fix LOAD_INDEX/STORE_INDEX to use _DK_INDICES_BASE for well-defined pointer arithmetic

clintonsteiner · clintonsteiner · commit 4c889e8b75c1 · 2026-03-11T17:10:11.000-05:00
The previous macros used negative indexing from the PyDictKeysObject pointer
(e.g. ((int8_t*)keys)[-1-idx]) to access the indices stored before the struct.
This is undefined behavior: the compiler sees keys as typed PyDictKeysObject*
and negative indices are formally out-of-bounds, allowing MSVC's release optimizer
to generate incorrect hash table lookups.

Fix by using _DK_INDICES_BASE(keys) (the actual malloc base) with positive forward
indexing, which is well-defined pointer arithmetic within the allocation.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c
@@ -182,8 +182,8 @@ ASSERT_DICT_LOCKED(PyObject *op)
 
 #define IS_DICT_SHARED(mp) _PyObject_GC_IS_SHARED(mp)
 #define SET_DICT_SHARED(mp) _PyObject_GC_SET_SHARED(mp)
-#define LOAD_INDEX(keys, size, idx) _Py_atomic_load_int##size##_relaxed(&((const int##size##_t*)(keys))[-1 - (idx)]);
-#define STORE_INDEX(keys, size, idx, value) _Py_atomic_store_int##size##_relaxed(&((int##size##_t*)(keys))[-1 - (idx)], (int##size##_t)value);
+#define LOAD_INDEX(keys, size, idx) _Py_atomic_load_int##size##_relaxed(&((const int##size##_t*)(_DK_INDICES_BASE(keys)))[(idx)]);
+#define STORE_INDEX(keys, size, idx, value) _Py_atomic_store_int##size##_relaxed(&((int##size##_t*)(_DK_INDICES_BASE(keys)))[(idx)], (int##size##_t)value);
 #define ASSERT_OWNED_OR_SHARED(mp) \
     assert(_Py_IsOwnedByCurrentThread((PyObject *)mp) || IS_DICT_SHARED(mp));
 
@@ -262,8 +262,8 @@ static inline void split_keys_entry_added(PyDictKeysObject *keys)
 #define UNLOCK_KEYS_IF_SPLIT(keys, kind)
 #define IS_DICT_SHARED(mp) (false)
 #define SET_DICT_SHARED(mp)
-#define LOAD_INDEX(keys, size, idx) ((const int##size##_t*)(keys))[-1 - (idx)]
-#define STORE_INDEX(keys, size, idx, value) ((int##size##_t*)(keys))[-1 - (idx)] = (int##size##_t)value
+#define LOAD_INDEX(keys, size, idx) ((const int##size##_t*)(_DK_INDICES_BASE(keys)))[(idx)]
+#define STORE_INDEX(keys, size, idx, value) ((int##size##_t*)(_DK_INDICES_BASE(keys)))[(idx)] = (int##size##_t)value
 
 static inline void split_keys_entry_added(PyDictKeysObject *keys)
 {
