From: Armin Rigo Date: Fri, 3 Sep 2010 09:26:14 +0000 (+0000) Subject: An example that shows that _PyInstance_Lookup() does not fulfill X-Git-Tag: v2.7.1rc1~345 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=249205d9d674b8311cc8655e827ca4aa2928442f;p=python An example that shows that _PyInstance_Lookup() does not fulfill its documented purpose. --- diff --git a/Lib/test/crashers/gc_has_finalizer.py b/Lib/test/crashers/gc_has_finalizer.py new file mode 100644 index 0000000000..737959bb9b --- /dev/null +++ b/Lib/test/crashers/gc_has_finalizer.py @@ -0,0 +1,36 @@ +""" +The gc module can still invoke arbitrary Python code and crash. +This is an attack against _PyInstance_Lookup(), which is documented +as follows: + + The point of this routine is that it never calls arbitrary Python + code, so is always "safe": all it does is dict lookups. + +But of course dict lookups can call arbitrary Python code. +The following code causes mutation of the object graph during +the call to has_finalizer() in gcmodule.c, and that might +segfault. +""" + +import gc + + +class A: + def __hash__(self): + return hash("__del__") + def __eq__(self, other): + del self.other + return False + +a = A() +b = A() + +a.__dict__[b] = 'A' + +a.other = b +b.other = a + +gc.collect() +del a, b + +gc.collect()
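Review bot: The docstring never says how a lookup of `__del__` ends up in `A.__eq__`, so the setup line `a.__dict__[b] = 'A'` reads as arbitrary. Add a short comment there explaining that `A.__hash__` returns `hash("__del__")`, so `b` is stored in `a.__dict__` under the same hash as the string `"__del__"`, and a dict lookup for that name has to compare against `b`, which runs `__eq__` and its `del self.other`. The first `gc.collect()`, issued while `a` and `b` are still referenced, is also unexplained; a one-line comment on why it is needed before `del a, b` would help anyone who later has to decide whether the crasher still reproduces. It is also worth stating in the docstring that `class A:` is intentionally a classic class, since the file's point is the instance lookup path and adding an `object` base would change what is exercised.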