[issue29438] SIGSEGV in PyObject_Malloc on python 3.6 and 3.7
INADA Naoki
report at bugs.python.org
Sat Feb 4 03:03:21 EST 2017
INADA Naoki added the comment:
4385 int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
4386 res = PyDict_SetItem(dict, key, value);
4387 if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
4388 /* PyDict_SetItem() may call dictresize and convert split table
...
4401 */
4402 if (cached->dk_refcnt == 1) {
4403 CACHED_KEYS(tp) = make_keys_shared(dict);
4404 }
4405 else {
4406 CACHED_KEYS(tp) = NULL;
4407 }
L4402 accessed free `cached` object.
At PyDict_SetItem() in L4386, some callback is called through weakref callback,
and the callback inserts something into this dict. shared key object (cached) is freed.
So right way to fix it may be DK_INCREF() before PyDict_SetItem().
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29438>
_______________________________________
More information about the Python-bugs-list
mailing list