Cannot safely Py_EndInterpreter in 3.14b1

[b-pass]

Crash report

What happened?

Stack trace:

#0  tstate_delete_common.constprop.0 (tstate=tstate@entry=0x555555666ca0, release_gil=0) at ../Python/pystate.c:1854
#1  0x00007ffff78cd341 in zapthreads (interp=0x7ffff74c8010) at ../Python/pystate.c:1915
#2  PyInterpreterState_Delete (interp=0x7ffff74c8010) at ../Python/pystate.c:1016
#3  0x00005555555552ef in main () at repro.c:16

(note the address passed to tstate_delete_common is definitely corrupt, and not the address of any PyThreadState created in this program)

This was triggered by creating a new PyThreeadState for the interpreter, switching to it, deleting an old thread state for the same interpreter, and then calling Py_EndInterpreter (on the new thread state).

repro.c:

#include <Python.h>

int main()
{
        Py_Initialize();

        PyThreadState *orig = NULL;
        PyInterpreterConfig cfg =  _PyInterpreterConfig_INIT;
        Py_NewInterpreterFromConfig(&orig, &cfg);

        PyThreadState *temp = PyThreadState_New(orig->interp);
        PyThreadState_Swap(temp);
        PyThreadState_Clear(orig);
        PyThreadState_Delete(orig);
        Py_EndInterpreter(temp);

        Py_Finalize();
}

Compiled with $ gcc -O1 -ggdb repro.cpp -I/usr/include/python3.14 -lpython3.14

CPython versions tested on:

3.14

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0b1 (main, May 8 2025, 08:57:13) [GCC 13.3.0]

Linked PRs

• gh-134144: Fix use-after-free in zapthreads() #134145
• [3.14] gh-134144: Fix use-after-free in zapthreads() (GH-134145) #134182

[ZeroIntensity]

@ericsnowcurrently This is the zapthreads problem that I was talking about yesterday.

I'm pretty sure #128640 will fix this.

[b-pass]

I updated the example code to a complete compilable description, this crashes for me. Using deadsnakes repo on ubuntu 24.04, which is 3.14.b1.

[ZeroIntensity]

Huh, that repro looks wrong. PyThreadState_Delete cannot be called with a thread state that is attached.

[b-pass]

Huh, that repro looks wrong. PyThreadState_Delete cannot be called with a thread state that is attached.

Does the PyThreadState_Swap not detach it?

[ZeroIntensity]

Oh wait, I see that you delete orig, not temp.

[b-pass]

If it matters, the reason I am doing it this way is that in 3.12 you can't actually delete (via PyThreadState_Delete) the first PyThreadState of the interpreter ... it looks to me like it never gets zero'd out (because it is the one that has storage inside the interpreterstate) so it causes an abort when it is subsequently reallocated. :( So you have to leave that one allocated. This is fixed in 3.13+