Hello,
Several people asked me to put the long-term effort re. PEPs 489 and 573 in words, so I've written a document that I'd like to submit as an informational PEP and/or a HOWTO.
A rendered version is available at: https://hackmd.io/@encukou/module-state It's in Markdown: I've gotten so used to MD that translating to ReST once sounds easier than drafting in ReST. If you have a HackMD account and would like to co-author or fix typos directly, I can give you access.
Isolating Extension Modules
Abstract
Traditionally, state of Python extension modules was kept in C static
variables, which have process-wide scope.
This document describes problems of such per-process state, and efforts
to make per-module state, a better default, possible and easy to use.
The document also describes how to switch to per-module state where possible. The switch involves allocating space for that state, switching from static types to heap types, and—perhaps most importantly—accessing per-module state from code.
About this document
This document does not introduce any changes: those should be done in their own PEPs (or issues, if small enough). Rather, it covers the motivation behind an effort that spans multiple releases.
Once support is reasonably complete, the text can be moved to a HOWTO in the documentation. Meanwhile, in the spirit of documentation-driven development, gaps in the text show where to focus the effort.
Whenever the document mentions *extension modules*, the advice also applies to *built-in* modules, such as the C parts of the standard library. The standard library is expected to switch to per-module state early.
PEPs related to this effort are:
- PEP 384 -- *Defining a Stable ABI*, which added C API for creating heap types
- PEP 489 -- *Multi-phase extension module initialization*
- PEP 573 -- *Module State Access from C Extension Methods*
This document is concerned with Python's public C API. Nothing is specific to CPython.
Motivation
An *interpreter* is the context in which Python code runs. It contains configuration (e.g. the import path) and runtime state (e.g. the set of imported modules).
Python supports running multiple interpreters in one process. There are two cases to think about. Users may run interpreters:
- in sequence, with several
Py_InitializeEx/Py_FinalizeExcycles, and - in parallel, managing “sub-interpreters” using
Py_NewInterpreter/Py_EndInterpreter.
Both cases (and combinations of them) would be most useful when embedding Python within a library. Libraries generally shouldn't make assumptions about the application that uses them, which includes assumptions about a process-wide “main Python interpreter”.
Currently, CPython doesn't handle this use case well.
Many extension modules (and even some stdlib modules) use *per-process*
global state, because C static variables are extremely easy to use.
Thus, data that should be specific to an interpreter ends up being
shared between interpreters.
Unless the extension developer is careful, it is very easy to introduce
edge cases that lead to crashes when a module is loaded in more than one
interpreter.
Unfortunately, *per-interpreter* state is not easy to achieve: extension authors tend to not keep multiple interpreters in mind when developing, and it is currently cumbersome to test the behavior.
Rationale for Per-module State
Instead of focusing on per-interpreter state, Python's C API is evolving to better support the more granular *per-module* state. By default, C-level data will be attached to a *module object*. Each interpreter will then create its own module object, keeping data separate. For testing the isolation, multiple module objects can even be loaded in a single interpreter.
Per-module state provides an easy way to think about lifetime and
resource ownership: the extension module author will set up when a
module object is created, and clean up when it's freed.
In this regard, a module is just like any other PyObject *; there are
no “on interpreter shutdown” hooks to think about (or forget about).
### Easy-to-use Module State as a Goal
It is currently cumbersome or impossible to do everything the C API offers while keeping modules isolated. Enabled by PEP 384, changes in PEPs 489 and 573 (and future planned ones) aim to first make it *possible* to build modules this way, and then to make it *easy* to write new modules this way and to convert old ones, so that it can become a natural default.
Even if per-module state becomes the default, there will be use cases for different levels of encapsulation: per-process, per-interpreter, per-thread or per-task state. The goal is to treat these as exceptional cases: extension authors will need to think more carefully about them.
### Non-goals: Speedups and the GIL
There is some effort to speed up CPython by making the GIL per-interpreter. While isolating interpreters helps that effort, defaulting to per-module state will be beneficial even if no speed-up is achieved.
How to make modules safe with multiple interpreters
There are many ways to correctly support multiple interpreters in extension modules. The rest of this text describes the preferred way to write such a module, or convert an existing module.
Note that support is a work in progress; the API for some features your module needs might not yet be ready.
A full example module is (XXX currently available in a fork on GitHub; later it should be in the CPython source tree).
### Isolated Module Objects
The key point to keep in mind when developing an extension module is that several module objects can be created from a single shared library. For example:
>>> import sys
>>> import binascii
>>> old_binascii = binascii
>>> del sys.modules['binascii']
>>> import binascii # create a new module object
>>> old_binascii == binascii
False
As a rule of thumb, the two modules should be completely independent. All objects and state specific to the module should be encapsulated within the module object, not shared with other module objects, and cleaned up when the module object is deallocated. Exceptions are possible (see “Managing global state” below) but they will need more thought and attention to edge cases than code that follows this rule of thumb.
While some modules could do with less stringent restrictions, isolated modules make it easier to set clear expectations (and guidelines) that work across a variety of use cases.
### Surprising Edge Cases
Note that isolated modules do create some surprising edge cases.
Most notably, each module object will typically not share its classes
and exceptions with other similar modules.
Continuing from the example above, note that old_binascii.Error and
binascii.Error are separate objects.
In the following code, the exception is *not* caught:
>>> old_binascii.Error == binascii.Error
False
>>> try:
... old_binascii.unhexlify(b'qwertyuiop')
... except binascii.Error:
... print('boo')
...
Traceback (most recent call last):
File "<stdin>", line 2, in <module>
binascii.Error: Non-hexadecimal digit found
This is expected. Notice that pure-Python modules behave the same way: it is a part of how Python works.
The goal is to make extension modules safe at the C level, not to make
hacks (like mutating sys.modules or sharing objects across
interpreters) behave intuitively.
### Managing Global State
Sometimes, state of a Python module is not specific to that module, but to the entire process (or something else “more global” than a module). For example:
- The
readlinemodule provides access to *the* terminal. - A module running on a circuit board wants to control *the* on-board LED.
In these cases, the Python module should provide *access* to the global state, rather than *own* it. If possible, write the module so that multiple copies of it can access the state independently (along with other libraries, whether for Python or other languages).
If that is not possible, consider explicit locking.
If it is necessary to use process-global state, the simplest way to avoid issues with multiple interpreters is to explicitly prevent a module from being loaded more than once per process—see “An Opt-Out Method” below.
### Managing Per-module state
To use per-module state, use multi-phase extension module initialization introduced in PEP 489. This signals that your module supports multiple interpreters correctly.
Set PyModuleDef.m_size to a positive number to request that many bytes
of storage local to the module.
Usually, this will be set to the size of some module-specific struct,
which can store all of the module's C-level state.
In particular, it is where you should put pointers to classes (including
exceptions) and settings (e.g. csv.field_size_limit) which the C code
needs to function.
[Note] Another option is to store state in the module's
__dict__, but you must avoid crashing when users modify__dict__from Python code. This means error- and type-checking at the C level, which is easy to get wrong and hard to test sufficiently.
If the module state includes PyObject pointers, the module object must
hold references to those objects and implement module-level hooks
m_traverse, m_clear, m_free.
These work like tp_traverse, tp_clear, tp_free of a class.
Adding them will require some work and make the code longer; this is the
price for modules which can be unloaded cleanly.
An example of a module with per-module state is (XXX currently available in a fork on GitHub; later it should be in the CPython source tree), with module initialization is at the bottom of the file.
### Opt-Out: Limiting to One Module Object per Process
A non-negative PyModuleDef.m_size signals that a module supports
multiple interpreters correctly.
If this is not yet the case for your module, you can explicitly make
your module loadable only once per process.
Raising an exception is better than mysteriously crashing in C code!
For example:
static int loaded = 0;
static int
exec_module(PyObject* module)
{
if (loaded) {
PyErr_SetString(PyExc_ImportError,
"cannot load module more than once per process");
return -1;
}
loaded = 1;
... // rest of initialization
}
When your module becomes ready, you can remove this check.
### Module state access from functions
Accessing the state from module-level functions is straightforward.
Functions get the module object as their first argument; for extracting
the state there is PyModule_GetState:
static PyObject *
func(PyObject *module, PyObject *args)
{
my_struct *state = (my_struct*)PyModule_GetState(module);
if (state == NULL) {
return NULL;
}
... // rest of logic
}
(Note that PyModule_GetState may return NULL without seting an
exception if there is no module state, i.e. PyModuleDef.m_size was
zero. In your own module, you're in control of m_size, so this is easy
to prevent.)
### Heap types
Traditionally, types defined in C code were static, that is, static PyTypeObject structures defined directly in code and initialized using
PyType_Ready().
Such types are necessarily shared across the process.
Sharing them between module objects requires paying attention to any
state they own or access. To limit the possible issues, static types are
immutable at the Python level: for example, you can't set
str.myattribute = 123.
[Note] Sharing truly immutable objects between interpreters is fine, as long as they don't provide access to mutable objects. But, every Python object has a mutable implementation detail: the reference count. Changes to the refcount are guarded by the GIL. Thus, code that shares any Python objects across interpreters implicitly depends on CPython's current, process-wide GIL.
An alternative to static types is *heap-allocated types*, or heap types
for short.
These correspond more closely to classes created by Python’s class
statement.
Heap types can be created by filling a PyType_Spec structure, a
description or “blueprint” of a class, and calling
PyType_FromModuleAndSpec() to construct a new class object.
[note] Other functions, like
PyType_FromSpec(), can also create heap types, butPyType_FromModuleAndSpec()associates the module with the class, granting access to the module state to methods.
The class should generally be stored in *both* the module state (for
safe access from C) and the module's __dict__ (for access from Python
code).
### Module State Access from Classes
If you have a type object defined with PyType_FromModuleAndSpec(),
call PyType_GetModule to get the associated module, then
PyModule_GetState to get the module's state.
These steps can be combined with PyType_GetModuleState to save typing
some tedious error-handling boilerplate:
my_struct *state = (my_struct*)PyType_GetModuleState(type);
if (state === NULL) {
return NULL;
}
### Module State Access from Regular Methods
Accessing the module-level state from methods of a class is somewhat more complicated, but possible thanks to changes introduced in PEP 573. To get the state, you need to first get the *defining class*, and then get the module state from it.
The largest roadblock is getting *the class a method was defined in*, or that method's “defining class” for short. The defining class can have a reference to the module it is part of.
It is important to not confuse the defining class with Py_TYPE(self).
If the method is called on a *subclass* of your type, Py_TYPE(self)
will refer to that subclass, which may be defined in different module
than yours.
In the following Python example, the defining class of the method
Base.get_defining_class is Base, even if type(self) == Sub:
class Base:
def get_defining_class(self):
return __class__
class Sub(Base):
pass
To get its “defining class”, a method must use the METH_METHOD | METH_FASTCALL | METH_KEYWORDS calling
convention
and the corresponding PyCMethod
signature:
PyObject *PyCMethod(
PyObject *self, // object the method was called on
PyTypeObject *defining_class, // defining class
PyObject *const *args, // C array of arguments
Py_ssize_t nargs, // length of "args"
PyObject *kwnames) // NULL, or dict of keyword arguments
Once you have the defining class, call PyType_GetModuleState to get
the state of its associated module.
For example:
static PyObject *
example_method(PyObject *self,
PyTypeObject *defining_class,
PyObject *const *args,
Py_ssize_t nargs,
PyObject *kwnames)
{
my_struct *state = (my_struct*)PyType_GetModuleState(defining_class);
if (state === NULL) {
return NULL;
}
... // rest of logic
}
PyDoc_STRVAR(example_method_doc, "...");
static PyMethodDef my_methods[] = {
{"example_method",
(PyCFunction)(void(*)(void))example_method,
METH_METHOD|METH_FASTCALL|METH_KEYWORDS,
example_method_doc}
{NULL},
}
Open Issues
Several issues around per-module state and heap types are still open.
Discussions about improving the situation are best held on the capi-sig mailing list.
### Module State Access from Slot Methods, Getters and Setters
Currently (as of Python 3.9), there is no API to access the module state from:
- slot methods (meaning type slots, such as
tp_new,nb_addortp_iternext) - getters and setters defined with
tp_getset
Type Checking
Currently (as of Python 3.9), there is no good API to write Py*_Check
functions (like PyUnicode_Check exists for str, a static type) for
heap types.
This check ensures whether instances have a particular C layout.
### Metaclasses
Currently (as of Python 3.9), there is no good API to specify the
*metaclass* of a heap type, that is, the ob_type field of the type object.
### Per-Class scope
It is also not possible to attach state to *types*.
While PyHeapTypeObject is a variable-size object (PyVarObject), but
its variable-size storage is currently consumed by slots.
There will also be issues if several classes in an inheritance hierarchy
need state.
Copyright
This document is placed in the public domain or under the CC0-1.0-Universal license, whichever is more permissive.
.. Local Variables: mode: indented-text indent-tabs-mode: nil sentence-end-double-space: t fill-column: 70 coding: utf-8 End: