定位Python built-in函数的源码实现

用Python开发的代码,有些时候会出现一些故障,这些故障很难从Python级调试中排查出原因。此时,需要对Python解释器进行C级调试,以排查更底层的原因。本文以定位Python built-in函数的源码实现为例,展示这种C级调试的片段。

Q:

我想查看os.system()的源码

>>> import os
>>> os.system

>>> os.__file__
'/usr/lib/python2.7/os.pyc'

>>> import inspect
>>> inspect.getfile(os)
'/usr/lib/python2.7/os.pyc'
>>> inspect.getmodule(os)

这些信息不是我想要的。

A: scz 2015-09-21 10:21

# gdb -q --args /usr/bin/python2.7-dbg -c 'import os;os.system("echo $$;/bin/sleep 1")'

built-in函数名等于system时断下:

(gdb) b PyCFunction_Call if (0==strcmp(((PyCFunctionObject *)func)->m_ml->ml_name,"system"))
Breakpoint 1 at 0x80bc2a1: file ../Objects/methodobject.c, line 73.
(gdb) r
...
Breakpoint 1, PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:73
73          PyCFunctionObject* f = (PyCFunctionObject*)func;

PyCFunction_Call()用于调用built-in函数。

(gdb) output func

即将调用built-in函数system()。查看此时的模块名:

(gdb) output *(PyCFunctionObject *)func
{
  _ob_next = 0xb7d30c68,
  _ob_prev = 0xb7d30cd8,
  ob_refcnt = 4,
  ob_type = 0x82b9780 ,
  m_ml = 0x82f72b0 ,
  m_self = 0x0,
  m_module = 'posix'
}
(gdb) x/s PyString_AsString(((PyCFunctionObject *)func)->m_module)
0xb7d303fc:     "posix"

模块名不是想像中的os,而是posix,意味着os模块调用了posix模块。

针对PyCFunction_Call()设置条件断点时,不要轻易检查m_module,除非确知其名。

查看此时的函数信息:

(gdb) output *(((PyCFunctionObject *)func)->m_ml)
{
  ml_name = 0x826e8c9 "system",
  ml_meth = 0x81f5ea9 ,
  ml_flags = 1,
  ml_doc = 0x82f3f40  "system(command) -> exit_status\n\nExecute the command (a string) in a subshell."
}
(gdb) x/s ((PyCFunctionObject *)func)->m_ml->ml_name
0x826e8c9:      "system"
(gdb) output/x ((PyCFunctionObject *)func)->m_ml->ml_meth
0x81f5ea9
(gdb) info symbol 0x81f5ea9
(gdb) info symbol ((PyCFunctionObject *)func)->m_ml->ml_meth
posix_system in section .text of /usr/bin/python2.7-dbg

built-in函数system()对应的C实现是posix_system():

(gdb) list posix_system
2791    "system(command) -> exit_status\n\n\
2792    Execute the command (a string) in a subshell.");
2793
2794    static PyObject *
2795    posix_system(PyObject *self, PyObject *args)
2796    {
2797        char *command;
2798        long sts;
2799        if (!PyArg_ParseTuple(args, "s:system", &command))
2800            return NULL;
(gdb) info source
Current source file is ../Modules/posixmodule.c
Compilation directory is /home/packages/python/2.7/d/python2.7-2.7.9/build-debug
Located in /usr/src/python/python2.7-2.7.9/Modules/posixmodule.c
Contains 9512 lines.
Source language is c.
Compiled with DWARF 2 debugging format.
Does not include preprocessor macro info.

现在知道os.system()对应posixmodule.c中的posix_system()。我一般在Source Insight里查看精确版本的源码实现,如果想快速了解大概,可以在线查看:

http://svn.python.org/projects/python/trunk/Modules/posixmodule.c http://hg.python.org/cpython/file/2.7/Modules/posixmodule.c

(gdb) tb *posix_system
Temporary breakpoint 2 at 0x81f5ea9: file ../Modules/posixmodule.c, line 2796.
(gdb) c
Continuing.

Temporary breakpoint 2, posix_system (self=, args=) at ../Modules/posixmodule.c:2796
2796    {
(gdb) bt 10
#0  posix_system (self=, args=) at ../Modules/posixmodule.c:2796
#1  0x080bc300 in PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:81
#2  0x08149d0b in call_function (pp_stack=0xbffff804, oparg=1) at ../Python/ceval.c:4033
#3  0x081454ec in PyEval_EvalFrameEx (f=Frame 0xb7c5c034, for file , line 1, in  (), throwflag=0) at ../Python/ceval.c:2679
#4  0x08147a77 in PyEval_EvalCodeEx ... at ../Python/ceval.c:3265
#5  0x0813d035 in PyEval_EvalCode ... at ../Python/ceval.c:667
#6  0x08172b65 in run_mod ... at ../Python/pythonrun.c:1371
#7  0x08172a71 in PyRun_StringFlags ... at ../Python/pythonrun.c:1334
#8  0x081716de in ... at ../Python/pythonrun.c:975
#9  0x0818983d in Py_Main (argc=3, argv=0xbffffc84) at ../Modules/main.c:584
(More stack frames follow...)

不要用”until *posix_system”,until有个很微妙的限制:

(gdb) help until
Execute until the program reaches a source line greater than the current
or a specified location (same args as break command) within the current frame.

注意这句,”within the current frame”。一般意义上until *addr并不等价于tb *addr;c。而我们通常想要的是后者。这与windbg的g addr命令有显著不同。以前被坑过,跑飞了还奇怪为什么,辛辛苦苦得到的中间状态就这么没了。

其实,如果确知os.system()会调用C函数system(),可以直接针对后者下断,然后查看调用栈回溯:

(gdb) tb *system
Temporary breakpoint 3 at 0xb7fa9be0: file pt-system.c, line 27.
(gdb) c
Continuing.

Temporary breakpoint 3, system (line=0xb7c448fc "echo $$;/bin/sleep 1") at pt-system.c:27
27      {
(gdb) bt 5
#0  system (line=0xb7c448fc "echo $$;/bin/sleep 1") at pt-system.c:27
#1  0x081f5efc in posix_system (self=0x0, args=('echo $$;/bin/sleep 1',)) at ../Modules/posixmodule.c:2802
#2  0x080bc300 in PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:81
#3  0x08149d0b in call_function (pp_stack=0xbffff804, oparg=1) at ../Python/ceval.c:4033
#4  0x081454ec in PyEval_EvalFrameEx (f=Frame 0xb7c5c034, for file , line 1, in  (), throwflag=0) at ../Python/ceval.c:2679
(More stack frames follow...)

从中一眼就看到posixmodule.c的posix_system()。

我前面演示的复杂方案是广谱方案。

Spread the word. Share this post!

Meet The Author

C/ASM程序员

Leave Comment