-
-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpo-40412: Nullify inittab_copy during finalization #19746
Conversation
Otherwise we leave a dangling pointer to free'd memory. If we then initialize a new interpreter in the same process and call PyImport_ExtendInittab, we will (likely) crash when calling PyMem_RawRealloc(inittab_copy, ...) since the pointer address is bogus.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Good catch! How did you notice this?
I discovered it while writing tests for PyOxidizer's custom meta path importer. The tests initialize several Python interpreters per process. Also, is it too late to get this patch in 3.8.3? |
@indygreg mind doing a quick news entry? This close to beta means people are starting to care about every change more and more. You can use https://blurb-it.herokuapp.com/ as linked from "Details" for the bedevere/news line if you want to use a web form to fill it out. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simplification of the news entry and then this is ready to go!
Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst
Outdated
Show resolved
Hide resolved
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
@indygreg: Status check is done, and it's a failure ❌ . |
OK, thanks to the flag being set for submitting my own suggestions, this PR looks good to go! I have set it to automerge and backport to 3.8 and 3.7. |
I also tossed in a 3.6 backport in case Ned wants to take it due to it being a memory thing. |
@indygreg: Status check is done, and it's a failure ❌ . |
@indygreg: Status check is done, and it's a success ✅ . |
Thanks @indygreg for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8. |
Otherwise we leave a dangling pointer to free'd memory. If we then initialize a new interpreter in the same process and call PyImport_ExtendInittab, we will (likely) crash when calling PyMem_RawRealloc(inittab_copy, ...) since the pointer address is bogus. Automerge-Triggered-By: @brettcannon (cherry picked from commit 64224a4) Co-authored-by: Gregory Szorc <[email protected]>
GH-19841 is a backport of this pull request to the 3.8 branch. |
Otherwise we leave a dangling pointer to free'd memory. If we then initialize a new interpreter in the same process and call PyImport_ExtendInittab, we will (likely) crash when calling PyMem_RawRealloc(inittab_copy, ...) since the pointer address is bogus. Automerge-Triggered-By: @brettcannon (cherry picked from commit 64224a4) Co-authored-by: Gregory Szorc <[email protected]>
GH-19842 is a backport of this pull request to the 3.7 branch. |
Sorry, @indygreg, I could not cleanly backport this to |
While NULLifying the invalid pointer is certainly worthy of backporting everywhere, I'm not sure this issue is reproducible on Python <3.8. The reason is that the code that clears this pointer appears to be called after I've already thrown away PyOxidizer's code to support Python 3.7 and can't easily test. This will require a source inspection to validate against older versions. |
Otherwise we leave a dangling pointer to free'd memory. If we then initialize a new interpreter in the same process and call PyImport_ExtendInittab, we will (likely) crash when calling PyMem_RawRealloc(inittab_copy, ...) since the pointer address is bogus. Automerge-Triggered-By: @brettcannon (cherry picked from commit 64224a4) Co-authored-by: Gregory Szorc <[email protected]>
Hum, inittab_copy is freed by pymain_free(). I added this function to clear objects and memory which cannot be freed by Py_Finalize() for backward compatibility. The PEP 587 says:
I understood that PyImport_AppendInittab() can be called only once, but Py_Initialize() and Py_Finalized() can be called multiple times: the PyImport_AppendInittab() call is expected to be saved even after Py_Finalized(). I understand that this change only impacts C code which calls Py_RunMain() or Py_Main() multiple times. I'm not sure if it was supported previously, but it's a good thing if slowly Python supports it :-) |
I introduced the issue in Python 3.7 with commit 92a3c6f:
A backport of the fix sounds safe, but I don't think that it is safe to call Py_Main() multiple times in Python 3.7. Maybe it works, I don't know :-) |
Otherwise we leave a dangling pointer to free'd memory. If we
then initialize a new interpreter in the same process and call
PyImport_ExtendInittab, we will (likely) crash when calling
PyMem_RawRealloc(inittab_copy, ...) since the pointer address
is bogus.
https://bugs.python.org/issue40412
Automerge-Triggered-By: @brettcannon