PEP 788: Address feedback from first discussion round

[ZeroIntensity]

• Change is either:
  • To a Draft PEP
  • To an Accepted or Final PEP, with Steering Council approval
  • To fix an editorial issue (markup, typo, link, header, etc)
• PR title prefixed with PEP number (e.g. PEP 123: Summary of changes)

---

The key changes I made here are:

• Interpreter references now have a dedicated type (PyInterpreterRef and PyInterpreterWeakRef *).
• Add PyThreadState_GetDaemon() and what needs to happen to threading for that to work.
• Add a terminology section for clarification on what things like "finalization" refer to in the PEP.
• Add a rejected idea for the previous approach (mainly using PyInterpreterState * for refs).
• Add an open issue for PyThreadState_Ensure stealing a strong reference.
• Editorial: Lots of clarity fixes (many had trouble understanding the PEP, unfortunately).
• Editorial: Headings are now in title case ("The Apple is Weird and Confusing") rather than sentence case ("The apple is weird and confusing").

---

📚 Documentation preview 📚: https://pep-previews--4400.org.readthedocs.build/pep-0788/

[ZeroIntensity]

@godlygeek I can't add you as a reviewer, but I'd appreciate your opinion on some of the new things I'm proposing here.

[ZeroIntensity]

Bump @AA-Turner @vstinner now that the beta is out. There's no rush considering we have a year until the 3.15 freeze, though.

[vstinner]

I'm not comfortable with PyInterpreterRef and PyInterpreterWeakRef which are different: PyInterpreterRef is used as a scalar value, whereas PyInterpreterWeakRef is used as a pointer. I would prefer that both are scalars, or both are pointers. Maybe using a pointer API would be more future proof and it makes sure that the value (the pointer) can be stored ... in a pointer, for a callback argument.

[vstinner]

LGTM. Thanks, the API looks better to me.

[colesbury]

When does PyThreadState_Ensure() create a new thread state instead of reusing an existing one?

[colesbury]

"Native threads" is not a good term for non-threading module created threads even if you (re)define the term. It perpetuates a confusion that Python threads aren't "real" OS threads.

We use "non-Python created threads" in, e.g., https://docs.python.org/3/c-api/init.html#non-python-created-threads.

[ZeroIntensity]

I don't totally disagree, but I'd really prefer not using the clunky phrase "non-Python created thread", especially considering how many times "native thread" is used throughout the PEP. Is there a shorter term we could use?

[vstinner]

OS threads?

[ZeroIntensity]

I think "OS thread" has the same problem as "native thread". I'm personally fine with still using the term "native thread", because this PEP will change how threading works too. So you get two interpretations, both being correct:

• "Reimagining Threads natively": The PEP changes how to use OS threads with a native caller.
• "Reimagining Native Threads": The PEP changes how native OS threads, threading included, interact with the interpreter.

[vstinner]

If you want to avoid "native threads", just write "non-Python threads"?

[colesbury]

I don't think this paragraph is helpful here. Get to the crux: PyGILState_Ensure/PyGILState_Release is one of the primary ways to get a valid thread state using the C API and it doesn't work well with subinterpreters because it always creates (or reuses) a thread state for the main interpreter.

[ZeroIntensity]

I think it's useful as a quick intro to people who aren't deeply familiar with how thread states work. I would expect that 99% of extension developers just know the PyGILState surface API, so the thread state terminology that the proposal uses might seem foreign. Would you prefer I just link to the documentation?

[colesbury]

I think talking about terminology is okay, but it doesn't need to be at the beginning of the abstract. When reading the abstract, I'd want to see:

1. The most important problem the PEP is solving
2. An outline of the solution without going in to too much detail

[colesbury]

I don't understand the distinction being made here between finalization and shutdown nor the purpose of making this distinction -- I don't see how "interpreter finalization" and "interpreter shutdown" are different things.

"Finalization" is also pretty overloaded; you can say "interpreter finalization" to be more clear.

[ZeroIntensity]

It's not important for the main interpreter, but there's an important distinction for subinterpreters because the PyInterpreterState structure becomes invalid after shutdown, but not during finalization. That's an important detail for the rationale on why we're not using PyInterpreterState * for PyThreadState_Ensure.

