Implement C recursion protection with limit pointers

markshannon · markshannon · commit afeb8666d357 · 2025-02-11T15:32:49.000Z
diff --git a/Include/ceval.h b/Include/ceval.h
@@ -61,7 +61,6 @@ PyAPI_FUNC(int) Py_EnterRecursiveCall(const char *where);
 PyAPI_FUNC(void) Py_LeaveRecursiveCall(void);
 
 PyAPI_FUNC(int) Py_ReachedRecursionLimit(PyThreadState *tstate, int margin_count);
-PyAPI_FUNC(void) _Py_EnterRecursiveCallUnchecked(PyThreadState *tstate);
 PyAPI_FUNC(void) Py_LeaveRecursiveCallTstate(PyThreadState *tstate);
 
 PyAPI_FUNC(const char *) PyEval_GetFuncName(PyObject *);
diff --git a/Include/cpython/object.h b/Include/cpython/object.h
@@ -493,11 +493,9 @@ do { \
     if (Py_ReachedRecursionLimit(tstate, 1) && Py_TYPE(op)->tp_dealloc == (destructor)dealloc) { \
         _PyTrash_thread_deposit_object(tstate, (PyObject *)op); \
         break; \
-    } \
-    _Py_EnterRecursiveCallUnchecked(tstate);
+    }
     /* The body of the deallocator is here. */
 #define Py_TRASHCAN_END \
-    Py_LeaveRecursiveCallTstate(tstate); \
     if (tstate->delete_later && !Py_ReachedRecursionLimit(tstate, 2)) { \
         _PyTrash_thread_destroy_chain(tstate); \
     } \
diff --git a/Include/cpython/pystate.h b/Include/cpython/pystate.h
@@ -112,7 +112,8 @@ struct _ts {
     int py_recursion_remaining;
     int py_recursion_limit;
 
-    int c_recursion_remaining;
+    char *c_stack_soft_limit;
+    char *c_stack_hard_limit;
     int recursion_headroom; /* Allow 50 more calls to handle any errors. */
 
     /* 'tracing' keeps track of the execution depth when tracing/profiling.
@@ -202,34 +203,45 @@ struct _ts {
     PyObject *threading_local_sentinel;
 };
 
-#ifdef Py_DEBUG
-   // A debug build is likely built with low optimization level which implies
-   // higher stack memory usage than a release build: use a lower limit.
-#  define Py_C_RECURSION_LIMIT 500
-#elif defined(__s390x__)
-#  define Py_C_RECURSION_LIMIT 800
+
+#if defined(__s390x__)
+#  define Py_C_STACK_SIZE 320000
 #elif defined(_WIN32) && defined(_M_ARM64)
-#  define Py_C_RECURSION_LIMIT 1000
+#  define Py_C_STACK_SIZE 400000
 #elif defined(_WIN32)
-#  define Py_C_RECURSION_LIMIT 3000
+#  define Py_C_STACK_SIZE 1200000
 #elif defined(__ANDROID__)
    // On an ARM64 emulator, API level 34 was OK with 10000, but API level 21
    // crashed in test_compiler_recursion_limit.
-#  define Py_C_RECURSION_LIMIT 3000
-#elif defined(_Py_ADDRESS_SANITIZER)
-#  define Py_C_RECURSION_LIMIT 4000
+#  define Py_C_STACK_SIZE 1200000
 #elif defined(__sparc__)
    // test_descr crashed on sparc64 with >7000 but let's keep a margin of error.
-#  define Py_C_RECURSION_LIMIT 4000
+#  define Py_C_STACK_SIZE 1600000
 #elif defined(__wasi__)
    // Based on wasmtime 16.
-#  define Py_C_RECURSION_LIMIT 5000
+#  define Py_C_STACK_SIZE 2000000
 #elif defined(__hppa__) || defined(__powerpc64__)
    // test_descr crashed with >8000 but let's keep a margin of error.
-#  define Py_C_RECURSION_LIMIT 5000
+#  define Py_C_STACK_SIZE 2000000
 #else
    // This value is duplicated in Lib/test/support/__init__.py
-#  define Py_C_RECURSION_LIMIT 10000
+#  define Py_C_STACK_SIZE 5000000
+#endif
+
+
+#ifdef Py_DEBUG
+   // A debug build is likely built with low optimization level which implies
+   // higher stack memory usage than a release build: use a lower limit.
+#  if defined(__has_feature)  /* Clang */
+    // Clang debug builds use a lot of stack space
+#    define Py_C_RECURSION_LIMIT (Py_C_STACK_SIZE / 2000)
+#  else
+#    define Py_C_RECURSION_LIMIT (Py_C_STACK_SIZE / 1000)
+#  endif
+#elif defined(_Py_ADDRESS_SANITIZER)
+#  define Py_C_STACK_SIZE (Py_C_STACK_SIZE / 600)
+#else
+#  define Py_C_RECURSION_LIMIT (Py_C_STACK_SIZE / 300)
 #endif
 
