gh-151535: Bound _remote_debugging asyncio awaited_by graph recursion

tonghuaroot · tonghuaroot · commit 67e7b05b9503 · 2026-06-16T16:48:39.000+08:00
diff --git a/Lib/test/test_external_inspection.py b/Lib/test/test_external_inspection.py
@@ -1164,6 +1164,85 @@ async def main():
             finally:
                 _cleanup_sockets(client_socket, server_socket)
 
+    @skip_if_not_supported
+    @unittest.skipIf(
+        sys.platform == "linux" and not PROCESS_VM_READV_SUPPORTED,
+        "Test only runs on Linux with process_vm_readv support",
+    )
+    def test_async_deep_awaited_by_chain_is_bounded(self):
+        # A very deep awaited_by chain in the target (which a corrupted or
+        # concurrently-mutated remote process can also present as a cycle) must
+        # not drive unbounded C recursion in the debugger. get_async_stack_trace
+        # should raise instead of overflowing the stack.
+        depth = 2000
+        port = find_unused_port()
+        script = textwrap.dedent(
+            f"""\
+            import asyncio
+            import socket
+            import time
+
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            sock.connect(('localhost', {port}))
+
+            async def main():
+                started = asyncio.Event()
+
+                async def leaf():
+                    while not started.is_set():
+                        await asyncio.sleep(0)
+                    end = time.time() + 10_000
+                    while time.time() < end:
+                        pass
+
+                leaf_t = asyncio.ensure_future(leaf())
+
+                async def waiter(child):
+                    await child
+
+                cur = leaf_t
+                tasks = [cur]
+                for _ in range({depth}):
+                    cur = asyncio.ensure_future(waiter(cur))
+                    tasks.append(cur)
+
+                for _ in range(5):
+                    await asyncio.sleep(0)
+
+                sock.sendall(b"ready")
+                started.set()
+                try:
+                    await leaf_t
+                finally:
+                    for t in tasks:
+                        t.cancel()
+
+            asyncio.run(main())
+            """
+        )
+
+        with os_helper.temp_dir() as work_dir:
+            script_dir = os.path.join(work_dir, "script_pkg")
+            os.mkdir(script_dir)
+
+            server_socket = _create_server_socket(port)
+            script_name = _make_test_script(script_dir, "script", script)
+            client_socket = None
+            try:
+                with _managed_subprocess([sys.executable, script_name]) as p:
+                    client_socket, _ = server_socket.accept()
+                    server_socket.close()
+                    server_socket = None
+
+                    _wait_for_signal(client_socket, b"ready")
+
+                    unwinder = RemoteUnwinder(p.pid)
+                    with self.assertRaises(RuntimeError) as cm:
+                        unwinder.get_async_stack_trace()
+                    self.assertIn("too deep or cyclic", str(cm.exception))
+            finally:
+                _cleanup_sockets(client_socket, server_socket)
+
     @skip_if_not_supported
     @unittest.skipIf(
         sys.platform == "linux" and not PROCESS_VM_READV_SUPPORTED,
diff --git a/Misc/NEWS.d/next/Library/2026-06-15-10-08-29.gh-issue-151535.CIumHj.rst b/Misc/NEWS.d/next/Library/2026-06-15-10-08-29.gh-issue-151535.CIumHj.rst
@@ -0,0 +1,3 @@
+:meth:`!RemoteUnwinder.get_async_stack_trace` no longer crashes when the
+target process presents a deeply nested or concurrently-mutated ``awaited_by``
+graph; a :exc:`RuntimeError` is now raised instead.
diff --git a/Modules/_remote_debugging/_remote_debugging.h b/Modules/_remote_debugging/_remote_debugging.h
@@ -147,6 +147,7 @@ typedef enum _WIN32_THREADSTATE {
 #define MAX_STACK_CHUNK_SIZE (16 * 1024 * 1024)  /* 16 MB max for stack chunks */
 #define MAX_LONG_DIGITS 64  /* Allows values up to ~2^1920 */
 #define MAX_SET_TABLE_SIZE (1 << 20)  /* 1 million entries max for set iteration */
+#define MAX_TASK_AWAITED_BY_DEPTH 1000  /* Bound recursion over the awaited_by graph */
 
 #ifndef MAX
 #define MAX(a, b) ((a) > (b) ? (a) : (b))
diff --git a/Modules/_remote_debugging/asyncio.c b/Modules/_remote_debugging/asyncio.c
@@ -516,6 +516,17 @@ parse_task(
 // Forward declaration for mutual recursion
 static int process_waiter_task(RemoteUnwinderObject *unwinder, uintptr_t key_addr, void *context);
 
+// Carries the recursion depth so a cyclic or corrupted remote awaited_by graph
+// cannot drive unbounded C recursion and overflow the debugger's stack.
+typedef struct {
+    PyObject *result;
+    int depth;
+} waiter_context_t;
+
+static int process_task_and_waiters_impl(
+    RemoteUnwinderObject *unwinder, uintptr_t task_addr, PyObject *result,
+    int depth);
+
 // Processor function for parsing tasks in sets
 static int
 process_task_parser(
@@ -658,19 +669,30 @@ process_single_task_node(
     return -1;
 }
 
-int
-process_task_and_waiters(
+static int
+process_task_and_waiters_impl(
     RemoteUnwinderObject *unwinder,
     uintptr_t task_addr,
-    PyObject *result
+    PyObject *result,
+    int depth
 ) {
     // First, add this task to the result
     if (process_single_task_node(unwinder, task_addr, NULL, result) < 0) {
         return -1;
     }
 
     // Now find all tasks that are waiting for this task and process them
-    return process_task_awaited_by(unwinder, task_addr, process_waiter_task, result);
+    waiter_context_t ctx = {result, depth};
+    return process_task_awaited_by(unwinder, task_addr, process_waiter_task, &ctx);
+}
+
+int
+process_task_and_waiters(
+    RemoteUnwinderObject *unwinder,
+    uintptr_t task_addr,
+    PyObject *result
+) {
+    return process_task_and_waiters_impl(unwinder, task_addr, result, 0);
 }
 
 // Processor function for task waiters
@@ -680,8 +702,17 @@ process_waiter_task(
     uintptr_t key_addr,
     void *context
 ) {
-    PyObject *result = (PyObject *)context;
-    return process_task_and_waiters(unwinder, key_addr, result);
+    waiter_context_t *ctx = (waiter_context_t *)context;
+    if (ctx->depth >= MAX_TASK_AWAITED_BY_DEPTH) {
+        PyErr_SetString(PyExc_RuntimeError,
+                        "Task awaited_by chain is too deep or cyclic "
+                        "(corrupted remote memory)");
+        set_exception_cause(unwinder, PyExc_RuntimeError,
+                            "Task awaited_by recursion limit exceeded");
+        return -1;
+    }
+    return process_task_and_waiters_impl(unwinder, key_addr, ctx->result,
+                                         ctx->depth + 1);
 }
 
 /* ============================================================================
@@ -978,7 +1009,8 @@ process_running_task_chain(
     }
 
     // Now find all tasks that are waiting for this task and process them
-    if (process_task_awaited_by(unwinder, running_task_addr, process_waiter_task, result) < 0) {
+    waiter_context_t ctx = {result, 0};
+    if (process_task_awaited_by(unwinder, running_task_addr, process_waiter_task, &ctx) < 0) {
         return -1;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+:meth:`!RemoteUnwinder.get_async_stack_trace` no longer crashes when the
	`2`	+target process presents a deeply nested or concurrently-mutated ``awaited_by``
	`3`	+graph; a :exc:`RuntimeError` is now raised instead.