Fix ext detection, HeapMethodDef ownership, WASM error

youknowone · youknowone · commit a2fe158a9734 · 2026-03-06T01:17:55.000+09:00
- Remove HAS_EXT gc_bits flag; detect ext from type flags
  using raw pointer reads to avoid Stacked Borrows violations
- Store HeapMethodDef owner in payload instead of dict hack
- Clear dict entries in gc_clear_raw to break cycles
- Add WASM error fallback when exception serialization fails
diff --git a/.cspell.dict/rust-more.txt b/.cspell.dict/rust-more.txt
@@ -6,6 +6,7 @@ bindgen
 bitand
 bitflags
 bitor
+bitvec
 bitxor
 bstr
 byteorder
@@ -58,6 +59,7 @@ powi
 prepended
 punct
 replacen
+retag
 rmatch
 rposition
 rsplitn
@@ -89,5 +91,3 @@ widestring
 winapi
 winresource
 winsock
-bitvec
-Bitvec
diff --git a/crates/vm/src/builtins/builtin_func.rs b/crates/vm/src/builtins/builtin_func.rs
@@ -16,6 +16,8 @@ pub struct PyNativeFunction {
     pub(crate) value: &'static PyMethodDef,
     pub(crate) zelf: Option<PyObjectRef>,
     pub(crate) module: Option<&'static PyStrInterned>, // None for bound method
+    /// Prevent HeapMethodDef from being freed while this function references it
+    pub(crate) _method_def_owner: Option<PyObjectRef>,
 }
 
 impl PyPayload for PyNativeFunction {
diff --git a/crates/vm/src/builtins/descriptor.rs b/crates/vm/src/builtins/descriptor.rs
@@ -37,6 +37,8 @@ pub struct PyMethodDescriptor {
     pub method: &'static PyMethodDef,
     // vectorcall: vector_call_func,
     pub objclass: &'static Py<PyType>, // TODO: move to tp_members
+    /// Prevent HeapMethodDef from being freed while this descriptor references it
+    pub(crate) _method_def_owner: Option<PyObjectRef>,
 }
 
 impl PyMethodDescriptor {
@@ -49,6 +51,7 @@ impl PyMethodDescriptor {
             },
             method,
             objclass: typ,
+            _method_def_owner: None,
         }
     }
 }
diff --git a/crates/vm/src/function/method.rs b/crates/vm/src/function/method.rs
@@ -123,6 +123,7 @@ impl PyMethodDef {
             zelf: None,
             value: self,
             module: None,
+            _method_def_owner: None,
         }
     }
 
@@ -144,6 +145,7 @@ impl PyMethodDef {
                 zelf: Some(obj),
                 value: self,
                 module: None,
+                _method_def_owner: None,
             },
             class,
         }
@@ -162,6 +164,7 @@ impl PyMethodDef {
             zelf: Some(obj),
             value: self,
             module: None,
+            _method_def_owner: None,
         };
         PyRef::new_ref(
             function,
@@ -217,6 +220,7 @@ impl PyMethodDef {
             zelf: Some(class.to_owned().into()),
             value: self,
             module: None,
+            _method_def_owner: None,
         };
         PyNativeMethod { func, class }.into_ref(ctx)
     }
@@ -293,14 +297,12 @@ impl Py<HeapMethodDef> {
     }
 
     pub fn build_function(&self, vm: &VirtualMachine) -> PyRef<PyNativeFunction> {
-        let function = unsafe { self.method() }.to_function();
-        let dict = vm.ctx.new_dict();
-        dict.set_item("__method_def__", self.to_owned().into(), vm)
-            .unwrap();
+        let mut function = unsafe { self.method() }.to_function();
+        function._method_def_owner = Some(self.to_owned().into());
         PyRef::new_ref(
             function,
             vm.ctx.types.builtin_function_or_method_type.to_owned(),
-            Some(dict),
+            None,
         )
     }
 
@@ -309,14 +311,12 @@ impl Py<HeapMethodDef> {
         class: &'static Py<PyType>,
         vm: &VirtualMachine,
     ) -> PyRef<PyMethodDescriptor> {
-        let function = unsafe { self.method() }.to_method(class, &vm.ctx);
-        let dict = vm.ctx.new_dict();
-        dict.set_item("__method_def__", self.to_owned().into(), vm)
-            .unwrap();
+        let mut function = unsafe { self.method() }.to_method(class, &vm.ctx);
+        function._method_def_owner = Some(self.to_owned().into());
         PyRef::new_ref(
             function,
             vm.ctx.types.method_descriptor_type.to_owned(),
-            Some(dict),
+            None,
         )
     }
 }
diff --git a/crates/vm/src/object/core.rs b/crates/vm/src/object/core.rs
@@ -17,7 +17,7 @@ use super::{
 };
 use crate::object::traverse_object::PyObjVTable;
 use crate::{
-    builtins::{PyDictRef, PyType, PyTypeRef},
+    builtins::{PyDict, PyDictRef, PyType, PyTypeRef},
     common::{
         atomic::{Ordering, PyAtomic, Radium},
         linked_list::{Link, Pointers},
@@ -257,8 +257,6 @@ bitflags::bitflags! {
         const SHARED_INLINE = 1 << 5;
         /// Use deferred reference counting
         const DEFERRED = 1 << 6;
-        /// Object has ObjExt prefix allocation
-        const HAS_EXT = 1 << 7;
     }
 }
 
