Description
co_consts can contain values of any type, including mutable ones. For example:
def f():
print(())
code = f.__code__
code = code.replace(co_consts=(None, []))
exec(code)This is dangerous especially in the free-threaded build, which
- de-duplicates constants and
- immortalizes constants and relies them to be immortal
The “feature” is untested, as seen from the above snippet failing an assertion in free-threaded build.
Mutable subclasses of immutable built-in types are especially “interesting” here.
A solution would be to only allow built-in immutable marshallable types (booleans, integers, floating-point numbers, complex numbers, strings, bytes, tuples, frozensets, code objects, None, Ellipsis, StopIteration), excluding sublasses. That's a backwards-incompatible change.
Note that CPython now already recursively analyzes co_consts; there's little cost to doing additional inspection.
My current plan is:
- Disallow “bad” values in free-threaded builds in 3.14, as this build is still experimental and this breaks vital invariants.
- Deprecate “bad” values in regular build, and initially plan to disallow them in 3.16. (Minimal PEP-387 deprecation period chosen because this “feature” is very likely to interfere with optimizations, and unlikely to get proper test coverage.)
Until then, please avoid assuming that code constants are “sane”. (cc @brandtbucher @markshannon @colesbury)