Classification
Title: type cache updates might run cleanup code in an inconsistent state
Type: behavior
Stage:
Components: Interpreter Core
Versions: Python 3.0, Python 2.6

Process
Status: closed
Resolution: accepted
Dependencies:
Superseder:
Assigned To:
Nosy List: arigo, georg.brandl, scoder
Priority: normal
Keywords: patch

Created on 2008-05-28 11:07 by scoder, last changed 2008-05-29 14:35 by georg.brandl. This issue is now closed.

Files
possible-decref-before-set-fix.patch (uploaded by scoder, 2008-05-28 11:07)
Messages (5)
msg67445 - Author: Stefan Behnel (scoder) (Python committer) Date: 2008-05-28 11:07
Similar to the "decref before set" issue solved by Py_CLEAR(), the code
in typeobject.c calls DECREF in the middle of a cache update. This
leaves one cache entry in an invalid state during the DECREF call, which
might result in running cleanup code in this state. If this code depends
on an attribute lookup, this might lead to a cache lookup, which in turn
can access the infected part of the cache. In the worst case, such a
scenario can lead to a crash as it accesses an already cleaned-up object.

Here is a patch that fixes this.
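The ordering hazard described above, as an added example in C that is neither CPython's typeobject.c nor the attached patch: a constructed toy refcount (Obj, cache, finalize, scenario and the two update routines are invented names) whose cleanup code consults the cache, contrasting the decref-then-set order, which leaves a stale slot visible to that cleanup, with the set-then-decref order of the Py_CLEAR idiom. As the thread later notes, the real field only ever holds a string or None, so no cleanup code could run there; the example shows the general pattern, not that specific field.

```c
#include <stdlib.h>

/* Constructed miniature of CPython's refcounting and per-type method cache
   (added illustration, not CPython's typeobject.c). */
typedef struct Obj { int refcnt; int alive; } Obj;

#define CACHE_SIZE 4
static Obj *cache[CACHE_SIZE];
static int saw_stale_entry;   /* cleanup code met a dead object in the cache */

/* Cleanup that runs when an object dies.  Like a __del__ doing an attribute
   lookup, it consults the cache.  The object is marked dead, not freed, so the
   stale read stays observable instead of being undefined behaviour. */
static void finalize(Obj *o) {
    o->alive = 0;
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i] != NULL && !cache[i]->alive)
            saw_stale_entry = 1;   /* a slot still points at the dying object */
}

static void decref(Obj *o) { if (o != NULL && --o->refcnt == 0) finalize(o); }
static Obj *new_obj(void) {
    Obj *o = malloc(sizeof *o);
    if (o == NULL) abort();
    o->refcnt = 1; o->alive = 1;
    return o;
}

/* The pattern the report objects to: DECREF while cache[i] still holds the old
   pointer, so cleanup triggered by the DECREF sees an inconsistent slot. */
static void update_decref_then_set(int i, Obj *value) {
    decref(cache[i]);
    cache[i] = value;
}

/* The Py_CLEAR-style fix: detach the slot first, then DECREF the old pointer. */
static void update_set_then_decref(int i, Obj *value) {
    Obj *old = cache[i];
    cache[i] = value;
    decref(old);
}

/* Fill slot 0, replace it with the given routine, and report whether cleanup
   saw a stale entry (1) or not (0).  Objects are leaked on purpose. */
static int scenario(void (*update)(int, Obj *)) {
    saw_stale_entry = 0;
    cache[0] = new_obj();
    update(0, new_obj());
    return saw_stale_entry;
}
```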
msg67450 - Author: Georg Brandl (georg.brandl) (Python committer) Date: 2008-05-28 15:57
Thanks, committed in r63760.
msg67480 - Author: Armin Rigo (arigo) (Python committer) Date: 2008-05-29 08:07
This was actually not a bug because the object being decref'ed
is guaranteed to be exactly a string or None, as told in the comment
about the 'name' field.  So no user code could possibly run during
this Py_DECREF() call.
msg67484 - Author: Stefan Behnel (scoder) (Python committer) Date: 2008-05-29 08:17
Ok, I buy that argument. The patch may be considered a code uglification
then.
msg67495 - Author: Georg Brandl (georg.brandl) (Python committer) Date: 2008-05-29 14:35
Reverted in r63787.
History
2008-05-29 14:35:51  georg.brandl  set     messages: + msg67495
2008-05-29 08:17:16  scoder        set     messages: + msg67484
2008-05-29 08:07:15  arigo         set     nosy: + arigo; messages: + msg67480
2008-05-28 15:57:16  georg.brandl  set     status: open -> closed; resolution: accepted; messages: + msg67450; nosy: + georg.brandl
2008-05-28 11:07:17  scoder        create