[3.14] gh-151763: Fix possible crash on `CodeType` deallocation (GH-152034) (#152070)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Wed, 24 Jun 2026 12:11:44 +0000 (14:11 +0200)

committer GitHub <noreply@github.com>

Wed, 24 Jun 2026 12:11:44 +0000 (12:11 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 24 Jun 2026 12:11:44 +0000 (14:11 +0200)
committer GitHub <noreply@github.com>
Wed, 24 Jun 2026 12:11:44 +0000 (12:11 +0000)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst

new file mode 100644 (file)

index 0000000..d4746e9
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst
@@ -0,0 +1 @@
+Fixes possible crash on :class:`types.CodeType` deallocation.
diff --git a/Objects/codeobject.c b/Objects/codeobject.c

index 66af1f1e160c84c239797da4937688a08b3c57d7..ff85b11ecbc23f16e6714f8223f7355fbe5581e7 100644 (file)
--- a/Objects/codeobject.c
+++ b/Objects/codeobject.c
@@ -745,6 +745,10 @@ _PyCode_New(struct _PyCodeConstructor *con)
          return NULL;
      }
  
+#ifdef Py_GIL_DISABLED
+    co->_co_unique_id = _Py_INVALID_UNIQUE_ID;
+#endif
+
      if (init_code(co, con) < 0) {
          Py_DECREF(co);
          return NULL;
@@ -2545,15 +2549,17 @@ code_dealloc(PyObject *self)
      FT_CLEAR_WEAKREFS(self, co->co_weakreflist);
      free_monitoring_data(co->_co_monitoring);
  #ifdef Py_GIL_DISABLED
-    // The first element always points to the mutable bytecode at the end of
-    // the code object, which will be freed when the code object is freed.
-    for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
-        char *entry = co->co_tlbc->entries[i];
-        if (entry != NULL) {
-            PyMem_Free(entry);
+    if (co->co_tlbc != NULL) {
+        // The first element always points to the mutable bytecode at the end of
+        // the code object, which will be freed when the code object is freed.
+        for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
+            char *entry = co->co_tlbc->entries[i];
+            if (entry != NULL) {
+                PyMem_Free(entry);
+            }
          }
+        PyMem_Free(co->co_tlbc);
      }
-    PyMem_Free(co->co_tlbc);
  #endif
      PyObject_Free(co);
  }
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Wed, 24 Jun 2026 12:11:44 +0000 (14:11 +0200)
committer	GitHub <noreply@github.com>
	Wed, 24 Jun 2026 12:11:44 +0000 (12:11 +0000)
Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst	[new file with mode: 0644]	patch \| blob
Objects/codeobject.c		patch \| blob \| blame \| history