[backport to 3.5] bpo-29438: Fixed use-after-free in key sharing dict#40
[backport to 3.5] bpo-29438: Fixed use-after-free in key sharing dict#40methane merged 1 commit intopython:3.5from
Conversation
methane
changed the title
| } | ||
| if (value == NULL) { | ||
| res = PyDict_DelItem(dict, key); | ||
| if (cached != ((PyDictObject *)dict)->ma_keys) { |
There was a problem hiding this comment.
Why these lines are deleted?
There was a problem hiding this comment.
In Python 3.5, PyDict_DelItem won't resize dict. So cached == dict->ma_keys in most cases.
One exception is callback called by weakref or __del__ inserts some items to the dict and resize happened.
In this case, cached != CACHED_KEYS(tp), so DK_DECREF(cached) will be "use-after-free".
In such case, the insertion from the callback would update CACHED_KEYS(tp) correctly.
So clearing CACHED_KEYS(tp) doesn't make sense for most case.
Even when the callback inserts items through __dict__ (not regular attribute access), skipping CACHED_KEYS(tp) = NULL
doesn't cause uncontrolled memory growth. And it happens very rarely.
So I think this code is not worth enough.
Remove `get_lazy_modules` from docs
Move bytecode_offset=-1 initialization into hir_c_alloc_instr so the invariant is structurally enforced — even if hir_c_init_instr is accidentally skipped, bytecode_offset will be -1 (not 0 from calloc). Add runtime regression test in hir_instr_c_verify.cpp that verifies the invariant for all three allocation paths (raw alloc, init_instr, init_deopt). Runs at startup via __attribute__((constructor)). Addresses gap flagged 5 times (Pythia python#14, python#40, python#59, librarian x2).
4 participants
No description provided.