Skip to content

Instantly share code, notes, and snippets.

@devdanzin

devdanzin/crossinterp_bugs.md

Created March 18, 2026 10:06
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save devdanzin/a56b8cb579b1950b4206e8a42d6be650 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save devdanzin/a56b8cb579b1950b4206e8a42d6be650 to your computer and use it in GitHub Desktop.
Download ZIP
crossinterp.c: Use-after-free + leaked exception + shadowed variable
Raw
crossinterp_bugs.md

crossinterp.c: Use-after-free + leaked exception + shadowed variable

Summary

Three bugs in the cross-interpreter subsystem:

  1. _ensure_notshareableerror (crossinterp_exceptions.h:85): Missing return after _PyErr_SetRaisedException steals ctx ref. Falls through to code using freed pointer.
  2. _PyXI_UnwrapNotShareableError (crossinterp_data_lookup.h:102): Exception removed from thread state via _PyErr_GetRaisedException, then _PyXI_InitFailure fails → exception leaked, thread error indicator cleared.
  3. _pop_preserved (crossinterp.c:2968): Inner _PyXI_namespace *xidata shadows outer. goto error cleanup checks outer (NULL) variable → inner allocation leaked.

Reproducer (ref leak)

import _interpchannels as ch, sys

cid = ch.create()
before = sys.gettotalrefcount()
for i in range(10000):
    try:
        ch.send(cid, lambda: None, blocking=False)
    except Exception:
        pass
after = sys.gettotalrefcount()
ch.destroy(cid)
print(f"Leaked {after - before} refs (~{(after-before)//10000}/send)")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment