Documentation of the C API memory management, inline comments, rename UpdateRefNode

Author: steve-s

docs/contributor/IMPLEMENTATION_DETAILS.md

@@ -165,3 +165,120 @@ For embedders, it may be important to be able to interrupt Python threads by
 other means. We use the TruffleSafepoint mechanism to mark our threads waiting
 to acquire the GIL as blocked for the purpose of safepoints. The Truffle
 safepoint action mechanism can thus be used to kill threads waiting on the GIL.
+
+## C Extensions and Memory Management
+
+### High-level
+
+C extensions assume reference counting, but on the managed side we want to leverage
+Java tracing GC. This creates a mismatch. The approach is to combine the two.
+
+On the native side we use reference counting. The native code is responsible for doing
+the counting, i.e., calling the `Py_IncRef` and `Py_DecRef` API functions. Inside those
+functions we add special handling for the point when first reference from the native
+code is created and when the last reference from the native code is destroyed.
+
+On the managed side we rely on tracing GC, so managed references are not ref-counted.
+For the ref-counting scheme on the native side, we approximate all the managed references
+as a single reference, i.e., we increment the refcount when object is referenced from managed
+code, and using a `PhantomReference` and reference queue we decrement the refcount when
+there are no longer any managed references (but we do not clean the object as long as
+`refcount > 0`, because that means that there are still native references to it).
+
+### Details
+
+There are two kinds of Python objects in GraalPy: managed and native.
+
+#### Managed Objects
+
+Managed objects are allocated in the interpreter. If there is no native code involved,
+we do not do anything special and let the Java GC handle them. When a managed object
+leaks to native extension:
+
+* We wrap it in `PythonObjectNativeWrapper`. This is mostly in order to provide different
+interop protocol: we do not want to expose `toNative` and `asPointer` on Python objects.
+
+* When NFI or Sulong call `toNative`/`asPointer` we:
+    * Allocate C memory that will represent the object on the native side (including the refcount field)
+    * Add a mapping of that memory address to the `PythonObjectNativeWrapper` object to a hash map `CApiTransitions.nativeLookup`.
+    * We initialize the refcount field to a constant `MANAGED_REFCNT` (larger number, because some
+              extensions like to special case on some small refcount values)
+    * Create `PythonObjectReference`: a weak reference to the `PythonObjectNativeWrapper`,
+    when this reference is enqueued (i.e., no managed references exist), we decrement the refcount by
+    `MANAGED_REFCNT` and if the recount falls back to `0`, we deallocate the native memory of the object,
+    otherwise we need to wait for the native code to eventually call `Py_DecRef` and make it `0`.
+
+* When extension code wants to create a new reference, it will call `Py_IncRef`.
+In the C implementation of `Py_IncRef` we check if a managed object with
+`refcount==MANAGED_REFCNT` wants to increment its refcount. In such case, the native code is
+creating a first reference to the managed object, we must make sure to keep the object alive
+as long as there are some native references. We set a field `PythonObjectReference.strongReference`,
+which will keep the `PythonObjectNativeWrapper` alive even when all other managed references die.
+
+* When extension code is done with the object, it will call `Py_DecRef`.
+In the C implementation of `Py_DecRef` we check if a managed object with refcount==MANAGED_REFCNT+1
+wants to decrement its refcount to MANAGED_REFCNT, which means that there are no native references
+to that object anymore. In such case we clear the `PythonObjectReference.strongReference` field,
+and the memory management is then again left solely to the Java tracing GC.
+
+#### Native Objects
+
+Native objects are backed by native memory and may never leak to managed code. If they do not
+leak to managed code, they are reference counted as usual, where `Py_DecRef` call that reaches
+`0` will deallocate the object. If a native object does leak to managed code:
+
+* We increment the refcount of the native object by `MANAGED_REFCNT`
+* We create:
+  * `PythonAbstractNativeObject` Java object to represent it
+  * `NativeObjectReference`, a weak reference to the `PythonAbstractNativeObject`.
+* Save the mapping from the native object address to the `NativeObjectReference`
+object into hash map `CApiTransitions.nativeLookup` (next time this native object leaks to
+the managed code, we only fetch the existing wrapper and don't do any of this).
+* When `NativeObjectReference` is enqueued, we decrement the refcount by `MANAGED_REFCNT`
+and if it falls to `0`, it means that there are no references to the object even from
+native code, we can destroy it. If it does not fall to `0`, we just wait for the native
+code to eventually call `Py_DecRef` that makes it fall to `0`.
+
+### Cycle GC
+
+We leverage the CPython's GC module to detect cycles for objects that participate
+in the reference counting scheme (native objects or managed objects that leaked to native).
+See: https://devguide.python.org/internals/garbage-collector/index.html.
+
+There are two issues:
+
+* Objects that are referenced from the managed code have refcount >= `MANAGED_REFCNT` and
+until Java GC runs we do not know if they are garbage or not.
+* We cannot traverse the managed objects: since we don't do refcounting on the managed
+side, we cannot traverse them and decrement refcounts to see if there is a cycle.
+
+The high level solution is that when we see a "dead" cycle going through a managed object
+(i.e., cycle not referenced by any native object from the "outside" of the collected set),
+we fully replicate the object graphs (and the cycle) on the managed side (refcounts of native objects
+in the cycle, which were not referenced from managed yet, will get new `NativeObjectReference`
+created and refcount incremented by `MANAGED_REFCNT`). Managed objects already refer
+to the `PythonAbstractNativeObject` wrappers of the native objects (e.g., some Python container
+with managed storage), but we also make the native wrappers refer to whatever their referents
+are on the Java side (we use `tp_traverse` to find their referents).
+
+Then we make the managed objects in the cycle only weakly referenced on the Java side.
+One can think about this as pushing the baseline reference count when the
+object is eligible for being GC'ed and thus freed. Normally when the object has
+`refcount > MANAGED_REFCNT` we keep it alive with a strong reference assuming that
+there are some native references to it. In this case, we know that all the native
+references to that object are part of potentially dead cycle, and we do not
+count them into this limit. Let us call this limit *weak to strong limit*.
+
+After this, if the managed objects are garbage, eventually Java GC will collect them
+together with the whole cycle.
+
+If some of the managed objects are not garbage, and they leak back to native code,
+the native code can then access and resurrect the whole cycle. W.r.t. the refcounts
+integrity this is fine, because we did not alter the refcounts. The native references
+between the objects are still factored in their refcounts. What may seem like a problem
+is that we pushed the *weak to strong limit* for some objects. Such object may leak to
+native, get `Py_IncRef`'ed making it strong reference again. Since `Py_DecRef` is
+checking the same `MANAGED_REFCNT` limit for all objects, the subsequent `Py_DecRef`
+call for this object will not detect that the reference should be made weak again!
+However, this is OK, it only prolongs the collection: we will make it weak again in
+the next run of the cycle GC.

graalpython/com.oracle.graal.python.cext/src/gcmodule.c

@@ -457,7 +457,7 @@ validate_list(PyGC_Head *head, enum flagstates flags)
 static int
 visit_reachable(PyObject *op, PyGC_Head *reachable);
 
-/* A traversal callback for move_weak_candidates.
+/* A traversal callback for move_unreachable.
  *
  * This function is only used to traverse the referents of an object that was
  * moved from 'unreachable' to 'young' because it was made reachable due to a
@@ -729,7 +729,7 @@ visit_reachable(PyObject *op, PyGC_Head *reachable)
     // an untracked object.
     assert(UNTAG(gc)->_gc_next != 0);
 
-    const Py_ssize_t gc_refs_reset = is_managed(gc) ? MANAGED_REFCNT + 1 : 1;
+    const Py_ssize_t gc_refs_reset = is_managed(gc) ? MANAGED_REFCNT + 1 : 1; // GraalPy change
     if (UNTAG(gc)->_gc_next & NEXT_MASK_UNREACHABLE) {
         /* This had gc_refs = 0 when move_unreachable got
          * to it, but turns out it's reachable after all.
@@ -749,15 +749,18 @@ visit_reachable(PyObject *op, PyGC_Head *reachable)
         _PyGCHead_SET_PREV(next, prev);
 
