subprocess can block all Python threads when using `vfork()` until the child process `exec()` succeeds or fails. #104372

gpshead · 2023-05-10T23:41:38Z

Background

When using the subprocess module on Linux, vfork() rather than fork() has been preferred when possible for a few Python releases as is generally offers MUCH higher performance, the larger the parent process, the more cpu time it saves on page table copying.

Problem

vfork() - by design - does not return control to parent process until after the child process has successfully performed an exec() system call or has died.

Python subprocess uses _posixsubprocess.fork_exec() extension module implementation to do handle async-signal-safe fork/vfork+exec code path (as that cannot safely be implemented in Python). This function does not release the GIL. Thus the GIL is held across the vfork() call. Meaning the parent process does not resume execution until the exec has succeeded, or failed and returned an error which our child writes to it's errpipe_write fd before exiting.

This can result in all Python threads hanging (ie: the GIL is held by a blocked thread) when the child exec system call takes a long time. Such as the binary existing on a potentially slow or high latency network filesystem. (We witnessed this on a FUSE filesystem backed by remote (high latency) cloud storage with a large executable... but any slow or high latency filesystem containing an executable or anything interfering in the exec system call can cause the same problem).

Workarounds

Building without vfork support in _posixsubprocess or otherwise passing an arg to subprocess API that happens to disable vfork because it is incompatible with the vfork-concept are workarounds. (I won't recommend any of those because none of them are a good idea to pass when not needed for their primary purpose).

Another workaround viable in our specific case is to pre-read the executable before asking subprocess to launch it as that moves the high IO latency from the exec system call into a read without the GIL held beforehand as it pulls the executable into a fast-enough local storage cache. (That being useful at all depends on your particular filesystem latency implementation situation)

Potential Solutions

If we could simply release the GIL around the vfork() call that would seem to be ideal... It's not clear to me that we can actually do that, I'm working out what a PR would look like or what blocks us from doing so safely.

Offering yet another keyword argument to subprocess APIs to disable the use of APIs that could block the entire process upon exec() such as vfork is viable - but doesn't feel great given our existing long list of subprocess args.

Linked PRs

The text was updated successfully, but these errors were encountered:

gpshead · 2023-05-15T21:20:19Z

A practical workaround usable in some cases:

+import shlex
 ...
-    subprocess.run(argv, ...)
+    subprocess.run(shlex.join(["exec"] + argv, shell=True, ...)

Do not use this workaround unless you fully control argv and know that it cannot contain anything that might wind up as shell injection.

That defers the blocking exec into an intermediary post-vfork-exec child process using your already installed shell that is already capable of doing that.

We move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process.

…al safety and no GIL requirement (#104518) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways.

…c signal safety and no GIL requirement (python#104518) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways.

…104697) Use non-Raw malloc for c_fds_to_keep as the code could ask for 0 length.

On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes python#104372.

…or async signal safety and no GIL requirement (pythonGH-104518) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways.. (cherry picked from commit c649df6) Co-authored-by: Gregory P. Smith <greg@krypto.org>

…c signal safety and no GIL requirement (python#104518) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways. (cherry picked from commit c649df6)

…or async signal safety and no GIL requirement (pythonGH-104518) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways.. (cherry picked from commit c649df6) Co-authored-by: Gregory P. Smith <greg@krypto.org>

gpshead · 2023-05-23T07:43:21Z

A heavy handed workaround, disable the use of vfork entirely:

subprocess._USE_VFORK = False

if your process is large this will slow down process launching time (regular fork is used - which must copy the entire process memory map) but for most things that is perfectly fine.

… signal safety gh-104518 (#104785) Move all of the Python C API calls into the parent process up front instead of doing PyLong_AsLong and PyErr_Occurred and PyTuple_GET from the post-fork/vfork child process. Much of this was long overdue. We shouldn't have been using PyTuple and PyLong APIs within all of these low level functions anyways. This is a backport of c649df6 for #104518 and the tiny adjustment in d1732fe #104697. Backporting this allows backporting of the real bug fix that requires it. Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>

The ideal pattern for this. (already in the 3.11 backport)

The ideal pattern for this. (already in the 3.11 backport) (cherry picked from commit 7f963bf) Co-authored-by: Gregory P. Smith <greg@krypto.org>

The ideal pattern for this. (already in the 3.11 backport)

gh-104372: use == -1 before PyErr_Occurred (GH-104831) The ideal pattern for this. (already in the 3.11 backport) (cherry picked from commit 7f963bf) Co-authored-by: Gregory P. Smith <greg@krypto.org>

On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes #104372.

On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes pythonGH-104372. (cherry picked from commit d086792) Co-authored-by: Gregory P. Smith <gps@python.org>

gpshead · 2023-05-25T20:15:50Z

I'll take care of a 3.11.x bug fix backport, but I want to let this bake in some 3.12beta releases for a while first. It isn't urgent.

…104942) gh-104372: Drop the GIL around the vfork() call. (GH-104782) On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes GH-104372. (cherry picked from commit d086792) Co-authored-by: Gregory P. Smith <gps@python.org>

On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes python#104372. (cherry picked from commit d086792)

…04958) gh-104372: Drop the GIL around the vfork() call. (#104782) On Linux where the `subprocess` module can use the `vfork` syscall for faster spawning, prevent the parent process from blocking other threads by dropping the GIL while it waits for the vfork'ed child process `exec` outcome. This prevents spawning a binary from a slow filesystem from blocking the rest of the application. Fixes #104372. (cherry picked from commit d086792)

gpshead added type-bug An unexpected behavior, bug, or error stdlib Python modules in the Lib dir extension-modules C modules in the Modules dir labels May 10, 2023

gpshead self-assigned this May 10, 2023

gpshead mentioned this issue May 15, 2023

gh-104372: Unlock the GIL before exec when using vfork(). #104515

Closed

bedevere-bot mentioned this issue May 16, 2023

gh-104372: Cleanup _posixsubprocess make_inheritable for async signal safety #104518

Merged

bedevere-bot mentioned this issue May 20, 2023

gh-104372: Use non-Raw malloc for c_fds_to_keep in _posixsubprocess #104697

Merged

gpshead added a commit that referenced this issue May 20, 2023

gh-104372: Use non-Raw malloc for c_fds_to_keep in _posixsubprocess (#…

d1732fe

…104697) Use non-Raw malloc for c_fds_to_keep as the code could ask for 0 length.

gpshead mentioned this issue May 23, 2023

gh-104372: Drop the GIL around the vfork() call. #104782

Merged

bedevere-bot mentioned this issue May 23, 2023

[3.11] gh-104372: Cleanup _posixsubprocess make_inheritable for async signal safety gh-104518 #104785

Merged

gpshead added 3.11 only security fixes 3.12 bugs and security fixes 3.10 only security fixes labels May 23, 2023

gpshead added a commit to gpshead/cpython that referenced this issue May 24, 2023

pythongh-104372: use == -1 before PyErr_Occurred

eefb96d

The ideal pattern for this. (already in the 3.11 backport)

This was referenced May 24, 2023

gh-104372: use == -1 before PyErr_Occurred #104831

Merged

[3.12] gh-104372: use == -1 before PyErr_Occurred (GH-104831) #104833

Merged

gpshead added a commit that referenced this issue May 24, 2023

gh-104372: use == -1 before PyErr_Occurred (#104831)

7f963bf

The ideal pattern for this. (already in the 3.11 backport)

gpshead closed this as completed in #104782 May 25, 2023

miss-islington mentioned this issue May 25, 2023

[3.12] gh-104372: Drop the GIL around the vfork() call. (GH-104782) #104942

Merged

gpshead reopened this May 26, 2023

gpshead mentioned this issue May 26, 2023

[3.11] gh-104372: Drop the GIL around the vfork() call. (#104782) #104958

Merged

gpshead closed this as completed May 26, 2023

erlend-aasland mentioned this issue Jun 6, 2023

3.12 backport gh 105236 #105358

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

subprocess can block all Python threads when using `vfork()` until the child process `exec()` succeeds or fails. #104372

subprocess can block all Python threads when using `vfork()` until the child process `exec()` succeeds or fails. #104372

gpshead commented May 10, 2023 •

edited by bedevere-bot

Loading

gpshead commented May 15, 2023

gpshead commented May 23, 2023

gpshead commented May 25, 2023

subprocess can block all Python threads when using vfork() until the child process exec() succeeds or fails. #104372

subprocess can block all Python threads when using vfork() until the child process exec() succeeds or fails. #104372

Comments

gpshead commented May 10, 2023 • edited by bedevere-bot Loading

Background

Problem

Workarounds

Potential Solutions

Linked PRs

gpshead commented May 15, 2023

gpshead commented May 23, 2023

gpshead commented May 25, 2023

subprocess can block all Python threads when using `vfork()` until the child process `exec()` succeeds or fails. #104372

subprocess can block all Python threads when using `vfork()` until the child process `exec()` succeeds or fails. #104372

gpshead commented May 10, 2023 •

edited by bedevere-bot

Loading