Preventing one of many independent Python objects from decrefing to 0 and destroying the C pointer upon which the other Python objects depend

Question

I'm working with a legacy C library that I've wrapped with a Python C Extension. The C library has a recursive data structure Foo with an API similar to below:

Foo *Foo_create(void)  /* Create new Foo memory */

int Foo_push(Foo *parent, int field, Foo *child)  /* Add a child Foo to a parent Foo */

int Foo_destroy(Foo *foo) /* Framework will free all children, caller cannot reuse children after */

Foo *Foo_pop(Foo *parent, int field) /* User responsible for calling Foo_destroy on popped field */

I have a PyFoo struct that wraps Foo, something like:

typedef struct {
    PyObject_HEAD
    Foo *foo;
    PyObject *parent;
} PyFoo;

As well as other functions that wrap the Foo_* functions and incref/decref appropriately.

The problem I have come across is that it's possible for two independent PyFoo objects, with independent refcounts, to point to the same Foo *. If one of the PyFoo objects goes out of scope, it will call Foo_destroy, but the user may access the second PyFoo object and cause a segmentation fault.

I'm trying to prevent the user of my library from doing the following in Python:

parent = Foo()     # Foo_create();  parent's refcount is 1
a = Foo()          # Foo_create();  a's refcount is 1
parent[1] = a      # Foo_push(parent, 1, a); parent's refcount is 2; a's refcount is 1

b = parent.pop(1)  # Foo_pop(parent, 1); 
# parent's refcount is 1; a's refcount is 1; b's refcount is 1
# a and b's are now independent PyFoo objects with reference count = 1
# HOWEVER both of the *foo pointers point to the same memory

# Delete a, dropping reference count to 0, which calls Foo_destroy
del a              # parents refcount is 1; a's refcount is 0; b's refcount is 1

# Access b, which may segfault, since Foo_destroy was called in the last call.
print(b)

In other words, a and b both point to the same Foo memory. However, they are independent Python objects, with independent refcounts. Once a goes out of scope, it will destroy the memory that b points to. Accessing b will probably segfault.

This seems like this would be a common problem in writing Python Extensions.

I suppose what I want is some way to base the reference counting on the Foo pointer. For example, a and b should actually have the same identity in the above example. Or perhaps what I need is some data structure that counts the number of PyFoos that share the same Foo pointer, and Foo_destroy is only called when the the count for the Foo pointer drops to 0.

What is the idiomatic way to solve this problem?

---

Here is the corresponding scenario in C:

Foo *parent = Foo_create();
Foo *a = Foo_create();
Foo_push(parent, 1, a);
Foo *b = Foo_pop(parent, 1);
/* a and b both point to same memory */
Foo_destroy(a);
/* better not access b after this */
a = NULL;
b = NULL;

Answer 1

I suspect you don't have the information to "automatically" use the same PyFoo object, and you may well end up duplicating most of your internal Foo structure within PyFoo if you were to try to store it.

One fairly simple option that occurs to me is to have an internal dict mapping Foo* to a PyFoo object. Therefore you only create a new PyFoo if needed, but otherwise re-use the existing object. Obviously Foo* isn't a Python object so can't be stored directly in a dict, but you can store it as an integer easily enough using PyLong_FromVoidPtr. Use a WeakValueDictionary to hold the PyFoos so you don't keep them alive just by virtue of being in the dictionary.

An outline of your wrapping of Foo_pop would look a bit like:

PyObject* PyFoo_pop(args...) {
    Foo* popped = Foo_pop(args...);
    PyObject* pf = PyObject_GetItem(internal_dictionary_of_pyfoos,
                                  PyLong_FromVoidPtr(popped));
    if (pf == NULL) {
       pf = create_a_new_PyFoo(popped);
    }
    return pf;
}

create_a_new_PyFoo obviously needs to add the PyFoo to the dictionary as it's created.

Obviously that's vague, untested, and missing all error-checking, but it seems like an easy way of doing what you want without having to track too many of the details of Foo's internals.

---

WeakValueDictionary: as you say, it's accessed through a Python interface. The code is essentially just a C version of what you'd do in Python. Roughly:

PyObject *weakref_mod = PyImport_ImportModule("weakref");
PyObject *weakvaluedict = PyObject_GetAttrString(weakref_mod, "WeakValueDictionary");
PyObject *wd_instance = PyObject_CallFunctionObjArgs(weakvaluedict, NULL);

(Untested, and ignoring error checking). Note that it isn't a direct subclass of dict I think, so use PyObject_GetItem not PyDict_GetItem (which behaves slightly different and returns something with an incremented reference)

---

PyFoo: Note that C API types need some small modifications to be weak referenceable. An example is in the docs but roughly they need a PyObject* to store the weakref list, and tp_weakreflistoffset set in the type object. That obviously adds a little overhead.

Answer 2

Not sure about an "idiomatic way" but in cppyy (http://cppyy.org) I keep track of python objects (by type) to preserve identity and pybind11 (https://pybind11.readthedocs.io) does something similar, so it's a workable idea.

The only issue with C++, and thus not a concern for your case so just for completeness, is multiple (virtual) inheritance, where offsets between parent and derived classes are non-zero, so auto-casting is needed to make sure that when a pointer to a derived instance is returned as a pointer to base, the offset does not mess up the tracking.

To implement, keep a hash map of C pointer to Python object. When returning a Foo* to Python-land, check whether it already exists in the map, and re-use as needed. When the ref-count reaches 0, also remove the object from the map. Note that you do NOT need to increase the ref-count or keep weak references as the hash map never leaves C-land.

In addition, if you have control over Foo destruction in C-land, then I recommend a callback to set the Python proxy's Foo* to NULL and check for NULL in all access functions (cppyy does something like that, too, if the C++ provides callbacks).

EDIT: adding links to the code here otherwise I run out of characters.

First though: this is C++, so my life is a wee bit easier in that I can use STL containers w/o having to cast pointers to integers, but yes, if you were to do so, that's perfectly safe.

I collect references per type for performance reasons (keeps the maps smaller), see fCppObjects here: https://bitbucket.org/wlav/cpycppyy/raw/c6e7662bab1623e6cb15ddf59e94423a6081d66f/src/CPPScope.h

When a new proxy carrying a pointer to C++ is returned, said object is registered through the MemoryRegulator, and when an object goes away, it is unregistered: https://bitbucket.org/wlav/cpycppyy/raw/c6e7662bab1623e6cb15ddf59e94423a6081d66f/src/MemoryRegulator.h https://bitbucket.org/wlav/cpycppyy/raw/c6e7662bab1623e6cb15ddf59e94423a6081d66f/src/MemoryRegulator.cxx

The hooks are for frameworks to take over the behavior, e.g. one client code prefers to store all pointers in a single map.

The use of flags is for performance reasons of a few corner cases.

The lookup/registration happens in various places in the as objects can cross the boundary for various reasons (construction, function return, variable access). The function return is here: https://bitbucket.org/wlav/cpycppyy/raw/c6e7662bab1623e6cb15ddf59e94423a6081d66f/src/ProxyWrappers.cxx

look for the call in BindCppObjectNoCast.

The destruction happens when the object goes away, see the proxy class: https://bitbucket.org/wlav/cpycppyy/raw/c6e7662bab1623e6cb15ddf59e94423a6081d66f/src/CPPInstance.cxx and in particular op_dealloc_nofree(a helper to delete the C++ side, not (yet) Python), which is called from the normal tp_dealloc.

For pybind11, the functions are called register_instance and deregister_instance, which you can find here: https://raw.githubusercontent.com/pybind/pybind11/master/include/pybind11/detail/class.h

The registration happens into a single multimap called registered_instances that is found here: https://raw.githubusercontent.com/pybind/pybind11/master/include/pybind11/detail/internals.h

The lookup is in get_object_handle found here: https://raw.githubusercontent.com/pybind/pybind11/master/include/pybind11/cast.h and which does a matching of ptr and type.

Ie. pretty much the same thing as cppyy (just less efficient).

Answer 3

del a does not drop the reference count to 0 by itself; it only decrements the reference count, because it removes a single reference. b still refers to the object, so the reference count remains at 1, and there should be no call to Foo_destroy.