 
diff --git a/Include/internal/pycore_ceval.h b/Include/internal/pycore_ceval.h
@@ -193,18 +193,10 @@ extern void _PyEval_DeactivateOpCache(void);
 
 /* --- _Py_EnterRecursiveCall() ----------------------------------------- */
 
-#ifdef USE_STACKCHECK
-/* With USE_STACKCHECK macro defined, trigger stack checks in
-   _Py_CheckRecursiveCall() on every 64th call to _Py_EnterRecursiveCall. */
 static inline int _Py_MakeRecCheck(PyThreadState *tstate)  {
-    return (tstate->c_recursion_remaining-- < 0
-            || (tstate->c_recursion_remaining & 63) == 0);
+    char here;
+    return &here < tstate->c_stack_soft_limit;
 }
-#else
-static inline int _Py_MakeRecCheck(PyThreadState *tstate) {
-    return tstate->c_recursion_remaining-- < 0;
-}
-#endif
 
 // Export for '_json' shared extension, used via _Py_EnterRecursiveCall()
 // static inline function.
@@ -220,29 +212,21 @@ static inline int _Py_EnterRecursiveCallTstate(PyThreadState *tstate,
     return (_Py_MakeRecCheck(tstate) && _Py_CheckRecursiveCall(tstate, where));
 }
 
-static inline void _Py_EnterRecursiveCallTstateUnchecked(PyThreadState *tstate)  {
-    assert(tstate->c_recursion_remaining >= -2); // Allow a bit of wiggle room
-    tstate->c_recursion_remaining--;
-}
-
 static inline int _Py_EnterRecursiveCall(const char *where) {
     PyThreadState *tstate = _PyThreadState_GET();
     return _Py_EnterRecursiveCallTstate(tstate, where);
 }
 
 static inline void _Py_LeaveRecursiveCallTstate(PyThreadState *tstate)  {
-    tstate->c_recursion_remaining++;
+    (void)tstate;
 }
 
-#define Py_RECURSION_LIMIT_MARGIN_MULTIPLIER 50
-
 static inline int _Py_ReachedRecursionLimit(PyThreadState *tstate, int margin_count)  {
-    return tstate->c_recursion_remaining <= margin_count * Py_RECURSION_LIMIT_MARGIN_MULTIPLIER;
+    char here;
+    return &here <= tstate->c_stack_soft_limit + margin_count * PYOS_STACK_MARGIN_BYTES;
 }
 
 static inline void _Py_LeaveRecursiveCall(void)  {
-    PyThreadState *tstate = _PyThreadState_GET();
-    _Py_LeaveRecursiveCallTstate(tstate);
 }
 
 extern struct _PyInterpreterFrame* _PyEval_GetFrame(void);
diff --git a/Include/pythonrun.h b/Include/pythonrun.h
@@ -25,6 +25,7 @@ PyAPI_DATA(int) (*PyOS_InputHook)(void);
    on 64-bit platforms).  On a 32-bit platform, this translates
    to an 8k margin. */
 #define PYOS_STACK_MARGIN 2048
+#define PYOS_STACK_MARGIN_BYTES (PYOS_STACK_MARGIN * sizeof(void *))
 
