search

flintlib / python-flint

Python bindings for Flint and Arb
MIT License
132 stars 27 forks source link

Memory management routines of flint can crash interpreter #244

Open skirpichev opened 1 day ago

skirpichev commented 1 day ago

Consider:

$ ulimit -v $((1024*64))
$ python
Python 3.11.9+ (heads/3.11:795f2597a4, Aug 29 2024, 14:29:51) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import flint
>>> a = flint.fmpz(200)<<1000000000
GNU MP: Cannot reallocate memory (old_size=16 new_size=125000008)
Aborted
$

Unfortunately, https://flintlib.org/doc/memory.html page lacks notes like the GMP manual, "13. Custom allocation": "There’s currently no defined way for the allocation functions to recover from an error such as out of memory, they must terminate program execution."

Or this is a flint bug, not a docs issue? It seems, despite fmpzt is a re-implemented (using low-level mpn* functions) mpz_t - it shares same memory-management behaviour. In this case it could be possible to carefully propagate memory errors.

fredrik-johansson commented 1 day ago

"There’s currently no defined way for the allocation functions to recover from an error such as out of memory, they must terminate program execution."

You can try to recover from a memory error in GMP or FLINT by intercepting the abort signal, it's just risky. You'll be fine most of the time but you risk leaking memory and occasionally corrupting data.

Sage does this for FLINT so it should be possible to do the same thing in python-flint:

sage: ZZ["x"].gen() ^ 1000000000000
Exception (FLINT memory_manager). Unable to allocate memory (8).
...
RuntimeError: Aborted
skirpichev commented 1 day ago

On Sat, Nov 23, 2024 at 02:06:52AM -0800, Fredrik Johansson wrote:

You can try to recover from a memory error in GMP or FLINT by intercepting the abort signal, it's just risky. You'll be fine most of the time but you risk leaking memory and occasionally corrupting data.

I'm not sure why you guess about "most of time". IMO, this is worse than plain abort() - essentially you left program (e.g. Python interpreter) in some undefined state, from which you can't recover (or save your data). Perhaps, this may work sometimes, e.g. in my or your examples: when you in one shot trying to allocate too much memory. But this looks rather an artificial case.

GMP seems to be correct here: "Getting a different fatal error action is a good use for custom allocation functions" (c). E.g. https://github.com/aleaxit/gmpy/pull/513

oscarbenjamin commented 1 day ago

Would flint_set_abort handle this or is that not applicable to a memory error like this?

I had been considering whether python-flint should use cysignals. There is some discussion on the sage mailing list about making cysignals work on Windows.