From c7defe26c026a4e4118c3d90c8e00ecfbb9c7a92 Mon Sep 17 00:00:00 2001
From: Pablo Galindo Salgado
Date: Thu, 12 Feb 2026 11:16:57 +0000
Subject: [PATCH] Remove spurious Py_DECREF on borrowed ref in LOAD_GLOBAL specialization
_PyDict_LookupIndexAndValue() returns a borrowed reference via _Py_dict_lookup(), but specialize_load_global_lock_held() called Py_DECREF(value) on it when bailing out for lazy imports. Each time the adaptive counter fired while a lazy import was still in globals, this stole one reference from the dict's object. With 8+ threads racing through LOAD_GLOBAL during concurrent lazy import resolution, enough triggers accumulated to drive the refcount to zero while the dict and other threads still referenced the object, causing use-after-free.
---
 Python/specialize.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Python/specialize.c b/Python/specialize.c
index 7c02e929d47d9e..5ba016f83ea077 100644
--- a/Python/specialize.c
+++ b/Python/specialize.c
@@ -1321,7 +1321,6 @@ specialize_load_global_lock_held(
 }
 if (value != NULL && PyLazyImport_CheckExact(value)) {
 SPECIALIZATION_FAIL(LOAD_GLOBAL, SPEC_FAIL_ATTR_MODULE_LAZY_VALUE);
- Py_DECREF(value);
 goto fail;
 }
 PyInterpreterState *interp = _PyInterpreterState_GET();