Suspend Python threads before fork()

youknowone · youknowone · commit c7de8f092353 · 2026-03-06T10:21:46.000+09:00
Implement CPython-style stop-the-world for pre-fork thread suspension.

- Add per-thread state tracking (DETACHED/ATTACHED/SUSPENDED) in
  ThreadSlot, mirroring CPython's tstate-&gt;state.
- enter_vm() transitions DETACHED→ATTACHED (CAS, blocks if SUSPENDED);
  exiting transitions ATTACHED→DETACHED.
- StopTheWorldState (like _stoptheworld_state):
  - stop_the_world(): sets requested flag, CAS parks DETACHED threads,
    polls with 1ms condvar timeout for ATTACHED threads to self-suspend.
  - start_the_world(): sets all SUSPENDED→DETACHED, clears flag.
- check_signals() calls suspend_if_needed() which transitions
  ATTACHED→SUSPENDED and waits until released.
- os.fork() calls stop_the_world/start_the_world around libc::fork().
diff --git a/crates/common/src/lock.rs b/crates/common/src/lock.rs
@@ -68,43 +68,45 @@ pub type PyMappedRwLockWriteGuard<'a, T> = MappedRwLockWriteGuard<'a, RawRwLock,
 
 // can add fn const_{mutex,rw_lock}() if necessary, but we probably won't need to
 
-/// Reset a `PyMutex` to its initial (unlocked) state after `fork()`.
+/// Reset a lock to its initial (unlocked) state by zeroing its bytes.
 ///
-/// After `fork()`, locks held by dead parent threads would deadlock in the
-/// child. This writes `RawMutex::INIT` via the `Mutex::raw()` accessor,
-/// bypassing the normal unlock path which may interact with parking_lot's
-/// internal waiter queues.
+/// After `fork()`, any lock held by a now-dead thread would remain
+/// permanently locked. We zero the raw bytes (the unlocked state for all
+/// `parking_lot` raw lock types) instead of using the normal unlock path,
+/// which would interact with stale waiter queues.
 ///
 /// # Safety
 ///
 /// Must only be called from the single-threaded child process immediately
 /// after `fork()`, before any other thread is created.
-#[cfg(unix)]
-pub unsafe fn reinit_mutex_after_fork<T: ?Sized>(mutex: &PyMutex<T>) {
-    // Use Mutex::raw() to access the underlying lock without layout assumptions.
-    // parking_lot::RawMutex (AtomicU8) and RawCellMutex (Cell<bool>) both
-    // represent the unlocked state as all-zero bytes.
+/// The type `T` must represent the unlocked state as all-zero bytes
+/// (true for `parking_lot::RawMutex`, `RawRwLock`, `RawReentrantMutex`, etc.).
+pub unsafe fn zero_reinit_after_fork<T>(lock: *const T) {
     unsafe {
-        let raw = mutex.raw() as *const RawMutex as *mut u8;
-        core::ptr::write_bytes(raw, 0, core::mem::size_of::<RawMutex>());
+        core::ptr::write_bytes(lock as *mut u8, 0, core::mem::size_of::<T>());
     }
 }
 
-/// Reset a `PyRwLock` to its initial (unlocked) state after `fork()`.
+/// Reset a `PyMutex` after `fork()`. See [`zero_reinit_after_fork`].
+///
+/// # Safety
 ///
-/// Same rationale as [`reinit_mutex_after_fork`] — dead threads' read or
-/// write locks would cause permanent deadlock in the child.
+/// Must only be called from the single-threaded child process immediately
+/// after `fork()`, before any other thread is created.
+#[cfg(unix)]
+pub unsafe fn reinit_mutex_after_fork<T: ?Sized>(mutex: &PyMutex<T>) {
+    unsafe { zero_reinit_after_fork(mutex.raw()) }
+}
+
+/// Reset a `PyRwLock` after `fork()`. See [`zero_reinit_after_fork`].
 ///
 /// # Safety
 ///
 /// Must only be called from the single-threaded child process immediately
 /// after `fork()`, before any other thread is created.
 #[cfg(unix)]
 pub unsafe fn reinit_rwlock_after_fork<T: ?Sized>(rwlock: &PyRwLock<T>) {
-    unsafe {
-        let raw = rwlock.raw() as *const RawRwLock as *mut u8;
-        core::ptr::write_bytes(raw, 0, core::mem::size_of::<RawRwLock>());
-    }
+    unsafe { zero_reinit_after_fork(rwlock.raw()) }
 }
 
