https://github.com/python/cpython/commit/e8b34391e557b44a6f836dff2bfb61769f7b2e39
commit: e8b34391e557b44a6f836dff2bfb61769f7b2e39
branch: 3.15
author: Miss Islington (bot) <[email protected]>
committer: sobolevn <[email protected]>
date: 2026-06-24T12:17:41Z
summary:

[3.15] gh-151763: Fix possible crash on `CodeType` deallocation (GH-152034) 
(#152069)

gh-151763: Fix possible crash on `CodeType` deallocation (GH-152034)
(cherry picked from commit 22dd5b5b374c8eb4def7d55bb8de5928e345c73a)

Co-authored-by: sobolevn <[email protected]>

files:
A 
Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst
M Objects/codeobject.c

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst
new file mode 100644
index 000000000000000..d4746e992f8779d
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-23-23-48-54.gh-issue-151763.Eu8pYQ.rst
@@ -0,0 +1 @@
+Fixes possible crash on :class:`types.CodeType` deallocation.
diff --git a/Objects/codeobject.c b/Objects/codeobject.c
index 4ede8de6e8adc5f..03036020b1cb1ae 100644
--- a/Objects/codeobject.c
+++ b/Objects/codeobject.c
@@ -743,6 +743,10 @@ _PyCode_New(struct _PyCodeConstructor *con)
         return NULL;
     }
 
+#ifdef Py_GIL_DISABLED
+    co->_co_unique_id = _Py_INVALID_UNIQUE_ID;
+#endif
+
     if (init_code(co, con) < 0) {
         Py_DECREF(co);
         return NULL;
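Review bot: Only `_co_unique_id` is given a safe value before `init_code()`, but the failure path directly below runs `Py_DECREF(co)`, and the deallocator in the second hunk also reads `co->co_weakreflist`, `co->_co_monitoring` and `co->co_tlbc`. The new `co->co_tlbc != NULL` guard is only sound if `co_tlbc` is really NULL, not indeterminate, on every path where `init_code()` returns -1. The allocation of `co` and the body of `init_code()` are outside this hunk, so that cannot be confirmed from here. If it is not guaranteed, add `co->co_tlbc = NULL;` inside the same `#ifdef Py_GIL_DISABLED` block. Either way, a comment such as `// code_dealloc() runs if init_code() fails; every field it reads must be valid first` would record the invariant for the next field added to the deallocator.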
@@ -2449,15 +2453,17 @@ code_dealloc(PyObject *self)
     FT_CLEAR_WEAKREFS(self, co->co_weakreflist);
     free_monitoring_data(co->_co_monitoring);
 #ifdef Py_GIL_DISABLED
-    // The first element always points to the mutable bytecode at the end of
-    // the code object, which will be freed when the code object is freed.
-    for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
-        char *entry = co->co_tlbc->entries[i];
-        if (entry != NULL) {
-            PyMem_Free(entry);
+    if (co->co_tlbc != NULL) {
+        // The first element always points to the mutable bytecode at the end of
+        // the code object, which will be freed when the code object is freed.
+        for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
+            char *entry = co->co_tlbc->entries[i];
+            if (entry != NULL) {
+                PyMem_Free(entry);
+            }
         }
+        PyMem_Free(co->co_tlbc);
     }
-    PyMem_Free(co->co_tlbc);
 #endif
     PyObject_Free(co);
 }
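Review bot: The new `if (co->co_tlbc != NULL)` guard in `code_dealloc` has no comment saying when the array can be missing, so a later cleanup could easily remove it as redundant. Presumably this is the partially constructed object released by `_PyCode_New()` when `init_code()` fails, and a line such as `// co_tlbc is NULL if _PyCode_New() failed before the array was allocated` above the `if` would make that explicit. The file list shows only the NEWS entry and `Objects/codeobject.c`, so nothing in this commit exercises the failure path. A regression test that forces an allocation failure during code object creation would keep the crash from returning unnoticed. The top of `code_dealloc` is outside the hunk, so any other fields it reads earlier are not covered here.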
