Please keep this API internal.

I am specifically intending to add this as a public API that may be used to safely attempt to acquire the GIL without the risk of hanging the thread (or if we continued to callpthread_exit, crashing the program).

The intended use case is as follows:

Previously, you might code like the following:

//somenon-PythoncreatedthreadthatwantstosendPythonanasyncnotificationPyGILState_STATEstate=PyGILState_Ensure();//maykillthreadwithpthread_exit//call`call_soon_threadsafe`onsomeeventloopobjectPyGILState_Release(state);

With this new API:

//somenon-PythoncreatedthreadthatwantstosendPythonanasyncnotificationintacquired=PyThread_TryAcquireFinalizeBlock();if (!acquired) {//skipsendingnotificationsincepythonisexitingreturn;}PyGILState_STATEstate=PyGILState_Ensure();//safenow//call`call_soon_threadsafe`onsomeeventloopobjectPyGILState_Release(state);PyThread_ReleaseFinalizeBlock();

Or with the convenience interface:

//somenon-PythoncreatedthreadthatwantstosendPythonanasyncnotificationPyGILState_TRY_STATEstate=PyGILState_TryAcquireFinalizeBlockAndGil();if (!state) {//skipsendingnotificationsincepythonisexitingreturn;}//call`call_soon_threadsafe`onsomeeventloopobjectPyGILState_ReleaseGilAndFinalizeBlock(state);

This write-up with examples actually makes some sense to be included in your "Cautions regarding runtime finalization" documentation section introducing the new APIs.

Why do we need both APIs. Why notonly offer the "convenience" API as a public API?

Also realize that extension authors and code generators will likely need conditionally compiled code based on the Python version to juse the their existing PyGILState_Ensure and Release calls on <= 3.10 while calling the new convenience API on 3.11+. When introducing something new, including that in the example should help (though maybe that specific transitional example belongs in the What's New doc for 3.11)

In some sense PyThread_TryAcquireFinalizeBlock is logically separate from acquiring the GIL. Yes, it is hard to imagine why you would want to acquire a finalize block if you don't also want to acquire the GIL, but you may well release the GIL while holding the finalize block (and in fact if the GIL were guaranteed not to be released, then a separate finalize block wouldn't be needed at all). However, that is a minor point.

Another issue is that the documentation forPyGILState_Ensure indicates it should not be used when using sub-interpreters. I don't really know much about how sub-interpreters work, but as this convenience API is based onPyGILState_Ensure, it would have the same limitation.

There is the additional issue of what to do when called from the finalization thread. Currently these APIs will fail, since they don't make an exception for the finalization thread. But since you can safely acquire the GIL on the finalization thread, in some cases you might want to skip acquiring the finaliation block, but proceed with acquiring the GIL, if running on the finalization thread.

I added this to the documentation, and also added an#if PY_VERSION_HEX snippet to the example as well.

This write-up with examples actually makes some sense to be included in your "Cautions regarding runtime finalization" documentation section introducing the new APIs.

Why do we need both APIs. Why notonly offer the "convenience" API as a public API?

Also realize that extension authors and code generators will likely need conditionally compiled code based on the Python version to juse the their existing PyGILState_Ensure and Release calls on <= 3.10 while calling the new convenience API on 3.11+. When introducing something new, including that in the example should help (though maybe that specific transitional example belongs in the What's New doc for 3.11)

We have a per-interpreter GIL now but - I think what needed to happen is to switch to using the main interpreters GIL as protection for this. So that's what I've committed and pushed.

Alternatively this finalize_blocks could use a lock of its own?

This PR seems like it should apply to each interpreter, rather than just to the whole global runtime (i.e. main interpreter).

I'm not sure I understand the point about PyGILState_Release() being confusing. I think the main question is whether there's a reasonable use-case for the finalize blockoutside of acquiring the GIL. For the use-case of making sure it's safe to acquire the GIL (and preventing finalization from starting while the GILState is held), I think the PyGILState API makes more sense. At that point it isn't exposed as a separate lock but as a new error condition (and a new safety guarantee when calling TryEnsure).

Framing it as "PyGILState_TryEnsure() is likePyGILState_Ensure() except it also prevents finalization from starting while the GILState is held" makes sense to me. I don't think most users of the C API care if their threads are blocked forever when finalizing, so they can just keep using PyGILState_Ensure. I don't think that's more confusing.

