gh-143543: Fix re-entrant use-after-free in itertools.groupby (GH-143738)

VanshAgarwal24036 · skirpichev · encukou · web-flow · commit a91b5c3fb5ae · 2026-02-09T15:12:25.000+01:00
Co-authored-by: Sergey B Kirpichev &lt;skirpichev@gmail.com&gt;
Co-authored-by: Petr Viktorin &lt;encukou@gmail.com&gt;
diff --git a/Lib/test/test_itertools.py b/Lib/test/test_itertools.py
@@ -733,6 +733,27 @@ def keyfunc(obj):
         keyfunc.skip = 1
         self.assertRaises(ExpectedError, gulp, [None, None], keyfunc)
 
+    def test_groupby_reentrant_eq_does_not_crash(self):
+        # regression test for gh-143543
+        class Key:
+            def __init__(self, do_advance):
+                self.do_advance = do_advance
+
+            def __eq__(self, other):
+                if self.do_advance:
+                    self.do_advance = False
+                    next(g)
+                    return NotImplemented
+                return False
+
+        def keys():
+            yield Key(True)
+            yield Key(False)
+
+        g = itertools.groupby([None, None], keys().send)
+        next(g)
+        next(g)  # must pass with address sanitizer
+
     def test_filter(self):
         self.assertEqual(list(filter(isEven, range(6))), [0,2,4])
         self.assertEqual(list(filter(None, [0,1,0,2,0])), [1,2])
diff --git a/Misc/NEWS.d/next/Library/2026-01-13-10-38-43.gh-issue-143543.DeQRCO.rst b/Misc/NEWS.d/next/Library/2026-01-13-10-38-43.gh-issue-143543.DeQRCO.rst
@@ -0,0 +1,2 @@
+Fix a crash in itertools.groupby that could occur when a user-defined
+:meth:`~object.__eq__` method re-enters the iterator during key comparison.
diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c
@@ -544,9 +544,19 @@ groupby_next(PyObject *op)
         else if (gbo->tgtkey == NULL)
             break;
         else {
-            int rcmp;
+            /* A user-defined __eq__ can re-enter groupby and advance the iterator,
+               mutating gbo->tgtkey / gbo->currkey while we are comparing them.
+               Take local snapshots and hold strong references so INCREF/DECREF
+               apply to the same objects even under re-entrancy. */
+            PyObject *tgtkey = gbo->tgtkey;
+            PyObject *currkey = gbo->currkey;
+
+            Py_INCREF(tgtkey);
+            Py_INCREF(currkey);
+            int rcmp = PyObject_RichCompareBool(tgtkey, currkey, Py_EQ);
+            Py_DECREF(tgtkey);
+            Py_DECREF(currkey);
 
-            rcmp = PyObject_RichCompareBool(gbo->tgtkey, gbo->currkey, Py_EQ);
             if (rcmp == -1)
                 return NULL;
             else if (rcmp == 0)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Fix a crash in itertools.groupby that could occur when a user-defined`
	`2`	+:meth:`~object.__eq__` method re-enters the iterator during key comparison.