bpo-31095: fix potential crash during GC (GH-2974)

bpo-31095: fix potential crash during GC (GH-2974) · python/cpython@a6296d3

14 files changed

lines changed

Original file line number	Diff line number	Diff line change
@@ -728,8 +728,9 @@ functions. With :c:func:`Py_VISIT`, :c:func:`Noddy_traverse` can be simplified:
`728`	`728`	`uniformity across these boring implementations.`
`729`	`729`
`730`	`730`	`We also need to provide a method for clearing any subobjects that can`
`731`		`-participate in cycles. We implement the method and reimplement the deallocator`
`732`		`-to use it::`
	`731`	`+participate in cycles.`
	`732`	`+`
	`733`	`+::`
`733`	`734`
`734`	`735`	`static int`
`735`	`736`	`Noddy_clear(Noddy *self)`
`@@ -747,13 +748,6 @@ to use it::`
`747`	`748`	`return 0;`
`748`	`749`	`}`
`749`	`750`
`750`		`- static void`
`751`		`- Noddy_dealloc(Noddy* self)`
`752`		`- {`
`753`		`- Noddy_clear(self);`
`754`		`- Py_TYPE(self)->tp_free((PyObject*)self);`
`755`		`- }`
`756`		`-`
`757`	`751`	Notice the use of a temporary variable in :c:func:`Noddy_clear`. We use the
`758`	`752`	`temporary variable so that we can set each member to NULL before decrementing`
`759`	`753`	`its reference count. We do this because, as was discussed earlier, if the`
`@@ -776,6 +770,23 @@ be simplified::`
`776`	`770`	`return 0;`
`777`	`771`	`}`
`778`	`772`
	`773`	+Note that :c:func:`Noddy_dealloc` may call arbitrary functions through
	`774`	+``__del__`` method or weakref callback. It means circular GC can be
	`775`	`+triggered inside the function. Since GC assumes reference count is not zero,`
	`776`	+we need to untrack the object from GC by calling :c:func:`PyObject_GC_UnTrack`
	`777`	`+before clearing members. Here is reimplemented deallocator which uses`
	`778`	+:c:func:`PyObject_GC_UnTrack` and :c:func:`Noddy_clear`.
	`779`	`+`
	`780`	`+::`
	`781`	`+`
	`782`	`+ static void`
	`783`	`+ Noddy_dealloc(Noddy* self)`
	`784`	`+ {`
	`785`	`+ PyObject_GC_UnTrack(self);`
	`786`	`+ Noddy_clear(self);`
	`787`	`+ Py_TYPE(self)->tp_free((PyObject*)self);`
	`788`	`+ }`
	`789`	`+`
`779`	`790`	Finally, we add the :const:`Py_TPFLAGS_HAVE_GC` flag to the class flags::
`780`	`791`
`781`	`792`	`Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_BASETYPE \| Py_TPFLAGS_HAVE_GC, /* tp_flags */`

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ Noddy_clear(Noddy *self)`
`46`	`46`	`static void`
`47`	`47`	`Noddy_dealloc(Noddy* self)`
`48`	`48`	`{`
	`49`	`+PyObject_GC_UnTrack(self);`
`49`	`50`	`Noddy_clear(self);`
`50`	`51`	`Py_TYPE(self)->tp_free((PyObject*)self);`
`51`	`52`	`}`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call
	`2`	+``PyObject_GC_UnTrack()``.

Original file line number	Diff line number	Diff line change
`@@ -1717,6 +1717,8 @@ dequeiter_traverse(dequeiterobject dio, visitproc visit, void arg)`
`1717`	`1717`	`static void`
`1718`	`1718`	`dequeiter_dealloc(dequeiterobject *dio)`
`1719`	`1719`	`{`
	`1720`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1721`	`+PyObject_GC_UnTrack(dio);`
`1720`	`1722`	`Py_XDECREF(dio->deque);`
`1721`	`1723`	`PyObject_GC_Del(dio);`
`1722`	`1724`	`}`
`@@ -2097,6 +2099,8 @@ static PyMemberDef defdict_members[] = {`
`2097`	`2099`	`static void`
`2098`	`2100`	`defdict_dealloc(defdictobject *dd)`
`2099`	`2101`	`{`
	`2102`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2103`	`+PyObject_GC_UnTrack(dd);`
`2100`	`2104`	`Py_CLEAR(dd->default_factory);`
`2101`	`2105`	`PyDict_Type.tp_dealloc((PyObject *)dd);`
`2102`	`2106`	`}`

Original file line number	Diff line number	Diff line change
`@@ -627,6 +627,7 @@ element_gc_clear(ElementObject *self)`
`627`	`627`	`static void`
`628`	`628`	`element_dealloc(ElementObject* self)`
`629`	`629`	`{`
	`630`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`630`	`631`	`PyObject_GC_UnTrack(self);`
`631`	`632`	`Py_TRASHCAN_SAFE_BEGIN(self)`
`632`	`633`
`@@ -2076,14 +2077,15 @@ elementiter_dealloc(ElementIterObject *it)`
`2076`	`2077`	`{`
`2077`	`2078`	`Py_ssize_t i = it->parent_stack_used;`
`2078`	`2079`	`it->parent_stack_used = 0;`
	`2080`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2081`	`+PyObject_GC_UnTrack(it);`
`2079`	`2082`	`while (i--)`
`2080`	`2083`	`Py_XDECREF(it->parent_stack[i].parent);`
`2081`	`2084`	`PyMem_Free(it->parent_stack);`
`2082`	`2085`
`2083`	`2086`	`Py_XDECREF(it->sought_tag);`
`2084`	`2087`	`Py_XDECREF(it->root_element);`
`2085`	`2088`
`2086`		`-PyObject_GC_UnTrack(it);`
`2087`	`2089`	`PyObject_GC_Del(it);`
`2088`	`2090`	`}`
`2089`	`2091`

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,7 @@ partial_new(PyTypeObject type, PyObject args, PyObject *kw)`
`113`	`113`	`static void`
`114`	`114`	`partial_dealloc(partialobject *pto)`
`115`	`115`	`{`
	`116`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`116`	`117`	`PyObject_GC_UnTrack(pto);`
`117`	`118`	`if (pto->weakreflist != NULL)`
`118`	`119`	`PyObject_ClearWeakRefs((PyObject *) pto);`
`@@ -1073,7 +1074,11 @@ lru_cache_clear_list(lru_list_elem *link)`
`1073`	`1074`	`static void`
`1074`	`1075`	`lru_cache_dealloc(lru_cache_object *obj)`
`1075`	`1076`	`{`
`1076`		`-lru_list_elem *list = lru_cache_unlink_list(obj);`
	`1077`	`+lru_list_elem *list;`
	`1078`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1079`	`+PyObject_GC_UnTrack(obj);`
	`1080`	`+`
	`1081`	`+list = lru_cache_unlink_list(obj);`
`1077`	`1082`	`Py_XDECREF(obj->maxsize_O);`
`1078`	`1083`	`Py_XDECREF(obj->func);`
`1079`	`1084`	`Py_XDECREF(obj->cache);`

Original file line number	Diff line number	Diff line change
`@@ -1084,6 +1084,8 @@ bytesiobuf_traverse(bytesiobuf self, visitproc visit, void arg)`
`1084`	`1084`	`static void`
`1085`	`1085`	`bytesiobuf_dealloc(bytesiobuf *self)`
`1086`	`1086`	`{`
	`1087`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1088`	`+PyObject_GC_UnTrack(self);`
`1087`	`1089`	`Py_CLEAR(self->source);`
`1088`	`1090`	`Py_TYPE(self)->tp_free(self);`
`1089`	`1091`	`}`

Original file line number	Diff line number	Diff line change
`@@ -655,7 +655,8 @@ py_encode_basestring(PyObject* self UNUSED, PyObject *pystr)`
`655`	`655`	`static void`
`656`	`656`	`scanner_dealloc(PyObject *self)`
`657`	`657`	`{`
`658`		`-/* Deallocate scanner object */`
	`658`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`659`	`+PyObject_GC_UnTrack(self);`
`659`	`660`	`scanner_clear(self);`
`660`	`661`	`Py_TYPE(self)->tp_free(self);`
`661`	`662`	`}`
`@@ -1778,7 +1779,8 @@ encoder_listencode_list(PyEncoderObject s, _PyAccu acc,`
`1778`	`1779`	`static void`
`1779`	`1780`	`encoder_dealloc(PyObject *self)`
`1780`	`1781`	`{`
`1781`		`-/* Deallocate Encoder */`
	`1782`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1783`	`+PyObject_GC_UnTrack(self);`
`1782`	`1784`	`encoder_clear(self);`
`1783`	`1785`	`Py_TYPE(self)->tp_free(self);`
`1784`	`1786`	`}`

Original file line number	Diff line number	Diff line change
`@@ -2778,6 +2778,8 @@ context_clear(PySSLContext *self)`
`2778`	`2778`	`static void`
`2779`	`2779`	`context_dealloc(PySSLContext *self)`
`2780`	`2780`	`{`
	`2781`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`2782`	`+PyObject_GC_UnTrack(self);`
`2781`	`2783`	`context_clear(self);`
`2782`	`2784`	`SSL_CTX_free(self->ctx);`
`2783`	`2785`	`#ifdef OPENSSL_NPN_NEGOTIATED`
`@@ -4292,6 +4294,7 @@ static PyTypeObject PySSLMemoryBIO_Type = {`
`4292`	`4294`	`static void`
`4293`	`4295`	`PySSLSession_dealloc(PySSLSession *self)`
`4294`	`4296`	`{`
	`4297`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
`4295`	`4298`	`PyObject_GC_UnTrack(self);`
`4296`	`4299`	`Py_XDECREF(self->ctx);`
`4297`	`4300`	`if (self->session != NULL) {`

Original file line number	Diff line number	Diff line change
`@@ -1589,6 +1589,8 @@ typedef struct {`
`1589`	`1589`	`static void`
`1590`	`1590`	`unpackiter_dealloc(unpackiterobject *self)`
`1591`	`1591`	`{`
	`1592`	`+/* bpo-31095: UnTrack is needed before calling any callbacks */`
	`1593`	`+PyObject_GC_UnTrack(self);`
`1592`	`1594`	`Py_XDECREF(self->so);`
`1593`	`1595`	`PyBuffer_Release(&self->buf);`
`1594`	`1596`	`PyObject_GC_Del(self);`