gh-122527: Fix a crash on deallocation of PyStructSequence
#122577
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe.
encukou
approved these changes
Aug 2, 2024
|
I think we should probably backport this to 3.13. And maybe 3.12? What do you think? |
|
I'll add the labels to get the PRs setup and CI started. If the decision ends up not to backport, we can just close those PRs. |
colesbury
added
needs backport to 3.12
|
Thanks @colesbury for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12. |
|
Thanks @colesbury for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13. |
|
Sorry, @colesbury and @encukou, I could not cleanly backport this to |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Aug 2, 2024
…ythonGH-122577) The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe. (cherry picked from commit 4b63cd1) Co-authored-by: Sam Gross <[email protected]>
|
GH-122625 is a backport of this pull request to the 3.13 branch. |
|
GH-122626 is a backport of this pull request to the 3.12 branch. |
|
For 3.13.1, definitely. 3.12, doesn't have free-threading, and skipping a version when backporting is confusing, so I'd backport it after 3.13.1. Does that sound reasonable? |
brandtbucher
pushed a commit
to brandtbucher/cpython
that referenced
this pull request
Aug 7, 2024
…ythonGH-122577) The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe.
| @@ -41,12 +41,20 @@ get_type_attr_as_size(PyTypeObject *tp, PyObject *name) | |||
| get_type_attr_as_size(tp, &_Py_ID(n_sequence_fields)) | |||
| #define REAL_SIZE_TP(tp) \ | |||
| get_type_attr_as_size(tp, &_Py_ID(n_fields)) | |||
| #define REAL_SIZE(op) REAL_SIZE_TP(Py_TYPE(op)) | |||
| #define REAL_SIZE(op) get_real_size((PyObject *)op) | |||
There was a problem hiding this comment.
Why not change also REAL_SIZE_TP?
There was a problem hiding this comment.
The new calculation involves Py_SIZE(op), so we can't do it on the type alone.
| script_helper.assert_python_ok("-c", textwrap.dedent(r""" | ||
| import time | ||
| t = time.gmtime() | ||
| type(t).refcyle = t |
blhsing
pushed a commit
to blhsing/cpython
that referenced
this pull request
Aug 22, 2024
…ythonGH-122577) The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe.
Yhg1s
pushed a commit
that referenced
this pull request
Sep 2, 2024
…H-122577) (#122625) gh-122527: Fix a crash on deallocation of `PyStructSequence` (GH-122577) The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe. (cherry picked from commit 4b63cd1) Co-authored-by: Sam Gross <[email protected]>
ambv
pushed a commit
that referenced
this pull request
Sep 6, 2024
…H-122577) (#122626) The `PyStructSequence` destructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in which `tp_clear()` was called. Account for the non-sequence fields in `tp_basicsize` and use that, along with `Py_SIZE()`, to compute the "real" size of a `PyStructSequence` in the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe. (cherry picked from commit 4b63cd1)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
PyStructSequencedestructor would crash if it was deallocated after its type's dictionary was cleared by the GC, because it couldn't compute the "real size" of the instance. This could occur with relatively straightforward code in the free-threaded build or with a reference cycle involving the type in the default build, due to differing orders in whichtp_clear()was called.Account for the non-sequence fields in
tp_basicsizeand use that, along withPy_SIZE(), to compute the "real" size of aPyStructSequencein the dealloc function. This avoids the accesses to the type's dictionary during dealloc, which were unsafe.