New submission from Serhiy Storchaka:
There is a catch when converting static types to dynamic types using
PyType_FromSpec(). tp_new is not inherited for static types whose base class is
'object' (see a comment in inherit_special() in Objects/typeobject.c:4569 for
an explanation). Such types are left not callable and not pickleable unless
tp_new is explicitly specified. But since PyType_FromSpec() creates heap types,
tp_new is inherited from the base 'object' class. Converted types unexpectedly
become callable and pickleable. Since object.__new__ wouldn't ensure the
invariants that the extension type's own factory function ensures, an
instantiated object can be in an inconsistent state. Using it can lead to a
crash. We have already fallen into this catch two times, with the _tkinter
(issue15721) and curses.panel (issue14936) modules (fixed in issue23815).

We should document this catch and a way to avoid it (explicitly set tp_new to
NULL for the result of PyType_FromSpec()). Both the C API documentation and PEP
384 should be updated. It would be great if the standard examples included a
case of a non-callable heap type.

As an option, we can introduce a more handy way to set tp_new to NULL by adding
{Py_tp_new, NULL} to the slots array (currently this doesn't have any effect).
But this is a new feature.
----------
assignee: docs@python
components: Documentation
messages: 265152
nosy: docs@python, loewis, serhiy.storchaka
priority: high
severity: normal
status: open
title: The danger of PyType_FromSpec()
type: security
versions: Python 3.5, Python 3.6
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue26979>
_______________________________________