type_new doesn't allocate space for sentinal slot #45578

Rhamphoryncus · 2007-10-05T00:00:42Z

BPO	1237
Nosy	@gvanrossum

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2007-10-05.18:33:31.760>
created_at = <Date 2007-10-05.00:00:41.783>
labels = ['interpreter-core', 'invalid']
title = "type_new doesn't allocate space for sentinal slot"
updated_at = <Date 2007-10-05.18:33:31.759>
user = 'https://bugs.python.org/Rhamphoryncus'

bugs.python.org fields:

activity = <Date 2007-10-05.18:33:31.759>
actor = 'gvanrossum'
assignee = 'none'
closed = True
closed_date = <Date 2007-10-05.18:33:31.760>
closer = 'gvanrossum'
components = ['Interpreter Core']
creation = <Date 2007-10-05.00:00:41.783>
creator = 'Rhamphoryncus'
dependencies = []
files = []
hgrepos = []
issue_num = 1237
keywords = []
message_count = 5.0
messages = ['56231', '56239', '56241', '56243', '56244']
nosy_count = 2.0
nosy_names = ['gvanrossum', 'Rhamphoryncus']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue1237'
versions = []

Rhamphoryncus · 2007-10-05T00:00:41Z

type_new() allocates the exact number of slots it's going to use, but
various other functions assume there's one more slot with a NULL name
field serving as a sentinel. I'm unsure why it doesn't normally crash.

gvanrossum · 2007-10-05T15:08:38Z

Can you be more specific as to on which line number the questionable
allocation happens, and which functions are depending on there being one
extra slot?

Rhamphoryncus · 2007-10-05T17:18:01Z

typeobject.c:1842:type_new
type = (PyTypeObject *)metatype->tp_alloc(metatype, nslots);
nslots may be 0.

typeobject.c:1966:type_new assigns this just-past-the-end address to
tp_members
type->tp_members = PyHeapType_GET_MEMBERS(et);

type_new later calls PyType_Ready, which calls add_members.
typeobject.c:3062:add_members
	for (; memb->name != NULL; memb++) {

Interestingly, traverse_slots and clear_slots both use Py_Size rather
than name != NULL (so I was wrong about the extent of the problem.)
Both seem only to be used for heap types. add_members is used by both
heap types and static C types, so it needs to handle both behaviours.

One possible (if ugly) solution would be to switch iteration methods
depending on if Py_Size() is 0 or not, making sure type_new sets
tp_members to NULL if Py_Size() is 0.

gvanrossum · 2007-10-05T18:07:51Z

Are you sure you're not missing the +1 on line 440 in PyType_GenericAlloc()?

Rhamphoryncus · 2007-10-05T18:25:13Z

Ugh, you're right.

I refactored PyType_GenericAlloc out of my fork, which is why I got a crash.

Sorry for wasting your time.

Rhamphoryncus mannequin added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label Oct 5, 2007

gvanrossum closed this as completed Oct 5, 2007

gvanrossum added the invalid label Oct 5, 2007

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

type_new doesn't allocate space for sentinal slot #45578

type_new doesn't allocate space for sentinal slot #45578

Rhamphoryncus mannequin commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007

gvanrossum commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007

gvanrossum commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007

type_new doesn't allocate space for sentinal slot #45578

type_new doesn't allocate space for sentinal slot #45578

Comments

Rhamphoryncus mannequin commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007

gvanrossum commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007

gvanrossum commented Oct 5, 2007

Rhamphoryncus mannequin commented Oct 5, 2007