From f45dfa87f52263fe30f8129d6f5c7ea577c60a61 Mon Sep 17 00:00:00 2001
From: Sam Gross
Date: Tue, 7 May 2024 16:58:09 +0000
Subject: [PATCH 1/2] gh-118561: Fix crash involving list.extend in free-threaded build
The `list_preallocate_exact` function did not zero initialize array contents. In the free-threaded build, this could expose uninitialized memory to concurrent readers between the call to `list_preallocate_exact` and the filling of the array contents with items.
---
 .../2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst | 2 ++
 Objects/listobject.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
new file mode 100644
index 00000000000000..aca1dd8f2d52a9
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
@@ -0,0 +1,2 @@
+Fix race condition in free-threaded build where ``list.extend`` could expose
+uninitialied memory to concurrent readers.
diff --git a/Objects/listobject.c b/Objects/listobject.c
index 3c4e2d2e6ed7de..7070165014f137 100644
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -192,6 +192,7 @@ list_preallocate_exact(PyListObject *self, Py_ssize_t size)
 return -1;
 }
 items = array->ob_item;
+ memset(items, 0, size * sizeof(PyObject *));
 #else
 items = PyMem_New(PyObject*, size);
 if (items == NULL) {
@@ -199,7 +200,7 @@ list_preallocate_exact(PyListObject *self, Py_ssize_t size)
 return -1;
 }
 #endif
- self->ob_item = items;
+ FT_ATOMIC_STORE_PTR_RELEASE(self->ob_item, items);
 self->allocated = size;
 return 0;
 }
From 3a5c0c8785cbe02eff36dd6dfc3602cfb6fc4f37 Mon Sep 17 00:00:00 2001
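Review bot: The added `memset(items, 0, size * sizeof(PyObject *));` in the branch before `#else` has no comment saying why only this branch zeroes the array, so a later cleanup could remove it as redundant and bring back the uninitialized-memory exposure the commit message describes. I would put `/* Zero the slots: a concurrent reader may see this array before the caller fills it. */` directly above it. The byte count multiplies `size` with no bound visible here; the allocation call sits above the hunk and presumably rejects sizes that would overflow, but that is worth confirming. list_preallocate_exact starts outside this hunk.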
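Review bot: `self->allocated = size;` remains a plain store issued after `FT_ATOMIC_STORE_PTR_RELEASE(self->ob_item, items);`, so the release ordering covers the zeroed array but not the capacity field. If any reader that does not hold the list lock bounds its index by `self->allocated`, it could pair the new pointer with a stale capacity; the hunk does not show which readers exist, so this may already be excluded by design. A one-line comment stating the invariant would settle it, for example `/* allocated is not read by lock-free readers; they bound by the list size */`, if that is indeed the rule. The function begins outside this hunk.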
From: Sam Gross
Date: Thu, 9 May 2024 14:30:07 -0400
Subject: [PATCH 2/2] Update Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
Co-authored-by: Donghee Na
---
 .../2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
index aca1dd8f2d52a9..9eaf0abb8a6128 100644
--- a/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2024-05-07-16-57-56.gh-issue-118561.wNMKVd.rst
@@ -1,2 +1,2 @@
-Fix race condition in free-threaded build where ``list.extend`` could expose
+Fix race condition in free-threaded build where :meth:`list.extend` could expose
 uninitialied memory to concurrent readers.