Issue 36907: Crash due to borrowed references in _PyStack_UnpackDict()
Created on 2019-05-13 19:40 by jdemeyer, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Messages (9)
Author: Jeroen Demeyer (jdemeyer) *
Date: 2019-05-13 19:40
class IntWithDict:
    def __init__(self, **kwargs):
        self.kwargs = kwargs
    def __index__(self):
        self.kwargs.clear()
        L = [2**i for i in range(10000)]
        return 0
x = IntWithDict(dont_inherit=float())
compile("", "", "", x, **x.kwargs)

The above crashes CPython due to the usage of borrowed references in _PyStack_UnpackDict(): the dict x.kwargs contains the only reference to the float() object stored in x.kwargs.
When parsing the arguments, x.__int__() is called, which clears the dict, removing the only reference to that float().
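The failure mode reported above, as an added toy model in C (not CPython's code and not the patch from this issue): `Obj`, `Dict`, `unpack` and `dangling_after_call` are hypothetical names, and "freeing" only clears a flag so the dangling pointer can be detected safely. It contrasts unpacking with borrowed pointers against an array that takes its own reference to every entry.

```c
#include <stdio.h>

/* Toy refcounted object: "freeing" only clears `alive`, so a dangling
   pointer can be detected safely instead of being used after free. */
typedef struct { int refcnt; int alive; } Obj;

static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->alive = 0; }

/* Toy dict: owns one reference to each value it stores. */
typedef struct { Obj *values[4]; int len; } Dict;

static void dict_clear(Dict *d) {
    for (int i = 0; i < d->len; i++) decref(d->values[i]);
    d->len = 0;
}

/* Unpack dict values into a flat argument array.
   own == 0: borrowed pointers (the pattern the issue reports).
   own == 1: the array takes its own reference to every entry. */
static int unpack(const Dict *d, Obj **stack, int own) {
    for (int i = 0; i < d->len; i++) {
        stack[i] = d->values[i];
        if (own) incref(stack[i]);
    }
    return d->len;
}

/* Simulates the call: unpack kwargs, run user code that clears the dict
   (as __index__ does in the reproducer), then count how many unpacked
   arguments are dangling at the point the callee would use them. */
static int dangling_after_call(int own) {
    Obj value = { 1, 1 };            /* the dict holds the only reference */
    Dict kwargs = { { &value }, 1 };
    Obj *stack[4];
    int n = unpack(&kwargs, stack, own), dangling = 0;

    dict_clear(&kwargs);             /* argument parsing runs user code */

    for (int i = 0; i < n; i++) {
        if (!stack[i]->alive) dangling++;
        if (own) decref(stack[i]);   /* release the array's references */
    }
    return dangling;
}

int main(void) {
    printf("borrowed: %d dangling\n", dangling_after_call(0));
    printf("owned:    %d dangling\n", dangling_after_call(1));
    return 0;
}
```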
Author: Jeroen Demeyer (jdemeyer) *
Date: 2019-05-13 19:51
Ideally, this would be fixed together with #36904.
Author: Jeroen Demeyer (jdemeyer) *
Date: 2019-05-13 20:09
The idea of #36904 could be used here: define a special kind of tuple, which is like an ordinary tuple followed by a C array of PyObject* entries (all refcounted), terminated by a NULL to know where it ends. A special deallocation function would decref all entries.
Author: Petr Viktorin (petr.viktorin) *
Date: 2019-05-22 11:09
New changeset 77aa396bb9415428de09112ddf6b34bb843811eb by Petr Viktorin (Jeroen Demeyer) in branch 'master':
bpo-36907: fix refcount bug in _PyStack_UnpackDict() (GH-13381)
https://github.com/python/cpython/commit/77aa396bb9415428de09112ddf6b34bb843811eb
Author: Petr Viktorin (petr.viktorin) *
Date: 2019-05-22 11:16
Jeroen, do you want to also do a backport for 3.7?
Author: Jeroen Demeyer (jdemeyer) *
Date: 2019-05-22 11:35
> Jeroen, do you want to also do a backport for 3.7?
Don't we have a bot for that?
Author: Petr Viktorin (petr.viktorin) *
Date: 2019-05-22 11:41
We do, but here the test will need to be changed:
Python 3.7.3+ (heads/3.7:791e5fcbab, May 22 2019, 13:37:27)
[GCC 9.1.1 20190503 (Red Hat 9.1.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> class IntWithDict:
...     def __init__(self, **kwargs):
...         self.kwargs = kwargs
...     def __index__(self):
...         self.kwargs.clear()
...         return 0
...
>>> x = IntWithDict(dont_inherit=float())
>>> compile("", "", "", x, **x.kwargs)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: an integer is required (got type IntWithDict)
Author: Jeroen Demeyer (jdemeyer) *
Date: 2019-05-22 12:12
Using __int__ instead of __index__ works. PR coming right away.
Author: Petr Viktorin (petr.viktorin) *
Date: 2019-05-22 12:52
New changeset d092caf096fa48baadfc0900792206bb5aa0192d by Petr Viktorin (Jeroen Demeyer) in branch '3.7':
bpo-36907: fix refcount bug in _PyStack_UnpackDict() (GH-13381) (GH-13493)
https://github.com/python/cpython/commit/d092caf096fa48baadfc0900792206bb5aa0192d
History
Date  User  Action  Args
2022-04-11 14:59:15  admin  set  github: 81088
2019-05-22 12:52:41  petr.viktorin  set  status: open -> closed; resolution: fixed; stage: patch review -> resolved
2019-05-22 12:52:18  petr.viktorin  set  messages: +
2019-05-22 12:14:06  jdemeyer  set  pull_requests: + pull_request13408
2019-05-22 12:12:26  jdemeyer  set  messages: +
2019-05-22 11:41:43  petr.viktorin  set  messages: +
2019-05-22 11:35:25  jdemeyer  set  messages: +
2019-05-22 11:16:59  petr.viktorin  set  messages: +
2019-05-22 11:09:40  petr.viktorin  set  nosy: + petr.viktorin; messages: +
2019-05-17 10:35:05  jdemeyer  set  pull_requests: + pull_request13292
2019-05-14 09:44:43  jdemeyer  set  keywords: + patch; stage: patch review; pull_requests: + pull_request13217
2019-05-13 20:09:21  jdemeyer  set  messages: +
2019-05-13 19:51:44  jdemeyer  set  messages: +
2019-05-13 19:40:22  jdemeyer  set  type: crash
2019-05-13 19:40:03  jdemeyer  create