Issue #18328: Reorder ops in PyThreadState_Delete*() functions. Now the

tiran · tiran · commit 1d5b933504c7 · 2013-07-01T23:43:09.000+02:00
tstate is first removed from TLS and then deallocated. CID 1019639 (#1 of 1): Use after free (USE_AFTER_FREE) use_after_free: Using freed pointer tstate.
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.4.0 Alpha 1?
 Core and Builtins
 -----------------
 
+- Issue #18328: Reorder ops in PyThreadState_Delete*() functions. Now the
+  tstate is first removed from TLS and then deallocated.
+
 - Issue #13483: Use VirtualAlloc in obmalloc on Windows.
 
 - Issue #18184: PyUnicode_FromFormat() and PyUnicode_FromFormatV() now raise
diff --git a/Python/pystate.c b/Python/pystate.c
@@ -374,11 +374,11 @@ PyThreadState_Delete(PyThreadState *tstate)
 {
     if (tstate == _Py_atomic_load_relaxed(&_PyThreadState_Current))
         Py_FatalError("PyThreadState_Delete: tstate is still current");
-    tstate_delete_common(tstate);
 #ifdef WITH_THREAD
     if (autoInterpreterState && PyThread_get_key_value(autoTLSkey) == tstate)
         PyThread_delete_key_value(autoTLSkey);
 #endif /* WITH_THREAD */
+    tstate_delete_common(tstate);
 }
 
 
@@ -392,9 +392,9 @@ PyThreadState_DeleteCurrent()
         Py_FatalError(
             "PyThreadState_DeleteCurrent: no current tstate");
     _Py_atomic_store_relaxed(&_PyThreadState_Current, NULL);
-    tstate_delete_common(tstate);
     if (autoInterpreterState && PyThread_get_key_value(autoTLSkey) == tstate)
         PyThread_delete_key_value(autoTLSkey);
+    tstate_delete_common(tstate);
     PyEval_ReleaseLock();
 }
 #endif /* WITH_THREAD */
