIL: test_pre_initialization_api (test.test_capi.EmbeddingTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/buildarea/3.x.angelico-debian-amd64/build/Lib/test/test_capi.py", line 602, in test_pre_initialization_api
    out, err = self.run_embedded_interpreter("pre_initialization_api", env=env)
  File "/root/buildarea/3.x.angelico-debian-amd64/build/Lib/test/test_capi.py", line 464, in run_embedded_interpreter
    (p.returncode, err))
AssertionError: -6 != 0 : bad returncode -6, stderr is "Could not find platform independent libraries <prefix>\nCould not find platform dependent libraries <exec_prefix>\nConsider setting $PYTHONHOME to <prefix>[:<exec_prefix>]\nFatal Python error: initfsencoding: Unable to get the locale encoding\nModuleNotFoundError: No module named 'encodings'\n\nCurrent thread 0x00007f6456f8c700 (most recent call first):\n"
msg306895 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-24 13:24
We now check that Py_DecodeLocale() can be called before Py_Initialize(). IMHO we need to document this property in the documentation: I opened bpo-32124 and wrote a PR for that.
msg306896 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-24 13:29
The test also failed on x86 Tiger 3.x:

http://buildbot.python.org/all/#/builders/30/builds/212

======================================================================
FAIL: test_pre_initialization_api (test.test_capi.EmbeddingTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/db3l/buildarea/3.x.bolen-tiger/build/Lib/test/test_capi.py", line 602, in test_pre_initialization_api
    out, err = self.run_embedded_interpreter("pre_initialization_api", env=env)
  File "/Users/db3l/buildarea/3.x.bolen-tiger/build/Lib/test/test_capi.py", line 464, in run_embedded_interpreter
    (p.returncode, err))
AssertionError: -6 != 0 : bad returncode -6, stderr is "Could not find platform independent libraries <prefix>\nCould not find platform dependent libraries <exec_prefix>\nConsider setting $PYTHONHOME to <prefix>[:<exec_prefix>]\nFatal Python error: initfsencoding: unable to load the file system codec\nModuleNotFoundError: No module named 'encodings'\n\nCurrent thread 0xa000d000 (most recent call first):\n"
msg306938 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-25 03:45
Huh, those crashes are interesting - I'd guess that it means we have a platform-dependent dependency from Py_DecodeLocale on to Py_SetPythonHome in order to locate the encodings module. If I'm right, that dependency would then mean that embedding applications can only rely on Py_DecodeLocale to do "char *" to "wchar_t *" conversions if they can also rely on the locale encoding always being a builtin one that bypasses the search for the encodings module.

Perhaps we should be recommending temporarily doing 'setenv("PYTHONHOME", home)' (and then reverting that after calling Py_Initialize so it doesn't get inherited by subprocesses) as the preferred approach to handling platforms with "char *" based native filesystem APIs, and adding such a setting to that particular `_testembed` test?
msg306949 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-25 08:50
The test calls Py_SetProgramName(). IMHO the bug is that the program name
is needed to locate the Python std lib.

I don't think that the bug is triggered by Py_DecodeLocale().
msg306982 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-26 01:17
Ah, you're right - I forgot about this little hack in the other embedding tests: https://github.com/vstinner/cpython/blob/3fda852ba4d4040657a1b616a1ef60ad437b7845/Programs/_testembed.c#L11

I'll add "./" to the program name in the new test as well, and see if that's enough to make the failing build bots happy.
msg306987 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-26 04:19
New changeset 4274609e1856facd80b7ee588b0791fe8963b9e0 by Nick Coghlan in branch 'master':
bpo-32096: Ensure new embedding test can find the encodings module (GH-4566)
https://github.com/python/cpython/commit/4274609e1856facd80b7ee588b0791fe8963b9e0
msg306989 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-26 04:42
Looking more closely at the code, I've realised Victor's right - there's no way for Py_DecodeLocale() to accidentally trigger an attempt to import the "encodings" module.

Instead, the error is likely coming from the init_sys_streams step towards the end of the initialization process. The way the embedded test cases are currently being run unfortunately truncated that traceback.

Rather than trying to improve the test case error reporting under the scope of this issue, I've instead filed https://bugs.python.org/issue32136 to cover factoring the runtime embedding tests out to their own test file.
msg306993 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2017-11-26 05:41
Successful test run on the Debian machine that failed above:

* http://buildbot.python.org/all/#/builders/27/builds/242

And for the macOS Tiger machine:

* http://buildbot.python.org/all/#/builders/30/builds/227

So I think we can call the regression fixed, which is where we wanted to get to before the next alpha release.