
Classification
Title: type_new doesn't allocate space for sentinel slot
Components: Interpreter Core

Process
Status: closed
Resolution: not a bug
Nosy List: Rhamphoryncus, gvanrossum
Priority: normal

Created on 2007-10-05 00:00 by Rhamphoryncus, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (5)
msg56231 - Author: Adam Olsen (Rhamphoryncus) Date: 2007-10-05 00:00
type_new() allocates the exact number of slots it's going to use, but
various other functions assume there's one more slot with a NULL name
field serving as a sentinel.  I'm unsure why it doesn't normally crash.
msg56239 - Author: Guido van Rossum (gvanrossum) (Python committer) Date: 2007-10-05 15:08
Can you be more specific as to on which line number the questionable
allocation happens, and which functions are depending on there being one
extra slot?
msg56241 - Author: Adam Olsen (Rhamphoryncus) Date: 2007-10-05 17:18
typeobject.c:1842:type_new
	type = (PyTypeObject *)metatype->tp_alloc(metatype, nslots);
nslots may be 0.

typeobject.c:1966:type_new assigns this just-past-the-end address to
tp_members
	type->tp_members = PyHeapType_GET_MEMBERS(et);

type_new later calls PyType_Ready, which calls add_members.
typeobject.c:3062:add_members
	for (; memb->name != NULL; memb++) {

Interestingly, traverse_slots and clear_slots both use Py_Size rather
than name != NULL (so I was wrong about the extent of the problem.) 
Both seem only to be used for heap types.  add_members is used by both
heap types and static C types, so it needs to handle both behaviours.

One possible (if ugly) solution would be to switch iteration methods
depending on if Py_Size() is 0 or not, making sure type_new sets
tp_members to NULL if Py_Size() is 0.
msg56243 - Author: Guido van Rossum (gvanrossum) (Python committer) Date: 2007-10-05 18:07
Are you sure you're not missing the +1 on line 440 in PyType_GenericAlloc()?
msg56244 - Author: Adam Olsen (Rhamphoryncus) Date: 2007-10-05 18:25
Ugh, you're right.

I refactored PyType_GenericAlloc out of my fork, which is why I got a crash.

Sorry for wasting your time.
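The sentinel-versus-size question the thread turns on, as an added C model (not CPython's code): a heap-type-like struct with a size field and a flexible member array, allocated with the extra zero-filled slot that PyType_GenericAlloc's +1 provides, so the NULL-name walk used by add_members and the size-bounded walk used by traverse_slots agree even when nslots is 0. The struct and function names are constructed stand-ins, not CPython identifiers.

```c
#include <stdlib.h>
#include <stddef.h>

/* Stand-in for PyMemberDef: only the name matters here. A NULL name marks
 * the sentinel entry that terminates the array (constructed model). */
typedef struct {
    const char *name;
    size_t offset;
} MemberDef;

/* Stand-in for a heap type: a size field (the thread's Py_Size) followed by
 * a flexible array holding size + 1 entries, the last one being the sentinel. */
typedef struct {
    size_t size;          /* number of real slots; may be 0 */
    MemberDef members[];
} HeapType;

/* Mirrors the +1 the thread settles on: one extra, zero-filled slot so the
 * NULL-name sentinel exists even when nslots == 0. Without the +1, a
 * sentinel walk on a zero-slot type would read past the allocation. */
HeapType *heap_type_alloc(size_t nslots) {
    HeapType *t = calloc(1, sizeof *t + (nslots + 1) * sizeof(MemberDef));
    if (t) t->size = nslots;
    return t;
}

/* add_members-style walk: terminates at the NULL-name sentinel. */
size_t count_by_sentinel(const HeapType *t) {
    size_t n = 0;
    for (const MemberDef *m = t->members; m->name != NULL; m++) n++;
    return n;
}

/* traverse_slots/clear_slots-style walk: bounded by the size field. */
size_t count_by_size(const HeapType *t) {
    size_t n = 0;
    for (size_t i = 0; i < t->size; i++) if (t->members[i].name) n++;
    return n;
}

/* Build a type with nslots named members; return 1 if both walks see nslots. */
int walks_agree(size_t nslots) {
    HeapType *t = heap_type_alloc(nslots);
    if (!t) return 0;
    for (size_t i = 0; i < nslots; i++) { t->members[i].name = "slot"; t->members[i].offset = i; }
    int ok = count_by_sentinel(t) == nslots && count_by_size(t) == nslots;
    free(t);
    return ok;
}
```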
History
Date                 User            Action  Args
2022-04-11 14:56:27  admin           set     github: 45578
2007-10-05 18:33:31  gvanrossum      set     status: open -> closed; resolution: not a bug
2007-10-05 18:25:12  Rhamphoryncus   set     messages: + msg56244
2007-10-05 18:07:51  gvanrossum      set     messages: + msg56243
2007-10-05 17:18:01  Rhamphoryncus   set     messages: + msg56241
2007-10-05 15:08:37  gvanrossum      set     nosy: + gvanrossum; messages: + msg56239
2007-10-05 00:00:41  Rhamphoryncus   create