From: Victor Stinner
Date: Fri, 9 Aug 2024 14:33:24 +0000 (+0200)
Subject: [3.12] gh-122695: Fix double-free when using `gc.get_referents` with a freed `_asynci...
X-Git-Tag: v3.12.6~83
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c57a33d006ab77ed643d780c5a2883bc3554f9db;p=thirdparty%2FPython%2Fcpython.git
[3.12] gh-122695: Fix double-free when using `gc.get_referents` with a freed `_asyncio.FutureIter` (#122837) (#122859)
[3.13] gh-122695: Fix double-free when using `gc.get_referents` with a freed `_asyncio.FutureIter` (#122837)
* Backport #122834 for 3.13
(cherry picked from commit e8fb088dbaa71dd5f0146b2f4a8f7ecbe2ce9625)
Co-authored-by: Peter Bierma
---
diff --git a/Lib/test/test_asyncio/test_futures.py b/Lib/test/test_asyncio/test_futures.py
index 2184b2091f84..6fd7436450ad 100644
--- a/Lib/test/test_asyncio/test_futures.py
+++ b/Lib/test/test_asyncio/test_futures.py
@@ -641,6 +641,14 @@ class CFutureTests(BaseFutureTests, test_utils.TestCase):
 with self.assertRaises(AttributeError):
 del fut._log_traceback
+ def test_future_iter_get_referents_segfault(self):
+ # See https://github.com/python/cpython/issues/122695
+ import _asyncio
+ it = iter(self._new_future(loop=self.loop))
+ del it
+ evil = gc.get_referents(_asyncio)
+ gc.collect()
+
 @unittest.skipUnless(hasattr(futures, '_CFuture'),
 'requires the C _asyncio module')
diff --git a/Misc/NEWS.d/next/Library/2024-08-08-15-05-58.gh-issue-122695.f7pwBv.rst b/Misc/NEWS.d/next/Library/2024-08-08-15-05-58.gh-issue-122695.f7pwBv.rst
new file mode 100644
index 000000000000..cc6bc38f4194
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-08-15-05-58.gh-issue-122695.f7pwBv.rst
@@ -0,0 +1,2 @@
+Fixed double-free when using :func:`gc.get_referents` with a freed
+:class:`asyncio.Future` iterator.
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index 6b969edca298..1bf6b6e31c42 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
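Review bot: `test_future_iter_get_referents_segfault` in `Lib/test/test_asyncio/test_futures.py` has no assertion and binds a local, `evil`, that is never read, so nothing in the test says it passes only by not crashing the interpreter. A short comment above `evil = gc.get_referents(_asyncio)` would make that explicit, for example `# Passes if the interpreter survives: hold the referents, then force a collection.` Because a regression here would be a double-free, it would probably abort the whole test process rather than report one failed test; running the body in a child interpreter (CPython's tests have `test.support.script_helper.assert_python_ok` for this) would turn it into an ordinary failure. The enclosing class `CFutureTests` starts outside the hunk, so whether `gc` is imported at module level cannot be confirmed from here.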
@@ -3606,14 +3606,6 @@ module_traverse(PyObject *mod, visitproc visit, void *arg)
 Py_VISIT(state->iscoroutine_typecache);
 Py_VISIT(state->context_kwname);
-
- // Visit freelist.
- PyObject *next = (PyObject*) state->fi_freelist;
- while (next != NULL) {
- PyObject *current = next;
- Py_VISIT(current);
- next = (PyObject*) ((futureiterobject*) current)->future;
- }
 return 0;
 }