bpo-36907: fix refcount bug in _PyStack_UnpackDict() (GH-13381) (GH-1…

bpo-36907: fix refcount bug in _PyStack_UnpackDict() (GH-13381) (GH-1… · python/cpython@d092caf

3 files changed

lines changed

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`import struct`
`9`	`9`	`import collections`
`10`	`10`	`import itertools`
	`11`	`+import gc`
`11`	`12`
`12`	`13`
`13`	`14`	`class FunctionCalls(unittest.TestCase):`
`@@ -438,6 +439,22 @@ def test_fastcall_keywords(self):`
`438`	`439`	`result = _testcapi.pyobject_fastcallkeywords(func, args, kwnames)`
`439`	`440`	`self.check_result(result, expected)`
`440`	`441`
	`442`	`+def test_fastcall_clearing_dict(self):`
	`443`	`+# Test bpo-36907: the point of the test is just checking that this`
	`444`	`+# does not crash.`
	`445`	`+class IntWithDict:`
	`446`	`+__slots__ = ["kwargs"]`
	`447`	`+def __init__(self, **kwargs):`
	`448`	`+self.kwargs = kwargs`
	`449`	`+def __int__(self):`
	`450`	`+self.kwargs.clear()`
	`451`	`+gc.collect()`
	`452`	`+return 0`
	`453`	`+x = IntWithDict(dont_inherit=IntWithDict())`
	`454`	`+# We test the argument handling of "compile" here, the compilation`
	`455`	`+# itself is not relevant. When we pass flags=x below, x.__int__() is`
	`456`	`+# called, which changes the keywords dict.`
	`457`	`+compile("pass", "", "exec", x, **x.kwargs)`
`441`	`458`
`442`	`459`	`if __name__ == "__main__":`
`443`	`460`	`unittest.main()`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix a crash when calling a C function with a keyword dict (``f(**kwargs)``)
	`2`	+and changing the dict ``kwargs`` while that function is running.

Original file line number	Diff line number	Diff line change
`@@ -542,10 +542,14 @@ _PyMethodDef_RawFastCallDict(PyMethodDef method, PyObject self,`
`542`	`542`	`}`
`543`	`543`
`544`	`544`	`result = (*fastmeth) (self, stack, nargs, kwnames);`
`545`		`-if (stack != args) {`
	`545`	`+if (kwnames != NULL) {`
	`546`	`+Py_ssize_t i, n = nargs + PyTuple_GET_SIZE(kwnames);`
	`547`	`+for (i = 0; i < n; i++) {`
	`548`	`+Py_DECREF(stack[i]);`
	`549`	`+ }`
`546`	`550`	`PyMem_Free((PyObject **)stack);`
	`551`	`+Py_DECREF(kwnames);`
`547`	`552`	`}`
`548`		`-Py_XDECREF(kwnames);`
`549`	`553`	`break;`
`550`	`554`	`}`
`551`	`555`
`@@ -1379,8 +1383,11 @@ _PyStack_UnpackDict(PyObject const args, Py_ssize_t nargs, PyObject *kwargs,`
`1379`	`1383`	`return -1;`
`1380`	`1384`	`}`
`1381`	`1385`
`1382`		`-/* Copy position arguments (borrowed references) */`
`1383`		`-memcpy(stack, args, nargs * sizeof(stack[0]));`
	`1386`	`+/* Copy positional arguments */`
	`1387`	`+for (i = 0; i < nargs; i++) {`
	`1388`	`+Py_INCREF(args[i]);`
	`1389`	`+stack[i] = args[i];`
	`1390`	`+ }`
`1384`	`1391`
`1385`	`1392`	`kwstack = stack + nargs;`
`1386`	`1393`	`pos = i = 0;`
`@@ -1389,8 +1396,8 @@ _PyStack_UnpackDict(PyObject const args, Py_ssize_t nargs, PyObject *kwargs,`
`1389`	`1396`	`called in the performance critical hot code. */`
`1390`	`1397`	`while (PyDict_Next(kwargs, &pos, &key, &value)) {`
`1391`	`1398`	`Py_INCREF(key);`
	`1399`	`+Py_INCREF(value);`
`1392`	`1400`	`PyTuple_SET_ITEM(kwnames, i, key);`
`1393`		`-/* The stack contains borrowed references */`
`1394`	`1401`	`kwstack[i] = value;`
`1395`	`1402`	`i++;`
`1396`	`1403`	`}`