Skip to content

gh-142349: Fix refcount corruption in lazy import specialization#144733

Merged
Yhg1s merged 1 commit intopython:mainfrom
pablogsal:lazy-cleanup-2
Feb 12, 2026
Merged

gh-142349: Fix refcount corruption in lazy import specialization#144733
Yhg1s merged 1 commit intopython:mainfrom
pablogsal:lazy-cleanup-2

Conversation

@pablogsal
Copy link
Member

@pablogsal pablogsal commented Feb 12, 2026
edited by bedevere-app bot
Loading

_PyDict_LookupIndexAndValue() returns a borrowed reference via _Py_dict_lookup(), but specialize_load_global_lock_held() called Py_DECREF(value) on it when bailing out for lazy imports. Each time the adaptive counter fired while a lazy import was still in globals, this stole one reference from the dict's object. With 8+ threads racing through LOAD_GLOBAL during concurrent lazy import resolution, enough triggers accumulated to drive the refcount to zero while the dict and other threads still referenced the object, causing use-after-free.

@pablogsal pablogsal requested a review from DinoV February 12, 2026 08:26
@pablogsal pablogsal requested a review from Yhg1s February 12, 2026 08:26
@pablogsal pablogsal changed the title gh-142351: Fix refcount corruption in lazy import specialization gh-142349: Fix refcount corruption in lazy import specialization Feb 12, 2026
@bedevere-app bedevere-app bot mentioned this pull request Feb 12, 2026
Open
pablogsal
pablogsal commented Feb 12, 2026
View reviewed changes
Yhg1s
Yhg1s reviewed Feb 12, 2026
View reviewed changes
Copy link
Member

@Yhg1s Yhg1s left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is good enough for a free-threaded build. The error case happens when _PyImport_LoadLazyImportTstate is called with a borrowed reference. The GIL won't be protecting that borrowed reference in a free-threaded build, so the INCREF already happens too late. We need the caller to acquire an owned reference instead, in a safe way. But... where does this happen? As far as I can tell the callers all own the reference they pass.

@pablogsal pablogsal marked this pull request as draft February 12, 2026 10:49
@pablogsal
Copy link
Member Author

pablogsal commented Feb 12, 2026

But... where does this happen? As far as I can tell the callers all own the reference they pass.

If that were true then there would not be crashes no?

@Yhg1s
Copy link
Member

Yhg1s commented Feb 12, 2026

If that were true then there would not be crashes no?

Unless the problem is actually something different, yes :) I would like to know which it is.

@pablogsal
Remove spurious Py_DECREF on borrowed ref in LOAD_GLOBAL specialization
c7defe2 
_PyDict_LookupIndexAndValue() returns a borrowed reference via
_Py_dict_lookup(), but specialize_load_global_lock_held() called
Py_DECREF(value) on it when bailing out for lazy imports. Each time
the adaptive counter fired while a lazy import was still in globals,
this stole one reference from the dict's object. With 8+ threads
racing through LOAD_GLOBAL during concurrent lazy import resolution,
enough triggers accumulated to drive the refcount to zero while the
dict and other threads still referenced the object, causing
use-after-free.
@pablogsal pablogsal marked this pull request as ready for review February 12, 2026 11:21
@pablogsal
Copy link
Member Author

pablogsal commented Feb 12, 2026

If that were true then there would not be crashes no?

Unless the problem is actually something different, yes :) I would like to know which it is.

Narrator: and the problem was indeed something different. Kind of

@Yhg1s Yhg1s enabled auto-merge (squash) February 12, 2026 11:22
@Yhg1s Yhg1s merged commit 072cd7c into python:main Feb 12, 2026
51 checks passed
@robsdedude robsdedude mentioned this pull request Feb 12, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yhg1s Yhg1s Yhg1s approved these changes

@kumaraditya303 kumaraditya303 kumaraditya303 approved these changes

@brettcannon brettcannon Awaiting requested review from brettcannon

@DinoV DinoV Awaiting requested review from DinoV

@ericsnowcurrently ericsnowcurrently Awaiting requested review from ericsnowcurrently

@ncoghlan ncoghlan Awaiting requested review from ncoghlan

@warsaw warsaw Awaiting requested review from warsaw

Assignees

No one assigned

Labels

skip news

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pablogsal @Yhg1s @kumaraditya303