From 632fad393304db484f508d1833a9fda52b7f193a Mon Sep 17 00:00:00 2001 From: Amaury Forgeot d'Arc Date: Sat, 16 Feb 2008 20:55:24 +0000 Subject: [PATCH] Prevent a crash with nested scopes, again caused by calling Py_DECREF when the pointer is still present in the containing structure. --- Lib/test/test_scope.py | 18 ++++++++++++++++++ Misc/NEWS | 3 +++ Objects/cellobject.c | 4 +++- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_scope.py b/Lib/test/test_scope.py index db88dbd5130..cd2d98c075c 100644 --- a/Lib/test/test_scope.py +++ b/Lib/test/test_scope.py @@ -597,6 +597,24 @@ self.assert_(X.passed) f(4)() + def testFreeingCell(self): + # Test what happens when a finalizer accesses + # the cell where the object was stored. + class Special: + def __del__(self): + nestedcell_get() + + def f(): + global nestedcell_get + def nestedcell_get(): + return c + + c = (Special(),) + c = 2 + + f() # used to crash the interpreter... + + def test_main(): run_unittest(ScopeTests) diff --git a/Misc/NEWS b/Misc/NEWS index 74466d69143..c8c4a0347c6 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -12,6 +12,9 @@ What's New in Python 2.6 alpha 1? Core and builtins ----------------- +- Fixed several potential crashes, all caused by specially crafted __del__ + methods exploiting objects in temporarily inconsistent state. + - Issue #2115: Important speedup in setting __slot__ attributes. Also prevent a possible crash: an Abstract Base Class would try to access a slot on a registered virtual subclass. diff --git a/Objects/cellobject.c b/Objects/cellobject.c index dc684d5b671..b72d43be67c 100644 --- a/Objects/cellobject.c +++ b/Objects/cellobject.c @@ -31,13 +31,15 @@ PyCell_Get(PyObject *op) int PyCell_Set(PyObject *op, PyObject *obj) { + PyObject* oldobj; if (!PyCell_Check(op)) { PyErr_BadInternalCall(); return -1; } - Py_XDECREF(((PyCellObject*)op)->ob_ref); + oldobj = PyCell_GET(op); Py_XINCREF(obj); PyCell_SET(op, obj); + Py_XDECREF(oldobj); return 0; }