classification
Title: Access violation due to CancelSynchronousIo of console read
Type: crash Stage: resolved
Components: IO, Windows Versions: Python 3.7, Python 3.6
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: ZackerySpytz, eryksun, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: easy (C), patch

Created on 2017-05-02 17:46 by eryksun, last changed 2019-07-23 15:42 by steve.dower. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 7911 merged valer, 2018-06-25 17:04
PR 8342 merged miss-islington, 2018-07-19 22:34
PR 8343 merged steve.dower, 2018-07-19 22:41
Messages (7)
msg292791 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2017-05-02 17:46
When ReadConsole is canceled by CancelSynchronousIo [1], for some reason the call still succeeds. It's probably related to the hack that maps STATUS_ALERTED to ERROR_OPERATION_ABORTED when a console read is interrupted by Ctrl+C.

The problem is that, when canceled, ReadConsole doesn't update the value of lpNumberOfCharsRead. Thus in read_console_w in Modules/_io/winconsoleio.c, the value of `n` is a random number that gets added to `readlen`, which is subsequently used to index into `buf`. The problem is the same for `n_read` in _PyOS_WindowsConsoleReadline.

For example, in 3.6:

    import sys, ctypes, threading
    kernel32 = ctypes.WinDLL('kernel32')
    hMain = kernel32.OpenThread(1, 0, kernel32.GetCurrentThreadId())
    t = threading.Timer(30, kernel32.CancelSynchronousIo, (hMain,))
    t.start()
    sys.stdin.readline()


    Breakpoint 0 hit
    KERNELBASE!ReadConsoleW:
    00007ffc`fb558200 4053            push    rbx
    0:000> pt
    KERNELBASE!GetImmersiveColorTypeFromName+0x49d2:
    00007ffc`fb5d2672 c3              ret
    0:000> r rax
    rax=0000000000000001
    0:000> ?? @$teb->LastErrorValue == 995
    bool true

    0:000> gu
    python36!read_console_w+0x8b:
    00000000`6e43a483 85c0            test    eax,eax
    0:000> ?? n
    unsigned long 0xefdc39e8
    0:000> g
    (1154.11fc): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    python36!read_console_w+0x11f:
    00000000`6e43a517 66833a0a        cmp     word ptr [rdx],0Ah
                                            ds:000001e8`cfb72c7e=????

If the value of `n` is initialized to (DWORD)-1, then checking for a failed or canceled call could be implemented as follows:

    if (!res || (n == (DWORD)-1 && GetLastError() ==
        ERROR_OPERATION_ABORTED)) {
        err = GetLastError();
        break;
    }

[1]: https://msdn.microsoft.com/en-us/library/ms684958
msg292793 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2017-05-02 17:54
Oops, I pasted the MSDN link for ReadConsole instead of CancelSynchronousIo [1].

[1]: https://msdn.microsoft.com/en-us/library/aa363794
msg321970 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-07-19 22:34
New changeset ce75df3031c86b78311b1ad76c39c0b39d7d7424 by Steve Dower (ValeriyaSinevich) in branch 'master':
bpo-30237: Output error when ReadConsole is canceled by CancelSynchronousIo. (GH-7911)
https://github.com/python/cpython/commit/ce75df3031c86b78311b1ad76c39c0b39d7d7424
msg322621 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-07-29 09:32
New changeset c3af73d580888b4d444264e79dce6ec0818522cd by Steve Dower (Miss Islington (bot)) in branch '3.7':
bpo-30237: Output error when ReadConsole is canceled by CancelSynchronousIo. (GH-7911)
https://github.com/python/cpython/commit/c3af73d580888b4d444264e79dce6ec0818522cd
msg322622 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-07-29 09:32
New changeset 28bbbdabb1e3601047530febac1b05b7b89dc65e by Steve Dower in branch '3.6':
bpo-30237: Output error when ReadConsole is canceled by CancelSynchronousIo. (GH-7911)
https://github.com/python/cpython/commit/28bbbdabb1e3601047530febac1b05b7b89dc65e
msg348322 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2019-07-23 05:54
PR 7911 was merged and backported. Should this issue be closed?
msg348337 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-07-23 15:42
Yep, thanks for the ping!
History
Date User Action Args
2019-07-23 15:42:40steve.dowersetstatus: open -> closed
resolution: fixed
messages: + msg348337

stage: patch review -> resolved
2019-07-23 05:54:16ZackerySpytzsetnosy: + ZackerySpytz
messages: + msg348322
2018-07-29 09:32:32steve.dowersetmessages: + msg322622
2018-07-29 09:32:05steve.dowersetmessages: + msg322621
2018-07-19 22:41:07steve.dowersetpull_requests: + pull_request7877
2018-07-19 22:34:49miss-islingtonsetpull_requests: + pull_request7876
2018-07-19 22:34:11steve.dowersetmessages: + msg321970
2018-06-25 17:04:52valersetkeywords: + patch
stage: test needed -> patch review
pull_requests: + pull_request7514
2017-05-02 17:54:11eryksunsetmessages: + msg292793
2017-05-02 17:46:07eryksuncreate