René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Double-free in Argument Clinic `str_converter` generated code","articleBody":"Argument Clinic `str_converter` generate such code when `encoding` is set\r\n(see function `test_str_converter_encoding` in file Lib/test/clinic.test):\r\n```c\r\n    /* -- snip -- */\r\n    if (!_PyArg_ParseStack(args, nargs, \"esesetes#et#:test_str_converter_encoding\",\r\n        \"idna\", \u0026a, \"idna\", \u0026b, \"idna\", \u0026c, \"idna\", \u0026d, \u0026d_length, \"idna\", \u0026e, \u0026e_length)) {\r\n        goto exit;\r\n    }\r\n    return_value = test_str_converter_encoding_impl(module, a, b, c, d, d_length, e, e_length);\r\n\r\nexit:\r\n    /* Cleanup for a */\r\n    if (a) {\r\n       PyMem_FREE(a);\r\n    }\r\n    /* Cleanup for b */\r\n    if (b) {\r\n       PyMem_FREE(b);\r\n    }\r\n    /* Cleanup for c */\r\n    if (c) {\r\n       PyMem_FREE(c);\r\n    }\r\n    /* -- snip -- */\r\n```\r\n\r\nIf parsing `a` successes, `a` will be assigned an address points to an allocated memory.\r\nAfter that, if parsing `b` fails, the memory which `a` points to is freed by function `_PyArg_ParseStack`,\r\nand `_PyArg_ParseStack` returns 0, then control flow goes to label \"exit\".\r\nAt this time, `a` is not NULL, so the memory it points to is freed again, which cause a double-free problem and a runtime crash.\r\n\r\nThis bug is found in https://github.com/python/cpython/pull/96178 \"Argument Clinic functional test\".\n\n\u003c!-- gh-pr-number: gh-99241 --\u003e\n* PR: gh-99241\n\u003c!-- /gh-pr-number --\u003e\n\n\n\u003c!-- gh-pr-number: gh-99890 --\u003e\n* PR: gh-99890\n\u003c!-- /gh-pr-number --\u003e\n\n\n\u003c!-- gh-pr-number: gh-100352 --\u003e\n* PR: gh-100352\n\u003c!-- /gh-pr-number --\u003e\n\n\n\u003c!-- gh-pr-number: gh-100353 --\u003e\n* PR: gh-100353\n\u003c!-- /gh-pr-number --\u003e\n\n\n\u003c!-- gh-pr-number: gh-100385 --\u003e\n* PR: gh-100385\n\u003c!-- /gh-pr-number --\u003e\n\n\n\u003c!-- gh-pr-number: gh-100386 --\u003e\n* PR: gh-100386\n\u003c!-- /gh-pr-number --\u003e\n","author":{"url":"https://github.com/colorfulappl","@type":"Person","name":"colorfulappl"},"datePublished":"2022-11-08T07:39:40.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":7},"url":"https://github.com/99240/cpython/issues/99240"}