 #if defined(WIN32) && !defined(MS_WIN64) && !defined(_M_ARM) && defined(_MSC_VER) && _MSC_VER >= 1300
 /* Enable stack checking under Microsoft C */
diff --git a/Lib/test/list_tests.py b/Lib/test/list_tests.py
@@ -62,7 +62,7 @@ def test_repr(self):
     @skip_emscripten_stack_overflow()
     def test_repr_deep(self):
         a = self.type2test([])
-        for i in range(get_c_recursion_limit() + 1):
+        for i in range(get_c_recursion_limit() * 10):
             a = self.type2test([a])
         self.assertRaises(RecursionError, repr, a)
 
diff --git a/Lib/test/mapping_tests.py b/Lib/test/mapping_tests.py
@@ -625,7 +625,7 @@ def __repr__(self):
     @skip_emscripten_stack_overflow()
     def test_repr_deep(self):
         d = self._empty_mapping()
-        for i in range(get_c_recursion_limit() + 1):
+        for i in range(get_c_recursion_limit() * 5):
             d0 = d
             d = self._empty_mapping()
             d[1] = d0
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
@@ -2634,7 +2634,7 @@ def get_c_recursion_limit():
 
 def exceeds_recursion_limit():
     """For recursion tests, easily exceeds default recursion limit."""
-    return get_c_recursion_limit() * 3
+    return get_c_recursion_limit() * 20
 
 
 # Windows doesn't have os.uname() but it doesn't support s390x.
diff --git a/Lib/test/test_compile.py b/Lib/test/test_compile.py
@@ -712,11 +712,11 @@ def test_yet_more_evil_still_undecodable(self):
     @unittest.skipIf(support.is_wasi, "exhausts limited stack on WASI")
     @support.skip_emscripten_stack_overflow()
     def test_compiler_recursion_limit(self):
-        # Expected limit is Py_C_RECURSION_LIMIT
-        limit = get_c_recursion_limit()
-        fail_depth = limit + 1
-        crash_depth = limit * 100
-        success_depth = int(limit * 0.8)
+        # Compiler frames are small
+        limit = get_c_recursion_limit() * 3 // 2
+        fail_depth = limit * 10
+        crash_depth = limit * 50
+        success_depth = limit
 
         def check_limit(prefix, repeated, mode="single"):
             expect_ok = prefix + repeated * success_depth
diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py
@@ -597,7 +597,7 @@ def __repr__(self):
     @support.skip_emscripten_stack_overflow()
     def test_repr_deep(self):
         d = {}
-        for i in range(get_c_recursion_limit() + 1):
+        for i in range(get_c_recursion_limit() * 10):
             d = {1: d}
         self.assertRaises(RecursionError, repr, d)
 
diff --git a/Lib/test/test_dictviews.py b/Lib/test/test_dictviews.py
@@ -280,7 +280,7 @@ def test_recursive_repr(self):
     @skip_emscripten_stack_overflow()
     def test_deeply_nested_repr(self):
         d = {}
-        for i in range(get_c_recursion_limit()//2 + 100):
+        for i in range(get_c_recursion_limit() * 2):
             d = {42: d.values()}
         self.assertRaises(RecursionError, repr, d)
 
diff --git a/Lib/test/test_exception_group.py b/Lib/test/test_exception_group.py
@@ -460,7 +460,7 @@ def test_basics_split_by_predicate__match(self):
 class DeepRecursionInSplitAndSubgroup(unittest.TestCase):
     def make_deep_eg(self):
         e = TypeError(1)
-        for i in range(get_c_recursion_limit() + 1):
+        for i in range(get_c_recursion_limit() * 10):
             e = ExceptionGroup('eg', [e])
         return e
 
diff --git a/Modules/_testinternalcapi.c b/Modules/_testinternalcapi.c
@@ -115,7 +115,9 @@ static PyObject*
 get_c_recursion_remaining(PyObject *self, PyObject *Py_UNUSED(args))
 {
     PyThreadState *tstate = _PyThreadState_GET();
-    return PyLong_FromLong(tstate->c_recursion_remaining);
+    char here;
+    int remaining = (int)((&here - tstate->c_stack_soft_limit)/PYOS_STACK_MARGIN_BYTES * 50);
+    return PyLong_FromLong(remaining);
 }
 
