Skip to content

gh-152951 - Fix double DECREF when newblock fails during deque.extend calls#152961

Merged
sobolevn merged 2 commits into
python:mainfrom
stestagg:gh-152951
Jul 3, 2026
Merged

gh-152951 - Fix double DECREF when newblock fails during deque.extend calls#152961
sobolevn merged 2 commits into
python:mainfrom
stestagg:gh-152951

Conversation

@stestagg

@stestagg stestagg commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

When deque.extend is called, items from the passed-in sequence are appended using deque_append_lock_held.
deque_append_lock_held steals the reference to item, and (if needed) allocates a new block to store the item.

If the netblock call fails, then deque_append_lock_held DECREFs the item and returns -1

BUT: if deque_extend_impl sees the -1 return from deque_append_lock_held, it also DECREF's item again, despite not owning it any more. This can cause negative refcounts and crashes.

This fix removes the output DECREF, as it's handled by the inner func already.

There's no tests for this, as triggering an allocation failure within newblock is a bit tricky to do reliably.

@stestagg stestagg requested a review from rhettinger as a code owner July 3, 2026 14:10
@stestagg stestagg changed the title gh-152951 - Fix double free when newblock fails during deque.extend calls gh-152951 - Fix double DECREF when newblock fails during deque.extend calls Jul 3, 2026

@sobolevn sobolevn left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In two other places where we call deque_append_lock_held we pass Py_NewRef(item), so the reference would be owned by the deque.

Here we don't do that, because tp_iternext returns new references.
So, we can remove the second decref.

@sobolevn sobolevn added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes labels Jul 3, 2026
@stestagg

stestagg commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Thanks again @sobolevn!

@sobolevn sobolevn merged commit a90576d into python:main Jul 3, 2026
66 checks passed
@miss-islington-app

Copy link
Copy Markdown

Thanks @stestagg for the PR, and @sobolevn for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖

@bedevere-app

bedevere-app Bot commented Jul 3, 2026

Copy link
Copy Markdown

GH-152971 is a backport of this pull request to the 3.15 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label Jul 3, 2026
@bedevere-app

bedevere-app Bot commented Jul 3, 2026

Copy link
Copy Markdown

GH-152972 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Jul 3, 2026
@bedevere-app

bedevere-app Bot commented Jul 3, 2026

Copy link
Copy Markdown

GH-152973 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Jul 3, 2026
sobolevn pushed a commit that referenced this pull request Jul 3, 2026
…ue.extend calls (GH-152961) (#152973)

gh-152951 - Fix double DECREF when `newblock` fails during deque.extend calls (GH-152961)
(cherry picked from commit a90576d)

Co-authored-by: Steve Stagg <stestagg@gmail.com>
sobolevn pushed a commit that referenced this pull request Jul 3, 2026
…ue.extend calls (GH-152961) (#152972)

gh-152951 - Fix double DECREF when `newblock` fails during deque.extend calls (GH-152961)
(cherry picked from commit a90576d)

Co-authored-by: Steve Stagg <stestagg@gmail.com>
sobolevn pushed a commit that referenced this pull request Jul 3, 2026
…ue.extend calls (GH-152961) (#152971)

gh-152951 - Fix double DECREF when `newblock` fails during deque.extend calls (GH-152961)
(cherry picked from commit a90576d)

Co-authored-by: Steve Stagg <stestagg@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants