bpo-25750: fix refcounts in type_getattro() #6118
Conversation
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA). Unfortunately we couldn't find an account corresponding to your GitHub username on bugs.python.org (b.p.o) to verify you have signed the CLA (this might be simply due to a missing "GitHub Name" entry in your b.p.o account settings). This is necessary for legal reasons before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. Thanks again to your contribution and we look forward to looking at it! |
There was a problem hiding this comment.
In https://bugs.python.org/issue25750#msg255566 you said:
My patch does fix the crash in Lib/test/crashers/borrowed_ref_2.py on Python 2.7.10.
Is it possible to convert https://github.com/python/cpython/blob/2.7/Lib/test/crashers/borrowed_ref_2.py to a simple test case?
Thanks!
I can try, but I never managed to get the vanilla Python testsuite to pass on my system, so it's hard to test it myself. |
|
We can use Travis to test it :) By the way, the test suite should pass on most systems. I suggest reporting test failures on your system on bugs.p.o. |
That example seems to crash only on Python 2, not Python 3. In fact, I do not know how to reproduce the crash on Python 3. |
|
I added a testcase. This was a lot harder to reproduce on Python 3.8 than Python 2.7, probably due to the changes regarding calling functions. |
|
So, in some sense, the backport to Python 2.7 is more important than the fix to Python 3.8. The underlying issue is the same, it's just harder to accidentally hit it because of unrelated changes. |
|
@berkerpeksag Can you please finish the review of this PR? |
Lib/test/test_descr.py
Outdated
| try: | ||
| from _testcapi import bad_get | ||
| except ImportError: | ||
| return |
There was a problem hiding this comment.
We can just skip the test with an explanation instead of returning None here.
| @@ -0,0 +1,2 @@ | |||
| Fix rare Python crash due to bad refcounting in ``type_getattro()`` if a | |||
| descriptor deletes itself from the class. | |||
There was a problem hiding this comment.
Please add "Patch by Jeroen Demeyer."
Modules/_testcapimodule.c
Outdated
| @@ -4776,6 +4798,7 @@ static PyMethodDef TestMethods[] = { | |||
| {"get_mapping_items", get_mapping_items, METH_O}, | |||
| {"test_pythread_tss_key_state", test_pythread_tss_key_state, METH_VARARGS}, | |||
| {"hamt", new_hamt, METH_NOARGS}, | |||
| {"bad_get", bad_get, METH_FASTCALL}, | |||
There was a problem hiding this comment.
Is there a particular reason to use METH_FASTCALL here? Can't we just use METH_VARARGS? Did you use it because it was easy to reproduce the crash in Python 3?
There was a problem hiding this comment.
Also, if it's not possible to crash the interpreter in a pure Python 3 code, I wonder whether we should only fix this in Python 2.7.
There was a problem hiding this comment.
if it's not possible to crash the interpreter in a pure Python 3 code
I never said that it's impossible. I just said that I didn't manage to. There is a lot of C code in CPython, I didn't audit all of it to ensure that it can't be used to get this crash. Even if I did, somebody might add a function tomorrow which does allow to induce the crash.
There was a problem hiding this comment.
Is there a particular reason to use METH_FASTCALL here?
Absolutely. When calling with METH_VARARGS, a temporary tuple is constructed which holds an additional reference. So there won't be a crash in that case. I'm guessing that this is also the reason why the crash is more likely to occur on Python 2.7.
Lib/test/test_descr.py
Outdated
| descr = Descr() | ||
| def __new__(cls): | ||
| cls.descr = None | ||
| cls.lst = [2**i for i in range(10000)] |
There was a problem hiding this comment.
I'm at work at the moment, so I don't have a chance to test this, but do we need cls.lst to reproduce the crash?
There was a problem hiding this comment.
do we need cls.lst to reproduce the crash?
That line is just to mess with the memory to ensure a sufficiently corrupted state.
|
If you insist, here is a pure Python 3 reproducer: However, this code is so artificial that it would be really strange to add it to the testsuite. I think that the current C code does a much better job of showing the error. |
|
I made the requested changes on the branch. |
First of all, it is possible to crash the interpreter using Second, CPython is more than just the Python interpreter: even if a bug is only relevant for the Python/C API, it's still a bug that should be fixed. So we can get this merged finally? It's an obvious bug fix, and I see nothing controversial about it. |
|
@vstinner You obviously care about abusing borrowed references... |
There was a problem hiding this comment.
The typeobject.c fix LGTM, but I'm not sure about the test. The test seems quite complicated and not reliable :-( Do we really have to add an unit test for that?
@serhiy-storchaka: Would you be ok to omit the test on such fix?
I dislike having a test doing "cls.descr = None" and "Create this large list to corrupt some unused memory". IMHO the test is too close to the exact C implementation.
|
I added a testcase by request of @berkerpeksag |
Why? That is exactly the main point of the test (unless you prefer |
If it becomes part of the test suite, it means that we have to support this weird use case. I'm not sure that it should be part of the "language specification". |
|
The whole point of this issue and PR is that someone is already depending on this behavior. We already have tests for more rare cases (e.g. https://bugs.python.org/issue31781) than this one. We could wrap the test with the |
So you think that doing |
|
I have no strong opinion on this change. I let someone else take a decision. |
When calling tp_descr_get(self, obj, type), make sure that we own a reference to "self"
|
Since the testcase is apparently controversial, I decided to separate it as a new pull request: #9084 I really hope that this issue can now finally be fixed. |
When calling tp_descr_get(self, obj, type), make sure that we own a strong reference to "self". (cherry picked from commit 8f73548) Co-authored-by: jdemeyer <[email protected]>
|
GH-9087 is a backport of this pull request to the 3.7 branch. |
|
GH-9088 is a backport of this pull request to the 3.6 branch. |
When calling tp_descr_get(self, obj, type), make sure that we own a strong reference to "self". (cherry picked from commit 8f73548) Co-authored-by: jdemeyer <[email protected]>
|
GH-9089 is a backport of this pull request to the 2.7 branch. |
When calling tp_descr_get(self, obj, type), make sure that we own a strong reference to "self". (cherry picked from commit 8f73548) Co-authored-by: jdemeyer <[email protected]>
I'm sorry for being picky :-(
Sure, I just merged it. miss-inlington bot created the 3 backports and I already approved them, they will be merged once the CI tests pass. |
When calling tp_descr_get(self, obj, type), make sure that we own a strong reference to "self". (cherry picked from commit 8f73548) Co-authored-by: jdemeyer <[email protected]>
When calling tp_descr_get(self, obj, type), make sure that we own a strong reference to "self". (cherry picked from commit 8f73548) Co-authored-by: jdemeyer <[email protected]>
When calling
tp_descr_get(attr, obj, type), make sure that we own a reference toattr. In the existing code, we only have a borrowed reference.This bug goes back to at least Python 2.7, so ideally it should be backported to all previous versions.
https://bugs.python.org/issue25750
Downstream: https://trac.sagemath.org/ticket/19633