bpo-41654: Fix deallocator of MemoryError to account for subclasses#22020
bpo-41654: Fix deallocator of MemoryError to account for subclasses#22020pablogsal merged 2 commits intopython:masterfrom
Conversation
pablogsal
force-pushed
the
bpo-41654
branch
4 times, most recently
from
e204706 to
faefcf6
Compare
pablogsal
force-pushed
the
bpo-41654
branch
2 times, most recently
from
0e25645 to
3941f94
Compare
When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.
| return Py_TYPE(self)->tp_free((PyObject *)self); | ||
| } | ||
|
|
||
| _PyObject_GC_UNTRACK(self); |
There was a problem hiding this comment.
This is a bugfix. Once this PR is merged, you may propose a PR to fix it in 3.9 and 3.8 as well. I'm surprised that _PyObject_GC_UNTRACK() doesn't crash (assert failure) on subclasses.
There was a problem hiding this comment.
This PR will be backported to all supported branches....do you want a separate PR for them?
There was a problem hiding this comment.
"This PR will be backported to all supported branches" oh ok, in this case, there is no need for a separated change ;-)
There was a problem hiding this comment.
This bug has been here since forever! 😨
vstinner
left a comment
vstinner
left a comment
There was a problem hiding this comment.
LGTM. Thanks for the fix @pablogsal!
I tested manually bug.py script attached to https://bugs.python.org/issue41654 : it crashs without the fix, it pass with the fix. I tested Python built in debug mode.
Objects/exceptions.c
Outdated
There was a problem hiding this comment.
nitpick: Can you update this line same like line 2323 after you updated this line ;)
There was a problem hiding this comment.
nitpick: Can you update this line same like line 2323 after you updated this line ;)
Here it does not make sense because we don't have an instance yet.
There was a problem hiding this comment.
oh, sorry~. Forget my comment.
Objects/exceptions.c
Outdated
There was a problem hiding this comment.
oh, sorry~. Forget my comment.
|
Thanks @pablogsal for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8, 3.9. |
|
Sorry @pablogsal, I had trouble checking out the |
|
Sorry, @pablogsal, I could not cleanly backport this to |
|
Sorry @pablogsal, I had trouble checking out the |
|
Sorry, @pablogsal, I could not cleanly backport this to |
|
@pablogsal: I don't think that this change is related to security. Why do you want to backport it to 3.6 and 3.7? https://bugs.python.org/issue41654 type is "crash", not "security". |
I normally qualify segfaults/buffer overflow as security as they can be maliciously used, but it may be a stretch. Let's backport to 3.8 and 3.9 only. |
…sses (pythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
GH-22045 is a backport of this pull request to the 3.9 branch. |
|
GH-22046 is a backport of this pull request to the 3.8 branch. |
…subclasses (pythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>. (cherry picked from commit 87e91ae) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
…subclasses (GH-22020) (GH-22046) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>. (cherry picked from commit 87e91ae) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
…sses (GH-22020) (GH-22045) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
…ythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.
8 participants
When allocating MemoryError classes, there is some logic to use
pre-allocated instances in a freelist only if the type that is being
allocated is not a subclass of MemoryError. Unfortunately in the
destructor this logic is not present so the freelist is altered even
with subclasses of MemoryError.
https://bugs.python.org/issue41654