Fork workaround (#628)

Co-authored-by: Michael Graeb <[email protected]>

Author: TingDaoK

.github/workflows/ci.yml

@@ -49,7 +49,6 @@ jobs:
         image:
           - x64
           - x86
-          - aarch64
         python:
           - cp38-cp38
           - cp39-cp39
@@ -65,23 +64,43 @@ jobs:
         with:
           role-to-assume: ${{ env.CRT_CI_ROLE }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
-      # Only aarch64 needs this, but it doesn't hurt anything
-      - name: Install qemu/docker
-        run: docker run --privileged --rm tonistiigi/binfmt --install aarch64
-
       - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           aws s3 cp s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
           ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-manylinux2014-${{ matrix.image }} build -p ${{ env.PACKAGE_NAME }} --python /opt/python/${{ matrix.python }}/bin/python
 
+  manylinux2014-arm64:
+    runs-on: ubuntu-24.04-arm
+    strategy:
+      fail-fast: false
+      matrix:
+        python:
+          - cp38-cp38
+          - cp39-cp39
+          - cp310-cp310
+          - cp311-cp311
+          - cp312-cp312
+          - cp313-cp313
+    permissions:
+      id-token: write # This is required for requesting the JWT
+    steps:
+      - name: configure AWS credentials (containers)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.CRT_CI_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: Build ${{ env.PACKAGE_NAME }}
+        run: |
+          aws s3 cp s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
+          ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-manylinux2014-aarch64 build -p ${{ env.PACKAGE_NAME }} --python /opt/python/${{ matrix.python }}/bin/python
+
   musllinux-1-1:
     runs-on: ubuntu-24.04 # latest
     strategy:
       fail-fast: false
       matrix:
         image:
           - x64
-          - aarch64
         python:
           - cp38-cp38
           - cp39-cp39
@@ -97,18 +116,38 @@ jobs:
         with:
           role-to-assume: ${{ env.CRT_CI_ROLE }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
-
-      # Only aarch64 needs this, but it doesn't hurt anything
-      - name: Install qemu/docker
-        run: docker run --privileged --rm tonistiigi/binfmt --install aarch64
-
       - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           aws s3 cp s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
           ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-musllinux-1-1-${{ matrix.image }} build -p ${{ env.PACKAGE_NAME }} --python /opt/python/${{ matrix.python }}/bin/python
 
+  musllinux-1-1-arm64:
+    runs-on: ubuntu-24.04-arm
+    strategy:
+      fail-fast: false
+      matrix:
+        python:
+          - cp38-cp38
+          - cp39-cp39
+          - cp310-cp310
+          - cp311-cp311
+          - cp312-cp312
+          - cp313-cp313
+    permissions:
+      id-token: write # This is required for requesting the JWT
+    steps:
+      - name: configure AWS credentials (containers)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.CRT_CI_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: Build ${{ env.PACKAGE_NAME }}
+        run: |
+          aws s3 cp s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
+          ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-musllinux-1-1-aarch64 build -p ${{ env.PACKAGE_NAME }} --python /opt/python/${{ matrix.python }}/bin/python
+
   raspberry:
-    runs-on: ubuntu-24.04 # latest
+    runs-on: ubuntu-24.04-arm
     strategy:
       fail-fast: false
       matrix:
@@ -123,10 +162,6 @@ jobs:
           role-to-assume: ${{ env.CRT_CI_ROLE }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
-      # set arm arch
-      - name: Install qemu/docker
-        run: docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-
       - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           aws s3 cp s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh

