GH-96975: Skip incomplete frames in PyEval_GetFrame (GH-97018)

miss-islington · brandtbucher · pablogsal · commit 154b3cd75164 · 2022-10-22T20:09:00.000+01:00
(cherry picked from commit 8fd2c3b) Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>
diff --git a/Lib/test/test_embed.py b/Lib/test/test_embed.py
@@ -1709,6 +1709,9 @@ def test_audit_run_stdin(self):
                                       timeout=support.SHORT_TIMEOUT,
                                       returncode=1)
 
+    def test_get_incomplete_frame(self):
+        self.run_embedded_interpreter("test_get_incomplete_frame")
+
 
 class MiscTests(EmbeddingTestsMixin, unittest.TestCase):
     def test_unicode_id_init(self):
diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-09-21-16-06-37.gh-issue-96975.BmE0XY.rst b/Misc/NEWS.d/next/Core and Builtins/2022-09-21-16-06-37.gh-issue-96975.BmE0XY.rst
@@ -0,0 +1,2 @@
+Fix a crash occurring when :c:func:`PyEval_GetFrame` is called while the
+topmost Python frame is in a partially-initialized state.
diff --git a/Programs/_testembed.c b/Programs/_testembed.c
@@ -1950,6 +1950,73 @@ static int test_repeated_init_and_inittab(void)
     return 0;
 }
 
+static void wrap_allocator(PyMemAllocatorEx *allocator);
+static void unwrap_allocator(PyMemAllocatorEx *allocator);
+
+static void *
+malloc_wrapper(void *ctx, size_t size)
+{
+    PyMemAllocatorEx *allocator = (PyMemAllocatorEx *)ctx;
+    unwrap_allocator(allocator);
+    PyEval_GetFrame();  // BOOM!
+    wrap_allocator(allocator);
+    return allocator->malloc(allocator->ctx, size);
+}
+
+static void *
+calloc_wrapper(void *ctx, size_t nelem, size_t elsize)
+{
+    PyMemAllocatorEx *allocator = (PyMemAllocatorEx *)ctx;
+    return allocator->calloc(allocator->ctx, nelem, elsize);
+}
+
+static void *
+realloc_wrapper(void *ctx, void *ptr, size_t new_size)
+{
+    PyMemAllocatorEx *allocator = (PyMemAllocatorEx *)ctx;
+    return allocator->realloc(allocator->ctx, ptr, new_size);
+}
+
+static void
+free_wrapper(void *ctx, void *ptr)
+{
+    PyMemAllocatorEx *allocator = (PyMemAllocatorEx *)ctx;
+    allocator->free(allocator->ctx, ptr);
+}
+
+static void
+wrap_allocator(PyMemAllocatorEx *allocator)
+{
+    PyMem_GetAllocator(PYMEM_DOMAIN_OBJ, allocator);
+    PyMemAllocatorEx wrapper = {
+        .malloc = &malloc_wrapper,
+        .calloc = &calloc_wrapper,
+        .realloc = &realloc_wrapper,
+        .free = &free_wrapper,
+        .ctx = allocator,
+    };
+    PyMem_SetAllocator(PYMEM_DOMAIN_OBJ, &wrapper);
+}
+
+static void
+unwrap_allocator(PyMemAllocatorEx *allocator)
+{
+    PyMem_SetAllocator(PYMEM_DOMAIN_OBJ, allocator);
+}
+
+static int
+test_get_incomplete_frame(void)
+{
+    _testembed_Py_Initialize();
+    PyMemAllocatorEx allocator;
+    wrap_allocator(&allocator);
+    // Force an allocation with an incomplete (generator) frame:
+    int result = PyRun_SimpleString("(_ for _ in ())");
+    unwrap_allocator(&allocator);
+    Py_Finalize();
+    return result;
+}
+
 
 /* *********************************************************
  * List of test cases and the function that implements it.
@@ -2032,6 +2099,7 @@ static struct TestCase TestCases[] = {
 #ifndef MS_WINDOWS
     {"test_frozenmain", test_frozenmain},
 #endif
+    {"test_get_incomplete_frame", test_get_incomplete_frame},
 
     {NULL, NULL}
 };
diff --git a/Python/ceval.c b/Python/ceval.c
@@ -7115,11 +7115,14 @@ _PyEval_GetFrame(void)
 PyFrameObject *
 PyEval_GetFrame(void)
 {
-    PyThreadState *tstate = _PyThreadState_GET();
-    if (tstate->cframe->current_frame == NULL) {
+    _PyInterpreterFrame *frame = _PyEval_GetFrame();
+    while (frame && _PyFrame_IsIncomplete(frame)) {
+        frame = frame->previous;
+    }
+    if (frame == NULL) {
         return NULL;
     }
-    PyFrameObject *f = _PyFrame_GetFrameObject(tstate->cframe->current_frame);
+    PyFrameObject *f = _PyFrame_GetFrameObject(frame);
     if (f == NULL) {
         PyErr_Clear();
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix a crash occurring when :c:func:`PyEval_GetFrame` is called while the
	`2`	`+topmost Python frame is in a partially-initialized state.`
Original file line number	Diff line number	Diff line change
`@@ -7115,11 +7115,14 @@ _PyEval_GetFrame(void)`
`7115`	`7115`	`PyFrameObject *`
`7116`	`7116`	`PyEval_GetFrame(void)`
`7117`	`7117`	`{`
`7118`		`- PyThreadState *tstate = _PyThreadState_GET();`
`7119`		`- if (tstate->cframe->current_frame == NULL) {`
	`7118`	`+ _PyInterpreterFrame *frame = _PyEval_GetFrame();`
	`7119`	`+ while (frame && _PyFrame_IsIncomplete(frame)) {`
	`7120`	`+ frame = frame->previous;`
	`7121`	`+ }`
	`7122`	`+ if (frame == NULL) {`
`7120`	`7123`	`return NULL;`
`7121`	`7124`	`}`
`7122`		`- PyFrameObject *f = _PyFrame_GetFrameObject(tstate->cframe->current_frame);`
	`7125`	`+ PyFrameObject *f = _PyFrame_GetFrameObject(frame);`
`7123`	`7126`	`if (f == NULL) {`
`7124`	`7127`	`PyErr_Clear();`
`7125`	`7128`	`}`