From c839c2f2262cc95e1831ad514f52abd8128367da Mon Sep 17 00:00:00 2001
From: Armin Rigo <arigo@tunes.org>
Date: Mon, 25 Sep 2006 15:16:26 +0000
Subject: Another crasher.

---
 Lib/test/crashers/loosing_mro_ref.py | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 Lib/test/crashers/loosing_mro_ref.py

diff --git a/Lib/test/crashers/loosing_mro_ref.py b/Lib/test/crashers/loosing_mro_ref.py
new file mode 100644
index 0000000..f0b8047
--- /dev/null
+++ b/Lib/test/crashers/loosing_mro_ref.py
@@ -0,0 +1,36 @@
+"""
+There is a way to put keys of any type in a type's dictionary.
+I think this allows various kinds of crashes, but so far I have only
+found a convoluted attack of _PyType_Lookup(), which uses the mro of the
+type without holding a strong reference to it.  Probably works with
+super.__getattribute__() too, which uses the same kind of code.
+"""
+
+class MyKey(object):
+    def __hash__(self):
+        return hash('mykey')
+
+    def __cmp__(self, other):
+        # the following line decrefs the previous X.__mro__
+        X.__bases__ = (Base2,)
+        # trash all tuples of length 3, to make sure that the items of
+        # the previous X.__mro__ are really garbage
+        z = []
+        for i in range(1000):
+            z.append((i, None, None))
+        return -1
+
+
+class Base(object):
+    mykey = 'from Base'
+
+class Base2(object):
+    mykey = 'from Base2'
+
+class X(Base):
+    # you can't add a non-string key to X.__dict__, but it can be
+    # there from the beginning :-)
+    locals()[MyKey()] = 5
+
+print X.mykey
+# I get a segfault, or a slightly wrong assertion error in a debug build.
-- 
cgit v0.12