Currently the descriptor (self) argument to __get__ is passed borrowed, since _PyType_LookupId returns a borrowed reference (see _PyObject_LookupSpecial and lookup_maybe_method in Objects/typeobject.c). This should instead own the reference.

Why? Callee-borrowing-from-caller is the established norm across the C API. You mention use-after-free, but can you elaborate on how that can happen in practice?

https://docs.python.org/3/extending/extending.html?highlight=borrowed#ownership-rules says:

"""When you pass an object reference into another function, in general, the function borrows the reference from you — if it needs to store it, it will use Py_INCREF() to become an independent owner."""

Hi Dennis,

Sorry, let me be more clear. CPython in general ensures that objects passed in as arguments to a function will live for the duration of the function call if they are otherwise untouched. As it is now, this invariant is not maintained when calling the __get__ descriptor. Right now, it is not only borrowed by the callee but also not owned by the caller (!).

Max

Ah, and another piece of the puzzle: this can happen in runtimes like Cinder that provide their own native code entrypoints to functions like a __get__.

Hi Max,

My apologies -- my first message was probably too dismissive.

Is there any way to make the existing code crash with pure Python, and can we then add such a test case? If not with pure Python, then perhaps with some minimal reproducible example using the C API?

Also, does the change have any effect on microbenchmarks involving the modified functions?

# This needs to be C code for this to fail, I'm writing it in Python for clarity and brevity

class D:
    def __get__(self, instance, owner):
       del C.d
       # There are now no strong references to self
       self.whatever # Access to freed memory

# This can be Python

class C:
    d = D()

C.d

If this can only be triggered from C code, it less of a concern.

The PR increases cost on a critical path, so we ought to be wary of applying it unless a known problem is being solved.

Note, this code path has survived two decades of deployment.  Also, the PR doesn't have a test to demonstrate that it fixes anything.  Those facts give some evidence that the PR has every user paying to solve a problem that almost no one actually has.