Commits

Anonymous committed 361fad6

PyType_Ready(): Complain if the type is a base type, and gc'able, and
tp_free is NULL or PyObject_Del at the end. Because it's a base type
it must call tp_free in its dealloc function, and because it's gc'able
it must not call PyObject_Del.

inherit_slots(): Don't inherit tp_free unless the type and its base
agree about whether they're gc'able. If the type is gc'able and the
base is not, and the base uses the default PyObject_Del for its
tp_free, give the type PyObject_GC_Del for its tp_free (the appropriate
default for a gc'able type).

cPickle.c: The Pickler and Unpickler types claim to be base classes
and gc'able, but their dealloc functions didn't call tp_free.
Repaired that. Also call PyType_Ready() on these typeobjects, so
that the correct (PyObject_GC_Del) default memory-freeing function
gets plugged into these types' tp_free slots.

Comments (0)

Files changed (3)

 Release date: XX-XXX-2003
 ============================
 
+- C API:  PyType_Ready():  If a type declares that it participates in gc
+  (Py_TPFLAGS_HAVE_GC), and its base class does not, and its base class's
+  tp_free slot is the default _PyObject_Del, and type does not define
+  a tp_free slot itself, _PyObject_GC_Del is assigned to type->tp_free.
+  Previously _PyObject_Del was inherited, which could at best lead to a
+  segfault.  In addition, if even after this magic the type's tp_free
+  slot is _PyObject_Del or NULL, and the type is a base type
+  (Py_TPFLAGS_BASETYPE), TypeError is raised:  since the type is a base
+  type, its dealloc function must call type->tp_free, and since the type
+  is gc'able, tp_free must not be NULL or _PyObject_Del.
+
 - Windows:  file.truncate(size) failed on large files when size didn't
   fit in 32 bits.  This was fixed by backporting new Windows truncation
   code and tests from 2.3.

Modules/cPickle.c

         free(self->write_buf);
     }
 
-    PyObject_GC_Del(self);
+    self->ob_type->tp_free((PyObject *)self);
 }
 
 static int
         free(self->buf);
     }
 
-    PyObject_GC_Del(self);
+    self->ob_type->tp_free((PyObject *)self);
 }
 
 static int
 
 #define INIT_STR(S) UNLESS(S ## _str=PyString_InternFromString(#S)) return -1;
 
+    if (PyType_Ready(&Unpicklertype) < 0)
+    	return -1;
+    if (PyType_Ready(&Picklertype) < 0)
+    	return -1;
+  
     INIT_STR(__class__);
     INIT_STR(__getinitargs__);
     INIT_STR(__dict__);

Objects/typeobject.c

 		COPYSLOT(tp_descr_set);
 		COPYSLOT(tp_init);
 		COPYSLOT(tp_alloc);
-		COPYSLOT(tp_free);
 		COPYSLOT(tp_is_gc);
+		if ((type->tp_flags & Py_TPFLAGS_HAVE_GC) ==
+		    (base->tp_flags & Py_TPFLAGS_HAVE_GC)) {
+			/* They agree about gc. */
+			COPYSLOT(tp_free);
+		}
+		else if ((type->tp_flags & Py_TPFLAGS_HAVE_GC) &&
+			 type->tp_free == NULL &&
+			 base->tp_free == _PyObject_Del) {
+			/* A bit of magic to plug in the correct default
+			 * tp_free function when a derived class adds gc,
+			 * didn't define tp_free, and the base uses the
+			 * default non-gc tp_free.
+			 */
+			type->tp_free = _PyObject_GC_Del;
+		}
+		/* else they didn't agree about gc, and there isn't something
+		 * obvious to be done -- the type is on its own.
+		 */
 	}
 }
 
 			inherit_slots(type, (PyTypeObject *)b);
 	}
 
+	/* Sanity check for tp_free. */
+	if (PyType_IS_GC(type) && (type->tp_flags & Py_TPFLAGS_BASETYPE) &&
+	    (type->tp_free == NULL || type->tp_free == _PyObject_Del)) {
+	    	/* This base class needs to call tp_free, but doesn't have
+	    	 * one, or its tp_free is for non-gc'ed objects.
+	    	 */
+		PyErr_Format(PyExc_TypeError, "type '%.100s' participates in "
+			     "gc and is a base type but has inappropriate "
+			     "tp_free slot",
+			     type->tp_name);
+		goto error;
+	}
+
 	/* if the type dictionary doesn't contain a __doc__, set it from
 	   the tp_doc slot.
 	 */
 	Py_INCREF(Py_None);
 	return Py_None;
 }
-  
+
 static PyObject *
 wrap_descr_delete(PyObject *self, PyObject *args, void *wrapped)
 {