 
diff --git a/Objects/object.c b/Objects/object.c
@@ -2899,18 +2899,6 @@ _PyTrash_thread_deposit_object(PyThreadState *tstate, PyObject *op)
 void
 _PyTrash_thread_destroy_chain(PyThreadState *tstate)
 {
-    /* We need to increase c_recursion_remaining here, otherwise,
-       _PyTrash_thread_destroy_chain will be called recursively
-       and then possibly crash.  An example that may crash without
-       increase:
-           N = 500000  # need to be large enough
-           ob = object()
-           tups = [(ob,) for i in range(N)]
-           for i in range(49):
-               tups = [(tup,) for tup in tups]
-           del tups
-    */
-    _Py_EnterRecursiveCallTstateUnchecked(tstate);
     while (tstate->delete_later) {
         PyObject *op = tstate->delete_later;
         destructor dealloc = Py_TYPE(op)->tp_dealloc;
@@ -2932,7 +2920,6 @@ _PyTrash_thread_destroy_chain(PyThreadState *tstate)
         _PyObject_ASSERT(op, Py_REFCNT(op) == 0);
         (*dealloc)(op);
     }
-    _Py_LeaveRecursiveCallTstate(tstate);
 }
 
 void _Py_NO_RETURN
diff --git a/Python/bytecodes.c b/Python/bytecodes.c
@@ -3980,7 +3980,6 @@ dummy_func(
             STAT_INC(CALL, hit);
             PyCFunction cfunc = PyCFunction_GET_FUNCTION(callable_o);
             _PyStackRef arg = args[0];
-            _Py_EnterRecursiveCallTstateUnchecked(tstate);
             PyObject *res_o = _PyCFunction_TrampolineCall(cfunc, PyCFunction_GET_SELF(callable_o), PyStackRef_AsPyObjectBorrow(arg));
             _Py_LeaveRecursiveCallTstate(tstate);
             assert((res_o != NULL) ^ (_PyErr_Occurred(tstate) != NULL));
@@ -4177,7 +4176,6 @@ dummy_func(
                                  method->d_common.d_type));
             STAT_INC(CALL, hit);
             PyCFunction cfunc = meth->ml_meth;
-            _Py_EnterRecursiveCallTstateUnchecked(tstate);
             PyObject *res_o = _PyCFunction_TrampolineCall(cfunc,
                                   PyStackRef_AsPyObjectBorrow(self_stackref),
                                   PyStackRef_AsPyObjectBorrow(arg_stackref));
@@ -4255,7 +4253,6 @@ dummy_func(
             EXIT_IF(_Py_ReachedRecursionLimit(tstate, 0));
             STAT_INC(CALL, hit);
             PyCFunction cfunc = meth->ml_meth;
-            _Py_EnterRecursiveCallTstateUnchecked(tstate);
             PyObject *res_o = _PyCFunction_TrampolineCall(cfunc, self, NULL);
             _Py_LeaveRecursiveCallTstate(tstate);
             assert((res_o != NULL) ^ (_PyErr_Occurred(tstate) != NULL));
diff --git a/Python/ceval.c b/Python/ceval.c
@@ -311,8 +311,8 @@ Py_ReachedRecursionLimit(PyThreadState *tstate, int margin_count)
 void
 _Py_EnterRecursiveCallUnchecked(PyThreadState *tstate)
 {
-    tstate->c_recursion_remaining--;
-    if (tstate->c_recursion_remaining < -50) {
+    char here;
+    if (&here < tstate->c_stack_hard_limit) {
         Py_FatalError("Unchecked stack overflow.");
     }
 }
@@ -328,31 +328,44 @@ Py_LeaveRecursiveCallTstate(PyThreadState *tstate)
 int
 _Py_CheckRecursiveCall(PyThreadState *tstate, const char *where)
 {
+    char here;
+    assert(tstate->c_stack_soft_limit != NULL);
+    if (tstate->c_stack_hard_limit == NULL) {
 #ifdef USE_STACKCHECK
-    if (PyOS_CheckStack()) {
-        ++tstate->c_recursion_remaining;
-        _PyErr_SetString(tstate, PyExc_MemoryError, "Stack overflow");
-        return -1;
-    }
+        assert(_PyOS_CheckStack(PYOS_STACK_MARGIN));
+        if (_PyOS_CheckStack(PYOS_STACK_MARGIN * 2) == 0) {
+            tstate->c_stack_soft_limit = &here - PYOS_STACK_MARGIN_BYTES;
+            return 0;
+        }
+        else {
+            assert(tstate->c_stack_soft_limit != (char*)UINTPTR_MAX);
+            tstate->c_stack_hard_limit = tstate->c_stack_soft_limit - PYOS_STACK_MARGIN_BYTES;
+        }F
+#else
+        assert(tstate->c_stack_soft_limit == (char*)UINTPTR_MAX);
+        tstate->c_stack_soft_limit = &here - Py_C_STACK_SIZE;
+        tstate->c_stack_hard_limit = &here - (Py_C_STACK_SIZE + PYOS_STACK_MARGIN_BYTES);
 #endif
+    }
+    if (&here >= tstate->c_stack_soft_limit) {
+        return 0;
+    }
+    assert(tstate->c_stack_hard_limit != NULL);
+    if (&here < tstate->c_stack_hard_limit) {
+        /* Overflowing while handling an overflow. Give up. */
+        Py_FatalError("Cannot recover from stack overflow.");
+    }
     if (tstate->recursion_headroom) {
-        if (tstate->c_recursion_remaining < -50) {
-            /* Overflowing while handling an overflow. Give up. */
-            Py_FatalError("Cannot recover from stack overflow.");
-        }
+        return 0;
     }
     else {
-        if (tstate->c_recursion_remaining <= 0) {
-            tstate->recursion_headroom++;
-            _PyErr_Format(tstate, PyExc_RecursionError,
-                        "maximum recursion depth exceeded%s",
-                        where);
-            tstate->recursion_headroom--;
-            ++tstate->c_recursion_remaining;
-            return -1;
-        }
+        tstate->recursion_headroom++;
+        _PyErr_Format(tstate, PyExc_RecursionError,
+                    "maximum recursion depth exceeded%s",
+                    where);
+        tstate->recursion_headroom--;
+        return -1;
     }
-    return 0;
 }
 
