Classification
Title: Python 3: Segfault instead of MemoryError when bytearray too big
Type: crash
Stage: resolved
Components: Interpreter Core
Versions: Python 3.5, Python 3.4

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, ezio.melotti, jwilk, pitrou, python-dev, serhiy.storchaka, swanson, vstinner
Priority: normal
Keywords: patch

Created on 2014-09-04 10:38 by swanson, last changed 2014-11-02 17:43 by pitrou. This issue is now closed.

Files
issue19087.patch  uploaded by jwilk, 2014-10-14 16:54
ba_resize.patch   uploaded by pitrou, 2014-11-02 16:08
Messages (10)
msg226356 - (view) Author: (swanson) Date: 2014-09-04 10:38
On Python 3, but not Python 2, you crash with a Segmentation Fault instead of getting a MemoryError as expected.  It seems to only be a problem with bytearray, not with other things like tuple:

$ python3
Python 3.4.0 (default, Apr 11 2014, 13:05:18) 
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> bytearray(0x7FFFFFFF)
Segmentation fault (core dumped)
$

compare to:

$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:38) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> bytearray(0x7FFFFFFF)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
MemoryError
>>> 
$ python3
Python 3.4.0 (default, Apr 11 2014, 13:05:18) 
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> (0,)*0x7FFFFFFF
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
MemoryError
>>>
msg226358 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2014-09-04 11:57
Looks like an integer overflow introduced in issue19087.

+    if (size + logical_offset + 1 < alloc) {
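Review bot: `size + logical_offset + 1` is evaluated in Py_ssize_t before the comparison, so for `size` close to PY_SSIZE_T_MAX (the 0x7FFFFFFF reproducer on a 32-bit build) the sum overflows and the test wrongly reports that the existing allocation is large enough, which matches the segfault reported above. Reject out-of-range sizes before the arithmetic (if `size > PY_SSIZE_T_MAX - logical_offset - 1`, call PyErr_NoMemory() and return -1), or write the comparison as `size < alloc - logical_offset - 1`, which cannot overflow given `0 <= logical_offset < alloc`.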
msg229314 - (view) Author: Jakub Wilk (jwilk) Date: 2014-10-14 16:54
This patch should fix it.
msg229322 - (view) Author: Jakub Wilk (jwilk) Date: 2014-10-14 17:44
On second thought, "logical_offset + 1" alone could overflow; and there are apparently other possible integer overflows in this function.
msg230496 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2014-11-02 15:59
"logical_offset + 1" can't overflow because logical_offset is an offset into the allocated array, not counting the final null byte.
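The overflow discussed in the three messages above, as an added example that is not CPython's code: a reduced model of the bytearray size check with a 32-bit stand-in for Py_ssize_t, so the 0x7FFFFFFF case runs without allocating 2 GiB. It shows the quoted test wrapping to "fits" for a size that cannot fit, an overflow-safe form of the same comparison, and a resize routine that takes the MemoryError path instead of touching the buffer. The names `ssize_model`, `bytearray_model`, `fits_naive`, `fits_safe` and `bytearray_resize_safe` are this example's own, and the guard it uses is my reading of the thread, not the contents of ba_resize.patch, which is not shown on this page.

```c
/* Added example (not CPython's own code): a reduced model of the
 * bytearray resize check quoted in this issue, with a 32-bit stand-in
 * for Py_ssize_t so the 0x7FFFFFFF case runs without allocating 2 GiB.
 * All field and function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t ssize_model;             /* Py_ssize_t on a 32-bit build */
#define SSIZE_MODEL_MAX INT32_MAX        /* PY_SSIZE_T_MAX on that build */

/* The check as quoted: size + logical_offset + 1 < alloc.  In C the signed
 * addition overflows (undefined behaviour) for size near SSIZE_MODEL_MAX;
 * here the two's-complement wraparound compilers produce in practice is
 * reproduced explicitly so the result is well defined and testable. */
int fits_naive(ssize_model size, ssize_model logical_offset, ssize_model alloc)
{
    uint32_t sum = (uint32_t)size + (uint32_t)logical_offset + 1u;
    ssize_model wrapped;
    if (sum <= (uint32_t)SSIZE_MODEL_MAX)
        wrapped = (ssize_model)sum;
    else   /* bit pattern >= 0x80000000 reads back as a negative number */
        wrapped = (ssize_model)(sum - (uint32_t)SSIZE_MODEL_MAX - 1u) - SSIZE_MODEL_MAX - 1;
    return wrapped < alloc;
}

/* Overflow-safe form of the same test.  Requires 0 <= logical_offset < alloc,
 * which holds because logical_offset indexes into the allocated array
 * excluding the trailing null byte (msg230496); the right-hand side then
 * stays in range and no addition is performed on size at all. */
int fits_safe(ssize_model size, ssize_model logical_offset, ssize_model alloc)
{
    return size < alloc - logical_offset - 1;
}

typedef struct {
    char *ob_bytes;              /* start of the allocation */
    ssize_model logical_offset;  /* distance from ob_bytes to the first logical byte */
    ssize_model ob_alloc;        /* bytes allocated, trailing null included */
    ssize_model ob_size;         /* logical length */
} bytearray_model;

/* Resize modelled on the fixed behaviour described in the thread: reject
 * the request before any arithmetic can wrap.  Returns 0 on success and
 * -1 where the interpreter would raise MemoryError. */
int bytearray_resize_safe(bytearray_model *ba, ssize_model size)
{
    ssize_model logical_offset = ba->logical_offset;

    /* size + logical_offset + 1 must fit in ssize_model; test it by
     * subtraction, which cannot overflow for 0 <= logical_offset. */
    if (size < 0 || size > SSIZE_MODEL_MAX - logical_offset - 1)
        return -1;

    if (size + logical_offset + 1 <= ba->ob_alloc) {
        /* Current allocation suffices: adjust the length in place. */
        ba->ob_size = size;
        ba->ob_bytes[logical_offset + size] = '\0';
        return 0;
    }

    /* Needs growing; the sum is known not to overflow at this point. */
    ssize_model new_alloc = size + logical_offset + 1;
    char *p = realloc(ba->ob_bytes, (size_t)new_alloc);
    if (p == NULL)
        return -1;
    ba->ob_bytes = p;
    ba->ob_alloc = new_alloc;
    ba->ob_size = size;
    p[logical_offset + size] = '\0';
    return 0;
}

int main(void)
{
    bytearray_model ba = { calloc(1, 1), 0, 1, 0 };   /* empty bytearray: one null byte */
    printf("naive check says 0x7FFFFFFF fits in 1 byte: %d\n", fits_naive(0x7FFFFFFF, 0, 1));
    printf("safe  check says 0x7FFFFFFF fits in 1 byte: %d\n", fits_safe(0x7FFFFFFF, 0, 1));
    printf("resize to 0x7FFFFFFF -> %d (MemoryError path)\n", bytearray_resize_safe(&ba, 0x7FFFFFFF));
    printf("resize to 16         -> %d, alloc now %d\n", bytearray_resize_safe(&ba, 16), (int)ba.ob_alloc);
    free(ba.ob_bytes);
    return 0;
}
```

The naive check returns 1 for `fits_naive(0x7FFFFFFF, 0, 1)` because the sum wraps to INT32_MIN, which is exactly the path that leaves the one-byte allocation in place and leads to the crash in the report; the safe variants return 0 and -1 respectively for the same input.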
msg230497 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-11-02 15:59
Note that there are two possible crashes in debug mode:

$ ./python -c "bytearray(2**31-1)"
Erreur de segmentation

$ ./python -c "bytearray(2**31-2)"
python: Objects/obmalloc.c:1179: _PyObject_Alloc: Assertion `nelem <= ((Py_ssize_t)(((size_t)-1)>>1)) / elsize' failed.
Abandon
msg230499 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-11-02 16:08
Here is a patch. It also fixes a bug in the debug allocators, which didn't properly check for Py_ssize_t overflow.
msg230505 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2014-11-02 17:06
LGTM.
msg230509 - (view) Author: Roundup Robot (python-dev) Date: 2014-11-02 17:42
New changeset 1590c594550e by Antoine Pitrou in branch '3.4':
Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform.
https://hg.python.org/cpython/rev/1590c594550e

New changeset f0b334ae95c9 by Antoine Pitrou in branch 'default':
Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform.
https://hg.python.org/cpython/rev/f0b334ae95c9
msg230510 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-11-02 17:43
Thank you. This is now pushed.
History
Date                 User              Action  Args
2014-11-02 17:43:23  pitrou            set     status: open -> closed; resolution: fixed; messages: + msg230510; stage: commit review -> resolved
2014-11-02 17:42:57  python-dev        set     nosy: + python-dev; messages: + msg230509
2014-11-02 17:06:10  serhiy.storchaka  set     messages: + msg230505; stage: patch review -> commit review
2014-11-02 16:08:20  pitrou            set     components: + Interpreter Core; stage: needs patch -> patch review
2014-11-02 16:08:11  pitrou            set     files: + ba_resize.patch; messages: + msg230499
2014-11-02 15:59:45  pitrou            set     messages: + msg230497
2014-11-02 15:59:16  serhiy.storchaka  set     messages: + msg230496
2014-11-02 15:16:25  ezio.melotti      set     nosy: + ezio.melotti
2014-10-14 23:49:18  Arfrever          set     nosy: + Arfrever
2014-10-14 17:44:29  jwilk             set     messages: + msg229322
2014-10-14 16:54:31  jwilk             set     files: + issue19087.patch; nosy: + jwilk; messages: + msg229314; keywords: + patch
2014-09-04 11:57:58  vstinner          set     nosy: + vstinner
2014-09-04 11:57:10  serhiy.storchaka  set     versions: + Python 3.5; nosy: + serhiy.storchaka, pitrou; messages: + msg226358; stage: needs patch
2014-09-04 10:38:57  swanson           create