gh-115874: Don't use module state in teedataobject tp_dealloc (#116204)

Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>

Lib/test/test_itertools.py

@@ -1,7 +1,7 @@
 import doctest
 import unittest
 from test import support
-from test.support import threading_helper
+from test.support import threading_helper, script_helper
 from itertools import *
 import weakref
 from decimal import Decimal
@@ -1699,6 +1699,14 @@ class TestBasicOps(unittest.TestCase):
             self.pickletest(proto, a, compare=ans)
             self.pickletest(proto, b, compare=ans)
 
+    def test_tee_dealloc_segfault(self):
+        # gh-115874: segfaults when accessing module state in tp_dealloc.
+        script = (
+            "import typing, copyreg, itertools; "
+            "copyreg.buggy_tee = itertools.tee(())"
+        )
+        script_helper.assert_python_ok("-c", script)
+
     # Issue 13454: Crash when deleting backward iterator from tee()
     def test_tee_del_backward(self):
         forward, backward = tee(repeat(None, 20000000))

Modules/itertoolsmodule.c

@@ -815,10 +815,9 @@ teedataobject_traverse(teedataobject *tdo, visitproc visit, void * arg)
 }
 
 static void
-teedataobject_safe_decref(PyObject *obj, PyTypeObject *tdo_type)
+teedataobject_safe_decref(PyObject *obj)
 {
-    while (obj && Py_IS_TYPE(obj, tdo_type) &&
-           Py_REFCNT(obj) == 1) {
+    while (obj && Py_REFCNT(obj) == 1) {
         PyObject *nextlink = ((teedataobject *)obj)->nextlink;
         ((teedataobject *)obj)->nextlink = NULL;
         Py_SETREF(obj, nextlink);
@@ -837,8 +836,7 @@ teedataobject_clear(teedataobject *tdo)
         Py_CLEAR(tdo->values[i]);
     tmp = tdo->nextlink;
     tdo->nextlink = NULL;
-    itertools_state *state = get_module_state_by_cls(Py_TYPE(tdo));
-    teedataobject_safe_decref(tmp, state->teedataobject_type);
+    teedataobject_safe_decref(tmp);
     return 0;
 }