PyType_Ready(): Complain if the type is a base type, and gc'able, and
tp_free is NULL or PyObject_Del at the end. Because it's a base type
it must call tp_free in its dealloc function, and because it's gc'able
it must not call PyObject_Del.
inherit_slots(): Don't inherit tp_free unless the type and its base
agree about whether they're gc'able. If the type is gc'able and the
base is not, and the base uses the default PyObject_Del for its
tp_free, give the type PyObject_GC_Del for its tp_free (the appropriate
default for a gc'able type).
cPickle.c: The Pickler and Unpickler types claim to be base classes
and gc'able, but their dealloc functions didn't call tp_free.
Repaired that. Also call PyType_Ready() on these typeobjects, so
that the correct (PyObject_GC_Del) default memory-freeing function
gets plugged into these types' tp_free slots.
diff --git a/Misc/NEWS b/Misc/NEWS
index b351711..b7b444a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -75,6 +75,17 @@
C API
-----
+- PyType_Ready(): If a type declares that it participates in gc
+ (Py_TPFLAGS_HAVE_GC), and its base class does not, and its base class's
+ tp_free slot is the default _PyObject_Del, and type does not define
+ a tp_free slot itself, _PyObject_GC_Del is assigned to type->tp_free.
+ Previously _PyObject_Del was inherited, which could at best lead to a
+ segfault. In addition, if even after this magic the type's tp_free
+ slot is _PyObject_Del or NULL, and the type is a base type
+ (Py_TPFLAGS_BASETYPE), TypeError is raised: since the type is a base
+ type, its dealloc function must call type->tp_free, and since the type
+ is gc'able, tp_free must not be NULL or _PyObject_Del.
+
New platforms
-------------
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index 733587e..b928e47 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -2853,7 +2853,7 @@
Py_XDECREF(self->inst_pers_func);
Py_XDECREF(self->dispatch_table);
PyMem_Free(self->write_buf);
- PyObject_GC_Del(self);
+ self->ob_type->tp_free((PyObject *)self);
}
static int
@@ -5212,7 +5212,7 @@
free(self->buf);
}
- PyObject_GC_Del(self);
+ self->ob_type->tp_free((PyObject *)self);
}
static int
@@ -5534,6 +5534,11 @@
#define INIT_STR(S) if (!( S ## _str=PyString_InternFromString(#S))) return -1;
+ if (PyType_Ready(&Unpicklertype) < 0)
+ return -1;
+ if (PyType_Ready(&Picklertype) < 0)
+ return -1;
+
INIT_STR(__class__);
INIT_STR(__getinitargs__);
INIT_STR(__dict__);
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index 9a23227..18b50fc 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -3044,8 +3044,25 @@
COPYSLOT(tp_dictoffset);
COPYSLOT(tp_init);
COPYSLOT(tp_alloc);
- COPYSLOT(tp_free);
COPYSLOT(tp_is_gc);
+ if ((type->tp_flags & Py_TPFLAGS_HAVE_GC) ==
+ (base->tp_flags & Py_TPFLAGS_HAVE_GC)) {
+ /* They agree about gc. */
+ COPYSLOT(tp_free);
+ }
+ else if ((type->tp_flags & Py_TPFLAGS_HAVE_GC) &&
+ type->tp_free == NULL &&
+ base->tp_free == _PyObject_Del) {
+ /* A bit of magic to plug in the correct default
+ * tp_free function when a derived class adds gc,
+ * didn't define tp_free, and the base uses the
+ * default non-gc tp_free.
+ */
+ type->tp_free = PyObject_GC_Del;
+ }
+ /* else they didn't agree about gc, and there isn't something
+ * obvious to be done -- the type is on its own.
+ */
}
}
@@ -3149,6 +3166,19 @@
inherit_slots(type, (PyTypeObject *)b);
}
+ /* Sanity check for tp_free. */
+ if (PyType_IS_GC(type) && (type->tp_flags & Py_TPFLAGS_BASETYPE) &&
+ (type->tp_free == NULL || type->tp_free == PyObject_Del)) {
+ /* This base class needs to call tp_free, but doesn't have
+ * one, or its tp_free is for non-gc'ed objects.
+ */
+ PyErr_Format(PyExc_TypeError, "type '%.100s' participates in "
+ "gc and is a base type but has inappropriate "
+ "tp_free slot",
+ type->tp_name);
+ goto error;
+ }
+
/* if the type dictionary doesn't contain a __doc__, set it from
the tp_doc slot.
*/