Title: atexit.register with bad input segfaults on exit
Type: crash Stage:
Components: Versions: Python 3.0
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: skip.montanaro Nosy List: ajaksu2, christian.heimes, skip.montanaro
Priority: release blocker Keywords: patch

Created on 2008-08-24 20:39 by ajaksu2, last changed 2008-09-23 00:53 by skip.montanaro. This issue is now closed.

File name | Uploaded | Description
atexit.diff | skip.montanaro, 2008-09-18 14:16 |
Messages (10)
msg71862 - (view) Author: Daniel Diniz (ajaksu2) (Python triager) Date: 2008-08-24 20:39
The following crashes the interpreter on exit:

import sys, atexit; atexit.register(lambda: 1, 0, 0, (x for x in (1,2)), 0, 0); sys.exit()

Found with Fusil.
msg71866 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2008-08-24 20:53
I'm getting hundreds of lines

Fatal Python error: PyThreadState_Get: no current thread

The Python process segfaults in call_ll_exitfuncs -> atexit_cleanup() ->
atexit_clear() ->  atexit_delete_cb -> Py_DECREF(cb->args)
msg71872 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2008-08-24 21:10
I was able to trace the error to its apartment. During the cleanup
gen_del calls PyErr_Fetch() which fails in PyThreadState_GET().

The atexit cleanup method must be called much earlier.
call_ll_exitfunc() is too late. I suggest a new function that calls
atexit_cleanup() right after atexit_callfuncs().
msg73376 - (view) Author: Skip Montanaro (skip.montanaro) * (Python triager) Date: 2008-09-18 12:07
Why not just have atexit_callfuncs call atexit_cleanup at the end of its
msg73378 - (view) Author: Skip Montanaro (skip.montanaro) * (Python triager) Date: 2008-09-18 12:21
The attached patch causes an exception to print
at exit on my Mac:

>>> import sys, atexit
>>> atexit.register(lambda: 1, 0, 0, (x for x in (1,2)), 0, 0)
<function <lambda> at 0x5c91e0>
>>> sys.exit()
Error in atexit._run_exitfuncs:
TypeError: print_exception(): Exception expected for value, str found

Without the patch I get the same TypeError but it's
followed by a Bus error.

I don't know if the patch is right or wrong, better or worse than the
status quo, but I'll toss it out there for consideration.  It
certainly seems to subscribe to Christian's theme of calling
atexit_cleanup() earlier.
msg73381 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2008-09-18 13:27
I suggest you move the cleanup call before PyErr_Restore(). The current
code doesn't re-raise exceptions raised in the cleanup function.
msg73384 - (view) Author: Skip Montanaro (skip.montanaro) * (Python triager) Date: 2008-09-18 14:16
New patch.  This also makes the various atexit_*
functions static.
msg73590 - (view) Author: Skip Montanaro (skip.montanaro) * (Python triager) Date: 2008-09-22 19:45
I've taken this ticket.  Can someone please review and give
it a thumbs up or thumbs down?
msg73591 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2008-09-22 20:11
*thumbs up*
msg73610 - (view) Author: Skip Montanaro (skip.montanaro) * (Python triager) Date: 2008-09-23 00:53
Checked in as revision 66562.
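
An added regression check, not part of the original thread or of the CPython patch: it runs the reproducer from msg71862 in a child interpreter and separates a signal death or a "Fatal Python error" abort from the harmless exception printed at exit. The function names and result labels are made up for this example, and the signal handling assumes a POSIX host.

```python
import signal
import subprocess
import sys

# Reproducer from the original report (msg71862), joined onto one line.
REPRODUCER = (
    "import sys, atexit; "
    "atexit.register(lambda: 1, 0, 0, (x for x in (1,2)), 0, 0); "
    "sys.exit()"
)


def run_reproducer(python=sys.executable, timeout=30):
    """Run the reproducer in a child interpreter; return (returncode, stderr)."""
    proc = subprocess.run([python, "-c", REPRODUCER],
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stderr


def classify(returncode, stderr):
    """Label the child's exit as 'fatal-error', 'crashed:<SIGNAL>' or 'ok'."""
    # The message quoted in msg71866 starts with this prefix.
    if "Fatal Python error" in stderr:
        return "fatal-error"
    # On POSIX, subprocess reports death by signal N as returncode -N.
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = str(-returncode)
        return "crashed:" + name
    # An exception printed by the atexit machinery is not a crash: the
    # lambda takes no arguments, so calling it with five raises TypeError.
    return "ok"


if __name__ == "__main__":
    rc, err = run_reproducer()
    print(classify(rc, err), "returncode =", rc)
    print(err, end="")
```

Pass a different interpreter path as `python` to check another build.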
Date | User | Action | Args
2008-09-23 00:53:09 | skip.montanaro | set | status: open -> closed; resolution: fixed; messages: + msg73610
2008-09-22 20:11:21 | christian.heimes | set | messages: + msg73591
2008-09-22 19:45:20 | skip.montanaro | set | assignee: skip.montanaro; messages: + msg73590
2008-09-22 19:43:06 | skip.montanaro | set | files: - atexit.diff
2008-09-18 14:16:49 | skip.montanaro | set | files: + atexit.diff; messages: + msg73384
2008-09-18 13:27:30 | christian.heimes | set | messages: + msg73381
2008-09-18 12:21:23 | skip.montanaro | set | files: + atexit.diff; keywords: + patch; messages: + msg73378
2008-09-18 12:07:31 | skip.montanaro | set | nosy: + skip.montanaro; messages: + msg73376
2008-09-18 05:41:46 | barry | set | priority: deferred blocker -> release blocker
2008-09-04 01:15:12 | benjamin.peterson | set | priority: release blocker -> deferred blocker
2008-08-24 21:10:03 | christian.heimes | set | messages: + msg71872
2008-08-24 20:53:23 | christian.heimes | set | nosy: + christian.heimes; messages: + msg71866
2008-08-24 20:44:40 | christian.heimes | set | priority: release blocker
2008-08-24 20:39:11 | ajaksu2 | create |