AFAICT, this API is interpreter-specific, rather than tied to a thread or the global runtime. SoPy_AcquireFinalizeBlock() might be more consistent with similar existing API (e.g.Py_NewInterpreterFromConfig(),Py_EndInterpreter()).

That said, the proposed function relies on knowing the interpreter associated with the current thread (e.g.PyInterpreterState_Get()). I'd say we're trending away from that approach generally, and, ideally, we would not introduce new C-API that relies on that implicit knowledge. Instead, it may make more sense to add a variant instead:PyInterpreterState_AcquireFinalizeBlock().

The caller would explicitly provide the interpreter that should be blocked:

PyInterpreterState*interp=PyInterpreterState_Get();if (!PyInterpreterState_AcquireFinalizeBlock(interp)) {end_early_because_we_are_finalizing_unexpectedly();return;    }do_the_normal_work();PyInterpreterState_ReleaseFinalizeBlock(interp);return;

Given what I've said about "finalize block", consider alternate names:

• PyInterpreterState_PreventFini() (andPyInterpreterState_AllowFini())
  • similarly,Py_PreventInterpreterFini() (andPy_AllowInterpreterFini())
• PyInterpreterState_BlockFini() (andPyInterpreterState_ReleaseFini())

While it is fairly straightforward to make these finalize blocks interpreter-specific, it is not clear to me, with my limited understanding of sub-interpreters, whether that is actually useful.

• It isn't clear to me howPyFinalize_Ex interacts with multiple interpreters. It only seems to finalize the current interpreter.

• The documentation forPy_EndInterpreter states that the interpreter must "have no other threads". In fact it only does this check after calling the AtExit functions for the interpreter, so it seems it would be sufficient to ensure that all other thread states are destroyed before the AtExit functions finish. But there is also the question of what happens if we try to create a thread state whilePy_EndInterpreter is still in progress.Py_EndInterpreter doesn't seem to check for other thread states while holding the HEAD_LOCK, but that is not an issue as long as the check does not fail.

• In general, given the "no other threads" constraint forPy_EndInterpreter it seems that if other non-Python-created or daermon threads hold references to thePyInterpreterState, then some external synchronization mechanism will be needed to ensure that they don't attempt to access thePyInterpreterState once the "no other threads" check completes.

As an example, suppose we have a C extension that provides a Python API that allows Python callbacks to be passed in, and then later calls those Python functions on its own non-Python-created thread pool. If this extension is to support sub-interpreters, then either during multi-phase module initialization, or when it receives the Python callback, it must record the PyInterpreterState associated with the callback. Then, in order to invoke the callback on a thread from its thread pool, it must obtain a PyThreadState for the (thread, interpreter) combination, creating one if one does not already exist. To ensure thePyInterpreterState pointers that it holds remain valid, it would need to register an AtExit function for the interpreter that ensures thePyInterpreterState won't be used. ThisAtExit function would likely need to essentially implement its own version of the "finalize block" mechanism introduced here.

Given the need for external synchronization of threads when callingPy_EndInterpreter, it seems to me that the finalize block mechanism defined by this PR is only useful for the main interpreter.

Before I dig in to responding: one key point to consider is that Python users (especially extension authors, via the C-API) only interact directly with the global runtime via a few API functions. In nearly every case they are instead interacting with the Python thread (state) or interpreter associated with the current OS thread.

Another key point is that, as of 3.12, each interpreter has its own GIL.

Finally, it is certainly possible that I've misunderstood either the problem you're trying to solve or the way you're trying to solve it or both. I'm completely willing to learn and adjust. Then again, I might be completely right too!

(Sorry for the length of this post. I genuinely want to understand and to be sure we're taking the right approach. I appreciate the work you've done and your willingness to converse.)

Now, on to responses:

• It isn't clear to me howPyFinalize_Ex interacts with multiple interpreters. It only seems to finalize the current interpreter.

PyFinalize_Ex() finalizes the main interpreter and the global runtime. At the point it is called, no other interpreters should exist.

Py_EndInterpreter() finalizes any other interpreter, almost entirely in the same way we finalize the main interpreter.

• The documentation forPy_EndInterpreter states that the interpreter must "have no other threads".

Please clarify. The only thing I see is: "All thread states associated with this interpreter are destroyed."

