classification
Title: Crash: getattr(type, '__getattribute__')(type, type)
Type: crash
Stage: resolved
Components: Interpreter Core
Versions: Python 3.2, Python 3.3
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: amaury.forgeotdarc, benjamin.peterson, haypo, loewis, python-dev, skrah
Priority: normal
Keywords:

Created on 2012-03-16 12:33 by skrah, last changed 2012-03-16 15:58 by python-dev. This issue is now closed.

Files
crasher.py (uploaded by skrah, 2012-03-16 12:33)
Messages (9)
msg156017 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2012-03-16 12:33
Hi -- I'm getting a segfault running the attached crasher.py script.
Valgrind traces it down to an Invalid free() / delete / delete[] in
_PyUnicode_Ready().

Reproduce:
==========

Rev: 870c0ef7e8a2
Build: ./configure --without-pymalloc CFLAGS="-O0 -g" && make

$ ./python crasher.py 
Segmentation fault


$ valgrind --db-attach=yes --suppressions=./Misc/valgrind-python.supp ./python crasher.py
==3476== Memcheck, a memory error detector
==3476== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==3476== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==3476== Command: ./python crasher.py
==3476== 
==3476== Invalid free() / delete / delete[]
==3476==    at 0x4C2748D: free (vg_replace_malloc.c:366)
==3476==    by 0x44763C: _PyUnicode_Ready (unicodeobject.c:1405)
==3476==    by 0x44ACF8: PyUnicode_FromFormatV (unicodeobject.c:2500)
==3476==    by 0x4A1CF4: PyErr_Format (errors.c:621)
==3476==    by 0x42F8FE: type_getattro (typeobject.c:2551)
==3476==    by 0x43493A: wrap_binaryfunc (typeobject.c:4317)
==3476==    by 0x550008: wrapper_call (descrobject.c:1067)
==3476==    by 0x532C93: PyObject_Call (abstract.c:2150)
==3476==    by 0x49012B: PyEval_CallObjectWithKeywords (ceval.c:3920)
==3476==    by 0x54F136: wrapperdescr_call (descrobject.c:309)
==3476==    by 0x532C93: PyObject_Call (abstract.c:2150)
==3476==    by 0x491A1E: ext_do_call (ceval.c:4355)
==3476==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==3476==
msg156023 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2012-03-16 13:07
3.2 also crashes. 2.7 runs fine. So it's certainly not related
to the new Unicode API.
msg156026 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2012-03-16 13:49
I've traced it down to this line:

>>> getattr(type, '__getattribute__')(type, type)
Segmentation fault


Setting to 'normal', since there are apparently more of these.
msg156029 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2012-03-16 14:04
One-line crasher:
  type.__getattribute__(type, type)
Python 2.7 does not crash reliably, but is not exempt from the bug:
  type.__getattribute__(type, 1.1j)
msg156037 - (view) Author: Roundup Robot (python-dev) Date: 2012-03-16 14:37
New changeset b7bad204b34f by Benjamin Peterson in branch '3.2':
check to make sure the attribute is a string (#14334)
http://hg.python.org/cpython/rev/b7bad204b34f

New changeset e44591015cf0 by Benjamin Peterson in branch 'default':
merge 3.2 (#14334)
http://hg.python.org/cpython/rev/e44591015cf0
msg156043 - (view) Author: Roundup Robot (python-dev) Date: 2012-03-16 14:46
New changeset d1cf6008a565 by Benjamin Peterson in branch '2.7':
check to make sure the attribute is a string (#14334)
http://hg.python.org/cpython/rev/d1cf6008a565
msg156045 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2012-03-16 14:49
It doesn't crash for me anymore.
msg156052 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2012-03-16 15:09
Well, on 2.6 and 2.7 the following has weird output and crashes:

def test(obj):
    try:
        type(obj).__getattribute__(obj, (1,))
    except AttributeError as e:
        print(e)
class C:
    pass
test(str)
test(C)
test(C())
msg156056 - (view) Author: Roundup Robot (python-dev) Date: 2012-03-16 15:58
New changeset 3d4d52e47431 by Benjamin Peterson in branch '2.7':
check for string attribute names in old-style classes (closes #14334)
http://hg.python.org/cpython/rev/3d4d52e47431
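
A regression check for the reproducers quoted in this thread, as an added example (not part of the tracker discussion or of CPython's test suite): each snippet runs in a child interpreter, so a segfault on an unpatched build is reported as an outcome instead of killing the checker. The names `classify`, `run_all` and the child wrapper are made up for this example; on Python 3 there are no old-style classes, so `C` from msg156052 is a new-style class here.

```python
import subprocess
import sys

# Reproducers quoted in the thread; each passes a non-string attribute name.
REPRODUCERS = [
    "type.__getattribute__(type, type)",
    "getattr(type, '__getattribute__')(type, type)",
    "type.__getattribute__(type, 1.1j)",
    "type(str).__getattribute__(str, (1,))",
    "class C: pass\ntype(C).__getattribute__(C, (1,))",
    "class C: pass\nobj = C()\ntype(obj).__getattribute__(obj, (1,))",
]

# Child-side wrapper (hypothetical helper): run the snippet passed as argv[1]
# and print the name of the exception type it raises, if any.
CHILD = """\
import sys
try:
    exec(sys.argv[1], {})
except BaseException as exc:
    print(type(exc).__name__)
else:
    print("no exception")
"""


def classify(snippet, python=sys.executable, timeout=30):
    """Run one snippet in a child interpreter and return its outcome."""
    proc = subprocess.run([python, "-c", CHILD, snippet],
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode < 0:
        # POSIX: a negative return code means the child died from a signal,
        # e.g. 11 (SIGSEGV) on an interpreter without the string check.
        return "killed by signal %d" % -proc.returncode
    if proc.returncode != 0:
        return "exit status %d" % proc.returncode
    return proc.stdout.strip()


def run_all(python=sys.executable):
    """Map every reproducer to its outcome on the given interpreter."""
    return {snippet: classify(snippet, python) for snippet in REPRODUCERS}


if __name__ == "__main__":
    for snippet, outcome in run_all().items():
        print("%-60r %s" % (snippet, outcome))
```

On an interpreter that has the string check, every reproducer should come back as `TypeError`; pass a different binary as `python=` to compare builds.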
History
Date | User | Action | Args
2012-03-16 15:58:58 | python-dev | set | status: open -> closed; messages: + msg156056; stage: needs patch -> resolved
2012-03-16 15:09:12 | amaury.forgeotdarc | set | status: closed -> open; messages: + msg156052
2012-03-16 14:49:31 | benjamin.peterson | set | status: open -> closed; nosy: + benjamin.peterson; messages: + msg156045; resolution: fixed
2012-03-16 14:46:32 | python-dev | set | messages: + msg156043
2012-03-16 14:37:00 | python-dev | set | nosy: + python-dev; messages: + msg156037
2012-03-16 14:04:55 | amaury.forgeotdarc | set | nosy: + amaury.forgeotdarc; messages: + msg156029
2012-03-16 13:49:06 | skrah | set | priority: high -> normal; messages: + msg156026; title: Invalid free in _PyUnicode_Ready() -> Crash: getattr(type, '__getattribute__')(type, type)
2012-03-16 13:07:50 | skrah | set | messages: + msg156023; versions: + Python 3.2
2012-03-16 12:33:40 | skrah | create |