crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail #75909

Closed
orenmn mannequin opened this issue Oct 8, 2017 · 6 comments
Labels
3.7 (EOL) end of life topic-XML type-crash A hard crash of the interpreter, possibly with a core dump

Comments

orenmn mannequin commented Oct 8, 2017

BPO 31728
Nosy @serhiy-storchaka, @orenmn
PRs
  • bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail #3924
  • [3.6] bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail (GH-3924) #3945
  • [2.7] bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail (GH-3924) #3950
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2017-10-11.13:44:11.722>
    created_at = <Date 2017-10-08.20:16:27.328>
    labels = ['expert-XML', '3.7', 'type-crash']
    title = 'crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail'
    updated_at = <Date 2017-10-11.13:44:11.720>
    user = 'https://github.com/orenmn'

    bugs.python.org fields:

    activity = <Date 2017-10-11.13:44:11.720>
    actor = 'serhiy.storchaka'
    assignee = 'none'
    closed = True
    closed_date = <Date 2017-10-11.13:44:11.722>
    closer = 'serhiy.storchaka'
    components = ['XML']
    creation = <Date 2017-10-08.20:16:27.328>
    creator = 'Oren Milman'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 31728
    keywords = ['patch']
    message_count = 6.0
    messages = ['303917', '304013', '304079', '304087', '304132', '304135']
    nosy_count = 2.0
    nosy_names = ['serhiy.storchaka', 'Oren Milman']
    pr_nums = ['3924', '3945', '3950']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue31728'
    versions = ['Python 2.7', 'Python 3.6', 'Python 3.7']


    orenmn mannequin commented Oct 8, 2017

    The following code causes the interpreter to crash:
    import xml.etree.ElementTree
    class X:
        def __del__(self):
            elem.clear()
    elem = xml.etree.ElementTree.Element('elem')
    elem.text = X()
    elem.clear()

    This is because _elementtree_Element_clear_impl() decrefs self->text in an
    unsafe manner.
    For the same reason, but for self->tail, a crash would happen if we replaced
    'elem.text = X()' with 'elem.tail = X()'.

    Similarly, the following code also causes the interpreter to crash:
    import xml.etree.ElementTree
    class X:
        def __del__(self):
            elem.clear()
    elem = xml.etree.ElementTree.Element('elem')
    elem.text = X()
    elem.text = X()

    This is because element_text_setter() decrefs self->text in an unsafe manner.
    element_tail_setter() does the same for self->tail, so again, if we replaced
    'elem.text = X()' with 'elem.tail = X()', we would also get a crash.


    orenmn mannequin commented Oct 10, 2017

    As serhiy pointed out in a comment in PR 3924, setting self->text or self->tail to
    NULL might lead to an assertion failure, so we should also prevent the following
    assertion failure (and the similar one for tail):
    import xml.etree.ElementTree
    class X:
        def __del__(self):
            elem.text

    elem = xml.etree.ElementTree.Element('elem')
    elem.text = X()
    elem.__setstate__({'tag': None}) # implicitly also set elem.text to None
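
A simplified C model of the two failure modes reported in the comments above (a decref while the field still points at the object, and a field left NULL while the destructor runs), next to a store-then-decref ordering that avoids both. This is an added example, not code from CPython or from the linked PRs; the structs, `none`, the counters and all function names are constructed for illustration, and misuse is counted rather than allowed to corrupt memory.

```c
#include <stdio.h>
/* Constructed refcount model; not CPython's real structs or source. */
typedef struct Obj { int refcnt; void (*del)(struct Obj *); } Obj;
typedef struct { Obj *text; } Elem;
typedef struct { int bad_decrefs, null_reads; } Result;

static Obj none = { 1000, NULL };  /* stands in for Py_None */
static Elem *g_elem;               /* the global `elem` that __del__ reaches */
static void (*g_clear)(Elem *);    /* clear() variant that __del__ re-enters */
static Result g;                   /* counters for the current run */
static void decref(Obj *o) {
    if (o->refcnt <= 0) { g.bad_decrefs++; return; } /* real code: memory corruption */
    if (--o->refcnt == 0 && o->del) o->del(o);       /* destructor runs user code */
}
static void x_del(Obj *self) {     /* models X.__del__ */
    (void)self;
    if (g_elem->text == NULL) { g.null_reads++; return; } /* a getter would assert */
    g_clear(g_elem);               /* elem.clear() from inside __del__ */
}
/* Decref while the field still points at the dying object. */
static void clear_unsafe(Elem *e) {
    decref(e->text);
    none.refcnt++; e->text = &none;
}
/* Field is NULL while the destructor runs. */
static void clear_null_first(Elem *e) {
    Obj *old = e->text;
    e->text = NULL;
    decref(old);
    none.refcnt++; e->text = &none;
}
/* Install the new value first, drop the old reference last. */
static void clear_safe(Elem *e) {
    Obj *old = e->text;
    none.refcnt++; e->text = &none;
    decref(old);
}
static Result run(void (*clear)(Elem *)) {
    Obj x = { 1, x_del };          /* one reference, held by e.text */
    Elem e = { &x };
    g_elem = &e; g_clear = clear; g.bad_decrefs = g.null_reads = 0;
    clear(&e);
    return g;
}
int main(void) {
    Result u = run(clear_unsafe), n = run(clear_null_first), s = run(clear_safe);
    printf("unsafe bad=%d, null-first reads=%d, safe bad=%d\n", u.bad_decrefs, n.null_reads, s.bad_decrefs);
    return 0;
}
```
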

    @serhiy-storchaka
    Member

    New changeset 39ecb9c by Serhiy Storchaka (Oren Milman) in branch 'master':
    bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail (bpo-3924)
    39ecb9c

    @serhiy-storchaka
    Member

    New changeset a8ac71d by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
    [3.6] bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail (GH-3924) (bpo-3945)
    a8ac71d

    @serhiy-storchaka
    Member

    New changeset f15058a by Serhiy Storchaka (Oren Milman) in branch '2.7':
    [2.7] bpo-31728: Prevent crashes in _elementtree due to unsafe cleanup of Element.text and Element.tail (GH-3924) (bpo-3950)
    f15058a

    @serhiy-storchaka
    Member

    Thank you Oren!

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022