Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

gh-131998: FixNULL dereference when using an unbound method descriptor in a specialized code path#132000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged

Conversation

ZeroIntensity
Copy link
Member

@ZeroIntensityZeroIntensity commentedApr 2, 2025
edited by bedevere-appbot
Loading

Copy link
Member

@sobolevnsobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

(not a full review)

# GH-131998: The specialized instruction would get tricked into dereferencing
# a bound "self" that didn't exist if subsequently called unbound.
code = """if True:
import glob
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do we need this import?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yeah, the optimizer is finicky and I can't get it to reliably reproduce without the import. I'll add a comment for clarity.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I reproduce the crash in a reliable way without theimport glob.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

You can replaceimport glob with just this code copied fromLib/types.py (a dependency ofglob):

# CellType comes from types.pydef_cell_factory():a=1deff():nonlocalareturnf.__closure__[0]CellType=type(_cell_factory())

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm ok-ish with keepingimport glob, but add a comment explaining the purpose of this unused import.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Sorry, I mean that I can reproduce the crash withoutimport glob when I run a script:./python reproducer.py. I confirm that for this test case,import glob (or the code example that I proposed) is needed to trigger the bug.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I added a comment.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This import shouldn't be needed with the changes below.

@vstinnervstinner added the needs backport to 3.13bugs and security fixes labelApr 2, 2025
Co-authored-by: Victor Stinner <vstinner@python.org>
@ZeroIntensityZeroIntensity marked this pull request as ready for reviewApril 2, 2025 10:12
Copy link
Member

@markshannonmarkshannon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We need to guardtotal_args before readingself.

This applies toCALL_METHOD_DESCRIPTOR_FAST as well.

@bedevere-app
Copy link

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phraseI have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@ZeroIntensity
Copy link
MemberAuthor

I have made the requested changes; please review again

@bedevere-app
Copy link

Thanks for making the requested changes!

@markshannon: please review the changes made to this pull request.

@python-cla-bot
Copy link

All commit authors signed the Contributor License Agreement.

CLA signed

@hugovk
Copy link
Member

This PR had a merge conflict.

Next 3.13/3.14 releases are tomorrow.

@ZeroIntensity
Copy link
MemberAuthor

Fixed the conflicts.

Friendly ping@markshannon -- this is a blocker for 3.13.3.

Copy link
Member

@markshannonmarkshannon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think we can remove theimport glob by filling the stack with lists before the call.

# GH-131998: The specialized instruction would get tricked into dereferencing
# a bound "self" that didn't exist if subsequently called unbound.
code = """if True:
import glob
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This import shouldn't be needed with the changes below.

@bedevere-app
Copy link

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phraseI have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

And if you don't make the requested changes, you will be poked with soft cushions!

@markshannon
Copy link
Member

FTR, here's the reproducer on main without importingglob.

>>>defcall(part):...     []+ ([]+ [])...part.pop()...>>>for_inrange(3):...call(['a'])...>>>call(list)Segmentationfault (coredumped)

@ZeroIntensity
Copy link
MemberAuthor

I'm not going to trigger the noisy bot again, but this should be good to go.

@Yhg1sYhg1senabled auto-merge (squash)April 8, 2025 10:08
@Yhg1sYhg1s merged commitac3c439 intopython:mainApr 8, 2025
64 checks passed
@miss-islington-app
Copy link

Thanks@ZeroIntensity for the PR, and@Yhg1s for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

Sorry,@ZeroIntensity and@Yhg1s, I could not cleanly backport this to3.13 due to a conflict.
Please backport usingcherry_picker on command line.

cherry_picker ac3c439cdfee8452f2bcceacd67a1f4e423ac3cf 3.13

@ZeroIntensity
Copy link
MemberAuthor

I'll deal with the backport.

ZeroIntensity added a commit to ZeroIntensity/cpython that referenced this pull requestApr 8, 2025
…method descriptor in a specialized code path (pythonGH-132000)(cherry picked from commitac3c439)Co-authored-by: Peter Bierma <zintensitydev@gmail.com>Co-authored-by: sobolevn <mail@sobolevn.me>Co-authored-by: Victor Stinner <vstinner@python.org>Co-authored-by: Mark Shannon <mark@hotpy.org>
@bedevere-app
Copy link

GH-132262 is a backport of this pull request to the3.13 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.13bugs and security fixes labelApr 8, 2025
@ZeroIntensityZeroIntensity deleted the gh-131998-method-descriptor-crash branchApril 8, 2025 10:39
Yhg1s pushed a commit that referenced this pull requestApr 8, 2025
… descriptor in a specialized code path (GH-132000) (#132262)(cherry picked from commitac3c439)Co-authored-by: Peter Bierma <zintensitydev@gmail.com>Co-authored-by: sobolevn <mail@sobolevn.me>Co-authored-by: Victor Stinner <vstinner@python.org>Co-authored-by: Mark Shannon <mark@hotpy.org>
seehwan pushed a commit to seehwan/cpython that referenced this pull requestApr 16, 2025
…descriptor in a specialized code path (python#132000)Co-authored-by: sobolevn <mail@sobolevn.me>Co-authored-by: Victor Stinner <vstinner@python.org>Co-authored-by: Mark Shannon <mark@hotpy.org>
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@vstinnervstinnervstinner left review comments

@Yhg1sYhg1sYhg1s left review comments

@sobolevnsobolevnsobolevn left review comments

@markshannonmarkshannonmarkshannon requested changes

Assignees

@Yhg1sYhg1s

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

6 participants
@ZeroIntensity@hugovk@markshannon@vstinner@Yhg1s@sobolevn
[8]ページ先頭
©2009-2025 Movatter.jp