bpo-31095: Fix potential crash during GC (GH-3197)

bpo-31095: Fix potential crash during GC (GH-3197) · python/cpython@4cde4bd

10 files changed

lines changed

Original file line number	Diff line number	Diff line change
`@@ -748,8 +748,9 @@ simplified::`
`748`	`748`	`uniformity across these boring implementations.`
`749`	`749`
`750`	`750`	`We also need to provide a method for clearing any subobjects that can`
`751`		`-participate in cycles. We implement the method and reimplement the deallocator`
`752`		`-to use it::`
	`751`	`+participate in cycles.`
	`752`	`+`
	`753`	`+::`
`753`	`754`
`754`	`755`	`static int`
`755`	`756`	`Noddy_clear(Noddy *self)`
`@@ -767,13 +768,6 @@ to use it::`
`767`	`768`	`return 0;`
`768`	`769`	`}`
`769`	`770`
`770`		`- static void`
`771`		`- Noddy_dealloc(Noddy* self)`
`772`		`- {`
`773`		`- Noddy_clear(self);`
`774`		`- self->ob_type->tp_free((PyObject*)self);`
`775`		`- }`
`776`		`-`
`777`	`771`	Notice the use of a temporary variable in :c:func:`Noddy_clear`. We use the
`778`	`772`	`temporary variable so that we can set each member to NULL before decrementing`
`779`	`773`	`its reference count. We do this because, as was discussed earlier, if the`
@@ -796,6 +790,23 @@ decrementing of reference counts. With :c:func:`Py_CLEAR`, the
`796`	`790`	`return 0;`
`797`	`791`	`}`
`798`	`792`
	`793`	+Note that :c:func:`Noddy_dealloc` may call arbitrary functions through
	`794`	+``__del__`` method or weakref callback. It means circular GC can be
	`795`	`+triggered inside the function. Since GC assumes reference count is not zero,`
	`796`	+we need to untrack the object from GC by calling :c:func:`PyObject_GC_UnTrack`
	`797`	`+before clearing members. Here is reimplemented deallocator which uses`
	`798`	+:c:func:`PyObject_GC_UnTrack` and :c:func:`Noddy_clear`.
	`799`	`+`
	`800`	`+::`
	`801`	`+`
	`802`	`+ static void`
	`803`	`+ Noddy_dealloc(Noddy* self)`
	`804`	`+ {`
	`805`	`+ PyObject_GC_UnTrack(self);`
	`806`	`+ Noddy_clear(self);`
	`807`	`+ Py_TYPE(self)->tp_free((PyObject*)self);`
	`808`	`+ }`
	`809`	`+`
`799`	`810`	Finally, we add the :const:`Py_TPFLAGS_HAVE_GC` flag to the class flags::
`800`	`811`
`801`	`812`	`Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_BASETYPE \| Py_TPFLAGS_HAVE_GC, /* tp_flags */`

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ Noddy_clear(Noddy *self)`
`46`	`46`	`static void`
`47`	`47`	`Noddy_dealloc(Noddy* self)`
`48`	`48`	`{`
	`49`	`+PyObject_GC_UnTrack(self);`
`49`	`50`	`Noddy_clear(self);`
`50`	`51`	`Py_TYPE(self)->tp_free((PyObject*)self);`
`51`	`52`	`}`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call
	`2`	+``PyObject_GC_UnTrack()``.

Original file line number	Diff line number	Diff line change
`@@ -1271,6 +1271,8 @@ dequeiter_traverse(dequeiterobject dio, visitproc visit, void arg)`
`1271`	`1271`	`static void`
`1272`	`1272`	`dequeiter_dealloc(dequeiterobject *dio)`
`1273`	`1273`	`{`
	`1274`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1275`	`+PyObject_GC_UnTrack(dio);`
`1274`	`1276`	`Py_XDECREF(dio->deque);`
`1275`	`1277`	`PyObject_GC_Del(dio);`
`1276`	`1278`	`}`
`@@ -1556,6 +1558,8 @@ static PyMemberDef defdict_members[] = {`
`1556`	`1558`	`static void`
`1557`	`1559`	`defdict_dealloc(defdictobject *dd)`
`1558`	`1560`	`{`
	`1561`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1562`	`+PyObject_GC_UnTrack(dd);`
`1559`	`1563`	`Py_CLEAR(dd->default_factory);`
`1560`	`1564`	`PyDict_Type.tp_dealloc((PyObject *)dd);`
`1561`	`1565`	`}`

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,7 @@ partial_new(PyTypeObject type, PyObject args, PyObject *kw)`
`143`	`143`	`static void`
`144`	`144`	`partial_dealloc(partialobject *pto)`
`145`	`145`	`{`
	`146`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`146`	`147`	`PyObject_GC_UnTrack(pto);`
`147`	`148`	`if (pto->weakreflist != NULL)`
`148`	`149`	`PyObject_ClearWeakRefs((PyObject *) pto);`

Original file line number	Diff line number	Diff line change
`@@ -745,6 +745,7 @@ bytesio_setstate(bytesio self, PyObject state)`
`745`	`745`	`static void`
`746`	`746`	`bytesio_dealloc(bytesio *self)`
`747`	`747`	`{`
	`748`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`748`	`749`	`_PyObject_GC_UNTRACK(self);`
`749`	`750`	`if (self->buf != NULL) {`
`750`	`751`	`PyMem_Free(self->buf);`

Original file line number	Diff line number	Diff line change
`@@ -840,7 +840,8 @@ py_encode_basestring_ascii(PyObject* self UNUSED, PyObject *pystr)`
`840`	`840`	`static void`
`841`	`841`	`scanner_dealloc(PyObject *self)`
`842`	`842`	`{`
`843`		`-/* Deallocate scanner object */`
	`843`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`844`	`+PyObject_GC_UnTrack(self);`
`844`	`845`	`scanner_clear(self);`
`845`	`846`	`Py_TYPE(self)->tp_free(self);`
`846`	`847`	`}`
`@@ -2298,7 +2299,8 @@ encoder_listencode_list(PyEncoderObject s, PyObject rval, PyObject *seq, Py_ss`
`2298`	`2299`	`static void`
`2299`	`2300`	`encoder_dealloc(PyObject *self)`
`2300`	`2301`	`{`
`2301`		`-/* Deallocate Encoder */`
	`2302`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2303`	`+PyObject_GC_UnTrack(self);`
`2302`	`2304`	`encoder_clear(self);`
`2303`	`2305`	`Py_TYPE(self)->tp_free(self);`
`2304`	`2306`	`}`

Original file line number	Diff line number	Diff line change
`@@ -2214,6 +2214,8 @@ context_clear(PySSLContext *self)`
`2214`	`2214`	`static void`
`2215`	`2215`	`context_dealloc(PySSLContext *self)`
`2216`	`2216`	`{`
	`2217`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2218`	`+PyObject_GC_UnTrack(self);`
`2217`	`2219`	`context_clear(self);`
`2218`	`2220`	`SSL_CTX_free(self->ctx);`
`2219`	`2221`	`#ifdef OPENSSL_NPN_NEGOTIATED`

Original file line number	Diff line number	Diff line change
`@@ -1076,6 +1076,7 @@ dict_dealloc(register PyDictObject *mp)`
`1076`	`1076`	`{`
`1077`	`1077`	`register PyDictEntry *ep;`
`1078`	`1078`	`Py_ssize_t fill = mp->ma_fill;`
	`1079`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`1079`	`1080`	`PyObject_GC_UnTrack(mp);`
`1080`	`1081`	`Py_TRASHCAN_SAFE_BEGIN(mp)`
`1081`	`1082`	`for (ep = mp->ma_table; fill > 0; ep++) {`
`@@ -2576,6 +2577,8 @@ dictiter_new(PyDictObject dict, PyTypeObject itertype)`
`2576`	`2577`	`static void`
`2577`	`2578`	`dictiter_dealloc(dictiterobject *di)`
`2578`	`2579`	`{`
	`2580`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2581`	`+_PyObject_GC_UNTRACK(di);`
`2579`	`2582`	`Py_XDECREF(di->di_dict);`
`2580`	`2583`	`Py_XDECREF(di->di_result);`
`2581`	`2584`	`PyObject_GC_Del(di);`
`@@ -2855,6 +2858,8 @@ typedef struct {`
`2855`	`2858`	`static void`
`2856`	`2859`	`dictview_dealloc(dictviewobject *dv)`
`2857`	`2860`	`{`
	`2861`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2862`	`+_PyObject_GC_UNTRACK(dv);`
`2858`	`2863`	`Py_XDECREF(dv->dv_dict);`
`2859`	`2864`	`PyObject_GC_Del(dv);`
`2860`	`2865`	`}`

Original file line number	Diff line number	Diff line change
`@@ -549,6 +549,7 @@ set_dealloc(PySetObject *so)`
`549`	`549`	`{`
`550`	`550`	`register setentry *entry;`
`551`	`551`	`Py_ssize_t fill = so->fill;`
	`552`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`552`	`553`	`PyObject_GC_UnTrack(so);`
`553`	`554`	`Py_TRASHCAN_SAFE_BEGIN(so)`
`554`	`555`	`if (so->weakreflist != NULL)`
`@@ -811,6 +812,8 @@ typedef struct {`
`811`	`812`	`static void`
`812`	`813`	`setiter_dealloc(setiterobject *si)`
`813`	`814`	`{`
	`815`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`816`	`+_PyObject_GC_UNTRACK(si);`
`814`	`817`	`Py_XDECREF(si->si_set);`
`815`	`818`	`PyObject_GC_Del(si);`
`816`	`819`	`}`