From 586cd0d12f978341877ce1f817ea708ccb6dba9e Mon Sep 17 00:00:00 2001 From: Radislav Chugunov Date: Thu, 22 Jun 2023 17:49:09 +0300 Subject: [PATCH 1/4] gh-105987: Fix reference counting issue in '_asyncio._swap_current_task' '_PyDict_GetItem_KnownHash' returns borrowed reference to previous task object, so consequent calls to '_PyDict_DelItem_KnownHash'/'_PyDict_SetItem_KnownHash' can deallocate it before it will be returned from 'swap_current_task' function --- .../test_asyncio/test_eager_task_factory.py | 20 +++++++++++++++++++ Modules/_asynciomodule.c | 12 ++++++----- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/Lib/test/test_asyncio/test_eager_task_factory.py b/Lib/test/test_asyncio/test_eager_task_factory.py index 49d5dbb8940a96..bcf67b7b5aca8e 100644 --- a/Lib/test/test_asyncio/test_eager_task_factory.py +++ b/Lib/test/test_asyncio/test_eager_task_factory.py @@ -7,6 +7,9 @@ from unittest import mock from asyncio import tasks from test.test_asyncio import utils as test_utils +import test.support +from test.support.script_helper import assert_python_ok + MOCK_ANY = mock.ANY @@ -222,6 +225,23 @@ class PyEagerTaskFactoryLoopTests(EagerTaskFactoryLoopTests, test_utils.TestCase class CEagerTaskFactoryLoopTests(EagerTaskFactoryLoopTests, test_utils.TestCase): Task = getattr(tasks, '_CTask', None) + def test_issue105987(self): + code = """if 1: + from _asyncio import _swap_current_task + + class DummyTask: + pass + + class DummyLoop: + pass + + l = DummyLoop() + _swap_current_task(l, DummyTask()) + t = _swap_current_task(l, None) + """ + + _, out, err = assert_python_ok("-c", code) + self.assertFalse(err) class AsyncTaskCounter: def __init__(self, loop, *, task_class, eager): diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c index 4b84c1de66be0e..66b45b43536811 100644 --- a/Modules/_asynciomodule.c +++ b/Modules/_asynciomodule.c @@ -2040,7 +2040,7 @@ swap_current_task(asyncio_state *state, PyObject *loop, PyObject *task) return NULL; } - prev_task = _PyDict_GetItem_KnownHash(state->current_tasks, loop, hash); + prev_task = Py_XNewRef(_PyDict_GetItem_KnownHash(state->current_tasks, loop, hash)); if (prev_task == NULL) { if (PyErr_Occurred()) { return NULL; @@ -2050,17 +2050,19 @@ swap_current_task(asyncio_state *state, PyObject *loop, PyObject *task) if (task == Py_None) { if (_PyDict_DelItem_KnownHash(state->current_tasks, loop, hash) == -1) { - return NULL; + goto error; } } else { if (_PyDict_SetItem_KnownHash(state->current_tasks, loop, task, hash) == -1) { - return NULL; + goto error; } } - Py_INCREF(prev_task); - return prev_task; + +error: + Py_DECREF(prev_task); + return NULL; } /* ----- Task */ From 7644f4b567d7ff509c1762a1c10f6c877520ae89 Mon Sep 17 00:00:00 2001 From: chgnrdv <52372310+chgnrdv@users.noreply.github.com> Date: Thu, 22 Jun 2023 18:00:15 +0300 Subject: [PATCH 2/4] removed extra newline --- Lib/test/test_asyncio/test_eager_task_factory.py | 1 - 1 file changed, 1 deletion(-) diff --git a/Lib/test/test_asyncio/test_eager_task_factory.py b/Lib/test/test_asyncio/test_eager_task_factory.py index bcf67b7b5aca8e..fc9ad8eb43bb1b 100644 --- a/Lib/test/test_asyncio/test_eager_task_factory.py +++ b/Lib/test/test_asyncio/test_eager_task_factory.py @@ -10,7 +10,6 @@ import test.support from test.support.script_helper import assert_python_ok - MOCK_ANY = mock.ANY From b0cb71da5896b0684e777240d4e8c2b1d874b781 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Thu, 22 Jun 2023 15:21:13 +0000 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Library/2023-06-22-15-21-11.gh-issue-105987.T7Kzrb.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Library/2023-06-22-15-21-11.gh-issue-105987.T7Kzrb.rst diff --git a/Misc/NEWS.d/next/Library/2023-06-22-15-21-11.gh-issue-105987.T7Kzrb.rst b/Misc/NEWS.d/next/Library/2023-06-22-15-21-11.gh-issue-105987.T7Kzrb.rst new file mode 100644 index 00000000000000..0bc97da4edf0f9 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2023-06-22-15-21-11.gh-issue-105987.T7Kzrb.rst @@ -0,0 +1 @@ +Fix crash due to improper reference counting in :mod:`asyncio` eager task factory internal routines. From 1f4f46758736eacf649e7ff59a822ac05e16fd7b Mon Sep 17 00:00:00 2001 From: Radislav Chugunov Date: Thu, 22 Jun 2023 21:23:50 +0300 Subject: [PATCH 4/4] moved incref past NULL check --- Modules/_asynciomodule.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c index 66b45b43536811..5b28f2dd28a221 100644 --- a/Modules/_asynciomodule.c +++ b/Modules/_asynciomodule.c @@ -2040,13 +2040,14 @@ swap_current_task(asyncio_state *state, PyObject *loop, PyObject *task) return NULL; } - prev_task = Py_XNewRef(_PyDict_GetItem_KnownHash(state->current_tasks, loop, hash)); + prev_task = _PyDict_GetItem_KnownHash(state->current_tasks, loop, hash); if (prev_task == NULL) { if (PyErr_Occurred()) { return NULL; } prev_task = Py_None; } + Py_INCREF(prev_task); if (task == Py_None) { if (_PyDict_DelItem_KnownHash(state->current_tasks, loop, hash) == -1) {