
specialized PRECALL opcodes don't check types #92063


Closed
sweeneyde opened this issue Apr 29, 2022 · 5 comments
Labels: 3.11 only security fixes; interpreter-core (Objects, Python, Grammar, and Parser dirs); release-blocker; type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

@sweeneyde (Member)

On the main branch, on both Windows and Linux, this crashes:

class Thing:
    # Unrelated to str: calling str's unbound methods on it must raise TypeError.
    pass

thing = Thing()

# Repeat the same call site so the interpreter gets a chance to specialize it.
for i in range(10):
    print(i)
    try:
        str.upper(thing)
    except TypeError:
        pass

print("ok")

Other methods like str.split, bytes.split, and list.sort fail similarly. I caught this by running

./python -m test test_descr -m test_proxy_call -R3:20

Looking through stack traces, it appears the failure is on the res = cfunc(...) call in the PRECALL_METHOD_DESCRIPTOR_FAST_WITH_KEYWORDS instruction. It looks to be a 3.11-only bug.

@sweeneyde added the labels 3.11 only security fixes, type-crash (A hard crash of the interpreter, possibly with a core dump) and interpreter-core (Objects, Python, Grammar, and Parser dirs) on Apr 29, 2022

@sweeneyde (Member, Author) commented Apr 29, 2022

If we're trying to emulate method_vectorcall_FASTCALL_KEYWORDS, then we're at least missing out on how method_check_args calls descr_check, which calls PyObject_TypeCheck(obj, descr->d_type). So we need one of these:

DEOPT_IF(!PyObject_TypeCheck(PEEK(nargs), callable->d_type));

or

DEOPT_IF(!Py_IS_TYPE(PEEK(nargs), callable->d_type));

I might have an off-by-one error.

cc @Fidget-Spinner @kumaraditya303
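To make the reproducer in the opening post and the guard discussion in the comment above concrete, here is an added example (not code from the issue, from its author, or from CPython) that models at Python level the two candidate guards, PyObject_TypeCheck and Py_IS_TYPE, deciding whether a specialized call would run the C function directly or deoptimize to the generic path, and that re-runs the reproducer's call shape in a loop to collect outcomes the way a regression test would. The names classify_fast_path, regression_outcomes, type_check, is_type and the class MyStr are mine, and the path labels are an illustrative model, not CPython's opcode names.

```python
"""Model of the receiver-type guard the specialized PRECALL paths need,
plus a behavioural regression check of the reproducer's call shape.
Added example; not code from the issue or from CPython."""


class Thing:
    """Unrelated to str: the receiver from the reproducer."""


class MyStr(str):
    """A str subclass (constructed here) to show where the two guards differ."""


def type_check(obj, d_type):
    """Python-level stand-in for PyObject_TypeCheck(obj, d_type):
    accepts d_type itself and any subclass of it."""
    return isinstance(obj, d_type)


def is_type(obj, d_type):
    """Python-level stand-in for Py_IS_TYPE(obj, d_type): exact type only."""
    return type(obj) is d_type


def classify_fast_path(guard, self_obj, d_type):
    """Which path a specialized PRECALL would take for receiver `self_obj`.

    `guard` is None (no check at all, the state the issue describes) or one
    of the two guards above, standing in for DEOPT_IF(!guard(self, d_type)).

    Returns one of:
      'deopt'        the guard fired; the generic call path re-checks the
                     receiver type and raises TypeError as usual
      'fast'         the C function runs directly on an object of the type
                     it was written for
      'fast-unsafe'  the C function runs directly on an object of the wrong
                     layout: the crash the issue reports
    """
    if guard is not None and not guard(self_obj, d_type):
        return "deopt"
    return "fast" if isinstance(self_obj, d_type) else "fast-unsafe"


def regression_outcomes(method, self_obj, rounds=10):
    """Call an unbound method descriptor repeatedly, as the reproducer does,
    and collect the distinct outcomes.

    A correct interpreter gives the same answer on every iteration, both
    before and after the call site warms up and gets specialized, so the
    returned set should always have exactly one element."""
    outcomes = set()
    for _ in range(rounds):
        try:
            outcomes.add(("ok", method(self_obj)))
        except TypeError:
            outcomes.add(("TypeError",))
    return outcomes


if __name__ == "__main__":
    guards = (("no guard", None),
              ("PyObject_TypeCheck", type_check),
              ("Py_IS_TYPE", is_type))
    for name, guard in guards:
        for recv in ("abc", MyStr("abc"), Thing()):
            path = classify_fast_path(guard, recv, str)
            print(f"{name:19} receiver={type(recv).__name__:6} -> {path}")
    # The reproducer's shape: str.upper on an unrelated object, ten times.
    print(regression_outcomes(str.upper, Thing()))
    print(regression_outcomes(str.upper, MyStr("abc")))
```

Both guards reject a Thing receiver, which is all the crash needs; they differ only on subclasses, where Py_IS_TYPE deoptimizes (still correct, just slower) and PyObject_TypeCheck keeps the fast path. The regression loop is the check to keep around: a single iteration cannot tell a specialized call site from a generic one, so it has to run past the specialization threshold and assert that every iteration agrees.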

@sweeneyde (Member, Author)

Marking as release blocker: it's easy to trigger but hard to reason about if you don't know about specialization, so it could create Heisenbugs, which would be unfortunate in the beta release.

@corona10 (Member) commented Apr 30, 2022

FYI, macOS meets the same issue as expected.

@sweeneyde (Member, Author)

It looks like PRECALL_NO_KW_METHOD_DESCRIPTOR_NOARGS is affected as well.

@sweeneyde (Member, Author)

PRECALL_NO_KW_METHOD_DESCRIPTOR_O as well

@sweeneyde changed the title from "PRECALL_METHOD_DESCRIPTOR_FAST_WITH_KEYWORDS doesn't check types" to "specialized PRECALL opcodes don't check types" on Apr 30, 2022
markshannon pushed a commit that referenced this issue Apr 30, 2022
* Check the types of PRECALL_METHOD_DESCRIPTOR_FAST_WITH_KEYWORDS

* fix PRECALL_NO_KW_METHOD_DESCRIPTOR_NOARGS as well

* fix PRECALL_NO_KW_METHOD_DESCRIPTOR_O

* fix PRECALL_NO_KW_METHOD_DESCRIPTOR_FAST