STINNER Victor added the comment:
The bug is at this line:
Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at
/home/haypo/prog/python/master/Modules/_elementtree.c:3414
static int
xmlparser_gc_clear(XMLParserObject *self)
{
EXPAT(ParserFree)(self->parser); // <--- HERE
...
}
This function calls XML_ParserFree() twice on the same parser object. The first
call is fine and frees the memory. Since we now use Python memory allocators,
XML_ParserFree() fills the freed memory with 0xDB byte pattern (when Python is
in debug mode).
The second XML_ParserFree() call uses freed memory (filled with 0xDB in debug
mode).
Call 1: a GC collection
Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at
/home/haypo/prog/python/master/Modules/_elementtree.c:3414
(gdb) up
#1 0x0000000000446636 in delete_garbage (collectable=0x7fffffffd9a0,
old=0x9b8f90 <_PyRuntime+432>) at Modules/gcmodule.c:759
(gdb) up
#2 0x0000000000446ade in collect (generation=2, n_collected=0x7fffffffda30,
n_uncollectable=0x7fffffffda28, nofail=0) at Modules/gcmodule.c:911
(gdb) cont
Continuing.
Call 2: xmlparser_dealloc()
Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at
/home/haypo/prog/python/master/Modules/_elementtree.c:3414
(gdb) up
#1 0x00007ffff0038cb8 in xmlparser_dealloc (self=0x7ffff7e28c08) at
/home/haypo/prog/python/master/Modules/_elementtree.c:3435
IMHO it's an obvious bug in Python. The question is more why/how the code
didn't crash before? :-)
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31499>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
