python: deprecate Python::acquire_gil
#1788
Conversation
davidhewitt
force-pushed
the
deprecate-acquire-gil
branch
from
36688b9 to
a64ce43
Compare
There was a problem hiding this comment.
Makes GILGuard::acquire_gil an unsafe public API.
I think that this is a mistake and that having this is too confusing.
This function is not crystal clear about how it's supposed to be used safely.
The "interpreter needs to be initialized", what does that mean? How do I do that? How do I know that it is? It's not clear from the context whether I need to call some function first or it's a config somewhere that needs to be set. And then the GILGuards need to be dropped in order - this sounds like something where it's easy to get a corner case where this goes wrong unnoticed. (also I'm guessing it would be a really bad idea to mem::forget one of these)
In contrast a function like Python::assume_gil_acquired communicates this better; if you use the token it gives you (or anything derived from it) in any context where you're not actually holding the GIL then, well, you get yourself some UB.
The name is too attractive.
When you're new and looking through the docs, this looks a lot like "this is what I need". Certainly more so than Python::with_gil. I'm concerned this nudges people into using this unsafe function everywhere and this is undesirable, especially when it's something that "seems to work".
Its purpose.
Where is this function useful? Can it do things Python::with_gil can't? If yes, then we have to accept that people are sometimes forced to use this function, in which case it being unsafe is undesirable. If no, then why do we have it?
src/gil.rs
Outdated
| /// around the C-API Python_EnsureGIL. This means that multiple `acquire_gil()` calls are | ||
| /// allowed, and will not deadlock. However, `GILGuard`s must be dropped in the reverse order | ||
| /// to acquisition. Failing to do this will corrupt the Python GIL state. | ||
| pub unsafe fn acquire_gil() -> GILGuard { |
There was a problem hiding this comment.
This needs doc examples showing correct and incorrect usage.
|
Thanks, that's really great points. I think what I'll do is remove |
|
👍 Does that mean |
|
Yes, I guess so. I think that's a good thing. (Eventually we will want to get rid of GILPool as well.) |
This makes no sense to me - even if people are forced to use a function sometimes, it needs to be unsafe if we can't guarantee safety. It's better than not providing the functionality at all. FFI is not a perfect world where we can make everything safe for all use cases. |
davidhewitt
force-pushed
the
deprecate-acquire-gil
branch
from
a64ce43 to
36ae1f2
Compare
It absolutely needs to be marked unsafe if necessary.
I'm concerned about:
I think it's great that users can use almost everything in pyo3 without using unsafe. If we make a core unsafe api like this that people are forced to use (or think they are forced to use) that would be a bad thing. And we should think carefully about introducing that, or introduce it in such a way that it's safe. |
We made safety adjustments all the time in the past when it turned out that some API could lead to unsound behavior. As long as the unsafety, and the way to use the API soundly, are documented, this is fine for me.
But what's the alternative? Remove it, making that corner case impossible? We already have such core unsafe APIs, for example https://docs.rs/pyo3/0.14.2/pyo3/fn.with_embedded_python_interpreter.html |
|
I mean, I agree with all those things. I'm just saying that if we need to have an api like that it would be nice if it could be safe. |
|
An as-of-yet undiscussed alternative to removing I'm not totally sure I love that as an idea - I'm not entirely certain there aren't weird edge cases I haven't thought of, and adding another thread local would introduce a performance hit... Aside, I'm beginning to think this PR does too much. I might split out the deoptimising |
|
I'd like to get the deprecation merged and do these optimizations in the future - are there any outstanding concerns around this? Also, I've been thinking about supporting subinterpreters and I think that is much easier if Gilguard is off the board. |
|
I think we need to communicate the Have you seen discussion in #2346? I'm getting a bit unsure about sub-interpreter support and was thinking we might need to disable it explicitly for soundness reasons. |
|
Are you working on a rebase right now? Otherwise I'll just open a new PR with these changes. |
|
Please go ahead. I was planning to cut this back a lot and just deprecate acquire_gil for now (not change with_gil for the moment until we also start reworking the core objects to not need the gilpool). |
|
Closing in favour of #2549 |
From discussion in #1683 and #1769
Python::acquire_gil.Python::with_gilalways acquire the GIL (removingEnsureGILoptimization).MakesGILGuard::acquire_gilan unsafe public API.GILGuard::drop.Not mergeable because there's a ton of deprecation warnings. Needs #1786 and maybe one other PR to migrate PyO3's own codebase from
acquire_gil->with_gil.