René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Deadlock when `array.fromfile` re-enters `append` via `__index__`","articleBody":"### What happened?\n\n`array.fromfile` calls the user-provided `f.read()`, and that callback can append objects to the same array while it is being resized. The append path grabs the array's write lock before converting the element, then calls the object's `__index__`. If `__index__` performs another `array.append` (as in the PoC), the second append blocks forever on the already-held `PyRwLock`, causing a deadlock instead of raising an error.\n\n**Proof of Concept:**\n```python\nimport array\n\na = array.array(\"b\")\n\nclass X:\n    def __index__(self):\n        a.append(0)\n        return 0\n\nclass R:\n    def read(self, n):\n        a.append(X())\n        return b\"\\0\" * n\n\na.fromfile(R(), 1)\n```\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAffected Versions\u003c/strong\u003e\u003c/summary\u003e\n\n| RustPython Version | Status | Exit Code |\n|---|---|---|\n| `Python 3.13.0alpha (heads/main-dirty:21300f689, Dec 13 2025, 22:16:49)  [RustPython 0.4.0 with rustc 1.90.0-nightly (11ad40bb8 2025-06-28)]` | Deadlock | 124 |\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eVulnerable Code\u003c/strong\u003e\u003c/summary\u003e\n\n```c\n#[pymethod]\nfn fromfile(\u0026self, f: PyObjectRef, n: isize, vm: \u0026VirtualMachine) -\u003e PyResult\u003c()\u003e {\n    let b = vm.call_method(\u0026f, \"read\", (n_bytes,))?; // user f.read runs arbitrary code while the array can still be mutated\n    ...\n}\n\n#[pymethod]\nfn append(zelf: \u0026Py\u003cSelf\u003e, x: PyObjectRef, vm: \u0026VirtualMachine) -\u003e PyResult\u003c()\u003e {\n    zelf.try_resizable(vm)?.push(x, vm) // takes a non-reentrant PyRwLock write guard before converting x\n}\n\nimpl ArrayElement for i8 {\n    fn try_into_from_object(vm: \u0026VirtualMachine, obj: PyObjectRef) -\u003e PyResult\u003cSelf\u003e {\n        obj.try_index(vm)?.try_to_primitive(vm) // invokes __index__ while the write lock is held; reentrant array.append inside __index__ deadlocks\n    }\n}\n\nimpl BufferResizeGuard for PyArray {\n    fn try_resizable_opt(\u0026self) -\u003e Option\u003cSelf::Resizable\u003c'_\u003e\u003e {\n        let w = self.write(); // second append blocks here waiting on the same PyRwLock, hanging the interpreter\n        (self.exports.load(atomic::Ordering::SeqCst) == 0).then_some(w)\n    }\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRust Output\u003c/strong\u003e\u003c/summary\u003e\n\n```\nProgram hangs forever\n```\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eCPython Output\u003c/strong\u003e\u003c/summary\u003e\n\n```\n(No output)\n```\n\u003c/details\u003e\n\n","author":{"url":"https://github.com/jackfromeast","@type":"Person","name":"jackfromeast"},"datePublished":"2025-12-27T04:53:28.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/6549/RustPython/issues/6549"}