6

I have some C code that calls a Python function. This Python function accepts an address and uses WINFUNCTYPE to eventually convert it to a function that Python can call. The C function send as a parameter to the Python function will eventually call another Python function. It is at this last step which causes a crash. So in short I go from C -> Python -> C -> Python. The last C -> Python causes a crash. I've been trying to understand the problem, but I have been unable to.

Can someone point out my problem?

C code compiled with Visual Studio 2010 and run with the args "c:\...\crash.py" and "func1":

#include <stdlib.h>
#include <stdio.h>

#include <Python.h>

PyObject* py_lib_mod_dict; //borrowed

void __stdcall cfunc1()
{
    PyObject* py_func;
    PyObject* py_ret;
    int size;
    PyGILState_STATE gil_state;

    gil_state = PyGILState_Ensure();
    printf("Hello from cfunc1!\n");

    size = PyDict_Size(py_lib_mod_dict);
    printf("The dictionary has %d items!\n", size);
    printf("Calling with GetItemString\n");
    py_func = PyDict_GetItemString(py_lib_mod_dict, "func2"); //fails here when cfunc1 is called via callback... will not even go to the next line!
    printf("Done with GetItemString\n");
    py_ret = PyObject_CallFunction(py_func, 0);

    if (py_ret)
    {
        printf("PyObject_CallFunction from cfunc1 was successful!\n");
        Py_DECREF(py_ret);
    }
    else
        printf("PyObject_CallFunction from cfunc1 failed!\n");

    printf("Goodbye from cfunc1!\n");
    PyGILState_Release(gil_state);
}

int wmain(int argc, wchar_t** argv)
{
    PyObject* py_imp_str;
    PyObject* py_imp_handle;
    PyObject* py_imp_dict; //borrowed
    PyObject* py_imp_load_source; //borrowed
    PyObject* py_dir; //stolen
    PyObject* py_lib_name; //stolen
    PyObject* py_args_tuple;
    PyObject* py_lib_mod;
    PyObject* py_func;
    PyObject* py_ret;

    Py_Initialize();

    //import our python script
    py_dir = PyUnicode_FromWideChar(argv[1], wcslen(argv[1]));
    py_imp_str = PyString_FromString("imp");
    py_imp_handle = PyImport_Import(py_imp_str);
    py_imp_dict = PyModule_GetDict(py_imp_handle); //borrowed
    py_imp_load_source = PyDict_GetItemString(py_imp_dict, "load_source"); //borrowed
    py_lib_name = PyUnicode_FromWideChar(argv[2], wcslen(argv[2]));

    py_args_tuple = PyTuple_New(2);
    PyTuple_SetItem(py_args_tuple, 0, py_lib_name); //stolen
    PyTuple_SetItem(py_args_tuple, 1, py_dir); //stolen

    py_lib_mod = PyObject_CallObject(py_imp_load_source, py_args_tuple);
    py_lib_mod_dict = PyModule_GetDict(py_lib_mod); //borrowed

    printf("Calling cfunc1 from main!\n");
    cfunc1();

    py_func = PyDict_GetItem(py_lib_mod_dict, py_lib_name);
    py_ret = PyObject_CallFunction(py_func, "(I)", &cfunc1);

    if (py_ret)
    {
        printf("PyObject_CallFunction from wmain was successful!\n");
        Py_DECREF(py_ret);
    }
    else
        printf("PyObject_CallFunction from wmain failed!\n");

    Py_DECREF(py_imp_str);
    Py_DECREF(py_imp_handle);
    Py_DECREF(py_args_tuple);
    Py_DECREF(py_lib_mod);

    Py_Finalize();

    fflush(stderr);
    fflush(stdout);
    return 0;
}

Python code:

from ctypes import *

def func1(cb):
    print "Hello from func1!"
    cb_proto = WINFUNCTYPE(None)
    print "C callback: " + hex(cb)
    call_me = cb_proto(cb)
    print "Calling callback from func1."
    call_me()
    print "Goodbye from func1!"

def func2():
    print "Hello and goodbye from func2!"

