➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-12-09 11:05 by Erik-Lamers1, last changed 2022-04-11 14:59 by admin.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 23744 | merged | serhiy.storchaka, 2020-12-12 12:31 | |
| PR 25634 | open | serhiy.storchaka, 2021-04-26 16:29 | |
| Messages (6) | |||
|---|---|---|---|
| msg382791 - (view) | Author: Erik Lamers (Erik-Lamers1) | Date: 2020-12-09 11:05 | |
For Python version 3.7 and above the following statement will end up in a segfault.
eval("1 + 100"*1000000)
Whereas Python versions 3.6 and below would tread this as a Recursion error.
|
|||
| msg382844 - (view) | Author: Steve Stagg (stestagg) | Date: 2020-12-10 21:04 | |
Looks like it was introduced by https://github.com/python/cpython/commit/7ea143ae795a9fd57eaccf490d316bdc13ee9065: bpo-29469: Move constant folding to AST optimizer (GH-2858) |
|||
| msg382849 - (view) | Author: Steve Stagg (stestagg) | Date: 2020-12-10 21:34 | |
In python 3.7/8, It's a stack overflow in the constant folding code.
On master, the overflow seems to come out of validate_expr.c.
* thread #1, name = 'python3', stop reason = signal SIGSEGV: invalid address (fault address: 0x7fffff7feff8)
frame #0: 0x00005555557aadba python3`validate_expr(exp=0x00005555602617c0, ctx=Load) at ast.c:224:16
221 }
222 return validate_exprs(exp->v.BoolOp.values, Load, 0);
223 case BinOp_kind:
-> 224 return validate_expr(exp->v.BinOp.left, Load) &&
225 validate_expr(exp->v.BinOp.right, Load);
226 case UnaryOp_kind:
227 return validate_expr(exp->v.UnaryOp.operand, Load);
300,000 ish stack frames of this:
frame #70832: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150af40, ctx=Load) at ast.c:224:16
frame #70833: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b050, ctx=Load) at ast.c:224:16
frame #70834: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b160, ctx=Load) at ast.c:224:16
frame #70835: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b270, ctx=Load) at ast.c:224:16
frame #70836: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b380, ctx=Load) at ast.c:224:16
frame #70837: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b490, ctx=Load) at ast.c:224:16
frame #70838: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b5a0, ctx=Load) at ast.c:224:16
frame #70839: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b6b0, ctx=Load) at ast.c:224:16
On the one hand, pure python code should never segfault, on the other hand, `eval`ling untrusted input has bigger problems than a segfault on carefully crafted input.
|
|||
| msg382910 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) *  |
Date: 2020-12-12 12:44 | |
This is known issue, but interesting that the cause of the crash is different in 3.7-3.8 and 3.9+. PR 23744 adds recursion checks in the AST validator and optimizer similar to the checks in the symtable. It should not break any existing code because too deep AST tree did not pass checks in the symtable in any case. But it does not solve all problems. A compound statement with too many "elif"s is still crashed because the new parser uses recursion in C to parse it (elif_stmt_rule). I think it should be a separate issue. |
|||
| msg391850 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * |
Date: 2021-04-25 10:38 | |
New changeset face87c94e67ad9c72b9a3724f112fd76c1002b9 by Serhiy Storchaka in branch 'master': bpo-42609: Check recursion depth in the AST validator and optimizer (GH-23744) https://github.com/python/cpython/commit/face87c94e67ad9c72b9a3724f112fd76c1002b9 |
|||
| msg410562 - (view) | Author: Irit Katriel (iritkatriel) * |
Date: 2022-01-14 14:30 | |
Apart from the 3.9 backport this is complete. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:39 | admin | set | github: 86775 |
| 2022-01-17 22:43:22 | iritkatriel | link | issue42712 superseder |
| 2022-01-14 14:30:39 | iritkatriel | set | nosy:
+ iritkatriel, lukasz.langa messages: + msg410562 versions: - Python 3.7, Python 3.8 |
| 2021-04-26 16:29:48 | serhiy.storchaka | set | pull_requests: + pull_request24328 |
| 2021-04-25 10:45:04 | serhiy.storchaka | link | issue43664 superseder |
| 2021-04-25 10:38:05 | serhiy.storchaka | set | messages: + msg391850 |
| 2020-12-14 22:30:14 | BTaskaya | set | nosy:
+ BTaskaya |
| 2020-12-12 12:44:04 | serhiy.storchaka | set | messages: + msg382910 |
| 2020-12-12 12:31:35 | serhiy.storchaka | set | keywords:
+ patch nosy: + serhiy.storchaka pull_requests: + pull_request22602 stage: patch review |
| 2020-12-11 10:12:29 | hongweipeng | set | nosy:
+ hongweipeng |
| 2020-12-11 00:43:12 | corona10 | set | nosy:
+ methane |
| 2020-12-11 00:42:52 | corona10 | set | nosy:
+ corona10 |
| 2020-12-10 21:34:01 | stestagg | set | messages: + msg382849 |
| 2020-12-10 21:04:19 | stestagg | set | nosy:
+ stestagg messages: + msg382844 |
| 2020-12-09 12:01:06 | pmpp | set | nosy:
+ pmpp |
| 2020-12-09 11:06:31 | Erik-Lamers1 | set | title: Eval with two high string multiplication crashes newer Python versions -> Eval with too high string multiplication crashes newer Python versions |
| 2020-12-09 11:05:21 | Erik-Lamers1 | set | versions: + Python 3.7, Python 3.8, Python 3.9 |
| 2020-12-09 11:05:07 | Erik-Lamers1 | create | |