[issue38006] Crash in remove() weak reference callback of weakref.WeakValueDictionary at Python exit

Mon, 02 Sep 2019 05:35:10 -0700 

Pablo Galindo Salgado <[email protected]> added the comment:

I think the real problem is in vectorcall. tp_clear will make sure all internal 
pointers are either NULL or valid (by using Py_CLEAR, which also protects 
against re-entrancy) and it the responsibility of the object or its users to 
check that the fields that are needed are valid. From the docs on tp_clear:

> The Py_CLEAR() macro should be used, because clearing references is delicate: 
> the reference to the contained object must not be decremented until after the 
> pointer to the contained object is set to NULL. This is because decrementing 
> the reference count may cause the contained object to become trash, 
> triggering a chain of reclamation activity that may include invoking 
> arbitrary Python code (due to finalizers, or weakref callbacks, associated 
> with the contained object). If it’s possible for such code to reference self 
> again, it’s important that the pointer to the contained object be NULL at 
> that time, so that self knows the contained object can no longer be used. 

Notice the "so that self knows the contained object can no longer be used". I 
think _PyFunction_Vectorcall is missing the check "to see of the contained 
object can or cannot be used". Here the contained object being everything that 
has being cleaned before:

    Py_CLEAR(op->func_code);
    Py_CLEAR(op->func_globals);
    Py_CLEAR(op->func_module);
    Py_CLEAR(op->func_name);
    Py_CLEAR(op->func_defaults);
    Py_CLEAR(op->func_kwdefaults);
    Py_CLEAR(op->func_doc);
    Py_CLEAR(op->func_dict);
    Py_CLEAR(op->func_closure); <----- Everything before this
    Py_CLEAR(op->func_annotations);
    Py_CLEAR(op->func_qualname);

I think it will be enough to make a check for func_code being NULL in 
_PyFunction_Vectorcall or before.

----------

_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue38006>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to