 
@@ -838,9 +851,6 @@ _PyEval_EvalFrameDefault(PyThreadState *tstate, _PyInterpreterFrame *frame, int
     frame->previous = &entry_frame;
     tstate->current_frame = frame;
 
-    // PyEval_EvalDefault is a big function, so count it twice
-    _Py_EnterRecursiveCallTstateUnchecked(tstate);
-
     /* support for generator.throw() */
     if (throwflag) {
         if (_Py_EnterRecursivePy(tstate)) {
@@ -1561,11 +1571,9 @@ clear_thread_frame(PyThreadState *tstate, _PyInterpreterFrame * frame)
     // _PyThreadState_PopFrame, since f_code is already cleared at that point:
     assert((PyObject **)frame + _PyFrame_GetCode(frame)->co_framesize ==
         tstate->datastack_top);
-    _Py_EnterRecursiveCallTstateUnchecked(tstate);
     assert(frame->frame_obj == NULL || frame->frame_obj->f_frame == frame);
     _PyFrame_ClearExceptCode(frame);
     PyStackRef_CLEAR(frame->f_executable);
-    _Py_LeaveRecursiveCallTstate(tstate);
     _PyThreadState_PopFrame(tstate, frame);
 }
 
@@ -1578,11 +1586,9 @@ clear_gen_frame(PyThreadState *tstate, _PyInterpreterFrame * frame)
     assert(tstate->exc_info == &gen->gi_exc_state);
     tstate->exc_info = gen->gi_exc_state.previous_item;
     gen->gi_exc_state.previous_item = NULL;
-    _Py_EnterRecursiveCallTstateUnchecked(tstate);
     assert(frame->frame_obj == NULL || frame->frame_obj->f_frame == frame);
     _PyFrame_ClearExceptCode(frame);
     _PyErr_ClearExcState(&gen->gi_exc_state);
-    _Py_LeaveRecursiveCallTstate(tstate);
     frame->previous = NULL;
 }
 
diff --git a/Python/executor_cases.c.h b/Python/executor_cases.c.h
diff --git a/Python/generated_cases.c.h b/Python/generated_cases.c.h
diff --git a/Python/pystate.c b/Python/pystate.c
diff --git a/Tools/cases_generator/analyzer.py b/Tools/cases_generator/analyzer.py
