
classification
Title: readline macros can segfault Python
Type: crash
Stage: resolved
Components: Library (Lib)
Versions: Python 3.10, Python 3.9, Python 3.8

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: gumnos, martin.panter, vstinner
Priority: normal
Keywords:

Created on 2015-09-28 20:53 by gumnos, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg251800 - (view) Author: Tim Chase (gumnos) Date: 2015-09-28 20:53
Attempting to use a readline macro (use "C-x (" to start recording, "C-x )" to stop recording, and "C-x e" to playback) with more than one newline in it will cause a segfault.  The behavior also presents in the [`rlwrap` tool](https://github.com/hanslub42/rlwrap/issues/36) but not in `bash`.  I've tested and reproduced with Python 2.[4-6] and 3.4, but I don't see any similar bug-reports that would suggest that the problem doesn't also exist in all 3.x series releases.  To reproduce, in a `readline`-enabled Python:

    $ python
    …
    >>> import cmd
    >>> cmd.Cmd().cmdloop()  
    (Cmd) # do "C-x ( <NL> <NL> C-x ) C-x e" and it segfaults

The author of `rlwrap` is working to create a minimum working example, and I'm not sure whether this is a problem with the underlying `libreadline` or just how it's being used by `rlwrap` and Python.
msg251810 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2015-09-28 23:50
Python uses a user handler "rlhandler()" which calls rl_callback_handler_remove(). Is it safe to call rl_callback_handler_remove() in a user handler?

Traceback on the crash:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) where
#0  0x0000000000000000 in ?? ()
#1  0x0000003d0c22d67e in rl_callback_read_char () at ../callback.c:238
#2  0x00007ffff149ce85 in readline_until_enter_or_signal (prompt=prompt@entry=0x7ffff17ef598 "(Cmd) ", signal=signal@entry=0x7fffffffd52c)
    at /home/haypo/prog/python/default/Modules/readline.c:1143
#3  0x00007ffff149cfaa in call_readline (sys_stdin=0x3cecfba8e0 <_IO_2_1_stdin_>, sys_stdout=0x3cecfbb620 <_IO_2_1_stdout_>, prompt=0x7ffff17ef598 "(Cmd) ")
    at /home/haypo/prog/python/default/Modules/readline.c:1231
#4  0x00000000005ae97a in PyOS_Readline (sys_stdin=0x3cecfba8e0 <_IO_2_1_stdin_>, sys_stdout=0x3cecfbb620 <_IO_2_1_stdout_>, prompt=0x7ffff17ef598 "(Cmd) ")
    at Parser/myreadline.c:211
#5  0x000000000052ec57 in builtin_input_impl (module=module@entry=0x7ffff189bc58, prompt=<optimized out>) at Python/bltinmodule.c:1924
#6  0x000000000052f054 in builtin_input (module=0x7ffff189bc58, args=<optimized out>) at Python/clinic/bltinmodule.c.h:546
(...)


Other trace with source code of readline:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: dnf debuginfo-install ncurses-libs-5.9-18.20150214.fc22.x86_64
(gdb) up
#1  0x0000003d0c22d67e in rl_callback_read_char () at ../callback.c:238
238		  (*rl_linefunc) (line);
(gdb) print rl_linefunc
$1 = (rl_vcpfunc_t *) 0x0
msg268969 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-06-21 05:19
I think Victor may be on the right track. Since the macro contains two newlines, a single call to rl_callback_read_char() is going to produce two calls back to the rl_callback_handler_install() handler to receive each line.

I can make the example from the Readline documentation <https://cnswww.cns.cwru.edu/php/chet/readline/readline.html#SEC43> crash the same way that Python does. First, add a macro to ~/.inputrc, which causes an exclamation mark (!) to enter two lines at once:

"!": "exit\ncrash\n"

Now, typing an exclamation mark will cause the example program (and Python!) to crash.

In the description of rl_callback_read_char() <https://cnswww.cns.cwru.edu/php/chet/readline/readline.html#IDX335>, it says “If the ‘lhandler’ function returns . . .”. That seems to be hinting at using something like setjmp() to avoid the function returning, which might help, but I am not sure.
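
Added example, not part of the original messages and not code from readline or CPython: a simplified C model of the dispatch discussed above, where a handler that uninstalls itself (as Python's rlhandler() does) is fed a macro containing two newlines. All function and variable names are hypothetical, and the guarded branch is one possible check assumed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, NOT libreadline code: every name here is hypothetical. */
typedef void (*line_cb)(const char *line);
static line_cb linefunc;   /* stands in for rl_linefunc */
static int lines_seen;     /* lines actually delivered to the handler */

static void handler_remove(void) { linefunc = NULL; }

/* Like Python's rlhandler(): accepts one line, then uninstalls itself. */
static void one_shot_handler(const char *line) {
    (void)line;
    lines_seen++;
    handler_remove();
}

/* Consume buffered input (such as a macro expansion), dispatching each line.
 * guarded == 0: keep dispatching; where the real code would call through a
 *               NULL pointer, the model returns -1 instead of crashing.
 * guarded == 1: stop once the handler is gone, leaving the rest pending.
 * Returns the number of bytes consumed, or -1 for a would-be NULL call. */
static int read_pending(const char *input, int guarded) {
    char line[64];
    size_t n = 0;
    int consumed = 0;
    for (const char *p = input; *p; p++) {
        consumed++;
        if (*p != '\n') {
            if (n < sizeof line - 1) line[n++] = *p;
            continue;
        }
        line[n] = '\0';
        n = 0;
        if (linefunc == NULL) return -1;   /* the SIGSEGV in the traces */
        linefunc(line);
        if (guarded && linefunc == NULL) return consumed;
    }
    return consumed;
}

/* Feed the macro text from the ~/.inputrc line in this message to the model. */
static int run_macro(int guarded) {
    lines_seen = 0;
    linefunc = one_shot_handler;
    return read_pending("exit\ncrash\n", guarded);
}

int main(void) {
    int unguarded = run_macro(0), guarded = run_macro(1);
    printf("unguarded=%d guarded=%d\n", unguarded, guarded);
    return 0;
}
```
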
msg268976 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2016-06-21 09:23
"I can make the example from the Readline documentation ... crash the same way that Python does."

Hum, so maybe the bug should be reported to readline, no?
http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html#Bugs
msg380588 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-11-09 14:46
No activity for 4 years, I close the issue.
History
Date                 User           Action  Args
2022-04-11 14:58:21  admin          set     github: 69446
2020-11-09 14:46:59  vstinner       set     status: open -> closed
                                            resolution: out of date
                                            messages: + msg380588
                                            stage: resolved
2020-11-07 19:56:36  iritkatriel    set     versions: + Python 3.8, Python 3.9, Python 3.10, - Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
2017-11-12 04:19:56  martin.panter  link    issue32009 superseder
2016-06-21 09:23:25  vstinner       set     messages: + msg268976
2016-06-21 05:19:46  martin.panter  set     nosy: + martin.panter
                                            messages: + msg268969
2015-09-28 23:50:26  vstinner       set     nosy: + vstinner
                                            messages: + msg251810
2015-09-28 20:53:09  gumnos         create