Issue 1546288: crash in dict_equal

I initially found this bug in the py3k branch, but it's reproducible in 2.5 as well (and probably older versions as well, as long as they have dict_equal()). It can be reproduced by using the attached patch to test_mutants.py.

The problem is in this fragment in dict_equal():

    PyObject *key = a->ma_table[i].me_key;
    /* temporarily bump aval's refcount to ensure it stays
       alive until we're done with it */
    Py_INCREF(aval);
    bval = PyDict_GetItem((PyObject *)b, key);

The problem is that the only reference to 'key' may be in the hash table, and test_mutants.py removes it from the hash table, apparently before the comparison code is done with using it. The fix is to incref/decref key around the GetItem call.
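A toy model of the borrowed-reference hazard described in the report, added here as an example; it is not CPython code and not the attached patch. `Obj`, `Table` and every function name are hypothetical stand-ins, and "freeing" only sets a flag so the outcome can be inspected safely.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for PyObject: a refcount plus a 'freed' marker. */
typedef struct { int refcnt; int freed; int hash; } Obj;

static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) {
    if (--o->refcnt == 0) o->freed = 1;   /* real code would free() here */
}

/* One-slot stand-in for a dict: the table owns one reference to its key. */
typedef struct { Obj *key; } Table;

static void table_clear(Table *t) {
    Obj *k = t->key;
    if (k) { t->key = NULL; obj_decref(k); }
}

/* Stand-in for a user-defined comparison that mutates dict 'a' mid-lookup,
   as the test_mutants.py objects do. */
static Table *mutation_target;
static int mutating_eq(Obj *x, Obj *y) {
    table_clear(mutation_target);         /* drops the table's reference to x */
    return x->hash == y->hash;
}

/* Mirrors the dict_equal fragment: take 'key' from a's table, look it up in b.
   Returns 1 if 'key' was still alive once the lookup returned, 0 otherwise. */
static int lookup_key_survives(Table *a, Table *b, int hold_key) {
    Obj *key = a->key;                    /* borrowed: only the table owns it */
    int alive;
    if (hold_key) obj_incref(key);        /* the fix: own a reference ourselves */
    mutation_target = a;
    if (b->key) mutating_eq(key, b->key); /* lookup calls back into user code */
    alive = !key->freed;
    if (hold_key) obj_decref(key);
    return alive;
}

int run_scenario(int hold_key) {
    Obj ka = {1, 0, 42}, kb = {1, 0, 42}; /* constructed sample keys */
    Table a = {&ka}, b = {&kb};
    return lookup_key_survives(&a, &b, hold_key);
}

int main(void) {
    printf("borrowed key alive after lookup: %d\n", run_scenario(0));
    printf("held key alive after lookup:     %d\n", run_scenario(1));
    return 0;
}
```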