Output:

Calling cfunc1 from main!
Hello from cfunc1!
The dictionary has 88 items!
Calling with GetItemString
Done with GetItemString
Hello and goodbye from func2!
PyObject_CallFunction from cfunc1 was successful!
Goodbye from cfunc1!
Hello from func1!
C callback: 0x1051000
Calling callback from func1.
Hello from cfunc1!
The dictionary has 88 items!
Calling with GetItemString
PyObject_CallFunction from wmain failed!

I added a PyErr_Print() to the end and this was the result:

Traceback (most recent call last):
  File "C:\Programming\crash.py", line 9, in func1
    call_me()
WindowsError: exception: access violation writing 0x0000000C

EDIT: Fixed a bug that abarnert pointed out. Output is unaffected.
EDIT: Added in the code that resolved the bug (acquiring the GIL lock in cfunc1). Thanks again abarnert.

Improve this question
9
  • As I said, I had the same issue when porting to POSIX, and just removing that Py_DECREF solves the problem for me… Could it be the GIL issue I also mentioned in my answer? Try putting the PyGILState_Ensure/Release pair in and see what happens. Meanwhile, put in a bunch of PyObject_Print statements to make sure everything is what it should be. That's how I found the problem with func1 being decref'd. Commented Feb 4, 2013 at 19:10
  • This problem occurs in a single threaded environment. The GIL lock should only be required in a multithreaded environment where it is possible for two threads to be inside the same Python interpreter instance. Commented Feb 5, 2013 at 20:55
  • (I keep pressing enter for a new line... and I don't know how to do linebreaks even after readint help, sorry) The failure point is actually at with PyDict_GetItemString. That's a Python standard library that causes the AV. I'm not sure how to put prints inside a standard Python function. It should AV on the next line as well but it never gets there. What's interesting is that this code does not fail on Linux yet fails on Windows (thanks for pointing that out by the way). I'm in the process of setting up a Linux VM to see if I'm able to figure anything else out. Commented Feb 5, 2013 at 21:01
  • Actually, I'm testing on OS X, not linux, but… close enough. Anyway, the standard interpreter runs everything under the GIL even if you only have one thread, even though it seems like that shouldn't be necessary. And I was able to get the PyEval_SaveThread: NULL tstate crash in a single-threaded program. So, that's why I brought it up. I'm not sure it's relevant (I haven't actually done any serious C embedding in a long time), but it's worth testing instead of just dismissing it. Commented Feb 5, 2013 at 21:15
  • PS, you can't do linebreaks in comments. Well, you can (on some browsers/platforms) by copying and pasting a newline from another text editor to avoid triggering the "submit on enter", but it doesn't matter, because comments are formatted to collapse all whitespace into a single space anyway. Commented Feb 5, 2013 at 21:16

2 Answers 2

Reset to default
5

The problem is this code:

py_func = PyDict_GetItemString(py_lib_mod_dict, "func2"); //fails here when cfunc1 is called via callback... will not even go to the next line!
printf("Done with GetItemString\n");
py_ret = PyObject_CallFunction(py_func, 0);

Py_DECREF(py_func);

As the docs say, PyDict_GetItemString returns a borrowed reference. So, the first time you call here, you borrow the reference, and decref it, causing it to be destroyed. The next time you call, you get back garbage, and try to call it.

So, to fix it, just remove the Py_DECREF(py_func) (or add Py_INCREF(py_func) after the pyfunc = line).

Actually, you will usually get back a special "dead" object, so you can test this pretty easily: put a PyObject_Print(py_func, stdout) after the py_func = line and after the Py_DECREF line, and you'll probably see something like <function func2 at 0x10b9f1230> the first time, <refcnt 0 at 0x10b9f1230> the second and third times (and you won't see the fourth, because it'll crash before you get there).

I don't have a Windows box handy, but changing wmain, wchar_t, PyUnicode_FromWideChar, WINFUNCTYPE, etc. to main, char, PyString_FromString, CFUNCTYPE, etc., I was able to build and run your code, and I get a crash in the same place… and the fix works.

Also… shouldn't you be holding the GIL inside cfunc1? I don't often write code like this, so maybe I'm wrong. And I don't get a crash with the code as-is. Obviously, spawning a thread to run cfunc1 does crash, and PyGILState_Ensure/Release solves that crash… but that doesn't prove you need anything in the single-threaded case. So maybe this isn't relevant… but if you get another crash after fixing the first one (in the threaded case, mine looked like Fatal Python error: PyEval_SaveThread: NULL tstate), look into this.

