8000 gh-131998: Fix `NULL` dereference when using an unbound method descriptor in a specialized code path by ZeroIntensity · Pull Request #132000 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Apr 8, 2025
Merged

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
345ad57
Fix crash when the stackref is NULL.
ZeroIntensity Apr 2, 2025
1914aca
Add a test.
ZeroIntensity Apr 2, 2025
5101034
Add a test case.
ZeroIntensity Apr 2, 2025
2233afe
Add blurb
ZeroIntensity Apr 2, 2025
538c83b
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
04b61df
Try removing the 'import glob' now.
ZeroIntensity Apr 2, 2025
cd12c28
Add back the 'import glob', it doesn't reproduce.
ZeroIntensity Apr 2, 2025
f73dd59
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
a2a07ea
Check for 'total_args' instead of 'self'
ZeroIntensity Apr 2, 2025
aefcf8a
Merge branch 'main' into gh-131998-method-descriptor-crash
ZeroIntensity Apr 7, 2025
0eb6933
Fix the damn import.
ZeroIntensity Apr 7, 2025
d1d5c0a
Apply suggestions from code review
ZeroIntensity Apr 8, 2025
0261714
Remove 'import glob'
ZeroIntensity Apr 8, 2025
99037ae
Fix stray newline change.
ZeroIntensity Apr 8, 2025
d87de41
Remove comment.
ZeroIntensity Apr 8, 2025
363acec
Merge branch 'main' into gh-131998-method-descriptor-crash
Yhg1s Apr 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Apply suggestions from code review 
Co-authored-by: Mark Shannon <mark@hotpy.org>
  • Loading branch information
@ZeroIntensity @markshannon
ZeroIntensity and markshannon authored Apr 8, 2025
commit d1d5c0a933727235fe184fd64ee54bf2a4d8ade8
4 changes: 3 additions & 1 deletion Lib/test/test_types.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -681,9 +681,11 @@ def test_call_unbound_crash(self):
import glob
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this import?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, the optimizer is finicky and I can't get it to reliably reproduce without the import. I'll add a comment for clarity.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reproduce the crash in a reliable way without the import glob.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can replace import glob with just this code copied from Lib/types.py (a dependency of glob):

# CellType comes from types.py
def _cell_factory():
    a = 1
    def f():
        nonlocal a
    return f.__closure__[0]
CellType = type(_cell_factory())

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok-ish with keeping import glob, but add a comment explaining the purpose of this unused import.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Sorry, I mean that I can reproduce the crash without import glob when I run a script: ./python reproducer.py. I confirm that for this test case, import glob (or the code example that I proposed) is needed to trigger the bug.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a comment.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This import shouldn't be needed with the changes below.


def call(part):
[] + ([] + [])
part.pop()

call(['a'])
for _ in range(3):
call(['a'])
try:
call(list)
except TypeError:
Expand Down
Loading
0