[Python-checkins] r84446 - python/branches/release27-maint/Lib/test/crashers/gc_has_finalizer.py
armin.rigo
python-checkins at python.org
Fri Sep 3 11:26:14 CEST 2010
Author: armin.rigo
Date: Fri Sep 3 11:26:14 2010
New Revision: 84446
Log:
An example that shows that _PyInstance_Lookup() does not fulfill
its documented purpose.
Added:
python/branches/release27-maint/Lib/test/crashers/gc_has_finalizer.py (contents, props changed)
Added: python/branches/release27-maint/Lib/test/crashers/gc_has_finalizer.py
==============================================================================
--- (empty file)
+++ python/branches/release27-maint/Lib/test/crashers/gc_has_finalizer.py Fri Sep 3 11:26:14 2010
@@ -0,0 +1,36 @@
+"""
+The gc module can still invoke arbitrary Python code and crash.
+This is an attack against _PyInstance_Lookup(), which is documented
+as follows:
+
+ The point of this routine is that it never calls arbitrary Python
+ code, so is always "safe": all it does is dict lookups.
+
+But of course dict lookups can call arbitrary Python code.
+The following code causes mutation of the object graph during
+the call to has_finalizer() in gcmodule.c, and that might
+segfault.
+"""
+
+import gc
+
+
+class A:
+ def __hash__(self):
+ return hash("__del__")
+ def __eq__(self, other):
+ del self.other
+ return False
+
+a = A()
+b = A()
+
+a.__dict__[b] = 'A'
+
+a.other = b
+b.other = a
+
+gc.collect()
+del a, b
+
+gc.collect()
More information about the Python-checkins
mailing list