Oren Milman added the comment:
(Just to save time for anyone interested)
The last demonstration of the bug Serhiy mentioned is caused by the following
(this was right only until Serhiy's patch earlier today):
- before importing collections.abc, str_iterator is not initialized, which
  means:
  * Its tp_mro is NULL.
  * _PyType_Lookup returns NULL (when called to look up __length_hint__ in
    str_iterator (as part of operator.length_hint))
- on import, collections.abc also does 'Iterator.register(str_iterator)',
  which leads to the following call chain:
    ABCMeta.register(Iterator, str_iterator) =>
    issubclass(str_iterator, Iterator) =>
    PyObject_IsSubclass(str_iterator, Iterator) =>
    Iterator.__subclasscheck__(Iterator, str_iterator) =>
    Iterator.__subclasshook__(str_iterator) =>
    collections.abc._check_methods(str_iterator, '__iter__', '__next__')
  And _check_methods first does 'mro = C.__mro__', which ultimately calls
  type_getattro (which calls PyType_Ready in case tp_dict is NULL).
Anyway, with regard to the disconcerting comment:
    /* If mro is NULL, the type is either not yet initialized
       by PyType_Ready(), or already cleared by type_clear().
       Either way the safest thing to do is to return NULL. */
Sorry for the newbie question, but why not add a Py_TPFLAGS_CLEARED flag to
tp_flags?
Then we could assert in _PyType_Lookup (and maybe also in other places that
call PyType_Ready, such as type_getattro) that the Py_TPFLAGS_CLEARED is not
set.
I realize adding such a flag is really a big deal, but maybe it's worth
catching sneaky bugs caused by Python's equivalent of Use-After-Free bugs?
----------
nosy: +Oren Milman
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue26906>
_______________________________________
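The call chain described in the message above, traced in pure Python as an added example (not part of the original message and not CPython's own code). The names TracingABCMeta, LoggedMROMeta, TracedIterator, Target and trace_register are hypothetical, and the hook only mirrors the first step of _check_methods, the read of C.__mro__.

```python
from abc import ABCMeta

events = []  # ordered record of the hooks that fire


class TracingABCMeta(ABCMeta):
    """Hypothetical metaclass: logs register() and __subclasscheck__()."""

    def register(cls, subclass):
        events.append("register")
        return super().register(subclass)

    def __subclasscheck__(cls, subclass):
        events.append("__subclasscheck__")
        return super().__subclasscheck__(subclass)


class LoggedMROMeta(type):
    """Hypothetical metaclass: logs every attribute-level read of __mro__."""

    @property
    def __mro__(cls):
        events.append("__mro__")
        return type.__dict__["__mro__"].__get__(cls, type(cls))


def trace_register():
    """Register a fresh class on a fresh ABC and return the hook order."""

    class TracedIterator(metaclass=TracingABCMeta):
        @classmethod
        def __subclasshook__(cls, C):
            events.append("__subclasshook__")
            mro = C.__mro__  # same first step as _check_methods
            wanted = ("__iter__", "__next__")
            if all(any(m in B.__dict__ for B in mro) for m in wanted):
                return True
            return NotImplemented

    class Target(metaclass=LoggedMROMeta):
        def __iter__(self):
            return self

        def __next__(self):
            raise StopIteration

    events.clear()
    returned = TracedIterator.register(Target)
    return list(events), returned is Target, issubclass(Target, TracedIterator)
```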