[Python-Dev] CALL_ATTR patch

Michael Hudson mwh@python.net
Fri, 18 Apr 2003 19:26:22 +0100


Guido van Rossum <guido@python.org> writes:

>> (Looking at PyObject_GenericGetAttr with that in mind, I wonder if
>> there isn't a possible crash there. In the first MRO lookup, looking
>> for descr's, if a non-data-descr is found, it is kept around but not
>> INCREF'd until later, after the instance-dict is searched. Am I
>> wrong in believing the PyDict_GetItem of the instance dict can call
>> Python code?
>
> It can, if there's a key whose type has a custom __eq__ or __cmp__.
> So indeed, if this custom __eq__ is evil enough to delete the
> corresponding key from the class dict, it could cause descr to point
> to freed memory.  I won't try to construct a case, but it's not
> impossible. :-(

Indeed, there are several examples of this sort of thing already in
Lib/test/test_mutants.py.

Cheers,
M.

-- 
  If comp.lang.lisp *is* what vendors are relying on to make or
  break Lisp sales, that's more likely the problem than is the
  effect of any one of us on such a flimsy marketing strategy...
                                      -- Kent M Pitman, comp.lang.lisp
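
The re-entrancy discussed in this thread, as an added example that is not part of the original message or of Lib/test/test_mutants.py: a key in the instance dict whose `__eq__` deletes the class attribute while `getattr` is still in progress. `Marker`, `EvilKey`, `Victim` and `run_demo` are hypothetical names, and the example assumes a CPython 3 interpreter, where the attribute lookup holds its own reference to the object found in the MRO, so the call returns it safely.

```python
import weakref

class Marker:
    """Plain class attribute with no __get__/__set__ (a non-data 'descr')."""

class EvilKey:
    """Constructed key that shares a hash with an attribute name."""
    def __init__(self, name, cls):
        self.name, self.cls, self.fired = name, cls, False

    def __hash__(self):
        return hash(self.name)  # same hash, so the lookup must compare keys

    def __eq__(self, other):
        # Called from inside the instance-dict lookup for `name`.
        if not self.fired and other == self.name:
            self.fired = True
            delattr(self.cls, self.name)  # drop the class dict's reference
        return False

def run_demo():
    class Victim:
        pass

    marker = Marker()
    ref = weakref.ref(marker)
    Victim.attr = marker
    del marker  # the class dict now holds the only strong reference

    obj = Victim()
    key = EvilKey("attr", Victim)
    obj.__dict__[key] = None  # non-str key forces generic key comparison

    value = getattr(obj, "attr")  # MRO lookup, then instance-dict lookup
    result = {
        "eq_ran_during_lookup": key.fired,
        "returned_original": value is ref(),
        "still_on_class": hasattr(Victim, "attr"),
    }
    try:
        getattr(obj, "attr")
        result["second_lookup_raises"] = False
    except AttributeError:
        result["second_lookup_raises"] = True
    del value  # release the last strong reference
    result["freed_after_release"] = ref() is None
    return result

if __name__ == "__main__":
    for name, val in run_demo().items():
        print(f"{name}: {val}")
```

The object is freed only after the caller releases `value`, which shows the lookup kept it alive across the deletion; the same shape works as a regression test for C code that holds a borrowed reference across a dict lookup.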