By the way, if you're new to Python extending and embedding: A huge number of unexplained crashes are, like this one, caused by manual refcounting errors. That's the reason things like boost::python, etc. exist. It's not that it's impossible to get it right with the plain C API, just that it's so easy to get it wrong, and you will have to get used to debugging problems like this.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

You are correct about the PyDic_GetItemString. I need to fix that. However, I actually removed all Py_DECREF during one of my tests to ensure that was not the problem and the result is the same.
Just got a chance to test acquiring the GIL and it works. Thank you for the time you spent helping me. I still would like to know why acquiring the GIL works especially in this single threaded instance. I do know that WINFUNCTYPE releases the GIL, but again this is a single threaded instance so I didn't think much of it. I did do some research beforehand about the GIL when I was trying to troubleshoot, but it did not seem necessary from the documentation I read. I've discussed this with people who do Python <-> C regularly and they all mentioned that the GIL was only required multiple threads.
@Dennis: I think I understand here. The fundamental rule is that you're only allowed to run the interpreter inside the GIL. If you're just doing Python <-> C, the only way you can lose the GIL is if another thread grabs it, so there's no problem unless you're writing multi-threaded code. But if you're doing Python <-> C <-> Python, you can also lose the GIL because some C code explicitly releases it, even in single-threaded code.
So now I have another question. I was reading some documentation and doing some quick Google searches and it sounds like you need PyEval_InitThreads() to make the GIL effective. To test this, I actually tried to acquire the GIL twice (and then release it twice) in cfunc1. I ran PyGILState_Ensure() twice. The execution was perfect as far as I could tell. That's not suppose to happen, is it?
@Dennis: Well, the docs say "It is not needed before calling PyEval_SaveThread() or PyEval_RestoreThread()". Also read the following Note:, and the documentation on PyEval_SaveThread. It sounds like if you never call InitThreads, you can still save/restore, ensure/release, and it doesn't do any expensive locking (it may still twiddle a refcount?). Meanwhile, you definitely can ensure twice; see docs.python.org/2/c-api/init.html#PyGILState_Ensure
|
1

abarnert's answer provided the correct functions to call, however the explanation bothered me so I came home early and poked around some more.

Before I go into the explanation, I want to mention that when I say GIL, I strictly mean the mutex, semaphore, or whatever that the Global Interpreter Lock uses to do the thread synchronization. This does not include any other housekeeping that Python does before/after it acquires and releases the GIL.

Single threaded programs do not initialize the GIL because you never call PyEval_InitThreads(). Thus there is no GIL. Even if there was locking going on, it shouldn't matter because it's single threaded. However, functions that acquire and release the GIL also do some funny stuff like mess with the thread state in addition to acquiring/releasing the GIL. Documentation on WINFUNCTYPE objects explicitly states that it releases the GIL before making the jump to C. So when the C callback was called in Python, I suspect something like PyEval_SaveThread() is called (maybe in error because it's only suppose to be called in threaded operations at least from my understanding). This would release the GIL (if it existed) and set the thread state to become NULL, however there's no GIL in single threaded Python programs, thus all it really does is just set the thread state to NULL. This causes the majority of Python functions in the C callback to fail hard.

Really the only benefit of calling PyGILState_Ensure/Release is to tell Python to set the thread state to something valid before running off and doing things. There's not a GIL to acquire (not initialized because I never called PyEval_InitThreads()).

To test my theory: In the main function I use PyThreadState_Swap(NULL) to grab a copy of the thread state object. I restore it during the callback and everything works fine. If I keep the thread state at null, I get pretty much the same access violation even without doing a Python -> C callback. Inside cfunc1, I restore the thread state and there's no more problems cfunc1 itself during the Python -> C callback.

There is an issue when cfunc1 returns into Python code, but that's probably because I messed with the thread state and the WINFUNCTYPE object is expecting something totally different. If you keep the thread the state without setting it back to null when returning, Python just sits there and does nothing. If you restore it back to null, it crashes. However, it does successfully executes cfunc1 so I'm not sure I care too much.

I may eventually go poke around in the Python source code to be 100% sure, but I'm sure enough to be satisfied.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.