         gc_list_append(gc, reachable);
-        gc_set_refs(gc, gc_refs_reset);
+        gc_set_refs(gc, gc_refs_reset); // GraalPy change: 1->gc_refs_reset
     }
-    else if (gc_refs == 0 || (gc_refs == MANAGED_REFCNT && is_managed(gc))) {
+    else if (gc_refs == 0 ||
+        // GraalPy change: the additional condition, managed objects with MANAGED_REFCNT
+        // may be still reachanble from managed, we must not declare them unreachable
+        (gc_refs == MANAGED_REFCNT && is_managed(gc))) {
         /* This is in move_unreachable's 'young' list, but
          * the traversal hasn't yet gotten to it.  All
          * we need to do is tell move_unreachable that it's
          * reachable.
          */
-        gc_set_refs(gc, gc_refs_reset);
+        gc_set_refs(gc, gc_refs_reset); // GraalPy change: 1->gc_refs_reset
     }
     /* Else there's nothing to do.
      * If gc_refs > 0, it must be in move_unreachable's 'young'
@@ -837,12 +840,12 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable,
                                       "refcount is too small");
             // NOTE: visit_reachable may change gc->_gc_next when
             // young->_gc_prev == gc.  Don't do gc = GC_NEXT(gc) before!
-            // GraalPy change
-            // CALL_TRAVERSE(traverse, op, visit_reachable, (void *)young);
             if (PyTruffle_PythonGC()) {
+                // GraalPy change: this branch, else branch is original CPython code
                 cycle.head = NULL;
                 cycle.n = 0;
                 assert (cycle.reachable == weak_candidates );
+                /* visit_collect_managed_referents is visit_reachable + capture the references into "cycle" */
                 CALL_TRAVERSE(traverse, op, visit_collect_managed_referents, (void *)&cycle);
 
                 /* replicate any native reference to managed objects to Java */
@@ -856,6 +859,9 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable,
 
             if (gc_refcnt == MANAGED_REFCNT && is_managed(gc) &&
                     Py_REFCNT(op) > MANAGED_REFCNT) {
+                // The refcount fell to MANAGED_REFCNT, we have a managed object that was
+                // part of a cycle and is no longer referenced from native space.
+
                 // Assertion is enough because if Python GC is disabled, we will
                 // never track managed objects.
                 assert (PyTruffle_PythonGC());

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/cext/PythonCextBuiltins.java

@@ -133,7 +133,7 @@
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.HandleContext;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.HandlePointerConverter;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.NativePtrToPythonWrapperNode;
-import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateRefNode;
+import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateStrongRefNode;
 import com.oracle.graal.python.builtins.objects.cext.common.CExtCommonNodes.CoerceNativePointerToLongNode;
 import com.oracle.graal.python.builtins.objects.cext.common.CExtCommonNodes.TransformExceptionToNativeNode;
 import com.oracle.graal.python.builtins.objects.cext.common.CExtCommonNodesFactory.TransformExceptionToNativeNodeGen;
@@ -1588,7 +1588,7 @@ static Object doNative(Object weakCandidates,
                         @Cached CStructAccess.ReadI64Node readI64Node,
                         @Cached CStructAccess.WriteLongNode writeLongNode,
                         @Cached NativePtrToPythonWrapperNode nativePtrToPythonWrapperNode,
-                        @Cached UpdateRefNode updateRefNode) {
+                        @Cached UpdateStrongRefNode updateRefNode) {
             // guaranteed by the guard
             assert PythonContext.get(inliningTarget).isNativeAccessAllowed();
             assert PythonContext.get(inliningTarget).getOption(PythonOptions.PythonGC);
@@ -1618,7 +1618,7 @@ static Object doNative(Object weakCandidates,
                     if (GC_LOGGER.isLoggable(Level.FINE)) {
                         GC_LOGGER.fine(PythonUtils.formatJString("Breaking reference cycle for %s", abstractObjectNativeWrapper.ref));
                     }
-                    updateRefNode.execute(inliningTarget, abstractObjectNativeWrapper, PythonAbstractObjectNativeWrapper.MANAGED_REFCNT);
+                    updateRefNode.clearStrongRef(inliningTarget, abstractObjectNativeWrapper);
                 }
 
