python
diff --git a/‎Lib/test/test_dict.py
Lines changed: 18 additions & 0 deletions b/‎Lib/test/test_dict.py
Lines changed: 18 additions & 0 deletions
diff --git a/‎Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst
Lines changed: 1 addition & 0 deletions b/‎Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst
Lines changed: 1 addition & 0 deletions
diff --git a/‎Python/bytecodes.c
Lines changed: 5 additions & 4 deletions b/‎Python/bytecodes.c
Lines changed: 5 additions & 4 deletions
@@ -1476,6 +1476,24 @@ def test_dict_items_result_gc_reversed(self):
         gc.collect()
         self.assertTrue(gc.is_tracked(next(it)))
 
+    def test_store_evilattr(self):
+        class EvilAttr:
+            def __init__(self, d):
+                self.d = d
+
+            def __del__(self):
+                if 'attr' in self.d:
+                    del self.d['attr']
+                gc.collect()
+
+        class Obj:
+            pass
+
+        obj = Obj()
+        obj.__dict__ = {}
+        for _ in range(10):
+            obj.attr = EvilAttr(obj.__dict__)
+
     def test_str_nonstr(self):
         # cpython uses a different lookup function if the dict only contains
         # `str` keys. Make sure the unoptimized path is used when a non-`str`
 
@@ -0,0 +1 @@
+Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT``.
@@ -1999,14 +1999,15 @@ dummy_func(
                 new_version = _PyDict_NotifyEvent(tstate->interp, PyDict_EVENT_MODIFIED, dict, name, value);
                 ep->me_value = value;
             }
-            Py_DECREF(old_value);
-            STAT_INC(STORE_ATTR, hit);
             /* Ensure dict is GC tracked if it needs to be */
             if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(value)) {
                 _PyObject_GC_TRACK(dict);
             }
-            /* PEP 509 */
-            dict->ma_version_tag = new_version;
+            dict->ma_version_tag = new_version; // PEP 509
+            // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+            // when dict only holds the strong reference to value in ep->me_value.
+            Py_DECREF(old_value);
+            STAT_INC(STORE_ATTR, hit);
             Py_DECREF(owner);
         }
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT``.
Original file line number	Diff line number	Diff line change
`@@ -1999,14 +1999,15 @@ dummy_func(`
`1999`	`1999`	`new_version = _PyDict_NotifyEvent(tstate->interp, PyDict_EVENT_MODIFIED, dict, name, value);`
`2000`	`2000`	`ep->me_value = value;`
`2001`	`2001`	`}`
`2002`		`- Py_DECREF(old_value);`
`2003`		`- STAT_INC(STORE_ATTR, hit);`
`2004`	`2002`	`/* Ensure dict is GC tracked if it needs to be */`
`2005`	`2003`	`if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(value)) {`
`2006`	`2004`	`_PyObject_GC_TRACK(dict);`
`2007`	`2005`	`}`
`2008`		`- /* PEP 509 */`
`2009`		`- dict->ma_version_tag = new_version;`
	`2006`	`+ dict->ma_version_tag = new_version; // PEP 509`
	`2007`	`+ // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,`
	`2008`	`+ // when dict only holds the strong reference to value in ep->me_value.`
	`2009`	`+ Py_DECREF(old_value);`
	`2010`	`+ STAT_INC(STORE_ATTR, hit);`
`2010`	`2011`	`Py_DECREF(owner);`
`2011`	`2012`	`}`
`2012`	`2013`