[New-bugs-announce] [issue24427] subclass of multiprocessing Connection segfault upon attribute acces

[Charles-François Natali]

New submission from Charles-François Natali:

The following segfaults in _PyObject_GenericGetAttrWithDict:

"""
from socket import socketpair
from _multiprocessing import Connection


class Crash(Connection):
    pass

_, w = socketpair()

Crash(w.fileno()).bar
"""

#0  _PyObject_GenericGetAttrWithDict (dict=0xa6b001c, name=0xb7281020, obj=0x8c12478) at Objects/object.c:1427
#1  PyObject_GenericGetAttr (obj=0x8c12478, name=0xb7281020) at Objects/object.c:1461

(gdb) p *(obj + obj->ob_type->tp_dictoffset)
$8 = {ob_refcnt = 0, ob_type = 0x0}

It's probably not specific to this example, but I'm not familiar enough with object construction/descriptors to know what's going on here.

Note that the following atch fixes the crash, but I don't know why:
"""
--- a/Modules/_multiprocessing/connection.h     Wed Apr 15 19:30:38 2015 +0100
+++ b/Modules/_multiprocessing/connection.h     Wed Jun 10 20:25:15 2015 +0100
@@ -58,7 +58,7 @@
         return NULL;
     }
 
-    self = PyObject_New(ConnectionObject, type);
+    self = type->tp_alloc(type, 0);
     if (self == NULL)
         return NULL;
 
@@ -86,7 +86,7 @@
         CLOSE(self->handle);
         Py_END_ALLOW_THREADS
     }
-    PyObject_Del(self);
+    Py_TYPE(self)->tp_free((PyObject*)self);
 }
 
 /*
"""

----------
messages: 245140
nosy: neologix, pitrou
priority: normal
severity: normal
stage: needs patch
status: open
title: subclass of multiprocessing Connection segfault upon attribute acces

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24427>
_______________________________________