https://github.com/python/cpython/commit/072cd7c33627a90e9399d9d880d764407584b08e
commit: 072cd7c33627a90e9399d9d880d764407584b08e
branch: main
author: Pablo Galindo Salgado <[email protected]>
committer: Yhg1s <[email protected]>
date: 2026-02-12T11:45:28Z
summary:

gh-142349: Fix refcount corruption in lazy import specialization (#144733)

Remove spurious Py_DECREF on borrowed ref in LOAD_GLOBAL specialization

_PyDict_LookupIndexAndValue() returns a borrowed reference via
_Py_dict_lookup(), but specialize_load_global_lock_held() called
Py_DECREF(value) on it when bailing out for lazy imports. Each time
the adaptive counter fired while a lazy import was still in globals,
this stole one reference from the dict's object. With 8+ threads
racing through LOAD_GLOBAL during concurrent lazy import resolution,
enough triggers accumulated to drive the refcount to zero while the
dict and other threads still referenced the object, causing
use-after-free.

files:
M Python/specialize.c

diff --git a/Python/specialize.c b/Python/specialize.c
index 7c02e929d47d9e..5ba016f83ea077 100644
--- a/Python/specialize.c
+++ b/Python/specialize.c
@@ -1321,7 +1321,6 @@ specialize_load_global_lock_held(
     }
     if (value != NULL && PyLazyImport_CheckExact(value)) {
         SPECIALIZATION_FAIL(LOAD_GLOBAL, SPEC_FAIL_ATTR_MODULE_LAZY_VALUE);
-        Py_DECREF(value);
         goto fail;
     }
     PyInterpreterState *interp = _PyInterpreterState_GET();
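Review bot: The lazy-import bail-out branch at `if (value != NULL && PyLazyImport_CheckExact(value))` now has nothing stating that `value` is borrowed, so the same stray decref could be reintroduced on this or another `goto fail` path. Consider a one-line comment in that branch noting that `value` is a borrowed reference obtained from `_PyDict_LookupIndexAndValue()` and must not be released here. The change touches only Python/specialize.c. A regression test that drives LOAD_GLOBAL from several threads while a lazy import is still in globals, the scenario described in the commit message, would catch the use-after-free if it returns.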
