
_PyObject_ResurrectEnd may deallocate object in the "resurrection" case #130202

@colesbury

Description


Bug report

See #130163 (comment) for reproducer.

Yeah, I think that's another bug with _PyObject_ResurrectEnd. In the resurrection case, the object may still be deallocated. In particular, _Py_brc_queue_object() may immediately free the object or lead to it being freed by another thread. The calls below _PyObject_ResurrectEnd() are not safe:

cpython/Objects/object.c, lines 594 to 604 in 655fc8a:

```c
    if (!_PyObject_ResurrectEnd(self)) {
        return 0; /* this is the normal path out */
    }
    /* tp_finalize resurrected it! Make it look like the original Py_DECREF
     * never happened. */
    _Py_ResurrectReference(self);
    _PyObject_ASSERT(self,
                     (!_PyType_IS_GC(Py_TYPE(self))
                      || _PyObject_GC_IS_TRACKED(self)));
```

We either need to ensure that the object remains alive after _PyObject_ResurrectEnd() returns 1, or rearrange the resurrection code.

Originally posted by @colesbury in #130163

I am not yet sure how we want to fix this.
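A toy C model of the hazard described in this report, added here as an illustration and not code from CPython: `toy_object`, `toy_queue_object`, `toy_resurrect_end`, `race_scenario` and the two caller variants are hypothetical simplifications of biased reference counting, not the real implementation. It contrasts the caller pattern quoted above (touching the object after a return value of 1) with a variant that keeps its own reference alive across the call.

```c
#include <stdbool.h>

/* Toy biased-refcount model: an owner-thread count plus a count modified by
 * other threads, merged when the object is queued back to its owner. Freeing
 * is simulated with a flag so the model stays memory safe. */
typedef struct {
    int local;    /* owner-thread references */
    int shared;   /* references added/removed by other threads (may be negative) */
    bool freed;   /* stands in for the memory actually being released */
} toy_object;

/* Hypothetical stand-in for _Py_brc_queue_object(): merge the shared count into
 * the owner's count and free the object if nothing references it any more. */
static void toy_queue_object(toy_object *o) {
    o->local += o->shared;
    o->shared = 0;
    if (o->local == 0) o->freed = true;
}

/* Hypothetical stand-in for _PyObject_ResurrectEnd(): drop the temporary ref
 * held for tp_finalize, return 1 if extra references remain (resurrection) and
 * 0 on the normal path. The hazard: the decision uses the owner's count alone,
 * and the queue step that follows may free the object, so 1 != "still alive". */
static int toy_resurrect_end(toy_object *o, int caller_refs) {
    o->local -= 1;
    int resurrected = (o->local != caller_refs);
    if (resurrected) toy_queue_object(o);   /* may free o right here */
    return resurrected;
}
/* Constructed scenario: tp_finalize stored one owner reference while the
 * temporary reference was held, and another thread has since dropped that
 * stored reference from its side (shared = -1), unseen by the owner's count. */
static toy_object race_scenario(void) { toy_object o = {2, -1, false}; return o; }
/* Caller pattern from the issue: touches the object after the call returned 1.
 * Returns true when that touch landed on an already-freed object. */
static bool unsafe_after_resurrect(toy_object *o) {
    if (!toy_resurrect_end(o, 0)) return false;   /* normal path */
    return o->freed;                              /* real code would read freed memory */
}

/* Safe variant: hold an extra owner reference across the call and release it
 * only after the last use (one of the fix directions the issue mentions). */
static bool safe_after_resurrect(toy_object *o) {
    o->local += 1;
    bool touched_freed = toy_resurrect_end(o, 1) && o->freed;
    if (--o->local == 0 && o->shared == 0) o->freed = true;   /* release after use */
    return touched_freed;
}
static bool run_unsafe(void) { toy_object o = race_scenario(); return unsafe_after_resurrect(&o); }
static bool run_safe(void)   { toy_object o = race_scenario(); return safe_after_resurrect(&o); }
```

In the constructed scenario `run_unsafe` reports a use of the object after the model freed it, while `run_safe` does not, because the extra reference defers the free until after the last access.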

Labels

topic-free-threading, type-bug (an unexpected behavior, bug, or error), type-crash (a hard crash of the interpreter, possibly with a core dump)
