[3.6] bpo-31499, xml.etree: Fix xmlparser_gc_clear() crash (GH-3641) (#3645)

* bpo-31499, xml.etree: Fix xmlparser_gc_clear() crash xml.etree: xmlparser_gc_clear() now sets self.parser to NULL to prevent a crash in xmlparser_dealloc() if xmlparser_gc_clear() was called previously by the garbage collector, because the parser was part of a reference cycle. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit e727d41f)

[3.6] bpo-31499, xml.etree: Fix xmlparser_gc_clear() crash (GH-3641) (#3645)
* bpo-31499, xml.etree: Fix xmlparser_gc_clear() crash xml.etree: xmlparser_gc_clear() now sets self.parser to NULL to prevent a crash in xmlparser_dealloc() if xmlparser_gc_clear() was called previously by the garbage collector, because the parser was part of a reference cycle. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit e727d41f)
8afd7ab1 · Miss Islington (bot) · Victor Stinner · 84c89ef4 · 8afd7ab1 · 8afd7ab1
Kaydet (Commit) 8afd7ab1 authored Eyl 18, 2017 tarafından Miss Islington (bot) Kaydeden (comit) Victor Stinner Eyl 18, 2017
Showing with 26 additions and 1 deletion

test_xml_etree_c.py Lib/test/test_xml_etree_c.py +20 -0

2017-09-18-10-57-04.bpo-31499.BydYhf.rst ...S.d/next/Library/2017-09-18-10-57-04.bpo-31499.BydYhf.rst +1 -0

_elementtree.c Modules/_elementtree.c +5 -1

No files found.
--- a/Lib/test/test_xml_etree_c.py
+++ b/Lib/test/test_xml_etree_c.py
@@ -64,6 +64,26 @@ class MiscTests(unittest.TestCase):
        del root
        support.gc_collect()

+    def test_parser_ref_cycle(self):
+        # bpo-31499: xmlparser_dealloc() crashed with a segmentation fault when
+        # xmlparser_gc_clear() was called previously by the garbage collector,
+        # when the parser was part of a reference cycle.
+
+        def parser_ref_cycle():
+            parser = cET.XMLParser()
+            # Create a reference cycle using an exception to keep the frame
+            # alive, so the parser will be destroyed by the garbage collector
+            try:
+                raise ValueError
+            except ValueError as exc:
+                err = exc
+
+        # Create a parser part of reference cycle
+        parser_ref_cycle()
+        # Trigger an explicit garbage collection to break the reference cycle
+        # and so destroy the parser
+        support.gc_collect()
+

 @unittest.skipUnless(cET, 'requires _elementtree')
 class TestAliasWorking(unittest.TestCase):

--- a/Misc/NEWS.d/next/Library/2017-09-18-10-57-04.bpo-31499.BydYhf.rst
+++ b/Misc/NEWS.d/next/Library/2017-09-18-10-57-04.bpo-31499.BydYhf.rst
+xml.etree: Fix a crash when a parser is part of a reference cycle.
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -3367,7 +3367,11 @@ xmlparser_gc_traverse(XMLParserObject *self, visitproc visit, void *arg)
 static int
 xmlparser_gc_clear(XMLParserObject *self)
 {
-    EXPAT(ParserFree)(self->parser);
+    if (self->parser != NULL) {
+        XML_Parser parser = self->parser;
+        self->parser = NULL;
+        EXPAT(ParserFree)(parser);
+    }

    Py_CLEAR(self->handle_close);
    Py_CLEAR(self->handle_pi);