[issue21435] Segfault with cyclic reference and asyncio.Future
Tim Peters
report at bugs.python.org
Tue May 6 06:51:51 CEST 2014
Tim Peters added the comment:
Sorry for the earlier noise. I'm fighting a flu and my head is mush :-(
Anyway, this doesn't look obvious. We get to this point:
if (Py_REFCNT(op) == 1) {
/* op will be destroyed */
gc = gc->gc.gc_prev;
}
and op is the type object for class B. gc gets set to the previous object, a list. Everything looks fine at this point. But when we get back from:
Py_DECREF(op);
the list's gc.gc_next field has been overwritten with NULL. That's why gc gets set to NULL on the next trip through the loop.
I spaced out stepping through all the type deallocation code, and didn't find exactly when the list's gc_next is overwritten. The list's gc_prev is still fine. Perhaps some code called _PyObject_GC_UNTRACK on the list object (which NULLs out the gc_next pointer but not the gc_prev pointer).
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21435>
_______________________________________
More information about the Python-bugs-list
mailing list