But I think you're right, anyway. I'll remove this.

[colesbury]

I think this is mixing up a few ideas (critical sections and stop the world). You want Py_BEGIN_ALLOW_THREADS around blocking operations to prevent deadlock with GC (or other stop-the-world) events.

Stop-the-world events are analogous to holding the GIL -- one thread has exclusive access to the interpreter -- so you can end up with the same deadlocks.

[ZeroIntensity]

Hm, is the current thing I wrote wrong? I think this paragraph is quite long already, and it's only here to quickly explain why Py_BEGIN_ALLOW_THREADS is still needed on free-threaded builds. If there's nothing wrong with what's already there, it's probably fine to leave it.

[colesbury]

I agree that it's getting long already. Was this expanded in response to feedback on the PEP? I would just have one sentence regarding the free threaded build at the end of the lock ordering deadlock paragraph. Something like:

...while thread B holds the GIL and is waiting on the lock. A similar deadlock can occur in the free threaded build during stop the world pauses, which happen during during garbage collection.

[colesbury]

Hm, is the current thing I wrote wrong?

The first part is definitely true: "on free-threaded builds, lock-ordering deadlocks are still possible".

The subsequent explanation doesn't make much sense to me. The "releasing locks when the thread state is
detached" behavior is only applicable to critical sections, and we don't use Py_BEGIN_ALLOW_THREADS directly with critical section APIs. The critical section API implementations do the detaching/reattaching internally.

[ZeroIntensity]

Was this expanded in response to feedback on the PEP? I would just have one sentence regarding the free threaded build at the end of the lock ordering deadlock paragraph.

Ok, yeah, I'll do it this way.

The critical section API implementations do the detaching/reattaching internally.

I was thinking of something like this:

Py_BEGIN_CRITICAL_SECTION(whatever);
acquire_os_lock(); // NOT PyMutex
Py_END_CRITICAL_SECTION();

You still need to have Py_BEGIN_ALLOW_THREADS to release that critical section. Otherwise you can get lock-ordering deadlocks, right?

[colesbury]

The scenario here that leads to deadlock here happens when you acquire a lock during an object destructor/finalizer thats also acquired elsewhere. But if you're doing that, non-daemon threads won't save you because you will still occasionally deadlock with the GC.

[ZeroIntensity]

Hmm, I wasn't aware of this. That sounds like it compromises some of the motivation behind the PEP. Could you go into a little more detail here?

[colesbury]

Python's GC runs object finalizers (i.e., __del__ methods) in the same thread that triggered the GC, so you can end trying to reacquire a lock you already hold.

Here's an example from stackoverflow: https://stackoverflow.com/questions/18774401/self-deadlock-due-to-garbage-collector-in-single-threaded-code

Java runs finalizers in their own thread to avoid this sort of problem.

Generally, the "fix" in Python is to avoid acquiring locks in __del__ functions.

[ZeroIntensity]

Ah, that makes sense, I wasn't taking the garbage collector into account. I was imagining some C code that acquired a lock and got hung before calling into Python. But I think you're right that PyThreadState_Ensure isn't sufficient to fix tp_finalize/__del__ deadlocks. That's not good.

Java runs finalizers in their own thread to avoid this sort of problem.

Thinking out loud--it's not out of the question to take a similar approach for Python, at least for non-daemon threads. I'm not too sure what gc.garbage does in modern versions, but in theory, we could put objects collected under a non-daemon thread state into a garbage list, and then finalize them all in a dedicated thread.

[colesbury]

I don't see how "it's completely safe to choose the main interpreter" follows from "the callback has no closure".

Maybe these use cases (like readline) only make sense in the main interpreter, but choosing the correct interpreter seems important.

[ZeroIntensity]

If you don't have a closure argument/callback parameter or some other workaround, then you can't pass interpreter-specific data, so you're good to assume that the main interpreter is the one you want. It might not be the right choice, but by "totally safe", I mean that things will just raise a completely safe exception (e.g. an AttributeError), rather than crashing through using an object from a different interpreter.

