Bug report

Bug description:

I found 22 free-threading race conditions during a partial Xint Code scan of cpython. These only apply to the free-threaded build, and were all found and tested on commit 0534774 built with ./configure --disable-gil --enable-asan on an M3 Mac.

I'm attaching a zip file with detailed writeups of each, as well as reproduction cases for 15 of the 22 issues. I don't have scripts reproducing the findings numbered 21, 36, 82, 94, 106, 115, or 124. Race conditions can be difficult to trigger, and even the scripts I provided are trying to win tight races and may not always work.

I know this is a lot. @colesbury suggested I create a combined issue to make the triage discussion easier.

Let me know if you have any questions or concerns. The issues were found and written up by an automated system, but I have put additional work into the validation and reporting. I do want to be respectful of everyone's time while helping to make Python better.

Writeups

Individual writeups and reproduction scripts: cpython-ft.zip

Many of the scripts are expected to crash, however some of them only produce exceptions or corrupted output. You should be able to run any of the scripts with PYTHON_GIL=1 set in your environment if you want to see a baseline without the race condition.

Finding List

• (17) Unlocked __init__ races with PRNG state access in Modules/_randommodule.c
• (21) Racy EVP_MD cache overwrite leaks references in Modules/_hashopenssl.c
• (36) Borrowed type lookup races to use-after-free in Objects/typeobject.c
• (49) SNI callback callable race use-after-free in Modules/_ssl.c
• (61) Racy weakref head load before incref in Objects/typeobject.c
• (62) Concurrent kwargs growth causes heap overwrite in Objects/call.c
• (69) Unsynchronized extra pointer dereference in len in Modules/_elementtree.c
• (82) Non-atomic list slot memmove in shared list delete in Objects/listobject.c
• (84) Iterator path bypasses buffered object lock in Modules/_io/bufferedio.c
• (87) Unsynchronized Element.text borrowed-pointer race in Modules/_elementtree.c
• (89) Unsynchronized dict iteration causes borrowed-ref UAF in Modules/_pickle.c
• (91) Racy list item borrow causes UAF in Modules/_pickle.c
• (94) Async-exception setter races thread-state free in Python/pystate.c
• (96) Racy GC callback list iteration in Python/gc_free_threading.c
• (106) Immediate decref races lock-free reader in Modules/_ctypes/_ctypes.c
• (108) Borrowed dict used after lock release in Objects/dictobject.c
• (115) Split clear frees keys without QSBR in Objects/dictobject.c
• (124) Stale keys race in attribute hint fastpath in Python/bytecodes.c
• (125) Struct reinit races with pack/unpack in Modules/_struct.c
• (128) Borrowed list item raced before incref in Objects/bytesobject.c
• (129) Reentrant __index__ causes released-buffer dereference in Objects/memoryobject.c
• (132) Non-atomic exports race in memoryview.hex in Objects/memoryobject.c

CPython versions tested on:

3.14

Operating systems tested on:

macOS