diff options
| author | INADA Naoki <methane@users.noreply.github.com> | 2017-08-24 14:55:17 +0900 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-08-24 14:55:17 +0900 | 
| commit | a6296d34a478b4f697ea9db798146195075d496c (patch) | |
| tree | 6a26d56297f7d85dd6a8f18bca96e0c4ffb60802 | |
| parent | bf9075a0c55186d2f34df63e6c8512dd6414ff4b (diff) | |
| download | cpython-git-a6296d34a478b4f697ea9db798146195075d496c.tar.gz | |
bpo-31095: fix potential crash during GC (GH-2974)
| -rw-r--r-- | Doc/extending/newtypes.rst | 29 | ||||
| -rw-r--r-- | Doc/includes/noddy4.c | 1 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2017-08-01-18-48-30.bpo-31095.bXWZDb.rst | 2 | ||||
| -rw-r--r-- | Modules/_collectionsmodule.c | 4 | ||||
| -rw-r--r-- | Modules/_elementtree.c | 4 | ||||
| -rw-r--r-- | Modules/_functoolsmodule.c | 7 | ||||
| -rw-r--r-- | Modules/_io/bytesio.c | 2 | ||||
| -rw-r--r-- | Modules/_json.c | 6 | ||||
| -rw-r--r-- | Modules/_ssl.c | 3 | ||||
| -rw-r--r-- | Modules/_struct.c | 2 | ||||
| -rw-r--r-- | Objects/dictobject.c | 6 | ||||
| -rw-r--r-- | Objects/setobject.c | 3 | ||||
| -rw-r--r-- | Parser/asdl_c.py | 2 | ||||
| -rw-r--r-- | Python/Python-ast.c | 2 | 
14 files changed, 60 insertions, 13 deletions
| diff --git a/Doc/extending/newtypes.rst b/Doc/extending/newtypes.rst index bd09aa695d..f0e8985c61 100644 --- a/Doc/extending/newtypes.rst +++ b/Doc/extending/newtypes.rst @@ -728,8 +728,9 @@ functions.  With :c:func:`Py_VISIT`, :c:func:`Noddy_traverse` can be simplified:     uniformity across these boring implementations.  We also need to provide a method for clearing any subobjects that can -participate in cycles.  We implement the method and reimplement the deallocator -to use it:: +participate in cycles. + +::     static int     Noddy_clear(Noddy *self) @@ -747,13 +748,6 @@ to use it::         return 0;     } -   static void -   Noddy_dealloc(Noddy* self) -   { -       Noddy_clear(self); -       Py_TYPE(self)->tp_free((PyObject*)self); -   } -  Notice the use of a temporary variable in :c:func:`Noddy_clear`. We use the  temporary variable so that we can set each member to *NULL* before decrementing  its reference count.  We do this because, as was discussed earlier, if the @@ -776,6 +770,23 @@ be simplified::         return 0;     } +Note that :c:func:`Noddy_dealloc` may call arbitrary functions through +``__del__`` method or weakref callback. It means circular GC can be +triggered inside the function.  Since GC assumes reference count is not zero, +we need to untrack the object from GC by calling :c:func:`PyObject_GC_UnTrack` +before clearing members. Here is reimplemented deallocator which uses +:c:func:`PyObject_GC_UnTrack` and :c:func:`Noddy_clear`. + +:: + +   static void +   Noddy_dealloc(Noddy* self) +   { +       PyObject_GC_UnTrack(self); +       Noddy_clear(self); +       Py_TYPE(self)->tp_free((PyObject*)self); +   } +  Finally, we add the :const:`Py_TPFLAGS_HAVE_GC` flag to the class flags::     Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, /* tp_flags */ diff --git a/Doc/includes/noddy4.c b/Doc/includes/noddy4.c index eb9622a87d..08ba4c3d91 100644 --- a/Doc/includes/noddy4.c +++ b/Doc/includes/noddy4.c @@ -46,6 +46,7 @@ Noddy_clear(Noddy *self)  static void  Noddy_dealloc(Noddy* self)  { +    PyObject_GC_UnTrack(self);      Noddy_clear(self);      Py_TYPE(self)->tp_free((PyObject*)self);  } diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-08-01-18-48-30.bpo-31095.bXWZDb.rst b/Misc/NEWS.d/next/Core and Builtins/2017-08-01-18-48-30.bpo-31095.bXWZDb.rst