From 249205d9d674b8311cc8655e827ca4aa2928442f Mon Sep 17 00:00:00 2001
From: Armin Rigo
Date: Fri, 3 Sep 2010 09:26:14 +0000
Subject: An example that shows that _PyInstance_Lookup() does not fulfill its documented purpose.
---
 Lib/test/crashers/gc_has_finalizer.py | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 Lib/test/crashers/gc_has_finalizer.py
diff --git a/Lib/test/crashers/gc_has_finalizer.py b/Lib/test/crashers/gc_has_finalizer.py
new file mode 100644
index 0000000..737959b
--- /dev/null
+++ b/Lib/test/crashers/gc_has_finalizer.py
@@ -0,0 +1,36 @@
+"""
+The gc module can still invoke arbitrary Python code and crash.
+This is an attack against _PyInstance_Lookup(), which is documented
+as follows:
+
+    The point of this routine is that it never calls arbitrary Python
+    code, so is always "safe": all it does is dict lookups.
+
+But of course dict lookups can call arbitrary Python code.
+The following code causes mutation of the object graph during
+the call to has_finalizer() in gcmodule.c, and that might
+segfault.
+"""
+
+import gc
+
+
+class A:
+    def __hash__(self):
+        return hash("__del__")
+    def __eq__(self, other):
+        del self.other
+        return False
+
+a = A()
+b = A()
+
+a.__dict__[b] = 'A'
+
+a.other = b
+b.other = a
+
+gc.collect()
+del a, b
+
+gc.collect()
--
cgit v0.12
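Review bot: The two method bodies are the entire attack yet carry no comment, and the docstring's "might segfault" never says what makes the crash nondeterministic: `del self.other` in `__eq__` runs inside has_finalizer()'s dict probe of `a.__dict__` and can drop the last reference to the peer instance while the collector is still walking the unreachable list. I would annotate `return hash("__del__")` with `# collide with the key has_finalizer() probes for` and `del self.other` with `# mutates the object graph mid-collection; may free the peer instance`, and note at `return False` that the probe must report "no __del__" so the lookup path is the one that runs user code. The trick presumably reaches _PyInstance_Lookup() only through a classic instance, so `class A:` must stay old-style (Python 2, no `(object)`); saying so in the docstring would stop a well-meaning cleanup from silently neutralising the reproducer. The first `gc.collect()` before `del a, b` is also unexplained and deserves a one-line why-comment.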