Fix a crasher where Python code managed to infinitely recurse in C code without

ever going back out to Python code in PyObject_Call().  Required introducing a
static RuntimeError instance so that normalizing an exception there is no
reliance on a recursive call that would put the exception system over the
recursion check itself.

Author: brettcannon

Include/pyerrors.h

@@ -161,6 +161,7 @@ PyAPI_DATA(PyObject *) PyExc_VMSError;
 #endif
 
 PyAPI_DATA(PyObject *) PyExc_MemoryErrorInst;
+PyAPI_DATA(PyObject *) PyExc_RecursionErrorInst;
 
 /* Predefined warning categories */
 PyAPI_DATA(PyObject *) PyExc_Warning;

Lib/test/crashers/infinite_rec_1.py

@@ -4,6 +4,7 @@
 from copy import deepcopy
 import warnings
 import types
+import new
 
 warnings.filterwarnings("ignore",
          r'complex divmod\(\), // and % are deprecated$',
@@ -1981,6 +1982,10 @@ def unsafecmp(a, b):
     unsafecmp(1, 1L)
     unsafecmp(1L, 1)
 
+def recursions():
+    if verbose:
+        print "Testing recursion checks ..."
+
     class Letter(str):
         def __new__(cls, letter):
             if letter == 'EPS':
@@ -1990,7 +1995,6 @@ def __str__(self):
             if not self:
                 return 'EPS'
             return self
-
     # sys.stdout needs to be the original to trigger the recursion bug
     import sys
     test_stdout = sys.stdout
@@ -2004,6 +2008,17 @@ def __str__(self):
         raise TestFailed, "expected a RuntimeError for print recursion"
     sys.stdout = test_stdout
 
+    # Bug #1202533.
+    class A(object):
+        pass
+    A.__mul__ = new.instancemethod(lambda self, x: self * x, None, A)
+    try:
+        A()*2
+    except RuntimeError:
+        pass
+    else:
+        raise TestFailed("expected a RuntimeError")
+
 def weakrefs():
     if verbose: print "Testing weak references..."
     import weakref
@@ -4395,6 +4410,7 @@ def test_main():
     overloading()
     methods()
     specials()
+    recursions()
     weakrefs()
     properties()
     supers()

Lib/test/crashers/infinite_rec_2.py

@@ -12,6 +12,12 @@ What's New in Python 2.6 alpha 1?
 Core and builtins
 -----------------
 
+- Issue #1202533: Fix infinite recursion calls triggered by calls to
+  PyObject_Call() never calling back out to Python code to trigger recursion
+  depth updates/checks.  Required the creation of a static RuntimeError
+  instance in case normalizing an exception put the recursion check value past
+  its limit.  Fixes crashers infinite_rec_(1|2|4|5).py.
+
 - Patch #1031213: Decode source line in SyntaxErrors back to its original source
   encoding.
 

Lib/test/crashers/infinite_rec_4.py

@@ -1857,7 +1857,11 @@ PyObject_Call(PyObject *func, PyObject *arg, PyObject *kw)
         ternaryfunc call;
 
 	if ((call = func->ob_type->tp_call) != NULL) {
-		PyObject *result = (*call)(func, arg, kw);
+		PyObject *result;
+		if (Py_EnterRecursiveCall(" while calling a Python object"))
+		    return NULL;
+		result = (*call)(func, arg, kw);
+		Py_LeaveRecursiveCall();
 		if (result == NULL && !PyErr_Occurred())
 			PyErr_SetString(
 				PyExc_SystemError,

Lib/test/crashers/infinite_rec_5.py

@@ -1912,6 +1912,12 @@ SimpleExtendsException(PyExc_Warning, UnicodeWarning,
  */
 PyObject *PyExc_MemoryErrorInst=NULL;
 
+/* Pre-computed RuntimeError instance for when recursion depth is reached.
+   Meant to be used when normalizing the exception for exceeding the recursion
+   depth will cause its own infinite recursion.
+*/
+PyObject *PyExc_RecursionErrorInst = NULL;
+
 /* module global functions */
 static PyMethodDef functions[] = {
     /* Sentinel */
@@ -2079,6 +2085,29 @@ _PyExc_Init(void)
     if (!PyExc_MemoryErrorInst)
         Py_FatalError("Cannot pre-allocate MemoryError instance\n");
 
+    PyExc_RecursionErrorInst = BaseException_new(&_PyExc_RuntimeError, NULL, NULL);
+    if (!PyExc_RecursionErrorInst)
+	Py_FatalError("Cannot pre-allocate RuntimeError instance for "
+			"recursion errors");
+    else {
+	PyBaseExceptionObject *err_inst =
+	    (PyBaseExceptionObject *)PyExc_RecursionErrorInst;
+	PyObject *args_tuple;
+	PyObject *exc_message;
+	exc_message = PyString_FromString("maximum recursion depth exceeded");
+	if (!exc_message)
+	    Py_FatalError("cannot allocate argument for RuntimeError "
+			    "pre-allocation");
+	args_tuple = PyTuple_Pack(1, exc_message);
+	if (!args_tuple)
+	    Py_FatalError("cannot allocate tuple for RuntimeError "
+			    "pre-allocation");
+	Py_DECREF(exc_message);
+	if (BaseException_init(err_inst, args_tuple, NULL))
+	    Py_FatalError("init of pre-allocated RuntimeError failed");
+	Py_DECREF(args_tuple);
+    }
+
     Py_DECREF(bltinmod);
 
 #if defined _MSC_VER && _MSC_VER >= 1400 && defined(__STDC_SECURE_LIB__)

Lib/test/test_descr.py

@@ -4854,16 +4854,7 @@ slot_tp_call(PyObject *self, PyObject *args, PyObject *kwds)
 	if (meth == NULL)
 		return NULL;
 
-	/* PyObject_Call() will end up calling slot_tp_call() again if
-	   the object returned for __call__ has __call__ itself defined
-	   upon it.  This can be an infinite recursion if you set
-	   __call__ in a class to an instance of it. */
-	if (Py_EnterRecursiveCall(" in __call__")) {
-		Py_DECREF(meth);
-		return NULL;
-	}
 	res = PyObject_Call(meth, args, kwds);
-	Py_LeaveRecursiveCall();
 
 	Py_DECREF(meth);
 	return res;

Misc/NEWS

@@ -132,6 +132,7 @@ PyErr_NormalizeException(PyObject **exc, PyObject **val, PyObject **tb)
 	PyObject *value = *val;
 	PyObject *inclass = NULL;
 	PyObject *initial_tb = NULL;
+	PyThreadState *tstate = NULL;
 
 	if (type == NULL) {
 		/* There was no exception, so nothing to do. */
@@ -207,7 +208,14 @@ PyErr_NormalizeException(PyObject **exc, PyObject **val, PyObject **tb)
 			Py_DECREF(initial_tb);
 	}
 	/* normalize recursively */
+	tstate = PyThreadState_GET();
+	if (++tstate->recursion_depth > Py_GetRecursionLimit()) {
+	    --tstate->recursion_depth;
+	    PyErr_SetObject(PyExc_RuntimeError, PyExc_RecursionErrorInst);
+	    return;
+	}
 	PyErr_NormalizeException(exc, val, tb);
+	--tstate->recursion_depth;
 }