 /// Reset a `PyThreadMutex` to its initial (unlocked, unowned) state after `fork()`.
diff --git a/crates/vm/src/stdlib/imp.rs b/crates/vm/src/stdlib/imp.rs
@@ -47,12 +47,7 @@ mod lock {
     pub(crate) unsafe fn reinit_after_fork() {
         if IMP_LOCK.is_locked() && !IMP_LOCK.is_owned_by_current_thread() {
             // Held by a dead thread — reset to unlocked.
-            // Same pattern as RLock::_at_fork_reinit in thread.rs.
-            unsafe {
-                let old: &crossbeam_utils::atomic::AtomicCell<RawRMutex> =
-                    core::mem::transmute(&IMP_LOCK);
-                old.swap(RawRMutex::INIT);
-            }
+            unsafe { rustpython_common::lock::zero_reinit_after_fork(&IMP_LOCK) };
         }
     }
 }
diff --git a/crates/vm/src/stdlib/posix.rs b/crates/vm/src/stdlib/posix.rs
@@ -908,14 +908,22 @@ pub mod module {
     fn fork(vm: &VirtualMachine) -> i32 {
         warn_if_multi_threaded("fork", vm);
 
-        let pid: i32;
         py_os_before_fork(vm);
-        unsafe {
-            pid = libc::fork();
-        }
+
+        // Like CPython's PyOS_BeforeFork: stop all other Python threads
+        // so they are at safe points, not holding internal Rust/C locks.
+        #[cfg(feature = "threading")]
+        vm.state.stop_the_world.stop_the_world(vm);
+
+        let pid = unsafe { libc::fork() };
         if pid == 0 {
+            #[cfg(feature = "threading")]
+            vm.state.stop_the_world.reset_after_fork();
             py_os_after_fork_child(vm);
         } else {
+            // Like CPython's PyOS_AfterFork_Parent: resume all threads
+            #[cfg(feature = "threading")]
+            vm.state.stop_the_world.start_the_world(vm);
             py_os_after_fork_parent(vm);
         }
         pid
diff --git a/crates/vm/src/stdlib/thread.rs b/crates/vm/src/stdlib/thread.rs
@@ -23,7 +23,6 @@ pub(crate) mod _thread {
         sync::{Arc, Weak},
     };
     use core::{cell::RefCell, time::Duration};
-    use crossbeam_utils::atomic::AtomicCell;
     use parking_lot::{
         RawMutex, RawThreadId,
         lock_api::{RawMutex as RawMutexT, RawMutexTimed, RawReentrantMutex},
@@ -150,17 +149,12 @@ pub(crate) mod _thread {
             Ok(())
         }
 
+        #[cfg(unix)]
         #[pymethod]
         fn _at_fork_reinit(&self, _vm: &VirtualMachine) -> PyResult<()> {
-            // Reset the mutex to unlocked by directly writing the INIT value.
-            // Do NOT call unlock() here — after fork(), unlock_slow() would
-            // try to unpark stale waiters from dead parent threads.
-            let new_mut = RawMutex::INIT;
-            unsafe {
-                let old_mutex: &AtomicCell<RawMutex> = core::mem::transmute(&self.mu);
-                old_mutex.swap(new_mut);
-            }
-
+            // Overwrite lock state to unlocked. Do NOT call unlock() here —
+            // after fork(), unlock_slow() would try to unpark stale waiters.
+            unsafe { rustpython_common::lock::zero_reinit_after_fork(&self.mu) };
             Ok(())
         }
 
@@ -250,18 +244,13 @@ pub(crate) mod _thread {
             Ok(())
         }
 
+        #[cfg(unix)]
         #[pymethod]
         fn _at_fork_reinit(&self, _vm: &VirtualMachine) -> PyResult<()> {
-            // Reset the reentrant mutex to unlocked by directly writing INIT.
-            // Do NOT call unlock() — after fork(), the slow path would try
-            // to unpark stale waiters from dead parent threads.
+            // Overwrite lock state to unlocked. Do NOT call unlock() here —
+            // after fork(), unlock_slow() would try to unpark stale waiters.
             self.count.store(0, core::sync::atomic::Ordering::Relaxed);
-            let new_mut = RawRMutex::INIT;
-            unsafe {
-                let old_mutex: &AtomicCell<RawRMutex> = core::mem::transmute(&self.mu);
-                old_mutex.swap(new_mut);
-            }
-
+            unsafe { rustpython_common::lock::zero_reinit_after_fork(&self.mu) };
             Ok(())
         }
 
@@ -1021,10 +1010,7 @@ pub(crate) mod _thread {
     /// Reset a parking_lot::Mutex to unlocked state after fork.
     #[cfg(unix)]
     fn reinit_parking_lot_mutex<T: ?Sized>(mutex: &parking_lot::Mutex<T>) {
-        unsafe {
-            let raw = mutex.raw() as *const parking_lot::RawMutex as *mut u8;
-            core::ptr::write_bytes(raw, 0, core::mem::size_of::<parking_lot::RawMutex>());
-        }
+        unsafe { rustpython_common::lock::zero_reinit_after_fork(mutex.raw()) };
     }
 
     // Thread handle state enum
diff --git a/crates/vm/src/vm/interpreter.rs b/crates/vm/src/vm/interpreter.rs
@@ -1,3 +1,5 @@
+#[cfg(all(unix, feature = "threading"))]
+use super::StopTheWorldState;
 use super::{Context, PyConfig, PyGlobalState, VirtualMachine, setting::Settings, thread};
 use crate::{
     PyResult, builtins, common::rc::PyRc, frozen::FrozenModule, getpath, py_freeze, stdlib::atexit,
@@ -124,6 +126,8 @@ where
         monitoring: PyMutex::default(),
         monitoring_events: AtomicCell::new(0),
         instrumentation_version: AtomicU64::new(0),
+        #[cfg(all(unix, feature = "threading"))]
+        stop_the_world: StopTheWorldState::new(),
     });
 
     // Create VM with the global state
diff --git a/crates/vm/src/vm/mod.rs b/crates/vm/src/vm/mod.rs
@@ -125,6 +125,123 @@ struct ExceptionStack {
     stack: Vec<Option<PyBaseExceptionRef>>,
 }
 
+/// Stop-the-world state for fork safety. Before `fork()`, the requester
+/// stops all other Python threads so they are not holding internal locks.
+#[cfg(all(unix, feature = "threading"))]
+pub struct StopTheWorldState {
+    /// Fast-path flag checked in the bytecode loop (like `_PY_EVAL_PLEASE_STOP_BIT`)
+    pub(crate) requested: AtomicBool,
+    /// Ident of the thread that requested the stop (like `stw->requester`)
+    requester: AtomicU64,
+    /// Signaled by suspending threads when their state transitions to SUSPENDED
+    notify_mutex: std::sync::Mutex<()>,
+    notify_cv: std::sync::Condvar,
+}
+
+#[cfg(all(unix, feature = "threading"))]
+impl StopTheWorldState {
+    pub const fn new() -> Self {
+        Self {
+            requested: AtomicBool::new(false),
+            requester: AtomicU64::new(0),
+            notify_mutex: std::sync::Mutex::new(()),
+            notify_cv: std::sync::Condvar::new(),
+        }
+    }
+
+    /// Wake the stop-the-world requester (called by each thread that suspends).
+    pub(crate) fn notify_suspended(&self) {
+        // Just signal the condvar; the requester holds the mutex.
+        self.notify_cv.notify_one();
+    }
+
+    /// Try to CAS detached threads directly to SUSPENDED and check whether
+    /// all non-requester threads are now SUSPENDED.
+    /// Like CPython's `park_detached_threads`.
+    fn park_detached_threads(&self, vm: &VirtualMachine) -> bool {
+        use thread::{THREAD_ATTACHED, THREAD_DETACHED, THREAD_SUSPENDED};
+        let requester = self.requester.load(Ordering::Relaxed);
+        let registry = vm.state.thread_frames.lock();
+        let mut all_suspended = true;
+        for (&id, slot) in registry.iter() {
+            if id == requester {
+                continue;
+            }
+            let state = slot.state.load(Ordering::Relaxed);
+            if state == THREAD_DETACHED {
+                // CAS DETACHED → SUSPENDED (park without thread cooperation)
+                let _ = slot.state.compare_exchange(
+                    THREAD_DETACHED,
+                    THREAD_SUSPENDED,
+                    Ordering::AcqRel,
+                    Ordering::Relaxed,
+                );
+                all_suspended = false; // re-check on next poll
+            } else if state == THREAD_ATTACHED {
+                // Thread is in bytecode — it will see `requested` and self-suspend
+                all_suspended = false;
+            }
+            // THREAD_SUSPENDED → already parked
+        }
+        if all_suspended {
+            // Verify once more after dropping the lock
+            return true;
+        }
+        all_suspended
+    }
+
+    /// Stop all non-requester threads. Like CPython's `stop_the_world`.
+    ///
+    /// 1. Sets `requested`, marking the requester thread.
+    /// 2. CAS detached threads to SUSPENDED.
+    /// 3. Waits (polling with 1 ms condvar timeout) for attached threads
+    ///    to self-suspend in `check_signals`.
+    pub fn stop_the_world(&self, vm: &VirtualMachine) {
+        let requester_ident = crate::stdlib::thread::get_ident();
+        self.requester.store(requester_ident, Ordering::Relaxed);
+        self.requested.store(true, Ordering::Release);
+
+        let deadline = std::time::Instant::now() + std::time::Duration::from_millis(500);
+        loop {
+            if self.park_detached_threads(vm) {
+                break;
+            }
+            let remaining = deadline.saturating_duration_since(std::time::Instant::now());
+            if remaining.is_zero() {
+                break;
+            }
+            // Wait up to 1 ms for a thread to notify us it suspended
+            let wait = remaining.min(std::time::Duration::from_millis(1));
+            let guard = self.notify_mutex.lock().unwrap();
+            let _ = self.notify_cv.wait_timeout(guard, wait);
+        }
+    }
+
+    /// Resume all suspended threads. Like CPython's `start_the_world`.
+    pub fn start_the_world(&self, vm: &VirtualMachine) {
+        use thread::{THREAD_DETACHED, THREAD_SUSPENDED};
+        let requester = self.requester.load(Ordering::Relaxed);
+        let registry = vm.state.thread_frames.lock();
+        for (&id, slot) in registry.iter() {
+            if id == requester {
+                continue;
+            }
+            if slot.state.load(Ordering::Relaxed) == THREAD_SUSPENDED {
+                slot.state.store(THREAD_DETACHED, Ordering::Release);
+            }
+        }
+        drop(registry);
+        self.requested.store(false, Ordering::Release);
+        self.requester.store(0, Ordering::Relaxed);
+    }
+
+    /// Reset after fork in the child (only one thread alive).
+    pub fn reset_after_fork(&self) {
+        self.requested.store(false, Ordering::Relaxed);
+        self.requester.store(0, Ordering::Relaxed);
+    }
+}
+
 pub struct PyGlobalState {
     pub config: PyConfig,
     pub module_defs: BTreeMap<&'static str, &'static builtins::PyModuleDef>,
@@ -165,6 +282,9 @@ pub struct PyGlobalState {
     /// Incremented on every monitoring state change. Code objects compare their
     /// local version against this to decide whether re-instrumentation is needed.
     pub instrumentation_version: AtomicU64,
+    /// Stop-the-world state for pre-fork thread suspension
+    #[cfg(all(unix, feature = "threading"))]
+    pub stop_the_world: StopTheWorldState,
 }
 
 pub fn process_hash_secret_seed() -> u32 {
@@ -1482,6 +1602,10 @@ impl VirtualMachine {
             return Err(self.new_exception(self.ctx.exceptions.system_exit.to_owned(), vec![]));
         }
 
+        // Suspend this thread if stop-the-world is in progress
+        #[cfg(all(unix, feature = "threading"))]
+        thread::suspend_if_needed(&self.state.stop_the_world);
+
         #[cfg(not(target_arch = "wasm32"))]
         {
             crate::signal::check_signals(self)
diff --git a/crates/vm/src/vm/thread.rs b/crates/vm/src/vm/thread.rs

Original file line number	Diff line number	Diff line change
`@@ -47,12 +47,7 @@ mod lock {`
`47`	`47`	`pub(crate) unsafe fn reinit_after_fork() {`
`48`	`48`	`if IMP_LOCK.is_locked() && !IMP_LOCK.is_owned_by_current_thread() {`
`49`	`49`	`// Held by a dead thread — reset to unlocked.`
`50`		`- // Same pattern as RLock::_at_fork_reinit in thread.rs.`
`51`		`- unsafe {`
`52`		`- let old: &crossbeam_utils::atomic::AtomicCell<RawRMutex> =`
`53`		`- core::mem::transmute(&IMP_LOCK);`
`54`		`- old.swap(RawRMutex::INIT);`
`55`		`- }`
	`50`	`+ unsafe { rustpython_common::lock::zero_reinit_after_fork(&IMP_LOCK) };`
`56`	`51`	`}`
`57`	`52`	`}`
`58`	`53`	`}`