Avoid double-free of well-known native wrappers

Author: fangerer

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/transitions/CApiTransitions.java

@@ -1099,8 +1099,8 @@ private static long addNativeRefCount(long pointer, long refCntDelta) {
 
     private static long subNativeRefCount(long pointer, long refCntDelta) {
         long refCount = UNSAFE.getLong(pointer + TP_REFCNT_OFFSET);
-        assert (refCount & 0xFFFFFFFF00000000L) == 0 : String.format("suspicious refcnt value during managed adjustment for %016x (%d %016x + %d)\n", pointer, refCount, refCount, refCntDelta);
-        assert (refCount - refCntDelta) >= 0 : String.format("refcnt below zero during managed adjustment for %016x (%d %016x + %d)\n", pointer, refCount, refCount, refCntDelta);
+        assert (refCount & 0xFFFFFFFF00000000L) == 0 : String.format("suspicious refcnt value during managed adjustment for %016x (%d %016x - %d)\n", pointer, refCount, refCount, refCntDelta);
+        assert (refCount - refCntDelta) >= 0 : String.format("refcnt below zero during managed adjustment for %016x (%d %016x - %d)\n", pointer, refCount, refCount, refCntDelta);
 
         LOGGER.finest(() -> PythonUtils.formatJString("subNativeRefCount %x %x %d + %d", pointer, refCount, refCount, refCntDelta));
 

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java

@@ -438,11 +438,20 @@ public void setContextVarsContext(PContextVarsContext contextVarsContext) {
 
         public void dispose() {
             // This method may be called twice on the same object.
-            if (dict != null && dict.getNativeWrapper() != null) {
-                PyTruffleObjectFree.releaseNativeWrapperUncached(dict.getNativeWrapper());
+
+            /*
+             * Note: we may only free the native wrappers if they have no PythonObjectReference
+             * otherwise it could happen that we free them here and again in
+             * 'CApiTransitions.pollReferenceQueue'.
+             */
+            if (dict != null) {
+                PythonAbstractObjectNativeWrapper dictNativeWrapper = dict.getNativeWrapper();
+                if (dictNativeWrapper != null && dictNativeWrapper.ref == null) {
+                    PyTruffleObjectFree.releaseNativeWrapperUncached(dictNativeWrapper);
+                }
             }
             dict = null;
-            if (nativeWrapper != null) {
+            if (nativeWrapper != null && nativeWrapper.ref == null) {
                 PyTruffleObjectFree.releaseNativeWrapperUncached(nativeWrapper);
                 nativeWrapper = null;
             }
@@ -2026,7 +2035,12 @@ private void disposeThreadStates() {
     @TruffleBoundary
     private void cleanupCApiResources() {
         for (PythonNativeWrapper singletonNativeWrapper : singletonNativePtrs) {
-            if (singletonNativeWrapper != null) {
+            /*
+             * Note: we may only free the native wrappers if they have no PythonObjectReference
+             * otherwise it could happen that we free them here and again in
+             * 'CApiTransitions.pollReferenceQueue'.
+             */
+            if (singletonNativeWrapper != null && singletonNativeWrapper.ref == null) {
                 PyTruffleObjectFree.releaseNativeWrapperUncached(singletonNativeWrapper);
             }
         }