Skip to content

gh-146452: Fix pickle segfault on concurrent mutation of dict and list#146470

Merged
kumaraditya303 merged 7 commits into
python:mainfrom
overlorde:fix-issue-146452
May 17, 2026
Merged

gh-146452: Fix pickle segfault on concurrent mutation of dict and list#146470
kumaraditya303 merged 7 commits into
python:mainfrom
overlorde:fix-issue-146452

Conversation

@overlorde
Copy link
Copy Markdown
Contributor

@overlorde overlorde commented Mar 26, 2026
edited by bedevere-app Bot
Loading

batch_dict_exact() in _pickle.c iterates dict items using PyDict_Next() which returns borrowed references. Without a critical section, a concurrent dict mutation can invalidate the borrowed reference before Py_INCREF, causing a segfault.

The fix wraps PyDict_Next() + Py_INCREF in Py_BEGIN_CRITICAL_SECTION(obj) to prevent the dict from being mutated while converting borrowed refs to owned refs. Same approach as the existing set iteration path in the same file (line 3656).

Crashes on both 3.14t (stock install) and main (with ASan). Reproducer in the linked issue.

  • Existing test_pickle passes (1000 tests, no regressions)
  • Added test_free_threading/test_pickle.py that segfaults without the fix and passes with it

@bedevere-app bedevere-app Bot mentioned this pull request Mar 26, 2026
Open
@overlorde
Copy link
Copy Markdown
Contributor Author

overlorde commented Mar 27, 2026

The set has a better way of doing this, should we go that way?

vstinner
vstinner reviewed Mar 27, 2026
View reviewed changes
Comment thread Modules/_pickle.c Outdated
if (dict_size - total == 1) {
/* gh-146452: Prevent concurrent dict mutation from
invalidating the borrowed refs from PyDict_Next(). */
Py_BEGIN_CRITICAL_SECTION(obj);
Copy link
Copy Markdown
Member

@vstinner vstinner Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The critical section should be on the outer loop, not just on a single call according to the PyDict_Next() documentation:

      Py_BEGIN_CRITICAL_SECTION(self->dict);
      while (PyDict_Next(self->dict, &pos, &key, &value)) {
          ...
      }
      Py_END_CRITICAL_SECTION();

Copy link
Copy Markdown
Contributor Author

@overlorde overlorde Mar 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vstinner thanks, there are two ways to do this, either go with the current go-to for wrapping up with the critical section, or make a new batch_dict_impl then wrap it with criticial_section_begin or critical_section_end inside the batch_dict. Tradeoff is adding an extra function, but way cleaner than the go-to approach because of its multiple layers of condition check based returns. I'm making a modification to my PR in a while.

@vstinner
Copy link
Copy Markdown
Member

vstinner commented Mar 27, 2026

Please avoid git push --force since it makes reviews harder to follow in GitHub.

@overlorde
Copy link
Copy Markdown
Contributor Author

overlorde commented Mar 27, 2026
edited
Loading

Admitting the mistake. should i open a new pr again or work on it? i couldn't catch the UBsan failure locally. but another run fixed it on remote.

kumaraditya303
kumaraditya303 reviewed Apr 5, 2026
View reviewed changes
Comment thread Lib/test/test_free_threading/test_pickle.py Outdated
@overlorde overlorde changed the title gh-146452: Fix pickle segfault when pickling dict with concurrent mutation gh-146452: Fix pickle segfault on concurrent mutation of dict and list Apr 27, 2026
kumaraditya303
kumaraditya303 reviewed May 17, 2026
View reviewed changes
Comment thread Misc/NEWS.d/next/Library/2026-03-26-09-30-00.gh-issue-146452.Y2N6qZ8J.rst Outdated
@kumaraditya303 kumaraditya303 merged commit e62a611 into python:main May 17, 2026
59 checks passed
@miss-islington-app
Copy link
Copy Markdown

miss-islington-app Bot commented May 17, 2026

Thanks @overlorde for the PR, and @kumaraditya303 for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

@bedevere-app
Copy link
Copy Markdown

bedevere-app Bot commented May 17, 2026

GH-149940 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label May 17, 2026
kumaraditya303 added a commit that referenced this pull request May 17, 2026
@miss-islington @overlorde @kumaraditya303
[3.14] gh-146452: Fix pickle segfault on concurrent mutation of dict …
f380f85 
…in pickle (GH-146470) (#149940)

gh-146452: Fix pickle segfault on concurrent mutation of dict in pickle (GH-146470)
(cherry picked from commit e62a611)

Co-authored-by: Farhan Saif <fsaif@uic.edu>
Co-authored-by: Kumar Aditya <kumaraditya@python.org>
manoj-km24 pushed a commit to manoj-km24/cpython that referenced this pull request May 17, 2026
@overlorde @kumaraditya303 @manoj-km24
pythongh-146452: Fix pickle segfault on concurrent mutation of dict i…
9748e40 
…n pickle (python#146470)

Co-authored-by: Kumar Aditya <kumaraditya@python.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vstinner vstinner vstinner left review comments

@kumaraditya303 kumaraditya303 kumaraditya303 approved these changes

Assignees

No one assigned

Labels

topic-free-threading

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@overlorde @vstinner @kumaraditya303