Fix race condition: create unreachable_refs under read locks

youknowone · youknowone · commit b279716aab79 · 2026-03-04T23:29:15.000+09:00
Move unreachable_refs creation before drop(gen_locks) so that raw
pointer dereferences and refcount increments happen while generation
list read locks are held. Previously, after dropping read locks, other
threads could untrack and free objects, causing use-after-free when
creating strong references from the raw GcPtr pointers.

Also add linked list integrity assertions and diagnostic warnings
for debugging GC list corruption.
diff --git a/crates/common/src/linked_list.rs b/crates/common/src/linked_list.rs
@@ -157,6 +157,15 @@ impl<L: Link> LinkedList<L, L::Target> {
         let ptr = L::as_raw(&val);
         assert_ne!(self.head, Some(ptr));
         unsafe {
+            // Verify the node is not already in a list (pointers must be clean)
+            assert!(
+                L::pointers(ptr).as_ref().get_prev().is_none(),
+                "push_front: node already has prev pointer (double-insert?)"
+            );
+            assert!(
+                L::pointers(ptr).as_ref().get_next().is_none(),
+                "push_front: node already has next pointer (double-insert?)"
+            );
             L::pointers(ptr).as_mut().set_next(self.head);
             L::pointers(ptr).as_mut().set_prev(None);
 
@@ -226,7 +235,11 @@ impl<L: Link> LinkedList<L, L::Target> {
     pub unsafe fn remove(&mut self, node: NonNull<L::Target>) -> Option<L::Handle> {
         unsafe {
             if let Some(prev) = L::pointers(node).as_ref().get_prev() {
-                debug_assert_eq!(L::pointers(prev).as_ref().get_next(), Some(node));
+                assert_eq!(
+                    L::pointers(prev).as_ref().get_next(),
+                    Some(node),
+                    "linked list corruption: prev->next != node (prev={prev:p}, node={node:p})"
+                );
                 L::pointers(prev)
                     .as_mut()
                     .set_next(L::pointers(node).as_ref().get_next());
@@ -239,7 +252,11 @@ impl<L: Link> LinkedList<L, L::Target> {
             }
 
             if let Some(next) = L::pointers(node).as_ref().get_next() {
-                debug_assert_eq!(L::pointers(next).as_ref().get_prev(), Some(node));
+                assert_eq!(
+                    L::pointers(next).as_ref().get_prev(),
+                    Some(node),
+                    "linked list corruption: next->prev != node (next={next:p}, node={node:p})"
+                );
                 L::pointers(next)
                     .as_mut()
                     .set_prev(L::pointers(node).as_ref().get_prev());
diff --git a/crates/vm/src/gc_state.rs b/crates/vm/src/gc_state.rs
@@ -281,6 +281,16 @@ impl GcState {
                 count.fetch_sub(1, Ordering::SeqCst);
                 obj_ref.clear_gc_tracked();
                 obj_ref.set_gc_generation(GC_UNTRACKED);
+            } else {
+                // Object claims to be in this generation but wasn't found in the list.
+                // This indicates a bug: the object was already removed from the list
+                // without updating gc_generation, or was never inserted.
+                eprintln!(
+                    "GC WARNING: untrack_object failed to remove obj={obj:p} from gen={obj_gen}, \
+                     tracked={}, gc_gen={}",
+                    obj_ref.is_gc_tracked(),
+                    obj_ref.gc_generation()
+                );
             }
             return;
         }
@@ -472,10 +482,10 @@ impl GcState {
             );
         }
 
-        // Create strong references to reachable objects while read locks are
-        // still held. After dropping gen_locks, other threads can untrack+free
-        // objects, making the raw pointers in `reachable` dangling.
-        // Strong refs keep objects alive for promote_survivors.
+        // Create strong references while read locks are still held.
+        // After dropping gen_locks, other threads can untrack+free objects,
+        // making the raw pointers in `reachable`/`unreachable` dangling.
+        // Strong refs keep objects alive for later phases.
         let survivor_refs: Vec<PyObjectRef> = reachable
             .iter()
             .filter_map(|ptr| {
@@ -488,6 +498,18 @@ impl GcState {
             })
             .collect();
 
+        let unreachable_refs: Vec<crate::PyObjectRef> = unreachable
+            .iter()
+            .filter_map(|ptr| {
+                let obj = unsafe { ptr.0.as_ref() };
+                if obj.strong_count() > 0 {
+                    Some(obj.to_owned())
+                } else {
+                    None
+                }
+            })
+            .collect();
+
         if unreachable.is_empty() {
             drop(gen_locks);
             self.promote_survivors(generation, &survivor_refs);
@@ -501,19 +523,6 @@ impl GcState {
 
         // Step 6: Finalize unreachable objects and handle resurrection
 
-        // 6a: Get references to all unreachable objects
-        let unreachable_refs: Vec<crate::PyObjectRef> = unreachable
-            .iter()
-            .filter_map(|ptr| {
-                let obj = unsafe { ptr.0.as_ref() };
-                if obj.strong_count() > 0 {
-                    Some(obj.to_owned())
-                } else {
-                    None
-                }
-            })
-            .collect();
-
         if unreachable_refs.is_empty() {
             self.promote_survivors(generation, &survivor_refs);
             self.generations[0].count.store(0, Ordering::SeqCst);
diff --git a/crates/vm/src/object/core.rs b/crates/vm/src/object/core.rs
@@ -176,6 +176,16 @@ pub(super) unsafe fn default_dealloc<T: PyPayload>(obj: *mut PyObject) {
         unsafe {
             crate::gc_state::gc_state().untrack_object(ptr);
         }
+        // Verify untrack cleared the tracked flag and generation
+        debug_assert!(
+            !obj_ref.is_gc_tracked(),
+            "object still tracked after untrack_object"
+        );
+        debug_assert_eq!(
+            obj_ref.gc_generation(),
+            crate::object::GC_UNTRACKED,
+            "gc_generation not reset after untrack_object"
+        );
     }
 
     // Extract child references before deallocation to break circular refs (tp_clear)
