bpo-31095: fix potential crash during GC (GH-2974) (#3196)

bpo-31095: fix potential crash during GC (GH-2974) (#3196) · python/cpython@0fcc033

14 files changed

lines changed

Original file line number	Diff line number	Diff line change
@@ -728,8 +728,9 @@ functions. With :c:func:`Py_VISIT`, :c:func:`Noddy_traverse` can be simplified:
`728`	`728`	`uniformity across these boring implementations.`
`729`	`729`
`730`	`730`	`We also need to provide a method for clearing any subobjects that can`
`731`		`-participate in cycles. We implement the method and reimplement the deallocator`
`732`		`-to use it::`
	`731`	`+participate in cycles.`
	`732`	`+`
	`733`	`+::`
`733`	`734`
`734`	`735`	`static int`
`735`	`736`	`Noddy_clear(Noddy *self)`
`@@ -747,13 +748,6 @@ to use it::`
`747`	`748`	`return 0;`
`748`	`749`	`}`
`749`	`750`
`750`		`- static void`
`751`		`- Noddy_dealloc(Noddy* self)`
`752`		`- {`
`753`		`- Noddy_clear(self);`
`754`		`- Py_TYPE(self)->tp_free((PyObject*)self);`
`755`		`- }`
`756`		`-`
`757`	`751`	Notice the use of a temporary variable in :c:func:`Noddy_clear`. We use the
`758`	`752`	`temporary variable so that we can set each member to NULL before decrementing`
`759`	`753`	`its reference count. We do this because, as was discussed earlier, if the`
`@@ -776,6 +770,23 @@ be simplified::`
`776`	`770`	`return 0;`
`777`	`771`	`}`
`778`	`772`
	`773`	+Note that :c:func:`Noddy_dealloc` may call arbitrary functions through
	`774`	+``__del__`` method or weakref callback. It means circular GC can be
	`775`	`+triggered inside the function. Since GC assumes reference count is not zero,`
	`776`	+we need to untrack the object from GC by calling :c:func:`PyObject_GC_UnTrack`
	`777`	`+before clearing members. Here is reimplemented deallocator which uses`
	`778`	+:c:func:`PyObject_GC_UnTrack` and :c:func:`Noddy_clear`.
	`779`	`+`
	`780`	`+::`
	`781`	`+`
	`782`	`+ static void`
	`783`	`+ Noddy_dealloc(Noddy* self)`
	`784`	`+ {`
	`785`	`+ PyObject_GC_UnTrack(self);`
	`786`	`+ Noddy_clear(self);`
	`787`	`+ Py_TYPE(self)->tp_free((PyObject*)self);`
	`788`	`+ }`
	`789`	`+`
`779`	`790`	Finally, we add the :const:`Py_TPFLAGS_HAVE_GC` flag to the class flags::
`780`	`791`
`781`	`792`	`Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_BASETYPE \| Py_TPFLAGS_HAVE_GC, /* tp_flags */`

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ Noddy_clear(Noddy *self)`
`46`	`46`	`static void`
`47`	`47`	`Noddy_dealloc(Noddy* self)`
`48`	`48`	`{`
	`49`	`+PyObject_GC_UnTrack(self);`
`49`	`50`	`Noddy_clear(self);`
`50`	`51`	`Py_TYPE(self)->tp_free((PyObject*)self);`
`51`	`52`	`}`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call
	`2`	+``PyObject_GC_UnTrack()``.

Original file line number	Diff line number	Diff line change
`@@ -1641,6 +1641,8 @@ dequeiter_traverse(dequeiterobject dio, visitproc visit, void arg)`
`1641`	`1641`	`static void`
`1642`	`1642`	`dequeiter_dealloc(dequeiterobject *dio)`
`1643`	`1643`	`{`
	`1644`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1645`	`+PyObject_GC_UnTrack(dio);`
`1644`	`1646`	`Py_XDECREF(dio->deque);`
`1645`	`1647`	`PyObject_GC_Del(dio);`
`1646`	`1648`	`}`
`@@ -2021,6 +2023,8 @@ static PyMemberDef defdict_members[] = {`
`2021`	`2023`	`static void`
`2022`	`2024`	`defdict_dealloc(defdictobject *dd)`
`2023`	`2025`	`{`
	`2026`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2027`	`+PyObject_GC_UnTrack(dd);`
`2024`	`2028`	`Py_CLEAR(dd->default_factory);`
`2025`	`2029`	`PyDict_Type.tp_dealloc((PyObject *)dd);`
`2026`	`2030`	`}`

Original file line number	Diff line number	Diff line change
`@@ -653,6 +653,7 @@ element_gc_clear(ElementObject *self)`
`653`	`653`	`static void`
`654`	`654`	`element_dealloc(ElementObject* self)`
`655`	`655`	`{`
	`656`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`656`	`657`	`PyObject_GC_UnTrack(self);`
`657`	`658`	`Py_TRASHCAN_SAFE_BEGIN(self)`
`658`	`659`
`@@ -2025,6 +2026,9 @@ static void`
`2025`	`2026`	`elementiter_dealloc(ElementIterObject *it)`
`2026`	`2027`	`{`
`2027`	`2028`	`ParentLocator *p = it->parent_stack;`
	`2029`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2030`	`+PyObject_GC_UnTrack(it);`
	`2031`	`+`
`2028`	`2032`	`while (p) {`
`2029`	`2033`	`ParentLocator *temp = p;`
`2030`	`2034`	`Py_XDECREF(p->parent);`
`@@ -2034,8 +2038,6 @@ elementiter_dealloc(ElementIterObject *it)`
`2034`	`2038`
`2035`	`2039`	`Py_XDECREF(it->sought_tag);`
`2036`	`2040`	`Py_XDECREF(it->root_element);`
`2037`		`-`
`2038`		`-PyObject_GC_UnTrack(it);`
`2039`	`2041`	`PyObject_GC_Del(it);`
`2040`	`2042`	`}`
`2041`	`2043`

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,7 @@ partial_new(PyTypeObject type, PyObject args, PyObject *kw)`
`116`	`116`	`static void`
`117`	`117`	`partial_dealloc(partialobject *pto)`
`118`	`118`	`{`
	`119`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`119`	`120`	`PyObject_GC_UnTrack(pto);`
`120`	`121`	`if (pto->weakreflist != NULL)`
`121`	`122`	`PyObject_ClearWeakRefs((PyObject *) pto);`
`@@ -1039,7 +1040,11 @@ lru_cache_clear_list(lru_list_elem *link)`
`1039`	`1040`	`static void`
`1040`	`1041`	`lru_cache_dealloc(lru_cache_object *obj)`
`1041`	`1042`	`{`
`1042`		`-lru_list_elem *list = lru_cache_unlink_list(obj);`
	`1043`	`+lru_list_elem *list;`
	`1044`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1045`	`+PyObject_GC_UnTrack(obj);`
	`1046`	`+`
	`1047`	`+list = lru_cache_unlink_list(obj);`
`1043`	`1048`	`Py_XDECREF(obj->maxsize_O);`
`1044`	`1049`	`Py_XDECREF(obj->func);`
`1045`	`1050`	`Py_XDECREF(obj->cache);`

Original file line number	Diff line number	Diff line change
`@@ -1133,6 +1133,8 @@ bytesiobuf_traverse(bytesiobuf self, visitproc visit, void arg)`
`1133`	`1133`	`static void`
`1134`	`1134`	`bytesiobuf_dealloc(bytesiobuf *self)`
`1135`	`1135`	`{`
	`1136`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1137`	`+PyObject_GC_UnTrack(self);`
`1136`	`1138`	`Py_CLEAR(self->source);`
`1137`	`1139`	`Py_TYPE(self)->tp_free(self);`
`1138`	`1140`	`}`

Original file line number	Diff line number	Diff line change
`@@ -655,7 +655,8 @@ py_encode_basestring(PyObject* self UNUSED, PyObject *pystr)`
`655`	`655`	`static void`
`656`	`656`	`scanner_dealloc(PyObject *self)`
`657`	`657`	`{`
`658`		`-/* Deallocate scanner object */`
	`658`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`659`	`+PyObject_GC_UnTrack(self);`
`659`	`660`	`scanner_clear(self);`
`660`	`661`	`Py_TYPE(self)->tp_free(self);`
`661`	`662`	`}`
`@@ -1793,7 +1794,8 @@ encoder_listencode_list(PyEncoderObject s, _PyAccu acc,`
`1793`	`1794`	`static void`
`1794`	`1795`	`encoder_dealloc(PyObject *self)`
`1795`	`1796`	`{`
`1796`		`-/* Deallocate Encoder */`
	`1797`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1798`	`+PyObject_GC_UnTrack(self);`
`1797`	`1799`	`encoder_clear(self);`
`1798`	`1800`	`Py_TYPE(self)->tp_free(self);`
`1799`	`1801`	`}`

Original file line number	Diff line number	Diff line change
`@@ -2465,6 +2465,8 @@ context_clear(PySSLContext *self)`
`2465`	`2465`	`static void`
`2466`	`2466`	`context_dealloc(PySSLContext *self)`
`2467`	`2467`	`{`
	`2468`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2469`	`+PyObject_GC_UnTrack(self);`
`2468`	`2470`	`context_clear(self);`
`2469`	`2471`	`SSL_CTX_free(self->ctx);`
`2470`	`2472`	`#ifdef OPENSSL_NPN_NEGOTIATED`

Original file line number	Diff line number	Diff line change
`@@ -1581,6 +1581,8 @@ typedef struct {`
`1581`	`1581`	`static void`
`1582`	`1582`	`unpackiter_dealloc(unpackiterobject *self)`
`1583`	`1583`	`{`
	`1584`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1585`	`+PyObject_GC_UnTrack(self);`
`1584`	`1586`	`Py_XDECREF(self->so);`
`1585`	`1587`	`PyBuffer_Release(&self->buf);`
`1586`	`1588`	`PyObject_GC_Del(self);`