[docs] [issue32322] Heap type with Py_TPFLAGS_HAVE_GC leads to segfault due to not incrementing type object refcount in PyObject_GC_New

Rostislav Kondratenko report at bugs.python.org
Thu Dec 14 09:44:08 EST 2017


New submission from Rostislav Kondratenko <grostik at gmail.com>:

If one creates a type with both Py_TPFLAGS_HAVE_GC and Py_TPFLAGS_HEAPTYPE set and implemented, one has to create instances with PyObject_GC_New() per the current docs: https://docs.python.org/3.7/c-api/gcsupport.html .

However, PyObject_GC_New(), unlike PyType_GenericAlloc(), does not increment the refcount of a type object. As the refcount is still decremented when instances are destroyed, it leads to a steady drain on the type object's refcount. Eventually it reaches zero and the type object gets deleted while there are still instances and references to it. And it usually results in a crash after a number of instances (20-50 is usually enough) are created and destroyed.

One should either update the docs to point out that a call to PyType_GenericAlloc() would be sufficient (as it would use _PyObject_GC_Malloc() and increment the refcount when appropriate) or update the _PyObject_GC_New() code to increment the type object's refcount when the type is a heap type. Or both.

----------
assignee: docs at python
components: Documentation, Interpreter Core
messages: 308302
nosy: docs at python, rkond
priority: normal
severity: normal
status: open
title: Heap type with Py_TPFLAGS_HAVE_GC leads to segfault due to not incrementing type object refcount in PyObject_GC_New
type: crash
versions: Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32322>
_______________________________________
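
The refcount accounting described in the report, as an added example that is not part of the original message and is not CPython source. It is a simplified stand-alone model: every `model_*` name, the `alloc_kind` values and the starting refcount of 30 are constructed for illustration, and `GC_NEW_WITH_INCREF` stands for the code change the report proposes.

```c
/* Simplified model of the refcount accounting in the report; NOT CPython code.
   All names and the starting refcount below are constructed. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { long refcnt; int is_heap; int freed; } model_type;
typedef struct { model_type *type; } model_obj;

enum alloc_kind { GC_NEW, GENERIC_ALLOC, GC_NEW_WITH_INCREF };

static void type_decref(model_type *t) {
    if (--t->refcnt == 0) t->freed = 1;  /* the type object would be deleted here */
}

/* Instance creation: only the GC_NEW path skips the incref on a heap type. */
static model_obj *model_alloc(model_type *t, enum alloc_kind kind) {
    model_obj *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->type = t;
    if (t->is_heap && kind != GC_NEW) t->refcnt++;
    return o;
}

/* Instance destruction: a heap type's refcount is always decremented. */
static void model_dealloc(model_obj *o) {
    model_type *t = o->type;
    free(o);
    if (t->is_heap) type_decref(t);
}

/* Returns the create/destroy cycle on which the type is freed, or -1 if it survives. */
long cycles_until_type_freed(enum alloc_kind kind, int is_heap,
                             long initial_refs, long max_cycles) {
    model_type t = { initial_refs, is_heap, 0 };
    for (long i = 1; i <= max_cycles; i++) {
        model_obj *o = model_alloc(&t, kind);
        if (!o) return -1;
        model_dealloc(o);
        if (t.freed) return i;  /* later instances would use a dangling type */
    }
    return -1;
}

int main(void) {
    printf("GC_New, heap type:       %ld\n", cycles_until_type_freed(GC_NEW, 1, 30, 1000));
    printf("GenericAlloc, heap type: %ld\n", cycles_until_type_freed(GENERIC_ALLOC, 1, 30, 1000));
    printf("GC_New + incref, heap:   %ld\n", cycles_until_type_freed(GC_NEW_WITH_INCREF, 1, 30, 1000));
    printf("GC_New, static type:     %ld\n", cycles_until_type_freed(GC_NEW, 0, 30, 1000));
    return 0;
}
```

In the model the unbalanced path loses one type reference per instance, so the type is freed after exactly as many create/destroy cycles as it had references to begin with, while the balanced paths never free it.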

