Skip to content

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Apr 8, 2025
Merged

gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
345ad57
Fix crash when the stackref is NULL.
ZeroIntensity Apr 2, 2025
1914aca
Add a test.
ZeroIntensity Apr 2, 2025
5101034
Add a test case.
ZeroIntensity Apr 2, 2025
2233afe
Add blurb
ZeroIntensity Apr 2, 2025
538c83b
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
04b61df
Try removing the 'import glob' now.
ZeroIntensity Apr 2, 2025
cd12c28
Add back the 'import glob', it doesn't reproduce.
ZeroIntensity Apr 2, 2025
f73dd59
Update Lib/test/test_types.py
ZeroIntensity Apr 2, 2025
a2a07ea
Check for 'total_args' instead of 'self'
ZeroIntensity Apr 2, 2025
aefcf8a
Merge branch 'main' into gh-131998-method-descriptor-crash
ZeroIntensity Apr 7, 2025
0eb6933
Fix the damn import.
ZeroIntensity Apr 7, 2025
d1d5c0a
Apply suggestions from code review
ZeroIntensity Apr 8, 2025
0261714
Remove 'import glob'
ZeroIntensity Apr 8, 2025
99037ae
Fix stray newline change.
ZeroIntensity Apr 8, 2025
d87de41
Remove comment.
ZeroIntensity Apr 8, 2025
363acec
Merge branch 'main' into gh-131998-method-descriptor-crash
Yhg1s Apr 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions Lib/test/test_types.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
run_with_locale, cpython_only, no_rerun,
MISSING_C_DOCSTRINGS, EqualToForwardRef,
)
from test.support.script_helper import assert_python_ok
from test.support.import_helper import import_fresh_module

import collections.abc
Expand Down Expand Up @@ -672,6 +673,24 @@ def test_traceback_and_frame_types(self):
def test_capsule_type(self):
self.assertIsInstance(_datetime.datetime_CAPI, types.CapsuleType)

def test_call_unbound_crash(self):
# GH-131998: The specialized instruction would get tricked into dereferencing
# a bound "self" that didn't exist if subsequently called unbound.
code = """if True:

def call(part):
[] + ([] + [])
part.pop()

for _ in range(3):
call(['a'])
try:
call(list)
except TypeError:
pass
"""
assert_python_ok("-c", code)


class UnionTests(unittest.TestCase):

Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Core_and_Builtins/2025-04-01-22-24-19.gh-issue-131998.DvmZcT.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Fix a crash when using an unbound method :term:`descriptor` object in a
function where a bound method descriptor was used.
4 changes: 4 additions & 0 deletions Python/bytecodes.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4300,12 +4300,14 @@ dummy_func(
arguments--;
total_args++;
}
EXIT_IF(total_args == 0);
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type));
PyMethodDef *meth = method->d_method;
EXIT_IF(meth->ml_flags != (METH_FASTCALL|METH_KEYWORDS));
PyTypeObject *d_type = method->d_common.d_type;
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
EXIT_IF(!Py_IS_TYPE(self, d_type));
STAT_INC(CALL, hit);
int nargs = total_args - 1;
Expand Down Expand Up @@ -4378,12 +4380,14 @@ dummy_func(
arguments--;
total_args++;
}
EXIT_IF(total_args == 0);
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
/* Builtin METH_FASTCALL methods, without keywords */
EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type));
PyMethodDef *meth = method->d_method;
EXIT_IF(meth->ml_flags != METH_FASTCALL);
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
EXIT_IF(!Py_IS_TYPE(self, method->d_common.d_type));
STAT_INC(CALL, hit);
int nargs = total_args - 1;
Expand Down
10 changes: 10 additions & 0 deletions Python/executor_cases.c.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 12 additions & 0 deletions Python/generated_cases.c.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading