Guard against writing to reclaimed graalpy_finalizing memory

Author: timfel

graalpython/com.oracle.graal.python.cext/src/capi.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -951,7 +951,7 @@ Py_LOCAL_SYMBOL TruffleContext* TRUFFLE_CONTEXT;
  * that do not work during context shutdown! (This means that it would be safe
  * to share this global across multiple contexts.)
  */
-Py_LOCAL_SYMBOL int32_t graalpy_finalizing;
+Py_LOCAL_SYMBOL int8_t *_graalpy_finalizing = NULL;
 
 PyAPI_FUNC(void) initialize_graal_capi(TruffleEnv* env, void **builtin_closures, GCState *gc) {
     clock_t t = clock();
@@ -1007,10 +1007,16 @@ PyAPI_FUNC(void) initialize_graal_capi(TruffleEnv* env, void **builtin_closures,
 
 /*
  * This function is called from Java during C API initialization to get the
- * pointer `graalpy_finalizing`.
+ * pointer `_graalpy_finalizing`.
  */
-PyAPI_FUNC(int32_t *) GraalPy_get_finalize_capi_pointer() {
-    return &graalpy_finalizing;
+PyAPI_FUNC(int8_t *) GraalPy_get_finalize_capi_pointer() {
+    assert(!_graalpy_finalizing);
+    // We actually leak this memory on purpose. On the Java side, this is
+    // written to in a VM shutdown hook. Once such a hook is registered it
+    // sticks around, so we're leaking those hooks anyway. 1 byte more to leak
+    // does not strike me (timfel) as significant.
+    _graalpy_finalizing = (int8_t *)calloc(1, sizeof(int8_t));
+    return _graalpy_finalizing;
 }
 
 #if ((__linux__ && __GNU_LIBRARY__) || __APPLE__)

graalpython/com.oracle.graal.python.cext/src/capi.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -157,7 +157,8 @@ PyAPI_DATA(uint32_t) Py_Truffle_Options;
 
 extern THREAD_LOCAL Py_LOCAL_SYMBOL PyThreadState *tstate_current;
 
-extern Py_LOCAL_SYMBOL int graalpy_finalizing;
+extern Py_LOCAL_SYMBOL int8_t *_graalpy_finalizing;
+#define graalpy_finalizing (_graalpy_finalizing != NULL && *_graalpy_finalizing)
 
 /* Flags definitions representing global (debug) options. */
 static MUST_INLINE int PyTruffle_Trace_Memory() {

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CApiContext.java

@@ -1134,6 +1134,11 @@ public static Object loadCExtModule(Node location, PythonContext context, Module
      * know that it's not safe to do upcalls and that native wrappers might have been deallocated.
      * We need to do it in a VM shutdown hook to make sure C atexit won't crash even if our context
      * finalization didn't run.
+     *
+     * The memory of the shared library may have been re-used if the GraalPy context was shut down
+     * (cleanly or not), the sources were collected, and NFI's mechanism for unloading libraries
+     * triggered a dlclose that dropped the refcount of the python-native library to 0. We leak 1
+     * byte of memory and this shutdown hook for each context that ever initialized the C API.
      */
     private void addNativeFinalizer(PythonContext context, Object finalizingPointerObj) {
         final Unsafe unsafe = context.getUnsafe();
@@ -1143,7 +1148,8 @@ private void addNativeFinalizer(PythonContext context, Object finalizingPointerO
                 long finalizingPointer = lib.asPointer(finalizingPointerObj);
                 // We are writing off heap memory and registering a VM shutdown hook, there is no
                 // point in creating this thread via Truffle sandbox at this point
-                nativeFinalizerRunnable = () -> unsafe.putInt(finalizingPointer, 1);
+                nativeFinalizerRunnable = () -> unsafe.putByte(finalizingPointer, (byte) 1);
+                context.registerAtexitHook((c) -> nativeFinalizerRunnable.run());
                 nativeFinalizerShutdownHook = new Thread(nativeFinalizerRunnable);
                 Runtime.getRuntime().addShutdownHook(nativeFinalizerShutdownHook);
             } catch (UnsupportedMessageException e) {