A segmentation fault is generated in _ctypes.so when calling a function that returns a char pointer on a system 
with 64-bit pointer types.  The attached crash dump is from a Python 2.6.3 built from MacPorts ("port install 
python26 +no_tkinter"), but the same behaviour occurs with the Python 2.6.1 installed by Apple.

To reproduce, build the attached sample program ("testlib.c"):

% gcc -Wall -c testlib.o
% ld -dylib -o testlib.so testlib.o

Then, in Python:

# Common setup for each of the cases below.
>>> from ctypes import *
>>> lib = CDLL('testlib.so')

# Case 1: Integer return value (no crash).
>>> get_value = CFUNCTYPE(c_int)(lib.get_value)
>>> get_value()
12345

# Case 2: Pointer argument value (no crash).
>>> buf = create_string_buffer(256)
>>> copy_message = CFUNCTYPE(None, c_char_p)(lib.copy_message)
>>> copy_message(buf)

# Case 3: Pointer return value (crash).
>>> get_message = CFUNCTYPE(c_char_p)(lib.get_message)
>>> get_message()
Segmentation fault

-- System information:

% uname -a
MacOS 10.6.1
Darwin gorion.local 10.0.0 Darwin Kernel Version 10.0.0: Fri Jul 31 22:47:34 PDT 2009; root:xnu-
1456.1.25~1/RELEASE_I386 i386

% python
Python 2.6.3 (r263:75183, Oct 17 2009, 01:49:30) 
[GCC 4.2.1 (Apple Inc. build 5646) (dot 1)] on darwin

% gcc --version
i686-apple-darwin10-gcc-4.2.1 (GCC) 4.2.1 (Apple Inc. build 5646) (dot 1)

I believe this error occurs because a pointer value is being truncated to 
32 bits.  The exception code is

KERN_INVALID_ADDRESS at 0x00000000002fe020

If you add a diagnostic printout to the body of get_message(), you will 
see that its return value is 0x1002fe020, so in other words, the high-
order word 0x00000001 is being discarded somewhere.

You are using `CFUNCTYPE` wrong. `CFUNCTYPE` returns a type which will 
take a *Python function* (or an address of a function as integer). You 
provide `lib.get_message` as Python function, which is a wrapper object 
for the C function. By default, ctypes assumes an int as return type for 
C functions. On your platform, the size of an int is not the same as the 
size of a pointer. Therefore, the return value is truncated. You call 
the CFUNCTION which then calls `lib.get_message` which returns the 
truncated pointer as integer and then ctypes tries to make a `c_char_p` 
out of the integer which segfaults because it's truncated.

I think what you are really looking for is ``lib.get_message.restype = 
c_char_p``.

Thank you for setting me straight. 

I see now that I misunderstood the scope of `CFUNCTYPE`, as I was using 
it as a general wrapper when in fact it's only needed for callbacks. 
Mistakenly, I inferred from reading section 16.15.2.4 of the ctypes 
manual [1] that it would be necessary to create prototype wrappers for 
calls into the foreign library as well. Obviously that is not the case, 
since your described solution works fine.

[1] <http://www.python.org/doc/2.6.3/library/ctypes.html#function-
prototypes>