So basically, if you can access state from the caller, then you can also store the interpreter reference, and if not, then there's no way to access invalid cross-interpreter state anyway.

[ZeroIntensity]

When does PyThreadState_Ensure() create a new thread state instead of reusing an existing one?

The same places where PyGILState_Ensure would (via the gilstate pointer), in addition to when the current interpreter doesn't match the requested interpreter. Should that be specified, or left up the implementation? I could see it going either way.

[colesbury]

Yes, I think it's worth specifying. The constraint "when the current interpreter doesn't match the requested interpreter" makes me think that you can end up with more threads states per interpreter+OS thread.

[ZeroIntensity]

Here's what I was envisioning:

// No tstate ever in this thread
// current: NULL

PyThreadState_Ensure(main_interp); // New thread state for the main interpreter
// current: main
PyThreadState_Ensure(main_interp); // Do nothing
// current: main
Py_BEGIN_ALLOW_THREADS; // Detach it
// current: NULL
PyThreadState_Ensure(main_interp); // Reattach the old thread state
// current: main
PyThreadState_Release(); // Detach it again
// current: NULL
Py_END_ALLOW_THREADS; // Reattach
// current: main
PyThreadState_Ensure(subinterp); // New thread state for the subinterpreter
// current: subinterp
PyThreadState_Ensure(main_interp); // New thread state for the main interpreter
// current: main

Basically, PyThreadState_Ensure for a different interpreter treats it as a new thread.

[vstinner]

cc @pablogsal: the PEP update I told you about. You might want to have a look.

[ericsnowcurrently]

Thanks for working on this. I haven't gotten though the whole proposal, but did start by trying to understand what we're trying to solve here. I've left short notes for each of the motivation sections. Ultimately, I think are some bugs to be addressed separately and the other concerns could be solved without replacing the existing API. That doesn't mean a new API isn't warranted, but let's see how much value it would add first. (I'd be glad to hop into a call to discuss this more.)

[ericsnowcurrently]

Can we address this with a distinct return value and two new functions?

• int PyGILState_Failed(PyGILState_STATE)
• void PyGILState_SetHangDuringFini(int) # default 1

[ericsnowcurrently]

Another option is to support a callback that gets called when the interpreter is finalizing:

typedef int (tstate_fini_callback *)(PyThreadState *, void *arg);
void PyThreadState_SetFiniCallback(PyThreadState *, tstate_fini_callback, void *arg);

I'm sure there are other options that are likewise compatible with the existing API (not that a replacement for PyGILState_Ensure() is necessarily a bad idea).

[ericsnowcurrently]

FWIW, at a certain point it make more sense to simply replace the old API, as you are proposing, rather than add a bunch of functions to awkwardly work around the deficiencies of the original API. That very well may be the case here. I just want to be sure we consider the obvious alternatives.

[ericsnowcurrently]

How is this different from the previous one?

[ericsnowcurrently]

Fixing the race here is certainly worth doing, but seems like a separate issue from the GILState API. It also doesn't seem like something that needs a PEP.

[ericsnowcurrently]

How much is this an issue in practice?

[ericsnowcurrently]

See my earlier comment about returning an error.

[ericsnowcurrently]

This section is a bit unclear. Bugginess is definitely something to fix. :) I'm not sure there's a strong argument about it being "confusing" though. As to there being multiple APIs, that's not a bad thing. Essentially, PyGILState_Ensure() is a convenience wrapper around the other functions. This section doesn't seem to add much value.

[ericsnowcurrently]

Crashes here are bugs to be fixed, which I don't expect will need a PEP to solve.

[ericsnowcurrently]

Sure, the name can be a little confusing. That is more of a "while we're at it, let's use a better name" situation than a motivation for a PEP. I wouldn't make much of a point about it, except maybe to mention it in passing.

[ericsnowcurrently]

That can be fixed with an extra function, e.g. int PyGILState_SetInterpreter(PyInterpreterState *), which I wouldn't think needs a PEP.

[ericsnowcurrently]

Bugs with finalization and use-after-free are broader issues that should be handled separately from solutions just about the GILState API. As mentioned earlier, I think the question of improving the current hanging behavior can be handled in a way that doesn't need a PEP.