new file mode 100644 index 0000000000..ca1f8bafba --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2017-08-01-18-48-30.bpo-31095.bXWZDb.rst @@ -0,0 +1,2 @@ +Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call +``PyObject_GC_UnTrack()``. diff --git a/Modules/_collectionsmodule.c b/Modules/_collectionsmodule.c index aa582ed8de..adbe789700 100644 --- a/Modules/_collectionsmodule.c +++ b/Modules/_collectionsmodule.c @@ -1717,6 +1717,8 @@ dequeiter_traverse(dequeiterobject *dio, visitproc visit, void *arg)  static void  dequeiter_dealloc(dequeiterobject *dio)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(dio);      Py_XDECREF(dio->deque);      PyObject_GC_Del(dio);  } @@ -2097,6 +2099,8 @@ static PyMemberDef defdict_members[] = {  static void  defdict_dealloc(defdictobject *dd)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(dd);      Py_CLEAR(dd->default_factory);      PyDict_Type.tp_dealloc((PyObject *)dd);  } diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c index 3537f19b1c..857005a2a9 100644 --- a/Modules/_elementtree.c +++ b/Modules/_elementtree.c @@ -627,6 +627,7 @@ element_gc_clear(ElementObject *self)  static void  element_dealloc(ElementObject* self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */      PyObject_GC_UnTrack(self);      Py_TRASHCAN_SAFE_BEGIN(self) @@ -2076,6 +2077,8 @@ elementiter_dealloc(ElementIterObject *it)  {      Py_ssize_t i = it->parent_stack_used;      it->parent_stack_used = 0; +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(it);      while (i--)          Py_XDECREF(it->parent_stack[i].parent);      PyMem_Free(it->parent_stack); @@ -2083,7 +2086,6 @@ elementiter_dealloc(ElementIterObject *it)      Py_XDECREF(it->sought_tag);      Py_XDECREF(it->root_element); -    PyObject_GC_UnTrack(it);      PyObject_GC_Del(it);  } diff --git a/Modules/_functoolsmodule.c b/Modules/_functoolsmodule.c index da1d2e16db..33761a4666 100644 --- a/Modules/_functoolsmodule.c +++ b/Modules/_functoolsmodule.c @@ -113,6 +113,7 @@ partial_new(PyTypeObject *type, PyObject *args, PyObject *kw)  static void  partial_dealloc(partialobject *pto)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */      PyObject_GC_UnTrack(pto);      if (pto->weakreflist != NULL)          PyObject_ClearWeakRefs((PyObject *) pto); @@ -1073,7 +1074,11 @@ lru_cache_clear_list(lru_list_elem *link)  static void  lru_cache_dealloc(lru_cache_object *obj)  { -    lru_list_elem *list = lru_cache_unlink_list(obj); +    lru_list_elem *list; +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(obj); + +    list = lru_cache_unlink_list(obj);      Py_XDECREF(obj->maxsize_O);      Py_XDECREF(obj->func);      Py_XDECREF(obj->cache); diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c index 42c7f7933e..ba33f8c50d 100644 --- a/Modules/_io/bytesio.c +++ b/Modules/_io/bytesio.c @@ -1084,6 +1084,8 @@ bytesiobuf_traverse(bytesiobuf *self, visitproc visit, void *arg)  static void  bytesiobuf_dealloc(bytesiobuf *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      Py_CLEAR(self->source);      Py_TYPE(self)->tp_free(self);  } diff --git a/Modules/_json.c b/Modules/_json.c index 6cc31c6e37..54fc90cfec 100644 --- a/Modules/_json.c +++ b/Modules/_json.c @@ -655,7 +655,8 @@ py_encode_basestring(PyObject* self UNUSED, PyObject *pystr)  static void  scanner_dealloc(PyObject *self)  { -    /* Deallocate scanner object */ +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      scanner_clear(self);      Py_TYPE(self)->tp_free(self);  } @@ -1778,7 +1779,8 @@ bail:  static void  