[Python-checkins] bpo-25750: fix refcounts in type_getattro() (GH-6118) (GH-9091)
Victor Stinner
webhook-mailer at python.org
Fri Sep 7 04:15:42 EDT 2018
https://github.com/python/cpython/commit/bf2bd8f8a1d88de60c114de957f50fe2433e3937
commit: bf2bd8f8a1d88de60c114de957f50fe2433e3937
branch: 2.7
author: Victor Stinner <vstinner at redhat.com>
committer: GitHub <noreply at github.com>
date: 2018-09-07T10:15:31+02:00
summary:
bpo-25750: fix refcounts in type_getattro() (GH-6118) (GH-9091)
When calling tp_descr_get(self, obj, type), make sure that
we own a strong reference to "self".
(cherry picked from commit 8f735485acf2e35a75d2fa019feb8f905598c4e5)
files:
A Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst
M Objects/typeobject.c
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst
new file mode 100644
index 000000000000..09ffb368b7c6
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst
@@ -0,0 +1,2 @@
+Fix rare Python crash due to bad refcounting in ``type_getattro()`` if a
+descriptor deletes itself from the class. Patch by Jeroen Demeyer.
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index d576b8250d01..844fb0074920 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -2611,6 +2611,7 @@ type_getattro(PyTypeObject *type, PyObject *name)
PyTypeObject *metatype = Py_TYPE(type);
PyObject *meta_attribute, *attribute;
descrgetfunc meta_get;
+ PyObject* res;
if (!PyString_Check(name)) {
PyErr_Format(PyExc_TypeError,
@@ -2632,6 +2633,7 @@ type_getattro(PyTypeObject *type, PyObject *name)
meta_attribute = _PyType_Lookup(metatype, name);
if (meta_attribute != NULL) {
+ Py_INCREF(meta_attribute);
meta_get = Py_TYPE(meta_attribute)->tp_descr_get;
if (meta_get != NULL && PyDescr_IsData(meta_attribute)) {
@@ -2639,10 +2641,11 @@ type_getattro(PyTypeObject *type, PyObject *name)
* writes. Assume the attribute is not overridden in
* type's tp_dict (and bases): call the descriptor now.
*/
- return meta_get(meta_attribute, (PyObject *)type,
- (PyObject *)metatype);
+ res = meta_get(meta_attribute, (PyObject *)type,
+ (PyObject *)metatype);
+ Py_DECREF(meta_attribute);
+ return res;
}
- Py_INCREF(meta_attribute);
}
/* No data descriptor found on metatype. Look in tp_dict of this
@@ -2650,18 +2653,21 @@ type_getattro(PyTypeObject *type, PyObject *name)
attribute = _PyType_Lookup(type, name);
if (attribute != NULL) {
/* Implement descriptor functionality, if any */
- descrgetfunc local_get = Py_TYPE(attribute)->tp_descr_get;
+ descrgetfunc local_get;
+ Py_INCREF(attribute);
+ local_get = Py_TYPE(attribute)->tp_descr_get;
Py_XDECREF(meta_attribute);
if (local_get != NULL) {
/* NULL 2nd argument indicates the descriptor was
* found on the target object itself (or a base) */
- return local_get(attribute, (PyObject *)NULL,
- (PyObject *)type);
+ res = local_get(attribute, (PyObject *)NULL,
+ (PyObject *)type);
+ Py_DECREF(attribute);
+ return res;
}
- Py_INCREF(attribute);
return attribute;
}
More information about the Python-checkins
mailing list