Use-after-free by mutating set during set operations

[sweeneyde]

BPO	46615
Nosy	@tim-one, @rhettinger, @serhiy-storchaka, @miss-islington, @sweeneyde
PRs	bpo-46615: Don't crash when set operations mutate the sets #31120 [3.10] bpo-46615: Don't crash when set operations mutate the sets (GH-31120) #31284 [3.9] bpo-46615: Don't crash when set operations mutate the sets (GH-31120) #31312
Files	picklecrasher.py: Randomized crasher for uses of PyDict_Next in _pickle.c

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2022-02-02.18:01:22.729>
labels = ['interpreter-core', '3.10', '3.9', 'type-crash', '3.11']
title = 'Use-after-free by mutating set during set operations'
updated_at = <Date 2022-02-19.05:24:06.142>
user = 'https://github.com/sweeneyde'

bugs.python.org fields:

activity = <Date 2022-02-19.05:24:06.142>
actor = 'Dennis Sweeney'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Interpreter Core']
creation = <Date 2022-02-02.18:01:22.729>
creator = 'Dennis Sweeney'
dependencies = []
files = ['50631']
hgrepos = []
issue_num = 46615
keywords = ['patch']
message_count = 13.0
messages = ['412386', '412387', '412389', '412444', '412448', '412487', '412489', '412494', '413085', '413097', '413175', '413176', '413530']
nosy_count = 5.0
nosy_names = ['tim.peters', 'rhettinger', 'serhiy.storchaka', 'miss-islington', 'Dennis Sweeney']
pr_nums = ['31120', '31284', '31312']
priority = 'normal'
resolution = None
stage = 'patch review'
status = 'open'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue46615'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']

[sweeneyde]

Maybe related to https://bugs.python.org/issue8420

Somewhat obscure, but using only standard Python, and no frame- or gc-hacks, it looks like we can get a use-after-free:

from random import random

BADNESS = 0.0

class Bad:
    def __eq__(self, other):
        if random() < BADNESS:
            set1.clear()
        if random() < BADNESS:
            set2.clear()
        return True
    def __hash__(self):
        return 42

SIZE = 100
TRIALS = 10_000

ops = [
    "|", "|=",
    "==", "!=",
    "<", "<=",
    ">", ">=",
    # "&",  # crash!
    # "&=", # crash!
    "^",
    # "^=", # crash
    # "-", # crash
    "-=",
]

for op in ops:
    stmt = f"set1 {op} set2"
    print(stmt, "...")
    for _ in range(TRIALS):
        BADNESS = 0.00
        set1 = {Bad() for _ in range(SIZE)}
        set2 = {Bad() for _ in range(SIZE)}
        BADNESS = 0.02
        exec(stmt)
    print("ok.")

[sweeneyde]

replacing return True with return random() < 0.5 makes all of the operations crash, except for | and |=.

[sweeneyde]

set1.isdisjoint(set2) also crashes