Remove spurious Py_DECREF on borrowed ref in LOAD_GLOBAL specialization

pablogsal · pablogsal · commit c7defe26c026 · 2026-02-12T11:16:57.000Z
_PyDict_LookupIndexAndValue() returns a borrowed reference via
_Py_dict_lookup(), but specialize_load_global_lock_held() called
Py_DECREF(value) on it when bailing out for lazy imports. Each time
the adaptive counter fired while a lazy import was still in globals,
this stole one reference from the dict's object. With 8+ threads
racing through LOAD_GLOBAL during concurrent lazy import resolution,
enough triggers accumulated to drive the refcount to zero while the
dict and other threads still referenced the object, causing
use-after-free.
diff --git a/Python/specialize.c b/Python/specialize.c
@@ -1321,7 +1321,6 @@ specialize_load_global_lock_held(
     }
     if (value != NULL && PyLazyImport_CheckExact(value)) {
         SPECIALIZATION_FAIL(LOAD_GLOBAL, SPEC_FAIL_ATTR_MODULE_LAZY_VALUE);
-        Py_DECREF(value);
         goto fail;
     }
     PyInterpreterState *interp = _PyInterpreterState_GET();

Original file line number	Diff line number	Diff line change
`@@ -1321,7 +1321,6 @@ specialize_load_global_lock_held(`
`1321`	`1321`	`}`
`1322`	`1322`	`if (value != NULL && PyLazyImport_CheckExact(value)) {`
`1323`	`1323`	`SPECIALIZATION_FAIL(LOAD_GLOBAL, SPEC_FAIL_ATTR_MODULE_LAZY_VALUE);`
`1324`		`- Py_DECREF(value);`
`1325`	`1324`	`goto fail;`
`1326`	`1325`	`}`
`1327`	`1326`	`PyInterpreterState *interp = _PyInterpreterState_GET();`