Message278290
(Just to save time for anyone interested)
The last demonstration of the bug Serhiy mentioned is caused by the following (this was right only until Serhiy's patch earlier today):
- before importing collections.abc, str_iterator is not initialized, which means:
* Its tp_mro is NULL.
* _PyType_Lookup returns NULL (when called to lookup __length_hint__ in str_iterator (as part of operator.length_hint))
- on import, collections.abc also does 'Iterator.register(str_iterator)', which leads to the following call chain: ABCMeta.register(Iterator, str_iterator) => issubclass(str_iterator, Iterator) => PyObject_IsSubclass(str_iterator, Iterator) => Iterator.__subclasscheck__(Iterator, str_iterator) => Iterator.__subclasshook__(str_iterator) => collections.abc._check_methods(str_iterator, '__iter__', '__next__')
And _check_methods first does 'mro = C.__mro__', which ultimately calls type_getattro (which calls PyType_Ready in case tp_dict is NULL).
Anyway, with regard to the disconcerting comment:
/* If mro is NULL, the type is either not yet initialized
by PyType_Ready(), or already cleared by type_clear().
Either way the safest thing to do is to return NULL. */
Sorry for the newbie question, but why not add a Py_TPFLAGS_CLEARED flag to tp_flags?
Then we could assert in _PyType_Lookup (and maybe also in other places that call PyType_Ready, such as type_getattro) that the Py_TPFLAGS_CLEARED is not set.
I realize adding such a flag is really a big deal, but maybe it's worth catching sneaky bugs caused by Python's equivalent of Use-After-Free bugs?
Date | User | Action | Args
2016-10-08 10:55:55 | Oren Milman | set | recipients: + Oren Milman, gvanrossum, terry.reedy, eric.smith, python-dev, serhiy.storchaka, ztane
2016-10-08 10:55:55 | Oren Milman | set | messageid: <1475924155.08.0.734103357218.issue26906@psf.upfronthosting.co.za>
2016-10-08 10:55:55 | Oren Milman | link | issue26906 messages
2016-10-08 10:55:54 | Oren Milman | create |
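The two NULL-mro states described in the message above, and how a "cleared" flag would let a lookup tell them apart, as an added toy model in C. This is not CPython's code: the struct layout, the TPFLAGS_* names and the status codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of the type states discussed in the message (assumed layout, not
 * CPython's): tp_mro is NULL both before PyType_Ready and after type_clear, and
 * the hypothetical TPFLAGS_CLEARED bit lets a lookup tell the two cases apart. */
#define TPFLAGS_READY   1u
#define TPFLAGS_CLEARED 2u   /* stands in for the proposed Py_TPFLAGS_CLEARED */

typedef struct Type {
    const char *name;
    const char *attrs[4];        /* names defined directly on this type */
    unsigned flags;
    const struct Type *mro[4];   /* empty until ready; empty again after clear */
    size_t mro_len;
} Type;

static void type_ready(Type *t, const Type *const *bases, size_t nbases) {
    t->mro[0] = t;                                /* self first, then bases */
    for (size_t i = 0; i < nbases; i++) t->mro[i + 1] = bases[i];
    t->mro_len = nbases + 1;
    t->flags |= TPFLAGS_READY;
}

static void type_clear(Type *t) {                 /* what type_clear() leaves behind */
    memset(t->mro, 0, sizeof t->mro);
    t->mro_len = 0;
    t->flags |= TPFLAGS_CLEARED;
}

enum { LOOKUP_MISSING, LOOKUP_FOUND, LOOKUP_NOT_READY, LOOKUP_CLEARED };

/* _PyType_Lookup analogue: reports which type in the MRO defines attr, or why the
 * MRO walk could not happen. Without the flag, both empty-mro cases collapse into
 * the same silent "return NULL" that the quoted comment describes. */
static int type_lookup(const Type *t, const char *attr, const Type **where) {
    *where = NULL;
    if (t->mro_len == 0)
        return (t->flags & TPFLAGS_CLEARED) ? LOOKUP_CLEARED : LOOKUP_NOT_READY;
    for (size_t i = 0; i < t->mro_len; i++)
        for (size_t j = 0; j < 4 && t->mro[i]->attrs[j]; j++)
            if (strcmp(t->mro[i]->attrs[j], attr) == 0) { *where = t->mro[i]; return LOOKUP_FOUND; }
    return LOOKUP_MISSING;
}

/* type_getattro analogue: ready an uninitialised type lazily, but never "ready" a
 * cleared one; that case is the use-after-clear bug the flag is meant to catch. */
static int type_getattr(Type *t, const Type *const *bases, size_t nbases,
                        const char *attr, const Type **where) {
    if (t->mro_len == 0 && !(t->flags & TPFLAGS_CLEARED)) type_ready(t, bases, nbases);
    return type_lookup(t, attr, where);
}
```

In CPython the LOOKUP_CLEARED branch would be the assertion the message proposes; here it is a distinct return code so the two states can be observed.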