gh-115103: Fix unregistering of QSBR state (#116480)

colesbury · web-flow · commit cca30230d992 · 2024-03-08T12:39:53.000-05:00
If a thread blocks while waiting on the `shared-&gt;mutex` lock, the array
of QSBR states may be reallocated. The `tstate-&gt;qsbr` values before the
lock is acquired may not be the same as the value after the lock is acquired.
diff --git a/Python/qsbr.c b/Python/qsbr.c
@@ -233,13 +233,17 @@ _Py_qsbr_register(_PyThreadStateImpl *tstate, PyInterpreterState *interp,
 void
 _Py_qsbr_unregister(_PyThreadStateImpl *tstate)
 {
+    struct _qsbr_shared *shared = tstate->qsbr->shared;
+
+    PyMutex_Lock(&shared->mutex);
+    // NOTE: we must load (or reload) the thread state's qbsr inside the mutex
+    // because the array may have been resized (changing tstate->qsbr) while
+    // we waited to acquire the mutex.
     struct _qsbr_thread_state *qsbr = tstate->qsbr;
-    struct _qsbr_shared *shared = qsbr->shared;
 
     assert(qsbr->seq == 0 && "thread state must be detached");
-
-    PyMutex_Lock(&shared->mutex);
     assert(qsbr->allocated && qsbr->tstate == (PyThreadState *)tstate);
+
     tstate->qsbr = NULL;
     qsbr->tstate = NULL;
     qsbr->allocated = false;
