Message 351037 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Mark.Shannon, christian.heimes, jdemeyer, lukasz.langa, pablogsal, petr.viktorin, pitrou, vstinner
Date	2019-09-02.21:09:21
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1567458562.26.0.560752796978.issue38006@roundup.psfhosted.org>
In-reply-to

Content
I investigated the FreeIPA crash. * Python 3.8 behaves differently because func_clear() has been implemented (bpo-33418, commit 3c452404ae178b742967589a0bb4a5ec768d76e0) * The bug is a crash on a function call (_PyFunction_Vectorcall) because the function has been cleared (by func_clear), but there was still a weak reference using this function as its callback. * Note: the function is called during it's being cleared by func_clear(). * The GC has a workaround for weak references part of "unreachable" objects, but its handle_weakrefs() function doesn't work because CFFI CField_Type type doesn't implement tp_traverse. -- PR 15641 just hides the real bug. One issue is that CFFI doesn't implement correctly the GC protocol. If an object contains another object, its type must: * Have Py_TPFLAGS_HAVE_GC flag * Implement tp_traverse * Use PyObject_GC_Malloc() to allocate an object * Call PyObject_GC_Track() on created object Another issue is that the GC doesn't prevent the crash. Would it be possible to prevent the crash without changing the behavior (ex: still call weakref callbacks)?

I investigated the FreeIPA crash.

* Python 3.8 behaves differently because func_clear() has been implemented (bpo-33418, commit 3c452404ae178b742967589a0bb4a5ec768d76e0)

* The bug is a crash on a function call (_PyFunction_Vectorcall) because the function has been cleared (by func_clear), but there was still a weak reference using this function as its callback.

* Note: the function is called *during* it's being cleared by func_clear().

* The GC has a workaround for weak references part of "unreachable" objects, but its handle_weakrefs() function doesn't work because CFFI CField_Type type doesn't implement tp_traverse.

--

PR 15641 just hides the real bug.

One issue is that CFFI doesn't implement correctly the GC protocol. If an object contains another object, its type must:

* Have Py_TPFLAGS_HAVE_GC flag
* Implement tp_traverse
* Use PyObject_GC_Malloc() to allocate an object
* Call PyObject_GC_Track() on created object

Another issue is that the GC doesn't prevent the crash. Would it be possible to prevent the crash without changing the behavior (ex: still call weakref callbacks)?

History
Date	User	Action	Args
2019-09-02 21:09:22	vstinner	set	recipients: + vstinner, pitrou, christian.heimes, petr.viktorin, lukasz.langa, Mark.Shannon, jdemeyer, pablogsal
2019-09-02 21:09:22	vstinner	set	messageid: <1567458562.26.0.560752796978.issue38006@roundup.psfhosted.org>
2019-09-02 21:09:22	vstinner	link	issue38006 messages
2019-09-02 21:09:21	vstinner	create