Possible memory leak in gc_mark_span_push #141212

@sergey-miryanov

Description

Bug report

Bug description:

gc_mark_span_push uses PyMem_Realloc to reallocate the memory buffer and uses it as follows:

```c
ss->stack = (gc_span_t *)PyMem_Realloc(ss->stack, ss->capacity * sizeof(gc_span_t));
if (ss->stack == NULL) {
    return -1;
}
```

There are two problems:
1. Undefined behavior - the original pointer ptr is invalidated and any access to it is undefined behavior (even if reallocation was in-place).
2. Memory leak if PyMem_Realloc fails - the original buffer will not be freed, but the ss->stack pointer will be overwritten.

I have a PR ready.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response
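As an added illustration (not the issue author's code and not CPython's), the pattern quoted above next to the usual fix of reallocating into a temporary. The span types, the `xrealloc` wrapper and its `fail_next_realloc` switch are constructed stand-ins so the failure path of `PyMem_Realloc` can be driven deterministically.

```c
#include <stdlib.h>
/* Constructed stand-ins for gc_span_t and its stack; not CPython's definitions. */
typedef struct { void *start, *end; } span_t;
typedef struct { span_t *stack; size_t size, capacity; } span_stack_t;
static int fail_next_realloc = 0;   /* hypothetical switch: make the next realloc fail */
static void *xrealloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Pattern quoted in the issue: the realloc result overwrites ss->stack, so on
   failure the old buffer is unreachable (leaked) and capacity no longer matches. */
static int span_push_buggy(span_stack_t *ss, span_t item) {
    if (ss->size >= ss->capacity) {
        ss->capacity = ss->capacity ? ss->capacity * 2 : 4;
        ss->stack = (span_t *)xrealloc(ss->stack, ss->capacity * sizeof(span_t));
        if (ss->stack == NULL) return -1;
    }
    ss->stack[ss->size++] = item;
    return 0;
}

/* Fixed pattern: realloc into a temporary; update stack/capacity only on success,
   so on failure ss->stack is still the valid old buffer and the caller can free it. */
static int span_push_fixed(span_stack_t *ss, span_t item) {
    if (ss->size >= ss->capacity) {
        size_t new_cap = ss->capacity ? ss->capacity * 2 : 4;
        span_t *grown = (span_t *)xrealloc(ss->stack, new_cap * sizeof(span_t));
        if (grown == NULL) return -1;
        ss->stack = grown;
        ss->capacity = new_cap;
    }
    ss->stack[ss->size++] = item;
    return 0;
}
/* Fills a stack to its first capacity (4), then forces the growth realloc to fail.
   Returns 1 if the original buffer and bookkeeping survived the failure, else 0. */
static int buffer_survives_failed_push(int (*push)(span_stack_t *, span_t)) {
    span_stack_t ss = { NULL, 0, 0 };
    for (int i = 0; i < 4; i++) push(&ss, (span_t){ NULL, NULL });
    span_t *before = ss.stack;
    fail_next_realloc = 1;
    int rc = push(&ss, (span_t){ NULL, NULL });
    int survived = (rc == -1 && ss.stack == before && ss.capacity == 4 && ss.size == 4);
    /* Freeing 'before' is only safe here because the failure was simulated and
       the real realloc never ran; real callers have no such escape hatch. */
    free(survived ? ss.stack : before);
    return survived;
}
```

Running the check against both variants shows the buggy push ends with `ss->stack == NULL` and a stale `capacity` while the old buffer is lost, whereas the fixed push leaves the stack untouched for the caller to clean up.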
