In inherit_slots(), get rid of the COPYSLOT(tp_dictoffset). Copying
the offset from a non-dominant base makes no sense: either the
non-dominant base has a nonzero tp_dictoffset, and then we should have
already copied it from the dominant base (at the very end of
inherit_special()), or the non-dominant base has no tp_dictoffset and
for some reason type_new() decided not to add one. The tp_dictoffset
from a non-dominant base is likely to conflict with the instance
layout of the dominant base, so copying the tp_dictoffset from the
non-dominant base would be a really bad idea in that case. This bug
can only be triggered by multiple inheritance from an extension class
that doesn't set tp_dictoffset and a new-style user-level class that
does have one. There are no such extension classes in the
distribution, but there are 3rd party ones. (Zope3 now has one,
that's how I found this. :-)

I've asked a few heavy users of new-style classes, extension classes
and metaclasses (David Abrahams and Kevin Jacobs), and neither of them
found any problems in their test suite after applying this fix, so I
assume it's safe.

if (type->tp_flags & base->tp_flags & Py_TPFLAGS_HAVE_CLASS) {
COPYSLOT(tp_descr_get);
COPYSLOT(tp_descr_set);
- COPYSLOT(tp_dictoffset);
COPYSLOT(tp_init);
COPYSLOT(tp_alloc);
COPYSLOT(tp_free);
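
Review bot: the spot where COPYSLOT(tp_dictoffset) is dropped, between COPYSLOT(tp_descr_set) and COPYSLOT(tp_init), leaves no trace of why this one slot is skipped while its neighbours in the Py_TPFLAGS_HAVE_CLASS block are still copied. A short comment there saying that tp_dictoffset is taken only from the dominant base at the end of inherit_special(), and that copying it from a non-dominant base can conflict with the dominant base's instance layout, would keep the line from being re-added later. The commit message also notes that the trigger (multiple inheritance from an extension class without tp_dictoffset and a new-style class with one) cannot be reproduced with any extension class in the distribution, and no test accompanies this hunk; a small test extension type covering that combination would give the fix a regression test instead of relying on third-party test suites.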