README.md

@@ -32,7 +32,36 @@ git submodule update --init
 python3 -m pip install .
 ```
 
-To use from your Python application, declare `awscrt` as a dependency.
+See [Advanced Build Options](#advanced-build-options) for more info about building from source.
+
+## Fork and Multiprocessing
+
+aws-crt-python uses background threads. This makes [os.fork()](https://docs.python.org/3/library/os.html#os.fork) unsafe. In a forked child process, all background threads vanish. The child will hang or crash when it tries to communicate with any of these (vanished) threads.
+
+Unfortunately, Python's [multiprocessing](https://docs.python.org/3/library/multiprocessing.html) module defaults to using fork when it creates child processes (on POSIX systems except macOS, in Python versions 3.13 and earlier). `multiprocessing` is used under the hood by many tools that do work in parallel, including [concurrent.futures.ProcessPoolExecutor](https://docs.python.org/3/library/concurrent.futures.html#concurrent.futures.ProcessPoolExecutor), and [pytorch.multiprocessing](https://pytorch.org/docs/stable/multiprocessing.html).
+
+If you need to use `multiprocessing` with aws-crt-python, set it to use "spawn" or "forkserver" instead of "fork" ([see docs](https://docs.python.org/3/library/multiprocessing.html#contexts-and-start-methods)). The Python community agrees, and `multiprocessing` will changes its default from "fork" to "spawn" in 3.14. It already uses "spawn" by default on macOS (because system libraries may start threads) and on Windows (because fork does not exist).
+
+If you **must** use fork with aws-crt-python, you may be able to avoid hangs and crashes if you manage your threads very carefully:
+
+1.	Release all CRT resources with background threads (e.g. clean up any `io.EventLoopGroup` instances).
+2.	Join all CRT threads before forking (use `common.join_all_native_threads()` ).
+
+For an example, see `test.test_s3.py.S3RequestTest.test_fork_workaround` .
+
+## Mac-Only TLS Behavior
+
+Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. Beginning in v0.6.2, when a stored private key from the Keychain is used, the following will be logged at the "info" log level:
+
+```
+static: certificate has an existing certificate-key pair that was previously imported into the Keychain. Using key from Keychain instead of the one provided.
+```
+
+## Crash Handler
+
+You can enable the crash handler by setting the environment variable `AWS_CRT_CRASH_HANDLER=1` . This will print the callstack to `stderr` in the event of a fatal error.
+
+## Advanced Build Options
 
 ### OpenSSL and LibCrypto
 
@@ -54,20 +83,23 @@ set environment variable `AWS_CRT_BUILD_USE_SYSTEM_LIBCRYPTO=1` while building f
 ```sh
 AWS_CRT_BUILD_USE_SYSTEM_LIBCRYPTO=1 python3 -m pip install --no-binary :all: --verbose awscrt
 ```
+
 ( `--no-binary :all:` ensures you do not use the precompiled wheel from PyPI)
 
-aws-crt-python also exposes a number of cryptographic primitives. 
+aws-crt-python also exposes a number of cryptographic primitives.
 On Unix, those depend on libcrypto as described above.
 On Apple and Windows OS level crypto libraries are used whenever possible.
-One exception to above statement is that for ED25519 keygen on Windows and Apple, 
+One exception to above statement is that for ED25519 keygen on Windows and Apple,
 libcrypto is used as no viable OS level alternative exists. In that case Unix level notes
-about libcrypto apply to Apple and Windows as well. Libcrypto usage for ED25519 support is 
+about libcrypto apply to Apple and Windows as well. Libcrypto usage for ED25519 support is
 enabled on Windows and Apple by default and can be disabled by setting environment variable
 `AWS_CRT_BUILD_DISABLE_LIBCRYPTO_USE_FOR_ED25519_EVERYWHERE` as follows:
 (Note: ED25519 keygen functions will start returning not supported error in this case)
+
 ```sh
 AWS_CRT_BUILD_DISABLE_LIBCRYPTO_USE_FOR_ED25519_EVERYWHERE=1 python3 -m pip install --no-binary :all: --verbose awscrt
 ```
+
 ( `--no-binary :all:` ensures you do not use the precompiled wheel from PyPI)
 
 ### AWS_CRT_BUILD_USE_SYSTEM_LIBS ###
@@ -84,14 +116,3 @@ AWS_CRT_BUILD_USE_SYSTEM_LIBS=1 python3 -m pip install .
 ```
 
 If these dependencies are available as both static and shared libs, you can force the static ones to be used by setting: `AWS_CRT_BUILD_FORCE_STATIC_LIBS=1`
-
-## Mac-Only TLS Behavior
-
-Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. Beginning in v0.6.2, when a stored private key from the Keychain is used, the following will be logged at the "info" log level:
-
-```
-static: certificate has an existing certificate-key pair that was previously imported into the Keychain. Using key from Keychain instead of the one provided.
-```
-
-## Crash Handler
-You can enable the crash handler by setting the environment variable `AWS_CRT_CRASH_HANDLER=1`. This will print the callstack to `stderr` in the event of a fatal error.

awscrt/_test.py

@@ -3,6 +3,7 @@
 """
 import _awscrt
 from awscrt import NativeResource
+from awscrt.common import join_all_native_threads
 import gc
 import inspect
 import os
@@ -47,23 +48,6 @@ def dump_native_memory():
     return _awscrt.native_memory_dump()
 
 
-def join_all_native_threads(*, timeout_sec: float = -1.0) -> bool:
-    """
-    Waits for all native threads to complete their join call.
-
-    This can only be safely called from the main thread.
-    This call may be required for native memory usage to reach zero.
-
-    Args:
-        timeout_sec (float): Number of seconds to wait before a timeout exception is raised.
-            By default the wait is unbounded.
-
-    Returns:
-        bool: Returns whether threads could be joined before the timeout.
-    """
-    return _awscrt.thread_join_all_managed(timeout_sec)
-
-
 def check_for_leaks(*, timeout_sec=10.0):
     """
     Checks that all awscrt resources have been freed after a test.

awscrt/common.py

@@ -18,3 +18,20 @@ def get_cpu_count_for_group(group_idx: int) -> int:
     Returns number of processors in a given group.
     """
     return _awscrt.get_cpu_count_for_group(group_idx)
+
+
+def join_all_native_threads(*, timeout_sec: float = -1.0) -> bool:
+    """
+    Waits for all native threads to complete their join call.
+
+    This can only be safely called from the main thread.
+    This call may be required for native memory usage to reach zero.
+
+    Args:
+        timeout_sec (float): Number of seconds to wait before a timeout exception is raised.
+            By default the wait is unbounded.
+
+    Returns:
+        bool: Returns whether threads could be joined before the timeout.
+    """
+    return _awscrt.thread_join_all_managed(timeout_sec)

awscrt/s3.py

@@ -42,6 +42,7 @@ def acquire(self):
 
     def __enter__(self):
         self.acquire()
+        return self
 
     def release(self):
         _awscrt.s3_cross_process_lock_release(self._binding)

crt/aws-c-auth

@@ -46,10 +46,17 @@ PyObject *aws_py_thread_join_all_managed(PyObject *self, PyObject *args) {
         }
     }
     aws_thread_set_managed_join_timeout_ns(timeout_ns);
-
-    if (aws_thread_join_all_managed()) {
+    int res = AWS_OP_SUCCESS;
+    /* clang-format off */
+    Py_BEGIN_ALLOW_THREADS
+    /* Drop GIL to allow other threads callback into python to finish joining. */
+    res = aws_thread_join_all_managed();
+    Py_END_ALLOW_THREADS
+
+    if(res == AWS_OP_SUCCESS) {
+        Py_RETURN_TRUE;
+    } else {
         Py_RETURN_FALSE;
     }
-
-    Py_RETURN_TRUE;
+    /* clang-format on */
 }