                 // next = GC_NEXT(gc)

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/cext/PythonCextObjectBuiltins.java

@@ -92,7 +92,7 @@
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.NativeToPythonNode;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.PythonToNativeNode;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.ToPythonWrapperNode;
-import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateRefNode;
+import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateStrongRefNode;
 import com.oracle.graal.python.builtins.objects.cext.common.GetNextVaArgNode;
 import com.oracle.graal.python.builtins.objects.cext.structs.CFields;
 import com.oracle.graal.python.builtins.objects.cext.structs.CStructAccess;
@@ -165,7 +165,7 @@ abstract static class PyTruffle_NotifyRefCount extends CApiBinaryBuiltinNode {
         @Specialization
         static Object doGeneric(PythonAbstractObjectNativeWrapper wrapper, long refCount,
                         @Bind("this") Node inliningTarget,
-                        @Cached UpdateRefNode updateRefNode) {
+                        @Cached UpdateStrongRefNode updateRefNode) {
             assert CApiTransitions.readNativeRefCount(HandlePointerConverter.pointerToStub(wrapper.getNativePointer())) == refCount;
             // refcounting on an immortal object should be a NOP
             assert refCount != PythonAbstractObjectNativeWrapper.IMMORTAL_REFCNT;
@@ -180,7 +180,7 @@ abstract static class PyTruffle_BulkNotifyRefCount extends CApiBinaryBuiltinNode
         @Specialization
         static Object doGeneric(Object arrayPointer, int len,
                         @Bind("this") Node inliningTarget,
-                        @Cached UpdateRefNode updateRefNode,
+                        @Cached UpdateStrongRefNode updateRefNode,
                         @Cached CStructAccess.ReadPointerNode readPointerNode,
                         @Cached ToPythonWrapperNode toPythonWrapperNode) {
 

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CExtNodes.java

@@ -106,7 +106,7 @@
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.NativeToPythonTransferNode;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.PythonToNativeNode;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.ResolveHandleNode;
-import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateRefNode;
+import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitions.UpdateStrongRefNode;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitionsFactory.NativeToPythonNodeGen;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.CApiTransitionsFactory.PythonToNativeNodeGen;
 import com.oracle.graal.python.builtins.objects.cext.capi.transitions.GetNativeWrapperNode;
@@ -1189,7 +1189,7 @@ static void doDecref(Node inliningTarget, Object pointerObj,
                         @Cached(inline = false) CApiTransitions.ToPythonWrapperNode toPythonWrapperNode,
                         @Cached InlinedBranchProfile isWrapperProfile,
                         @Cached InlinedBranchProfile isNativeObject,
-                        @Cached UpdateRefNode updateRefNode,
+                        @Cached UpdateStrongRefNode updateRefNode,
                         @Cached(inline = false) CStructAccess.ReadI64Node readRefcount,
                         @Cached(inline = false) CStructAccess.WriteLongNode writeRefcount,
                         @Cached(inline = false) PCallCapiFunction callDealloc) {
@@ -1295,7 +1295,7 @@ public static Object executeUncached(Object pointerObject) {
         @Specialization
         static Object resolveLongCached(Node inliningTarget, long pointer,
                         @Exclusive @Cached ResolveHandleNode resolveHandleNode,
-                        @Exclusive @Cached UpdateRefNode updateRefNode) {
+                        @Exclusive @Cached UpdateStrongRefNode updateRefNode) {
             Object lookup = CApiTransitions.lookupNative(pointer);
             if (lookup != null) {
                 if (lookup instanceof PythonAbstractObjectNativeWrapper objectNativeWrapper) {
@@ -1313,7 +1313,7 @@ static Object resolveLongCached(Node inliningTarget, long pointer,
         static Object resolveGeneric(Node inliningTarget, Object pointerObject,
                         @CachedLibrary(limit = "3") InteropLibrary lib,
                         @Exclusive @Cached ResolveHandleNode resolveHandleNode,
-                        @Exclusive @Cached UpdateRefNode updateRefNode) {
+                        @Exclusive @Cached UpdateStrongRefNode updateRefNode) {
             if (lib.isPointer(pointerObject)) {
                 Object lookup;
                 long pointer;