gh-118331: Fix a couple of issues when list allocation fails (#130811)

* Fix use after free in list objects

Set the items pointer in the list object to NULL after the items array
is freed during list deallocation. Otherwise, we can end up with a list
object added to the free list that contains a pointer to an already-freed
items array.

* Mark `_PyList_FromStackRefStealOnSuccess` as escaping

I think technically it's not escaping, because the only object that
can be decrefed if allocation fails is an exact list, which cannot
execute arbitrary code when it is destroyed. However, this seems less
intrusive than trying to special cases objects in the assert in `_Py_Dealloc`
that checks for non-null stackpointers and shouldn't matter for performance.

Author: mpage

Diff for: Include/internal/pycore_opcode_metadata.h

@@ -1,6 +1,9 @@
 import sys
-from test import list_tests
+import textwrap
+from test import list_tests, support
 from test.support import cpython_only
+from test.support.import_helper import import_module
+from test.support.script_helper import assert_python_failure
 import pickle
 import unittest
 
@@ -309,5 +312,20 @@ def test_tier2_invalidates_iterator(self):
             a.append(4)
             self.assertEqual(list(it), [])
 
+    @support.cpython_only
+    def test_no_memory(self):
+        # gh-118331: Make sure we don't crash if list allocation fails
+        import_module("_testcapi")
+        code = textwrap.dedent("""
+        import _testcapi, sys
+        # Prime the freelist
+        l = [None]
+        del l
+        _testcapi.set_nomemory(0)
+        l = [None]
+        """)
+        _, _, err = assert_python_failure("-c", code)
+        self.assertIn("MemoryError", err.decode("utf-8"))
+
 if __name__ == "__main__":
     unittest.main()

Diff for: Include/internal/pycore_uop_metadata.h

@@ -533,6 +533,7 @@ list_dealloc(PyObject *self)
             Py_XDECREF(op->ob_item[i]);
         }
         free_list_items(op->ob_item, false);
+        op->ob_item = NULL;
     }
     if (PyList_CheckExact(op)) {
         _Py_FREELIST_FREE(lists, op, PyObject_GC_Del);

Diff for: Lib/test/test_list.py

@@ -632,7 +632,6 @@ def has_error_without_pop(op: parser.CodeDef) -> bool:
     "_PyGen_GetGeneratorFromFrame",
     "_PyInterpreterState_GET",
     "_PyList_AppendTakeRef",
-    "_PyList_FromStackRefStealOnSuccess",
     "_PyList_ITEMS",
     "_PyLong_CompactValue",
     "_PyLong_DigitCount",