encoder_dealloc(PyObject *self)  { -    /* Deallocate Encoder */ +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      encoder_clear(self);      Py_TYPE(self)->tp_free(self);  } diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 1380c57511..e8abcb286f 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2778,6 +2778,8 @@ context_clear(PySSLContext *self)  static void  context_dealloc(PySSLContext *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      context_clear(self);      SSL_CTX_free(self->ctx);  #ifdef OPENSSL_NPN_NEGOTIATED @@ -4292,6 +4294,7 @@ static PyTypeObject PySSLMemoryBIO_Type = {  static void  PySSLSession_dealloc(PySSLSession *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */      PyObject_GC_UnTrack(self);      Py_XDECREF(self->ctx);      if (self->session != NULL) { diff --git a/Modules/_struct.c b/Modules/_struct.c index b5fbc43564..69a1e996d0 100644 --- a/Modules/_struct.c +++ b/Modules/_struct.c @@ -1589,6 +1589,8 @@ typedef struct {  static void  unpackiter_dealloc(unpackiterobject *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      Py_XDECREF(self->so);      PyBuffer_Release(&self->buf);      PyObject_GC_Del(self); diff --git a/Objects/dictobject.c b/Objects/dictobject.c index e395f4dabb..f055170750 100644 --- a/Objects/dictobject.c +++ b/Objects/dictobject.c @@ -1847,6 +1847,8 @@ dict_dealloc(PyDictObject *mp)      PyObject **values = mp->ma_values;      PyDictKeysObject *keys = mp->ma_keys;      Py_ssize_t i, n; + +    /* bpo-31095: UnTrack is needed before calling any callbacks */      PyObject_GC_UnTrack(mp);      Py_TRASHCAN_SAFE_BEGIN(mp)      if (values != NULL) { @@ -3270,6 +3272,8 @@ dictiter_new(PyDictObject *dict, PyTypeObject *itertype)  static void  dictiter_dealloc(dictiterobject *di)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    _PyObject_GC_UNTRACK(di);      Py_XDECREF(di->di_dict);      Py_XDECREF(di->di_result);      PyObject_GC_Del(di); @@ -3629,6 +3633,8 @@ dictiter_reduce(dictiterobject *di)  static void  dictview_dealloc(_PyDictViewObject *dv)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    _PyObject_GC_UNTRACK(dv);      Py_XDECREF(dv->dv_dict);      PyObject_GC_Del(dv);  } diff --git a/Objects/setobject.c b/Objects/setobject.c index 2347b9d70a..5c61bc7179 100644 --- a/Objects/setobject.c +++ b/Objects/setobject.c @@ -553,6 +553,7 @@ set_dealloc(PySetObject *so)      setentry *entry;      Py_ssize_t used = so->used; +    /* bpo-31095: UnTrack is needed before calling any callbacks */      PyObject_GC_UnTrack(so);      Py_TRASHCAN_SAFE_BEGIN(so)      if (so->weakreflist != NULL) @@ -809,6 +810,8 @@ typedef struct {  static void  setiter_dealloc(setiterobject *si)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    _PyObject_GC_UNTRACK(si);      Py_XDECREF(si->si_set);      PyObject_GC_Del(si);  } diff --git a/Parser/asdl_c.py b/Parser/asdl_c.py index b367e10231..f6c3a66117 100644 --- a/Parser/asdl_c.py +++ b/Parser/asdl_c.py @@ -633,6 +633,8 @@ typedef struct {  static void  ast_dealloc(AST_object *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      Py_CLEAR(self->dict);      Py_TYPE(self)->tp_free(self);  } diff --git a/Python/Python-ast.c b/Python/Python-ast.c index 77852f923f..2f1e737ea6 100644 --- a/Python/Python-ast.c +++ b/Python/Python-ast.c @@ -520,6 +520,8 @@ typedef struct {  static void  ast_dealloc(AST_object *self)  { +    /* bpo-31095: UnTrack is needed before calling any callbacks */ +    PyObject_GC_UnTrack(self);      Py_CLEAR(self->dict);      Py_TYPE(self)->tp_free(self);  } | 
