René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Double-inheriting from two buffer classes can cause corruption","articleBody":"If you have a class that double-inherits from two buffer classes implemented in C, of which the first only implements `bf_getbuffer` and the second also implements `bf_releasebuffer`, then if you create a memoryview from the child class, on release the second class's `bf_releasebuffer` will be called, which may break that class's invariants.\r\n\r\nDemonstration:\r\n\r\n\u003cdetails\u003e\r\n\r\n```\r\ndiff --git a/Modules/_testcapi/buffer.c b/Modules/_testcapi/buffer.c\r\nindex aff9a477ef..3cfa19a57b 100644\r\n--- a/Modules/_testcapi/buffer.c\r\n+++ b/Modules/_testcapi/buffer.c\r\n@@ -89,14 +89,50 @@ static PyTypeObject testBufType = {\r\n     .tp_members = testbuf_members\r\n };\r\n \r\n+\r\n+static int\r\n+getbufferonly_getbuf(testBufObject *self, Py_buffer *view, int flags)\r\n+{\r\n+    PyObject *bytes = PyBytes_FromString(\"test\");\r\n+    if (bytes == NULL) {\r\n+        return -1;\r\n+    }\r\n+    // Save a reference\r\n+    if (PyObject_SetAttrString((PyObject *)Py_TYPE(self), \"bytes\", bytes) \u003c 0) {\r\n+        return -1;\r\n+    }\r\n+    int buf = PyObject_GetBuffer(bytes, view, flags);\r\n+    view-\u003eobj = Py_NewRef(self);\r\n+    return buf;\r\n+}\r\n+\r\n+static PyBufferProcs getbufferonly_as_buffer = {\r\n+    .bf_getbuffer = (getbufferproc) getbufferonly_getbuf,\r\n+};\r\n+\r\n+static PyTypeObject getBufferOnlyType = {\r\n+    PyVarObject_HEAD_INIT(NULL, 0)\r\n+    .tp_name = \"getBufferOnlyType\",\r\n+    .tp_basicsize = sizeof(PyObject),\r\n+    .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,\r\n+    .tp_new = PyType_GenericNew,\r\n+    .tp_as_buffer = \u0026getbufferonly_as_buffer,\r\n+};\r\n+\r\n int\r\n _PyTestCapi_Init_Buffer(PyObject *m) {\r\n     if (PyType_Ready(\u0026testBufType) \u003c 0) {\r\n         return -1;\r\n     }\r\n+    if (PyType_Ready(\u0026getBufferOnlyType) \u003c 0) {\r\n+        return -1;\r\n+    }\r\n     if (PyModule_AddObjectRef(m, \"testBuf\", (PyObject *)\u0026testBufType)) {\r\n         return -1;\r\n     }\r\n+    if (PyModule_AddObjectRef(m, \"getBufferOnly\", (PyObject *)\u0026getBufferOnlyType)) {\r\n+        return -1;\r\n+    }\r\n \r\n     return 0;\r\n }\r\n```\r\n\r\n\u003c/details\u003e\r\n\r\n```\r\n% ./python.exe \r\nPython 3.12.0a7+ (heads/pep688fix-dirty:5536853ed0, May  7 2023, 07:53:16) [Clang 14.0.0 (clang-1400.0.29.202)] on darwin\r\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\r\n\u003e\u003e\u003e import _testcapi\r\n\u003e\u003e\u003e class X(_testcapi.getBufferOnly, bytearray): pass\r\n... \r\n\u003e\u003e\u003e with memoryview(X()): pass\r\n... \r\nAssertion failed: (obj-\u003eob_exports \u003e= 0), function bytearray_releasebuffer, file bytearrayobject.c, line 64.\r\nzsh: abort      ./python.exe\r\n```\r\n\r\nThis is unlikely to happen in practice because in practice any useful C buffer class will have to store some data in its C struct, so it won't be possible to double-inherit from it and another buffer, but still we should ideally protect against it.\r\n\r\nI found out about this case while playing with PEP-688 edge cases in #104227, but the reproduction case does not rely on PEP 688 changes, and it should reproduce also on earlier Python versions. (The exact assertion failure won't, because I added that assertion in #104227; previously, you'd just set the bytearray's ob_exports field to -1 and havoc would ensue.)","author":{"url":"https://github.com/JelleZijlstra","@type":"Person","name":"JelleZijlstra"},"datePublished":"2023-05-08T17:01:24.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/104297/cpython/issues/104297"}