Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
Closed
Description
Bug report
The order of operations inSTORE_ATTR_WITH_HINT differs from the dictionary implementation in a way that is not safe:
Lines 2235 to 2242 in35d8ac7
| new_version=_PyDict_NotifyEvent(tstate->interp,event,dict,name,PyStackRef_AsPyObjectBorrow(value)); | |
| ep->me_value=PyStackRef_AsPyObjectSteal(value); | |
| Py_XDECREF(old_value); | |
| STAT_INC(STORE_ATTR,hit); | |
| /* Ensure dict is GC tracked if it needs to be */ | |
| if (!_PyObject_GC_IS_TRACKED(dict)&&_PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) { | |
| _PyObject_GC_TRACK(dict); | |
| } |
It's not safe to call_PyObject_GC_MAY_BE_TRACKED(value) after thePy_XDECREF call. The dictionary may hold the only strong reference tovalue inep->me_value, and that can be modified during thePy_XDECREF call.
Note thatdictobject.c does the trackingbefore modifying the dictionary -- not after it -- and so avoids this problem.