New submission from Armin Rigo:

PyFrameObject.f_gen is a pointer (not a reference) to a generator/coroutine object. But the latter doesn't always correctly clean it up when it dies. This pointer is used by frame.clear().

Here is an example I made, which ends in a segfault. This example assumes we apply the patch of issue27811 first, otherwise it just crashes earlier in the same way as issue27811.

# execute this with "python -Werror"
import gc

async def f():
    pass

cr = f()
frame = cr.cr_frame
del cr
gc.collect()

# create some randomness to reuse the memory just freed by 'cr'
import asyncio
print("ping")

frame.clear()

Patch attached. No test, but you can copy the above example.

----------
components: Interpreter Core
files: patch2.diff
keywords: needs review, patch
messages: 273200
nosy: arigo
priority: normal
severity: normal
status: open
title: PyFrameObject.f_gen can be left pointing to a dangling generator
versions: Python 3.6

Added file: http://bugs.python.org/file44166/patch2.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27812>
_______________________________________
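The report ships no test, so here is one way to turn the reproducer into a regression check. This is an added example, not part of the original submission or of patch2.diff; the names REPRODUCER, classify and run_reproducer are assumptions made for illustration. It runs the snippet in a child interpreter so a crash cannot take down the test runner, and treats death by signal (POSIX) as the failure condition.

```python
import signal
import subprocess
import sys

# The reproducer from the report, run unchanged in a child interpreter.
REPRODUCER = '''
import gc
async def f():
    pass
cr = f()
frame = cr.cr_frame
del cr
gc.collect()
# create some randomness to reuse the memory just freed by 'cr'
import asyncio
print("ping")
frame.clear()
'''


def classify(returncode):
    """Map a child return code to a verdict (POSIX convention assumed)."""
    if returncode < 0:
        # subprocess reports "killed by signal N" as -N on POSIX.
        try:
            detail = signal.Signals(-returncode).name
        except ValueError:
            detail = "signal %d" % -returncode
        return {"crashed": True, "detail": detail}
    # 0, or a positive code from an ordinary Python exception: no memory fault.
    return {"crashed": False, "detail": "exit status %d" % returncode}


def run_reproducer(timeout=120):
    """Run the reproducer under -Werror, as the report instructs."""
    proc = subprocess.run(
        [sys.executable, "-Werror", "-c", REPRODUCER],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
    )
    verdict = classify(proc.returncode)
    verdict["returncode"] = proc.returncode
    return verdict


if __name__ == "__main__":
    result = run_reproducer()
    print(result)
    sys.exit(1 if result["crashed"] else 0)
```

On an interpreter that still has the dangling f_gen pointer the check is expected to report a crash, though the report notes the outcome depends on the freed memory being reused.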