The interpreter crashes when specializing bound method calls on unbound objects #131998

devdanzin · 2025-04-02T01:30:21Z

Crash report

What happened?

The following code segfaults the interpreter:

import glob

for x in range(3):
    str_globber = glob._StringGlobber(None, None)
str_globber.selector(set())

try:
    str_globber.selector([True, True, False])
except:
    pass

globber_base = glob._GlobberBase(0, 0, 0, 0)
globber_base.selector(list)

(Edited by @ZeroIntensity) Smaller reproducer:

def call(part):
    part.pop()

call(['a'])
try:
    call(list)
except TypeError:
    raise

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
_PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, frame=0x7ffff7fb00a0, frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at ./Include/object.h:270
270             return ob->ob_type;
(gdb) bt
#0  _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, frame=0x7ffff7fb00a0,
    frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at ./Include/object.h:270
#1  0x000055555585db58 in _PyEval_EvalFrame (throwflag=0, frame=0x7ffff7fb0020, tstate=0x555555c6b558 <_PyRuntime+330424>)
    at ./Include/internal/pycore_ceval.h:119
#2  _PyEval_Vector (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, func=func@entry=0x7ffff7a91b50,
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, args=args@entry=0x0, argcount=argcount@entry=0,
    kwnames=kwnames@entry=0x0) at Python/ceval.c:1908
#3  0x000055555585dc57 in PyEval_EvalCode (co=co@entry=<code at 
8000
remote 0x7ffff7b5db60>,
    globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>},
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}) at Python/ceval.c:836
#4  0x00005555558eb82e in run_eval_code_obj (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, co=co@entry=0x7ffff7b5db60,
    globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>},
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}) at Python/pythonrun.c:1365
#5  0x00005555558ec92e in run_mod (mod=mod@entry=0x555555e0e230, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, flags=flags@entry=0x7fffffffdb68, arena=arena@entry=0x7ffff7ab3f40, interactive_src=0x0, generate_new_source=0) at Python/pythonrun.c:1436
#6  0x00005555558eccdb in pyrun_file (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', start=start@entry=257, globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, closeit=closeit@entry=1, flags=0x7fffffffdb68) at Python/pythonrun.c:1293
#7  0x00005555558eeff1 in _PyRun_SimpleFileObject (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', closeit=closeit@entry=1, flags=flags@entry=0x7fffffffdb68) at Python/pythonrun.c:521
#8  0x00005555558ef2ba in _PyRun_AnyFileObject (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', closeit=closeit@entry=1, flags=flags@entry=0x7fffffffdb68) at Python/pythonrun.c:81
#9  0x000055555591ebd4 in pymain_run_file_obj (program_name=program_name@entry='/home/danzin/projects/cpython/python', filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', skip_source_first_line=0) at Modules/main.c:396
#10 0x000055555591ef72 in pymain_run_file (config=config@entry=0x555555c36688 <_PyRuntime+113640>) at Modules/main.c:415
#11 0x000055555592050d in pymain_run_python (exitcode=exitcode@entry=0x7fffffffdcf4) at Modules/main.c:680
#12 0x000055555592056e in Py_RunMain () at Modules/main.c:761
#13 0x00005555559205e5 in pymain_main (args=args@entry=0x7fffffffdd50) at Modules/main.c:791
#14 0x00005555559206a8 in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:815
#15 0x00005555555d7926 in main (argc=<optimized out>, argv=<optimized out>) at ./Programs/python.c:15

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a6+ (heads/main:3a8cefba0b6, Apr 1 2025, 21:31:55) [GCC 11.4.0]

Linked PRs

The text was updated successfully, but these errors were encountered:

ZeroIntensity · 2025-04-02T02:03:43Z

Looks like a 3.14 regression.

vstinner · 2025-04-02T09:26:26Z

Looks like a 3.14 regression.

I can reproduce the crash on Python 3.13.

ZeroIntensity · 2025-04-02T09:33:31Z

Hmm, I couldn't. Let me double check.

vstinner · 2025-04-02T09:36:14Z

I can reproduce the crash on a Python 3.13 release build (PGO+LTO). I cannot reproduce the crash on a Python 3.13 debug build (--with-pydebug CFLAGS="-O0").

ZeroIntensity · 2025-04-02T09:51:36Z

Ah, this doesn't occur on a 3.13.2 release build, so this will be a neat surprise in the upcoming release next week.

vstinner · 2025-04-02T09:58:50Z

The crash on Python 3.13.2 using the Fedora 41 package:

$ cat x.py 
def call(part):
    part.pop()
call(['a'])
try:
    call(list)
except TypeError:
    raise

$ python3.13 -VV
Python 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)]

$ python3.13 x.py 
Erreur de segmentation (core dumped)

ZeroIntensity · 2025-04-02T10:02:39Z

I can reproduce using that script on 3.13.2, but not the original one that @devdanzin provided.

…ptor in a specialized code path (#132000) Co-authored-by: sobolevn <mail@sobolevn.me> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Mark Shannon <mark@hotpy.org>

…method descriptor in a specialized code path (pythonGH-132000) (cherry picked from commit ac3c439) Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: 8000 sobolevn <mail@sobolevn.me> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Mark Shannon <mark@hotpy.org>

… descriptor in a specialized code path (GH-132000) (#132262) (cherry picked from commit ac3c439) Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: sobolevn <mail@sobolevn.me> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Mark Shannon <mark@hotpy.org>

ZeroIntensity · 2025-04-08T11:03:30Z

Thanks everyone!

…descriptor in a specialized code path (python#132000) Co-authored-by: sobolevn <mail@sobolevn.me> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Mark Shannon <mark@hotpy.org>

devdanzin added the type-crash A hard crash of the interpreter, possibly with a core dump label Apr 2, 2025

ZeroIntensity added interpreter-core (Objects, Python, Grammar, and Parser dirs) 3.14 bugs and security fixes labels Apr 2, 2025

bedevere-app bot mentioned this issue Apr 2, 2025

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

Merged

ZeroIntensity added the 3.13 bugs and security fixes label Apr 2, 2025

ZeroIntensity added the release-blocker label Apr 2, 2025

ezio-melotti added this to Release and Deferred blockers 🚫 Apr 2, 2025

github-project-automation bot moved this to Todo in Release and Deferred blockers 🚫 Apr 2, 2025

ZeroIntensity changed the title ~~Segfault accessing ob->ob_type in _PyEval_EvalFrameDefault~~ The interpreter crashes when specializing bound method calls on unbound objects Apr 2, 2025

ZeroIntensity added a commit to ZeroIntensity/cpython that referenced this issue Apr 7, 2025

Merge branch 'main' into pythongh-131998-method-descriptor-crash

aefcf8a

Yhg1s added a commit to ZeroIntensity/cpython that referenced this issue Apr 8, 2025

Merge branch 'main' into pythongh-131998-method-descriptor-crash

363acec

bedevere-app bot mentioned this issue Apr 8, 2025

[3.13] gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path (GH-132000) #132262

Merged

ZeroIntensity closed this as completed Apr 8, 2025

github-project-automation bot moved this from Todo to Done in Release and Deferred blockers 🚫 Apr 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

The interpreter crashes when specializing bound method calls on unbound objects #131998

The interpreter crashes when specializing bound method calls on unbound objects #131998

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

The interpreter crashes when specializing bound method calls on unbound objects #131998

The interpreter crashes when specializing bound method calls on unbound objects #131998

Comments

Uh oh!

Crash report

What happened?

CPython versions tested on:

Operating systems tested on:

Output from running 'python -VV' on the command line:

Linked PRs

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!