[issue25769] Crash due to using weakref referent without acquiring a strong reference

Sun, 29 Nov 2015 21:16:40 -0800 

New submission from lplatypus:

I have encountered some crashes in a multithreaded application which appear to 
be due to a bug in weakref_richcompare in Objects/weakref.c

(I am using Python 2.7.9, but the same weakref code exists in 3.5 and hg 
default branch too)

weakref_richcompare ends with the statement:

    return PyObject_RichCompare(PyWeakref_GET_OBJECT(self),
                                PyWeakref_GET_OBJECT(other), op);

At this point the code has established that the referents of "self" and "other" 
are still alive, and it is trying to compare the referents.  However it has not 
acquired a strong reference to the referents, so I think it is possible for one 
of them to be deleted half way through this comparison.  This can lead to a 
crash, because PyObject_RichCompare assumes that the PyObject*’s it was passed 
will remain usable for the duration of the call.

The crash dumps I have seen involve data corruption consistent with one of 
these PyObject's being deleted and the memory used for something else, eg:

00 python27!try_3way_compare+0x15 [objects\object.c @ 712]
01 python27!try_3way_to_rich_compare+0xb [objects\object.c @ 901]
02 python27!do_richcmp+0x2c [objects\object.c @ 935]
03 python27!PyObject_RichCompare+0x99 [objects\object.c @ 982]
04 python27!weakref_richcompare+0x6a [objects\weakrefobject.c @ 212]

In this example, in try_3way_compare the value of v->ob_type was 0x5f637865, 
which is ASCII "exc_" and not a valid pointer at all.

Other places in weakrefobject.c seem to have a similar weakness, eg in 
weakref_hash and weakref_repr.

I have not been successful in producing a small test case to demonstrate this 
crash.

----------
components: Interpreter Core
messages: 255608
nosy: ldeller
priority: normal
severity: normal
status: open
title: Crash due to using weakref referent without acquiring a strong reference
type: crash
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25769>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to