[pypy-commit] extradoc extradoc: add

arigo Mon, 05 Dec 2016 00:06:58 -0800

Author: Armin Rigo <[email protected]>
Branch: extradoc
Changeset: r5759:011142ec6be4
Date: 2016-12-05 09:05 +0100
http://bitbucket.org/pypy/extradoc/changeset/011142ec6be4/


Log:    add

diff --git a/planning/py3.5/cpython-crashers.rst 
b/planning/py3.5/cpython-crashers.rst
--- a/planning/py3.5/cpython-crashers.rst
+++ b/planning/py3.5/cpython-crashers.rst
@@ -64,6 +64,21 @@
     f()
     sys.settrace(None)
 
+* I didn't try, but it seems that typeobject.c:mro_internal() is prone
+  to a refcount crash.  It does this::
+
+     old_mro = type->tp_mro;
+     ...mro_invoke()...  /* might cause reentrance */
+     type->tp_mro = new_mro;
+     ...
+     Py_XDECREF(old_mro);
+
+  This last XDECREF drops the reference held by the previous value of
+  ``type->tp_mro`` after we changed it.  But ``type->tp_mro`` might have
+  changed because of mro_invoke(), which calls pure Python code.  If it
+  did change, then old_mro is no longer the old value of
+  ``type->tp_mro``.  The wrong object gets decrefed.
+
 
 Non-segfaulting bugs
 --------------------
_______________________________________________
pypy-commit mailing list
[email protected]
https://mail.python.org/mailman/listinfo/pypy-commit

[pypy-commit] extradoc extradoc: add

Reply via email to