
Use after free (stackref borrow after close) in BINARY_OP_INPLACE_ADD_UNICODE #130786

Open
@markshannon

Description


Crash report

What happened?

Using the Py_STACKREF_CLOSE_DEBUG option added in #130785, we can detect a use-after-free in BINARY_OP_INPLACE_ADD_UNICODE:

    Fatal Python error: _Py_stackref_record_borrow:
      Borrow of closed ref ID 15609203 at Python/generated_cases.c.h:59.
      Referred to instance of str at 0x55a2b6c5ff10.
      Closed at Python/generated_cases.c.h:344

The problem is that the stack ref is closed before we deopt on line 736.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response
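The issue names the specialized instruction but gives no reproducer, so the following is an added example (not code from the issue or from CPython) that shows the bytecode shape the specializer looks for: a `+=` on a local str immediately followed by a `STORE_FAST` back into the same local. That is the site that can be quickened into `BINARY_OP_INPLACE_ADD_UNICODE`; the deopt the report refers to is taken when the guarded conditions (operand types, the local still holding the left operand) no longer hold. Function names here are my own; whether the specialized opcode actually appears in the adaptive disassembly depends on the CPython version, build options and warm-up, so the example reports it rather than requiring it, and it does not trigger the crash described above.

```python
import dis
import sys


def inplace_concat(n: int, piece: str = "x") -> str:
    """Build a string with a hot `s += piece` site.

    Inside a function this compiles to a load of `s` and `piece`, an
    in-place add (BINARY_OP '+=' on 3.11+, INPLACE_ADD earlier) and a
    STORE_FAST back into `s`.  A BINARY_OP immediately followed by a
    STORE_FAST to the local that supplied the left operand is the shape
    the specializing interpreter can rewrite to BINARY_OP_INPLACE_ADD_UNICODE.
    """
    s = ""
    for _ in range(n):
        s += piece
    return s


def find_inplace_add_sites(func, local_name: str) -> list:
    """Offsets of every in-place add whose result is stored straight back
    into `local_name` (the precondition for the unicode in-place
    specialization).  Works on the static bytecode, so it is deterministic
    across versions; INPLACE_ADD is accepted for CPython < 3.11."""
    instrs = list(dis.get_instructions(func))
    sites = []
    for cur, nxt in zip(instrs, instrs[1:]):
        if (cur.opname in ("BINARY_OP", "INPLACE_ADD")
                and nxt.opname == "STORE_FAST"
                and nxt.argval == local_name):
            sites.append(cur.offset)
    return sites


def specialized_opnames(func) -> set:
    """Opcode names in the adaptive (quickened) bytecode of `func`.

    After enough executions the specializing interpreter (3.11+) may have
    replaced the generic BINARY_OP with BINARY_OP_INPLACE_ADD_UNICODE.
    Returns an empty set on interpreters without adaptive disassembly."""
    if sys.version_info < (3, 11):
        return set()
    try:
        return {i.opname for i in dis.get_instructions(func, adaptive=True)}
    except TypeError:  # defensive: no `adaptive` keyword on this build
        return set()


if __name__ == "__main__":
    # Warm the site up so the specializer has a chance to quicken it, then
    # report the static site and whether the specialized opcode is visible.
    inplace_concat(10_000)
    print("in-place add sites storing to `s`:",
          find_inplace_add_sites(inplace_concat, "s"))
    print("BINARY_OP_INPLACE_ADD_UNICODE observed:",
          "BINARY_OP_INPLACE_ADD_UNICODE" in specialized_opnames(inplace_concat))
```

Run it on a debug build with the stackref close checking from #130785 enabled if you want the borrow-after-close detector in the loop; on a normal build it only shows where the specialization can apply, which is the first thing to confirm when deciding whether a given loop exercises this instruction.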

Labels: interpreter-core (Objects, Python, Grammar, and Parser dirs), type-crash (A hard crash of the interpreter, possibly with a core dump)