The behavior should be the same for all interpreters, whether viaPy_EndInterpreter() or the main interpreter viaPy_FinalizeEx():

1. check if current thread and holds GIL and not still running (ensures no reentrancy from the eval loop)
2. internally mark the interpreter as finalizing
3. wait for all non-daemon threads to finish
4. call all of the interpreter's atexit callbacks, if any
5. externally mark the interpreter as finalizing (this causes daemon threads to die, or, now, pause)
6. finalize imports
7. clear the interpreter state (including all its remaining thread states)
8. delete the interpreter state

Caveats:

Py_FinalizeEx() does a few extra things at various places, but that should not relate to interpreter lifecycle.

I do see that it calls_PyThreadState_DeleteExcept() right after step (5), whichPy_EndInterpreter() does not do. However, that's unexpected and should probably be resolved.

There are a few things we don't do in either that we probably should, probably before orright after step (5), e.g. disable the import system, disallow new threads (thread states).

Also, step (3) only applies to threads created by the threading module. We might want to extend that to all other threads states (i.e. created viaPyThreadState_New() orPyGILState_Ensure()).

In fact it only does this check after calling the AtExit functions for the interpreter,

Looking atPy_EndInterpreter():

• callswait_for_thread_shutdown() rightbefore_PyAtExit_Call()
• publicly marks itself as finalizing rightafter_PyAtExit_Call()
• destroys its remaining thread states at the end duringfinalize_interp_clear()

So I'm not sure what you mean specifically.

FWIW,Py_FinalizeEx() is exactly the same, except currently it does that last part a little earlier with_PyThreadState_DeleteExcept().

so it seems it would be sufficient to ensure that all other thread states are destroyed before the AtExit functions finish.

Only daemon threads (and, for now, threads (states) created via the C-API) would still be running at that point, and only until next step (5) above.

So are we talking about both the following?

• move step (5) before step (4)
• apply steps (3) and (5) to thread states that werenot created by the threading module

Just to be clear, here are the ways thread states get created:

• Py_Initialize*()
• Py_NewInterpreter*()
• PyThreadState_New()
• PyGILState_Ensure()
• _thread.start_new_thread() (viathreading.Thread.start())

At the moment, it's mostly only with that last one that we are careful during runtime/interp finalization.

It occurs to me that this PR is mostly about addressing that: dealing with other thread states in the same way we currently do threads created via the threading module. Does that sound right?

But there is also the question of what happens if we try to create a thread state whilePy_EndInterpreter is still in progress.Py_EndInterpreter doesn't seem to check for other thread states while holding the HEAD_LOCK, but that is not an issue as long as the check does not fail.

Yeah, we should probably be more deliberate about disallowing that sort of thing during finalization.

• In general, given the "no other threads" constraint forPy_EndInterpreter it seems that if other non-Python-created or daermon threads hold references to thePyInterpreterState, then some external synchronization mechanism will be needed to ensure that they don't attempt to access thePyInterpreterState once the "no other threads" check completes.

That's what the proposed change in the PR is, AFAICS. The API you're adding must be specific to each interpreter, not to the global runtime. The resources that the proposed change protects are per-interpreter resources, not global ones. So I would not expect there to be any additional API or synchronization mechanism other than what you've already proposed (except applied to each interpreter instead of the main interpreter. Otherwise users of multiple interpreters will still be subject to the problem you're trying to solve.

As an example, suppose we have a C extension that provides a Python API that allows Python callbacks to be passed in, and then later calls those Python functions on its own non-Python-created thread pool. If this extension is to support sub-interpreters, then either during multi-phase module initialization, or when it receives the Python callback, it must record the PyInterpreterState associated with the callback. Then, in order to invoke the callback on a thread from its thread pool, it must obtain a PyThreadState for the (thread, interpreter) combination, creating one if one does not already exist.

That's literally whatPyGILState_Ensure() is for and does. 😄

To ensure thePyInterpreterState pointers that it holds remain valid, it would need to register an AtExit function for the interpreter that ensures thePyInterpreterState won't be used. ThisAtExit function would likely need to essentially implement its own version of the "finalize block" mechanism introduced here.

Why wouldn't we just exclusively use the mechanism you're proposed here? Why would each interpreter have to have an additional duplicate? Again, the resources we're trying to protect here are specific to each interpreter, not to the global runtime, no?

Given the need for external synchronization of threads when callingPy_EndInterpreter, it seems to me that the finalize block mechanism defined by this PR is only useful for the main interpreter.

Hmm, I didn't catch what external synchonization of threads you are talking about. Sorry if I missed it or misunderstood. Please restate what you mean specifically. Thanks!

I don't have any experience with implementing extensions that work with multiple interpreters, but I'm trying to think how that would be done safely.

Let's say this extension lets the user schedule a Python callback to invoked at a specific time, on a global thread pool not created by Python.

With a single interpreter, the extension may either keep a cached PyThreadState per thread in the pool for the main interpreter, or create it on demand. I haven't checked exactly what happens when trying to create a new PyThreadState whilePyFinalize_Ex is running, but I think there is no problem there. The core problem is that the extension could attempt to dispatch a callback just asPy_FinalizeEx is running. Using the existing finalize block mechanism in this PR, the extension can ensure that finalization does not start while a callback is being dispatched, in order to ensure threads in the thread pool won't hang trying to acquire the GIL.

With multiple interpreters, we need a separate PyThreadState per thread in the pool per interpreter, and for each callback that has been scheduled, we also need to store the associatedPyInterpreterState*. However, we also need a way to know that the interpreter is exiting, and cancel any scheduled callbacks, so that we don't attempt to use a danglingPyInterpreterState pointer. IfPyThreadState objects have been cached for the thread pool threads, we would also need to destroy those PyThreadState objects, to avoid violating the constraint ofPy_EndInterpreter. This cancellation mechanism is what I mean by an external synchronization mechanism. Given this external synchronization mechanism, I don't think such an extension would need to use the "finalize block" mechanism. We can't usePyGILState_Ensure because that does not take aPyInterpreterState*, and even if it did, we would need a way to ensure that ourPyInterpreterState* is not dangling.

I think I get it now. The "finalize block" API, as proposed, relies on the global runtime state, which is guaranteed to exist in the process, whereas a given interpreter state pointer may have already been freed.

That said, do we continually have the guarantees we might need relative to the global runtime state, since at a certain point we will have freed some of the state the proposed API would need, no? I suppose if we can rely on some final flag for already-finalized then we'd be okay.

As to interpreters, even if the target one has been finalized already, we can still know that. Interpreters may be looked up by ID, rather than referenced by pointer. It's an O(n) operation, of course, but I'm not sure that would be a huge obstacle. Likewise the pointer can be checked against the list of alive interpreters to check for validity. Would we need more than that?

I think it is safe to assume that there may be numerous race conditions still remaining in the finalization logic. In particular I'd assume that callingPy_Initialize again afterPy_FinalizeEx could definitely result in a lot of problems. I had put that in the category of things not to be done in production code. At least for the single interpreter case, single call toPy_Initialize, I think such bugs could likely be fixed without further API changes, though.

I am unclear on how sub-interpreters should be handled. Checking if thePyInterpreterState* is valid by checking if it is in the list of alive interpreters could fail if the interpreter is freed and then another allocated again at the same address, unless something is done to prevent that. In addition, if a given C/C++ extension only finds out afterwards that an interpreter has been destroyed, it is too late for it to free any PyObjects it has, so it would likely end up leaking memory. Therefore an atexit callback would seem to be more appropriate.

For the single-interpreter case we don't care about leaking memory because the program is about to exit anyway.

Since there are some API questions to resolve here, one option may be to split out the change to make threads hang rather than terminate, which can go in right away, and I expect will be sufficient for almost all single-interpreter use cases. The finalize block API, or other API changes to safely support multi-threading without leaks in the presence of interpreters stopping, could then be added later without blocking the fix for the common case.

Agreed@jbms, can you make a PR splitting that part out?

Done, see#105805

FWIW, this should probably go in Include/cpython/pythread.h.

Also, why the leading underscore? If it's not meant to public use then put it in Include/internal/pycore_pythread.h. Otherwise either drop the leading underscore or add the "PyUnstable_" prefix. (Seehttps://devguide.python.org/developer-workflow/c-api/#c-api, AKA PEP 689.)

Done in#105805

This should apply to each interpreter (seePy_EndInterpreter()), not just the main interpreter at global runtime finalization, no?

It shouldn't be possible, but that's not where things are at yet. 😢

Is there a good reason to put this in the public header? I'd expect it to go in Include/internal/pycore_condvar.h.