mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-27 10:50:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 13

GH-99729: Unlink frames before clearing them (GH-100030)

Browse source
This commit is contained in:
Brandt Bucher 2022-12-06 06:01:38 -08:00 committed by GitHub
parent 85d5a7e8ef
commit b72014c783
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 60 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

42
Lib/test/test_frame.py
View file

@ -2,6 +2,7 @@ import gc
import re import re
import sys import sys
import textwrap import textwrap
import threading
import types import types
import unittest import unittest
import weakref import weakref
@ -11,6 +12,7 @@ except ImportError:
_testcapi = None _testcapi = None
from test import support from test import support
from test.support import threading_helper
from test.support.script_helper import assert_python_ok from test.support.script_helper import assert_python_ok
@ -329,6 +331,46 @@ class TestIncompleteFrameAreInvisible(unittest.TestCase):
if old_enabled: if old_enabled:
gc.enable() gc.enable()
@support.cpython_only
@threading_helper.requires_working_threading()
def test_sneaky_frame_object_teardown(self):
class SneakyDel:
def __del__(self):
"""
Stash a reference to the entire stack for walking later.
It may look crazy, but you'd be surprised how common this is
when using a test runner (like pytest). The typical recipe is:
ResourceWarning + -Werror + a custom sys.unraisablehook.
"""
nonlocal sneaky_frame_object
sneaky_frame_object = sys._getframe()
class SneakyThread(threading.Thread):
"""
A separate thread isn't needed to make this code crash, but it does
make crashes more consistent, since it means sneaky_frame_object is
backed by freed memory after the thread completes!
"""
def run(self):
"""Run SneakyDel.__del__ as this frame is popped."""
ref = SneakyDel()
sneaky_frame_object = None
t = SneakyThread()
t.start()
t.join()
# sneaky_frame_object can be anything, really, but it's crucial that
# SneakyThread.run's frame isn't anywhere on the stack while it's being
# torn down:
self.assertIsNotNone(sneaky_frame_object)
while sneaky_frame_object is not None:
self.assertIsNot(
sneaky_frame_object.f_code, SneakyThread.run.__code__
)
sneaky_frame_object = sneaky_frame_object.f_back
@unittest.skipIf(_testcapi is None, 'need _testcapi') @unittest.skipIf(_testcapi is None, 'need _testcapi')
class TestCAPI(unittest.TestCase): class TestCAPI(unittest.TestCase):

3
Misc/NEWS.d/next/Core and Builtins/2022-11-26-04-00-41.gh-issue-99729.A3ovwQ.rst Normal file
View file

@ -0,0 +1,3 @@
Fix an issue that could cause frames to be visible to Python code as they
are being torn down, possibly leading to memory corruption or hard crashes
of the interpreter.

5
Python/bytecodes.c
View file

@ -619,7 +619,10 @@ dummy_func(
DTRACE_FUNCTION_EXIT(); DTRACE_FUNCTION_EXIT();
_Py_LeaveRecursiveCallPy(tstate); _Py_LeaveRecursiveCallPy(tstate);
assert(frame != &entry_frame); assert(frame != &entry_frame);
frame = cframe.current_frame = pop_frame(tstate, frame); // GH-99729: We need to unlink the frame *before* clearing it:
_PyInterpreterFrame *dying = frame;
frame = cframe.current_frame = dying->previous;
_PyEvalFrameClearAndPop(tstate, dying);
_PyFrame_StackPush(frame, retval); _PyFrame_StackPush(frame, retval);
goto resume_frame; goto resume_frame;
} }

13
Python/ceval.c
View file

@ -1009,14 +1009,6 @@ trace_function_exit(PyThreadState *tstate, _PyInterpreterFrame *frame, PyObject
return 0; return 0;
} }
static _PyInterpreterFrame *
pop_frame(PyThreadState *tstate, _PyInterpreterFrame *frame)
{
_PyInterpreterFrame *prev_frame = frame->previous;
_PyEvalFrameClearAndPop(tstate, frame);
return prev_frame;
}
int _Py_CheckRecursiveCallPy( int _Py_CheckRecursiveCallPy(
PyThreadState *tstate) PyThreadState *tstate)
@ -1432,7 +1424,10 @@ exit_unwind:
assert(_PyErr_Occurred(tstate)); assert(_PyErr_Occurred(tstate));
_Py_LeaveRecursiveCallPy(tstate); _Py_LeaveRecursiveCallPy(tstate);
assert(frame != &entry_frame); assert(frame != &entry_frame);
frame = cframe.current_frame = pop_frame(tstate, frame); // GH-99729: We need to unlink the frame *before* clearing it:
_PyInterpreterFrame *dying = frame;
frame = cframe.current_frame = dying->previous;
_PyEvalFrameClearAndPop(tstate, dying);
if (frame == &entry_frame) { if (frame == &entry_frame) {
/* Restore previous cframe and exit */ /* Restore previous cframe and exit */
tstate->cframe = cframe.previous; tstate->cframe = cframe.previous;

3
Python/frame.c
View file

@ -127,6 +127,9 @@ _PyFrame_Clear(_PyInterpreterFrame *frame)
* to have cleared the enclosing generator, if any. */ * to have cleared the enclosing generator, if any. */
assert(frame->owner != FRAME_OWNED_BY_GENERATOR || assert(frame->owner != FRAME_OWNED_BY_GENERATOR ||
_PyFrame_GetGenerator(frame)->gi_frame_state == FRAME_CLEARED); _PyFrame_GetGenerator(frame)->gi_frame_state == FRAME_CLEARED);
// GH-99729: Clearing this frame can expose the stack (via finalizers). It's
// crucial that this frame has been unlinked, and is no longer visible:
assert(_PyThreadState_GET()->cframe->current_frame != frame);
if (frame->frame_obj) { if (frame->frame_obj) {
PyFrameObject *f = frame->frame_obj; PyFrameObject *f = frame->frame_obj;
frame->frame_obj = NULL; frame->frame_obj = NULL;

5
Python/generated_cases.c.h generated
View file

@ -628,7 +628,10 @@
DTRACE_FUNCTION_EXIT(); DTRACE_FUNCTION_EXIT();
_Py_LeaveRecursiveCallPy(tstate); _Py_LeaveRecursiveCallPy(tstate);
assert(frame != &entry_frame); assert(frame != &entry_frame);
frame = cframe.current_frame = pop_frame(tstate, frame); // GH-99729: We need to unlink the frame *before* clearing it:
_PyInterpreterFrame *dying = frame;
frame = cframe.current_frame = dying->previous;
_PyEvalFrameClearAndPop(tstate, dying);
_PyFrame_StackPush(frame, retval); _PyFrame_StackPush(frame, retval);
goto resume_frame; goto resume_frame;
} }