gh-118561: Fix crash involving list.extend in free-threaded build (#118723)

The `list_preallocate_exact` function did not zero initialize array
contents. In the free-threaded build, this could expose uninitialized
memory to concurrent readers between the call to
`list_preallocate_exact` and the filling of the array contents with
items.

diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
new file mode 100644 (file)
index 0000000..9eaf0ab
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
@@ -0,0 +1,2 @@
+Fix race condition in free-threaded build where :meth:`list.extend` could expose
+uninitialied memory to concurrent readers.

diff --git a/Objects/listobject.c b/Objects/listobject.c
index 3c4e2d2e6ed7ded1ba3427528dbfaef8f4755ff5..7070165014f1379bec55cb257c9b9bf14b37ed5d 100644 (file)
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -192,6 +192,7 @@ list_preallocate_exact(PyListObject *self, Py_ssize_t size)
         return -1;
     }
     items = array->ob_item;
+    memset(items, 0, size * sizeof(PyObject *));
 #else
     items = PyMem_New(PyObject*, size);
     if (items == NULL) {
@@ -199,7 +200,7 @@ list_preallocate_exact(PyListObject *self, Py_ssize_t size)
         return -1;
     }
 #endif
-    self->ob_item = items;
+    FT_ATOMIC_STORE_PTR_RELEASE(self->ob_item, items);
     self->allocated = size;
     return 0;
 }