@@ -356,11 +354,20 @@ pub(super) struct PyInner<T> {
 pub(crate) const SIZEOF_PYOBJECT_HEAD: usize = core::mem::size_of::<PyInner<()>>();
 
 impl<T> PyInner<T> {
-    /// Check if this object has an ObjExt prefix.
-    /// Uses the per-instance HAS_EXT bit in gc_bits, set at allocation time.
+    /// Check if this object has an ObjExt prefix based on type flags.
+    /// Uses raw pointer reads to avoid Stacked Borrows violations during bootstrap,
+    /// where type objects have self-referential typ pointers that may be mutated.
     #[inline(always)]
     fn has_ext(&self) -> bool {
-        GcBits::from_bits_retain(self.gc_bits.load(Ordering::Relaxed)).contains(GcBits::HAS_EXT)
+        // Read slots via raw pointers only — creating a &Py<PyType> reference
+        // would retag the entire object, conflicting with &mut writes during bootstrap.
+        let typ_ptr = self.typ.load_raw();
+        let slots = unsafe { core::ptr::addr_of!((*typ_ptr).0.payload.slots) };
+        let flags = unsafe { core::ptr::addr_of!((*slots).flags).read() };
+        let member_count = unsafe { core::ptr::addr_of!((*slots).member_count).read() };
+        flags.has_feature(crate::types::PyTypeFlags::HAS_DICT)
+            || flags.has_feature(crate::types::PyTypeFlags::HAS_WEAKREF)
+            || member_count > 0
     }
 
     /// Access the ObjExt prefix at a negative offset from this PyInner.
@@ -943,16 +950,20 @@ impl<T: PyPayload + core::fmt::Debug> PyInner<T> {
     /// For objects with ext, the allocation layout is: [ObjExt][PyInner<T>]
     fn new(payload: T, typ: PyTypeRef, dict: Option<PyDictRef>) -> *mut Self {
         let member_count = typ.slots.member_count;
-        let needs_ext = dict.is_some()
-            || typ
-                .slots
-                .flags
-                .has_feature(crate::types::PyTypeFlags::HAS_DICT)
+        let needs_ext = typ
+            .slots
+            .flags
+            .has_feature(crate::types::PyTypeFlags::HAS_DICT)
             || typ
                 .slots
                 .flags
                 .has_feature(crate::types::PyTypeFlags::HAS_WEAKREF)
             || member_count > 0;
+        debug_assert!(
+            needs_ext || dict.is_none(),
+            "dict passed to type '{}' without HAS_DICT flag",
+            typ.name()
+        );
 
         if needs_ext {
             let ext_layout = core::alloc::Layout::new::<ObjExt>();
@@ -975,7 +986,7 @@ impl<T: PyPayload + core::fmt::Debug> PyInner<T> {
                 inner_ptr.write(Self {
                     ref_count: RefCount::new(),
                     vtable: PyObjVTable::of::<T>(),
-                    gc_bits: Radium::new(GcBits::HAS_EXT.bits()),
+                    gc_bits: Radium::new(0),
                     gc_generation: Radium::new(GC_UNTRACKED),
                     gc_pointers: Pointers::new(),
                     typ: PyAtomicRef::from(typ),
@@ -1660,6 +1671,8 @@ impl PyObject {
         if let Some(ext) = obj.0.ext_ref() {
             if let Some(dict) = ext.dict.as_ref() {
                 let dict_ref = dict.get();
+                // Clear dict entries to break cycles, then collect the dict itself
+                PyDict::clear(&dict_ref);
                 result.push(dict_ref.into());
             }
             for slot in ext.slots.iter() {
@@ -2330,7 +2343,7 @@ pub(crate) fn init_type_hierarchy() -> (PyTypeRef, PyTypeRef, PyTypeRef) {
                 PyInner::<PyType> {
                     ref_count: RefCount::new(),
                     vtable: PyObjVTable::of::<PyType>(),
-                    gc_bits: Radium::new(GcBits::HAS_EXT.bits()),
+                    gc_bits: Radium::new(0),
                     gc_generation: Radium::new(GC_UNTRACKED),
                     gc_pointers: Pointers::new(),
                     payload: type_payload,
@@ -2345,7 +2358,7 @@ pub(crate) fn init_type_hierarchy() -> (PyTypeRef, PyTypeRef, PyTypeRef) {
                 PyInner::<PyType> {
                     ref_count: RefCount::new(),
                     vtable: PyObjVTable::of::<PyType>(),
-                    gc_bits: Radium::new(GcBits::HAS_EXT.bits()),
+                    gc_bits: Radium::new(0),
                     gc_generation: Radium::new(GC_UNTRACKED),
                     gc_pointers: Pointers::new(),
                     payload: object_payload,
diff --git a/crates/vm/src/object/ext.rs b/crates/vm/src/object/ext.rs
@@ -315,6 +315,14 @@ impl<T: PyPayload> Deref for PyAtomicRef<T> {
 }
 
 impl<T: PyPayload> PyAtomicRef<T> {
+    /// Load the raw pointer without creating a reference.
+    /// Avoids Stacked Borrows retag, safe for use during bootstrap
+    /// when type objects have self-referential pointers being mutated.
+    #[inline(always)]
+    pub(super) fn load_raw(&self) -> *const Py<T> {
+        self.inner.load(Ordering::Relaxed).cast::<Py<T>>()
+    }
+
     /// # Safety
     /// The caller is responsible to keep the returned PyRef alive
     /// until no more reference can be used via PyAtomicRef::deref()
diff --git a/crates/wasm/src/convert.rs b/crates/wasm/src/convert.rs
@@ -49,7 +49,15 @@ pub fn py_err_to_js_err(vm: &VirtualMachine, py_err: &Py<PyBaseException>) -> Js
                 serde_wasm_bindgen::to_value(&exceptions::SerializeException::new(vm, py_err));
             match res {
                 Ok(err_info) => PyError::new(err_info).into(),
-                Err(e) => e.into(),
+                Err(_) => {
+                    // Fallback: create a basic JS Error with the exception type and message
+                    let exc_type = py_err.class().name().to_string();
+                    let msg = match py_err.as_object().str(vm) {
+                        Ok(s) => format!("{exc_type}: {s}"),
+                        Err(_) => exc_type,
+                    };
+                    js_sys::Error::new(&msg).into()
+                }
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ pub struct PyNativeFunction {`
`16`	`16`	`pub(crate) value: &'static PyMethodDef,`
`17`	`17`	`pub(crate) zelf: Option<PyObjectRef>,`
`18`	`18`	`pub(crate) module: Option<&'static PyStrInterned>, // None for bound method`
	`19`	`+ /// Prevent HeapMethodDef from being freed while this function references it`
	`20`	`+ pub(crate) _method_def_owner: Option<PyObjectRef>,`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`impl PyPayload for PyNativeFunction {`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ pub struct PyMethodDescriptor {`
`37`	`37`	`pub method: &'static PyMethodDef,`
`38`	`38`	`// vectorcall: vector_call_func,`
`39`	`39`	`pub objclass: &'static Py<PyType>, // TODO: move to tp_members`
	`40`	`+ /// Prevent HeapMethodDef from being freed while this descriptor references it`
	`41`	`+ pub(crate) _method_def_owner: Option<PyObjectRef>,`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`impl PyMethodDescriptor {`
`@@ -49,6 +51,7 @@ impl PyMethodDescriptor {`
`49`	`51`	`},`
`50`	`52`	`method,`
`51`	`53`	`objclass: typ,`
	`54`	`+ _method_def_owner: None,`
`52`	`55`	`}`
`53`	`56`	`}`
`54`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,15 @@ pub fn py_err_to_js_err(vm: &VirtualMachine, py_err: &Py<PyBaseException>) -> Js`
`49`	`49`	`serde_wasm_bindgen::to_value(&exceptions::SerializeException::new(vm, py_err));`
`50`	`50`	`match res {`
`51`	`51`	`Ok(err_info) => PyError::new(err_info).into(),`
`52`		`- Err(e) => e.into(),`
	`52`	`+ Err(_) => {`
	`53`	`+ // Fallback: create a basic JS Error with the exception type and message`
	`54`	`+ let exc_type = py_err.class().name().to_string();`
	`55`	`+ let msg = match py_err.as_object().str(vm) {`
	`56`	`+ Ok(s) => format!("{exc_type}: {s}"),`
	`57`	`+ Err(_) => exc_type,`
	`58`	`+ };`
	`59`	`+ js_sys::Error::new(&msg).into()`
	`60`	`+ }`
`53`	`61`	`}`
`54`	`62`	`}`
`55`	`63`	`}`