Skip to content

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Apr 8, 2025
+47 −0
Merged

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
345ad57
Fix crash when the stackref is NULL.
ZeroIntensity Apr 2, 2025
1914aca
Add a test.
ZeroIntensity Apr 2, 2025
5101034
Add a test case.
ZeroIntensity Apr 2, 2025
2233afe
Add blurb
ZeroIntensity Apr 2, 2025
538c83b
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
04b61df
Try removing the 'import glob' now.
ZeroIntensity Apr 2, 2025
cd12c28
Add back the 'import glob', it doesn't reproduce.
ZeroIntensity Apr 2, 2025
f73dd59
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
a2a07ea
Check for 'total_args' instead of 'self'
ZeroIntensity Apr 2, 2025
aefcf8a
Merge branch 'main' into gh-131998-method-descriptor-crash
ZeroIntensity Apr 7, 2025
0eb6933
Fix the damn import.
ZeroIntensity Apr 7, 2025
d1d5c0a
Apply suggestions from code review
ZeroIntensity Apr 8, 2025
0261714
Remove 'import glob'
ZeroIntensity Apr 8, 2025
99037ae
Fix stray newline change.
ZeroIntensity Apr 8, 2025
d87de41
Remove comment.
ZeroIntensity Apr 8, 2025
363acec
Merge branch 'main' into gh-131998-method-descriptor-crash
Yhg1s Apr 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions Lib/test/test_types.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
run_with_locale, cpython_only, no_rerun,
MISSING_C_DOCSTRINGS,
)
from test.support.script_helper import assert_python_ok
import collections.abc
from collections import namedtuple, UserDict
import copy
Expand Down Expand Up @@ -646,6 +647,25 @@ def test_traceback_and_frame_types(self):
def test_capsule_type(self):
self.assertIsInstance(_datetime.datetime_CAPI, types.CapsuleType)

def test_gh131998(self):
# GH-131998: The specialized instruction would get tricked into dereferencing
# a bound "self" that didn't exist if subsequently called unbound.
code = """if True:
# The optimizer is finicky, and the easiest way (that I know of)
# to get it to reproduce in CI is by importing a Python module at runtime.
import glob
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this import?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, the optimizer is finicky and I can't get it to reliably reproduce without the import. I'll add a comment for clarity.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reproduce the crash in a reliable way without the import glob.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can replace import glob with just this code copied from Lib/types.py (a dependency of glob):

# CellType comes from types.py
def _cell_factory():
    a = 1
    def f():
        nonlocal a
    return f.__closure__[0]
CellType = type(_cell_factory())

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok-ish with keeping import glob, but add a comment explaining the purpose of this unused import.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it reliably reproduce in the test case? I think it only happens if you've already got some compiled bytecode to trigger the optimizer, which isn't the case in CI.

Sorry, I mean that I can reproduce the crash without import glob when I run a script: ./python reproducer.py. I confirm that for this test case, import glob (or the code example that I proposed) is needed to trigger the bug.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a comment.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This import shouldn't be needed with the changes below.

def call(part):
part.pop()
call(['a'])
try:
call(list)
except TypeError:
pass
"""
assert_python_ok("-c", code)


class UnionTests(unittest.TestCase):

Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Core_and_Builtins/2025-04-01-22-24-19.gh-issue-131998.DvmZcT.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Fix a crash when using an unbound method :term:`descriptor` object in a
function where a bound method descriptor was used.
2 changes: 2 additions & 0 deletions Python/bytecodes.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4304,6 +4304,7 @@ dummy_func(
EXIT_IF(meth->ml_flags != (METH_FASTCALL|METH_KEYWORDS));
PyTypeObject *d_type = method->d_common.d_type;
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
EXIT_IF(self == NULL);
EXIT_IF(!Py_IS_TYPE(self, d_type));
STAT_INC(CALL, hit);
int nargs = total_args - 1;
Expand Down Expand Up @@ -4382,6 +4383,7 @@ dummy_func(
PyMethodDef *meth = method->d_method;
EXIT_IF(meth->ml_flags != METH_FASTCALL);
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
EXIT_IF(self == NULL);
EXIT_IF(!Py_IS_TYPE(self, method->d_common.d_type));
STAT_INC(CALL, hit);
int nargs = total_args - 1;
Expand Down
8 changes: 8 additions & 0 deletions Python/executor_cases.c.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions Python/generated_cases.c.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading