[issue28883] Python 3.5.2 crashers (from PyPy)
Armin Rigo
report at bugs.python.org
Tue Dec 6 06:53:06 EST 2016
Armin Rigo added the comment:
(C6) I didn't try, but it seems that typeobject.c:mro_internal() is prone
to a refcount crash. It does this::
old_mro = type->tp_mro;
...mro_invoke()... /* might cause reentrance */
type->tp_mro = new_mro;
...
Py_XDECREF(old_mro);
This last XDECREF drops the reference held by the previous value of
``type->tp_mro`` after we changed it. But ``type->tp_mro`` might have
changed because of mro_invoke(), which calls pure Python code. If it
did change, then old_mro is no longer the old value of
``type->tp_mro``. The wrong object gets decrefed.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28883>
_______________________________________
More information about the Python-bugs-list
mailing list