Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Accessing cython_runtime object when its reference count is 0 #2885

Closed
cshtarkov opened this issue Mar 4, 2019 · 2 comments
Closed

Accessing cython_runtime object when its reference count is 0 #2885

cshtarkov opened this issue Mar 4, 2019 · 2 comments

Comments

@cshtarkov
Copy link

The following piece of code ends up accessing the cython_runtime module when its reference count is 0 and its destructor has already been called. This is undefined behaviour and can cause the interpreter to crash.

import sys

def generator():
    yield
    yield

g = generator()
next(g)

del sys.modules["cython_runtime"]
del g

Even if sys.modules["cython_runtime"] is not deleted explicitly, the bug can still occur during shutdown depending on whether the reference count for g or cython_runtime goes down to 0 first.

The problem is caused by __Pyx_CLineForTraceback being called when stopping a started generator and trying to look up the cython_runtime.cline_in_traceback variable introduced in 0.26. See Exceptions.c#L665 and Exceptions.c#L673.

It only has a borrowed reference to cython_runtime from ModuleNode.py#L2839 obtained during initialisation which is not reference counted and thus there is no guarantee that the object has not already been destroyed.

I believe adding a call to code.put_incref() after obtaining the reference would be sufficient to resolve the issue, but there may be better ways of going about this.

Note that this particular example is not guaranteed to crash. However I confirmed the illegal access by
breaking at the lines mentioned above in a debugger, and seeing that __pyx_cython_runtime->ob_refcnt is 0 at the point of access.

@scoder scoder added this to the 0.29.7 milestone Mar 4, 2019
@scoder
Copy link
Contributor

scoder commented Mar 4, 2019

Right, PyImport_AddModule() returns a borrowed reference that we should better not keep un-owned.

@scoder scoder closed this as completed in 566fc5c Mar 4, 2019
@scoder
Copy link
Contributor

scoder commented Mar 4, 2019

Thanks for the excellent analysis.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants