Classification
Title: ctypes: segfault with large POINTER type names
Type: crash
Stage: resolved
Components: ctypes, Extension Modules
Versions: Python 3.5, Python 3.4, Python 2.7
Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: meador.inge
Nosy List: amaury.forgeotdarc, bbrazil, belopolsky, jesstess, meador.inge, python-dev, r.david.murray
Priority: normal
Keywords: needs review, patch

Created on 2011-10-04 03:47 by meador.inge, last changed 2014-10-12 18:27 by r.david.murray. This issue is now closed.

Files
issue13096.patch (uploaded by meador.inge, 2011-11-29 03:01): Patch against tip (3.3.0a0)
Messages (9)
msg144850 - (view) Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-10-04 03:47
Reproducible in 2.7 and tip:

[meadori@motherbrain cpython]$ ./python 
Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
[GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> T = type('x' * 2 ** 25, (Structure,), {})
>>> p = POINTER(T)
Segmentation fault (core dumped)
msg144851 - (view) Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-10-04 03:51
There is a similar crasher to this one that can be reproduced like:

[meadori@motherbrain cpython]$ ./python 
Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
[GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> p = POINTER('x' * 2 ** 25)
Segmentation fault (core dumped)

It should be fixed as well.
msg145257 - (view) Author: Brian Brazil (bbrazil) * Date: 2011-10-09 14:27
The problem is around line 1734 of callproc.c in tip:

    } else if (PyType_Check(cls)) {
        typ = (PyTypeObject *)cls;
        buf = alloca(strlen(typ->tp_name) + 3 + 1);
        sprintf(buf, "LP_%s", typ->tp_name);   <-- segfault is here

Replacing the alloca with a malloc fixes it, so I presume it's hitting the stack size limit as 2^25 is 32MB (my stack limit is 8MB).
msg145258 - (view) Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-10-09 14:36
Yup, it is the 'alloca' call.  This issue and issue13097 are both 'alloca' related as mentioned in issue12881.
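The two messages above pin the crash on sizing a stack buffer from the length of an attacker- or caller-controlled type name. The following is an added illustration, not code from this issue, the patch, or CPython's callproc.c: it rebuilds the same "LP_" + tp_name step with a length check and a heap allocation, so a 2**25-character name (the size in the reproducer) either succeeds or fails with NULL rather than faulting. The function and helper names (make_lp_name, lp_name_matches, lp_name_handles_length) are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ctypes names a pointer type by prepending "LP_" to the wrapped type's
 * tp_name. The crash on this issue came from sizing that buffer with
 * alloca(): a 2**25-byte tp_name asks for 32 MB of stack, well past the
 * usual 8 MB limit, and the following sprintf() faults. */
#define LP_PREFIX "LP_"

/* Hardened form of the same step: check the size arithmetic, then allocate
 * on the heap, where an oversized request fails cleanly (NULL) instead of
 * faulting. Returns a new "LP_<tp_name>" string, or NULL; caller frees. */
char *make_lp_name(const char *tp_name)
{
    size_t prefix_len = strlen(LP_PREFIX);
    size_t name_len = strlen(tp_name);

    /* Guard the addition itself before trusting it as an allocation size. */
    if (name_len > SIZE_MAX - prefix_len - 1)
        return NULL;

    char *buf = malloc(prefix_len + name_len + 1);
    if (buf == NULL)
        return NULL;

    memcpy(buf, LP_PREFIX, prefix_len);
    memcpy(buf + prefix_len, tp_name, name_len + 1); /* copies the NUL too */
    return buf;
}

/* Check helper: does make_lp_name(tp_name) produce exactly `expected`? */
int lp_name_matches(const char *tp_name, const char *expected)
{
    char *lp = make_lp_name(tp_name);
    if (lp == NULL)
        return 0;
    int ok = strcmp(lp, expected) == 0;
    free(lp);
    return ok;
}

/* Check helper: build a constructed tp_name of n >= 1 'x' characters (the
 * shape of the reproducer, 'x' * 2 ** 25) and verify the result has the
 * right prefix, length and content. Returns 1 on success, 0 otherwise. */
int lp_name_handles_length(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return 0;
    memset(name, 'x', n);
    name[n] = '\0';

    char *lp = make_lp_name(name);
    free(name);
    if (lp == NULL)
        return 0;

    size_t prefix_len = strlen(LP_PREFIX);
    int ok = strlen(lp) == n + prefix_len
          && strncmp(lp, LP_PREFIX, prefix_len) == 0
          && lp[prefix_len] == 'x'
          && lp[strlen(lp) - 1] == 'x';
    free(lp);
    return ok;
}

int main(void)
{
    /* Same size as the reproducer on this issue: 2**25 characters. */
    size_t n = (size_t)1 << 25;
    printf("LP_c_int built correctly: %s\n",
           lp_name_matches("c_int", "LP_c_int") ? "yes" : "no");
    printf("%zu-char name handled:   %s\n", n,
           lp_name_handles_length(n) ? "yes" : "no");
    return 0;
}
```

The design point is the one bbrazil's measurement makes: a stack allocation whose size is derived from input has a hard, environment-dependent ceiling (the stack limit) and no way to report failure, whereas a heap allocation of the same size either succeeds or returns NULL that the caller can turn into a Python exception.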
msg148539 - (view) Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-11-29 03:01
Here is a small patch against tip.  OK?
msg217341 - (view) Author: Jessica McKellar (jesstess) * Date: 2014-04-28 04:03
Thanks for the report and patch, meador.inge.

I'd prefer not to add more globals that are only used in one place, but doing so is consistent with the existing style of test_pointers.py, and there's plenty in this file that could be cleaned up in another ticket.

* The patch passes `make patchcheck`.
* The full test suite passes with this patch.
* The reproducers in this issue segfault for me without this patch and do not segfault with this patch.

lgtm!

=> commit review
msg217367 - (view) Author: Meador Inge (meador.inge) * (Python committer) Date: 2014-04-28 11:53
Thanks for the review and reminder about this issue, jesstess.  I will apply the patch later today.
msg229186 - (view) Author: Roundup Robot (python-dev) Date: 2014-10-12 18:27
New changeset e940bb13d010 by R David Murray in branch '3.4':
#13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/e940bb13d010

New changeset 02c9c3204a04 by R David Murray in branch 'default':
Merge: #13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/02c9c3204a04

New changeset ff59b0f9e142 by R David Murray in branch '2.7':
#13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/ff59b0f9e142
msg229187 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-10-12 18:27
Committed.
History
Date | User | Action | Args
2014-10-12 18:27:40 | r.david.murray | set | status: open -> closed; versions: + Python 3.4; nosy: + r.david.murray; messages: + msg229187; resolution: fixed; stage: commit review -> resolved
2014-10-12 18:27:00 | python-dev | set | nosy: + python-dev; messages: + msg229186
2014-04-28 11:53:48 | meador.inge | set | messages: + msg217367
2014-04-28 04:03:29 | jesstess | set | versions: + Python 3.5, - Python 3.2, Python 3.3; nosy: + jesstess; messages: + msg217341; keywords: + needs review; stage: patch review -> commit review
2011-11-29 03:01:17 | meador.inge | set | files: + issue13096.patch; keywords: + patch; messages: + msg148539; stage: needs patch -> patch review
2011-11-29 02:33:45 | meador.inge | set | assignee: meador.inge
2011-10-09 14:36:03 | meador.inge | set | messages: + msg145258
2011-10-09 14:27:02 | bbrazil | set | nosy: + bbrazil; messages: + msg145257
2011-10-04 03:51:56 | meador.inge | set | messages: + msg144851
2011-10-04 03:47:38 | meador.inge | create |