[Python-Dev] XXX - in funcobject.c
Guido van Rossum
guido at python.org
Tue Feb 5 23:39:01 CET 2008
On Feb 5, 2008 2:07 PM, Amaury Forgeot d'Arc <amauryfa at gmail.com> wrote:
> Guido van Rossum wrote:
> > I think we really *are* talking about the caller -- the caller owns
> > the dict, if it managed to delete something from the dict before the
> > callee can incref it, you'd have trouble. I don't immediately see how
> > this could happen, which is probably why I left it as an XXX
> > comment...
>
> I found one way to call python code before the callee can incref the
> args: the __eq__ between variable names and the dict entries. The
> following snippet crashes the trunk version on win32:
>
> class Name(str):
> def __eq__(self, other):
> del d[self]
> return str.__eq__(self, other)
> def __hash__(self):
> return str.__hash__(self)
>
> d = {Name("a"):1, Name("b"):2}
> def f(a, b): print a,b
>
> f(**d) # Segfault
>
>
> There are several variants of this crasher; they all have more than
> one keyword argument, and keywords strings must override __eq__ or
> __hash__.
> I could not find any other way to execute python code in this area.
Thanks Amaury! Do you think it would be sufficient to change the
PyString_Check() call in PyEval_EvalCodeEx into a
PyString_CheckExact() call? Or is the proper fix to incref the values
going into the kw array and decref them upon exit?
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
More information about the Python-Dev
mailing list