New submission from STINNER Victor <victor.stin...@gmail.com>:
Lib/test/crashers/borrowed_ref_1.py contains the docstring:
"_PyType_Lookup() returns a borrowed reference.
This attacks the call in dictobject.c."
The file was added by Armin in 2006 by the changeset 4dd1a9383e47.
I just fixed #14211 which was a similar bug
(Lib/test/crashers/borrowed_ref_2.py), but I'm unable to reproduce this one.
Extract of dict_subscript():
missing = _PyObject_LookupSpecial((PyObject *)mp,
&PyId___missing__);
if (missing != NULL) {
res = PyObject_CallFunctionObjArgs(missing,
key, NULL);
Py_DECREF(missing);
return res;
}
I fail to see how missing can be destroyed before being used. Is it a problem
that missing is destroyed while we are calling it?
How can I trigger the crash in gdb?
----------
components: Interpreter Core
messages: 155190
nosy: arigo, haypo
priority: normal
severity: normal
status: open
title: Fix or drop Lib/test/crashers/borrowed_ref_1.py
type: crash
versions: Python 3.3
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14231>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
