mirror of
https://github.com/python/cpython.git
synced 2025-08-03 08:34:29 +00:00
An example that shows that _PyInstance_Lookup() does not fulfill
its documented purpose.
This commit is contained in:
Armin Rigo
parent
e900b494cb
commit
249205d9d6
1 changed files with 36 additions and 0 deletions
36
Lib/test/crashers/gc_has_finalizer.py
Normal file
36
Lib/test/crashers/gc_has_finalizer.py
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
"""
|
||||
The gc module can still invoke arbitrary Python code and crash.
|
||||
This is an attack against _PyInstance_Lookup(), which is documented
|
||||
as follows:
|
||||
|
||||
The point of this routine is that it never calls arbitrary Python
|
||||
code, so is always "safe": all it does is dict lookups.
|
||||
|
||||
But of course dict lookups can call arbitrary Python code.
|
||||
The following code causes mutation of the object graph during
|
||||
the call to has_finalizer() in gcmodule.c, and that might
|
||||
segfault.
|
||||
"""
|
||||
|
||||
import gc
|
||||
|
||||
|
||||
class A:
|
||||
def __hash__(self):
|
||||
return hash("__del__")
|
||||
def __eq__(self, other):
|
||||
del self.other
|
||||
return False
|
||||
|
||||
a = A()
|
||||
b = A()
|
||||
|
||||
a.__dict__[b] = 'A'
|
||||
|
||||
a.other = b
|
||||
b.other = a
|
||||
|
||||
gc.collect()
|
||||
del a, b
|
||||
|
||||
gc.collect()
|
||||
Loading…
Add table
Add a link
Reference in a new issue