bpo-39382: Avoid dangling object use in abstract_issubclass()

[Jongy]

Take a reference of __bases__ tuple item before releasing the tuple reference,
as it may destroy the tuple, possibly destroying (some of) its items.

@serhiy-storchaka, I will look into your suggestion in the bpo and see if I can reproduce it with a short snippet, so I can add tests for it. I will also think of some way to simplify the code, this function became too complicated with this change, perhaps it's time to break it?

Therefore, opening as a draft for the meantime.

https://bugs.python.org/issue39382

[pppery]

Does

class FakeClass:
    def __init__(self,base=False):
        self.base = base
    @property
    def __bases__(self):
        if self.base:
            return ()
        return (FakeClass(True),)
issubclass(FakeClass(), int)

work as a test case? It crashes for me on Python 3.7

[Jongy]

Yeah, it appears to exhibit the same outcome. It crashes on master (4c1b6a6) but doesn't crash on this branch. Thanks for that, @pppery !

Well, this snippet is much less complicated than what I was trying to achieve (as I described in the bpo, I encountered this while using rpyc so I tried to imitate rpyc's netref objects with the metaclasses magics).

I don't understand though, while it exhibits the bug, this doesn't:

class A:
    pass

class B:
    @property
    def __bases__(self):
        return (A(), )

print(issubclass(B(), int))

I've added prints in abstract_issubclass before it modifies the refcounts. In both cases (your example, and the one above) the retrieved bases tuple has 1 reference, and the object inside it has 1 reference as well. In both cases, after the Py_DECREF, the derived object has refcount of 0. But yours crashes and mine does not?

[pppery]

I don't know why that works either.

[serhiy-storchaka]

I get a crash with both examples.

[Jongy]

Weird. My assumption is that in the second example, another object gets allocated in the exact, same memory chunk, and so abstract_issubclass continues operating on it and not on poisoned memory. But I haven't verified that.

Anyway, I'll add a test using the first example, and a NEWS entry.

[Jongy]

The following snippet crashes:

class A:
    @property
    def __bases__(self):
        return (int, )


class B:
    @property
    def __bases__(self):
        return (A(), )


assert issubclass(B(), int)

(and the assert passes on this branch)

I'll add a test based on it.

[Jongy]

The following snippet crashes

In the test_isinstance.py file it didn't. When I added a dummy member to the class, it did. I guess it really has something to do with the class object size and its memory being reused.

[Jongy]

Perhaps just take a ref of derived before the loop, and remove this variable and its checks altogether? My intention with derived_ref was to avoid unnecessary memory writes to a shared/common location.

[serhiy-storchaka]

Yes, it may simplify the code, at cost of making it slightly slower. But this is not performance critical code, it is only called when any of arguments is not a type (very unusual case).

Alternatively, you can keep a reference to bases until you get a new bases. Py_SETREF may help to keep the code shorter: Py_SETREF(bases, abstract_get_bases(derived)), but it may still look less obvious.

Left it on to you. All variants are good enough.

[Jongy]

Py_SETREF seems nice. I didn't know of this macro. I'll use it.

[serhiy-storchaka]

It is not public. Don't use it in third-party code. It is safer to copy its definition under other name if you need it.

[Jongy]

Sorry, I don't think I understood that last comment of yours. What do you mean by third-party code? Using it here is okay, right?

[serhiy-storchaka]

In your own code, in the code of your company or in the code of other projects except CPython.

It is not the part of the public C API and can be renamed, changed or removed in new Python versions.

[Jongy]

Mhm, I see. Thanks for the tip!

[serhiy-storchaka]

LGTM. Just added suggestion to reword the NEWS entry.

[serhiy-storchaka]

Yes, it may simplify the code, at cost of making it slightly slower. But this is not performance critical code, it is only called when any of arguments is not a type (very unusual case).

Alternatively, you can keep a reference to bases until you get a new bases. Py_SETREF may help to keep the code shorter: Py_SETREF(bases, abstract_get_bases(derived)), but it may still look less obvious.

Left it on to you. All variants are good enough.

[serhiy-storchaka]

abstract_issubclass() is an implementation detail. Python users do not know anything about it. Use things which expose the bug on the Python level: issubclass().

Also "hold reference to __bases__ tuple item" says how the bug has been fixed. Instead describe what the bug looked itself from the point of view of the common Python user (a crash in issubclass() when __bases__ contains the only reference to its item, or something like).

[Jongy]

Gotcha, will change it to a more user-facing message.

[serhiy-storchaka]

Great!

Apologies, but I forgot about one tiny detail. Do you mind to add your name in Misc/ACKS and add the sentence "Patch by yourname." to the end of the NEWS entry?

[serhiy-storchaka]

It is not public. Don't use it in third-party code. It is safer to copy its definition under other name if you need it.

[codecov]

Codecov Report

Merging #18530 into master will decrease coverage by 0.08%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #18530      +/-   ##
==========================================
- Coverage   82.20%   82.11%   -0.09%     
==========================================
  Files        1958     1955       -3     
  Lines      589743   584066    -5677     
  Branches    44457    44457              
==========================================
- Hits       484772   479631    -5141     
+ Misses      95308    94788     -520     
+ Partials     9663     9647      -16     

Impacted Files	Coverage Δ
Lib/distutils/tests/test_bdist_rpm.py	30.00% <0.00%> (-65.00%)	⬇️
Lib/distutils/command/bdist_rpm.py	7.63% <0.00%> (-56.88%)	⬇️
Lib/test/test_urllib2net.py	76.92% <0.00%> (-13.85%)	⬇️
Lib/test/test_smtpnet.py	78.57% <0.00%> (-12.86%)	⬇️
Lib/ftplib.py	63.85% <0.00%> (-6.06%)	⬇️
Lib/test/test_ftplib.py	87.11% <0.00%> (-4.72%)	⬇️
Tools/scripts/db2pickle.py	17.82% <0.00%> (-3.97%)	⬇️
Tools/scripts/pickle2db.py	16.98% <0.00%> (-3.78%)	⬇️
Lib/test/test_socket.py	71.94% <0.00%> (-3.87%)	⬇️
Lib/test/test_asyncio/test_base_events.py	91.84% <0.00%> (-3.45%)	⬇️
... and 326 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c33bdbb...f71d08d. Read the comment docs.

[Jongy]

Apologies, but I forgot about one tiny detail. Do you mind to add your name in Misc/ACKS and add the sentence "Patch by yourname." to the end of the NEWS entry?

Ofc, will add.

Not sure about this Mac failure. I don't think it's related to my change.

About the commit message for the squash: The first commit message is not entirely relevant anymore, so I'm thinking something about:

[bpo-39382](https://bugs.python.org/issue39382): Avoid dangling object use in abstract_issubclass()

Hold reference of __bases__ tuple until tuple item is done with, because by
dropping the reference the item may be destroyed.

[serhiy-storchaka]

Ignore the failure on macOS. It is not related.

[Jongy]

@serhiy-storchaka anything else needed, or it looks ready to you?

[serhiy-storchaka]

Thank you for your contribution @Jongy. It was a pleasure to review your PR, and I hope this is not a last your PR to CPython.

Thank you for your example @pppery. It helped a lot!

[miss-islington]

Thanks @Jongy for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

[miss-islington]

Thanks @Jongy for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.8.
🐍🍒⛏🤖

[bedevere-bot]

GH-18606 is a backport of this pull request to the 3.7 branch.

[bedevere-bot]

GH-18607 is a backport of this pull request to the 3.8 branch.

[Jongy]

Thanks @serhiy-storchaka :)