Issue #16602: When a weakref's target was part of a long deallocation chain, the object could remain reachable through its weakref even though its refcount had dropped to zero.

Thanks to Eugene Toder for diagnosing and reporting the issue.
2012-12-08 21:17:03 +01:00 · 2012-12-08 21:17:03 +01:00 · f93ed3fa67
parent a7129d38ed 62a0d6ea40
commit f93ed3fa67
4 changed files with 38 additions and 4 deletions
--- a/Include/weakrefobject.h
+++ b/Include/weakrefobject.h
@ -70,7 +70,17 @@ PyAPI_FUNC(Py_ssize_t) _PyWeakref_GetWeakrefCount(PyWeakReference *head);
 PyAPI_FUNC(void) _PyWeakref_ClearRef(PyWeakReference *self);
 #endif

-#define PyWeakref_GET_OBJECT(ref) (((PyWeakReference *)(ref))->wr_object)
+/* Explanation for the Py_REFCNT() check: when a weakref's target is part
+   of a long chain of deallocations which triggers the trashcan mechanism,
+   clearing the weakrefs can be delayed long after the target's refcount
+   has dropped to zero.  In the meantime, code accessing the weakref will
+   be able to "see" the target object even though it is supposed to be
+   unreachable.  See issue #16602. */
+
+#define PyWeakref_GET_OBJECT(ref)                           \
+    (Py_REFCNT(((PyWeakReference *)(ref))->wr_object) > 0   \
+     ? ((PyWeakReference *)(ref))->wr_object                \
+     : Py_None)


 #ifdef __cplusplus
--- a/Lib/test/test_weakref.py
+++ b/Lib/test/test_weakref.py
@ -776,6 +776,27 @@ class ReferencesTestCase(TestBase):
        self.assertEqual(hash(a), hash(42))
        self.assertRaises(TypeError, hash, b)

+    def test_trashcan_16602(self):
+        # Issue #16602: when a weakref's target was part of a long
+        # deallocation chain, the trashcan mechanism could delay clearing
+        # of the weakref and make the target object visible from outside
+        # code even though its refcount had dropped to 0.  A crash ensued.
+        class C:
+            def __init__(self, parent):
+                if not parent:
+                    return
+                wself = weakref.ref(self)
+                def cb(wparent):
+                    o = wself()
+                self.wparent = weakref.ref(parent, cb)
+
+        d = weakref.WeakKeyDictionary()
+        root = c = C(None)
+        for n in range(100):
+            d[c] = c = C(c)
+        del root
+        gc.collect()
+

 class SubclassableWeakrefTestCase(TestBase):

--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -12,6 +12,10 @@ What's New in Python 3.3.1?
 Core and Builtins
 -----------------

+- Issue #16602: When a weakref's target was part of a long deallocation
+  chain, the object could remain reachable through its weakref even though
+  its refcount had dropped to zero.
+
 - Issue #16416: On Mac OS X, operating system data are now always
  encoded/decoded to/from UTF-8/surrogateescape, instead of the locale encoding
  (which may be ASCII if no locale environment variable is set), to avoid
--- a/Objects/weakrefobject.c
+++ b/Objects/weakrefobject.c
@ -52,9 +52,8 @@ clear_weakref(PyWeakReference *self)
 {
    PyObject *callback = self->wr_callback;

-    if (PyWeakref_GET_OBJECT(self) != Py_None) {
-        PyWeakReference **list = GET_WEAKREFS_LISTPTR(
-            PyWeakref_GET_OBJECT(self));
+    if (self->wr_object != Py_None) {
+        PyWeakReference **list = GET_WEAKREFS_LISTPTR(self->wr_object);

        if (*list == self)
            /* If 'self' is the end of the list (and thus self->wr_next == NULL)