`STORE_ATTR_WITH_HINT` has potential use-after-free

# Bug report

The order of operations in `STORE_ATTR_WITH_HINT` differs from the dictionary implementation in a way that is not safe:

https://github.com/python/cpython/blob/35d8ac7cd7ed6cd3d84af721dce970da59bd5f68/Python/bytecodes.c#L2235-L2242

It's not safe to call `_PyObject_GC_MAY_BE_TRACKED(value)` after the `Py_XDECREF` call. The dictionary may hold the only strong reference to `value` in `ep->me_value`, and that can be modified during the `Py_XDECREF` call.

Note that `dictobject.c` does the tracking *before* modifying the dictionary -- not after it -- and so avoids this problem.


### Linked PRs
* gh-123092
* gh-123235
* gh-123237

	new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
	ep->me_value = PyStackRef_AsPyObjectSteal(value);
	Py_XDECREF(old_value);
	STAT_INC(STORE_ATTR, hit);
	/* Ensure dict is GC tracked if it needs to be */
	if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
	_PyObject_GC_TRACK(dict);
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`STORE_ATTR_WITH_HINT` has potential use-after-free #123083

Bug report

Linked PRs

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier! Saves Data!

Uh oh!

STORE_ATTR_WITH_HINT has potential use-after-free #123083

Description

Bug report

Linked PRs

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier! Saves Data!

`STORE_ATTR_WITH_HINT` has potential use-after-free #123083