[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2018-07-27 Thread INADA Naoki
INADA Naoki added the comment: We ignore several crashes caused by exposing internal objects through the gc or weakref module. This case is not special enough to care about. -- resolution: -> wont fix stage: -> resolved status: open -> closed ___ Python tra

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread STINNER Victor
STINNER Victor added the comment: "But we should check dicts of all parents. It will have a significant penalty, especially for classes having a long mro (inheriting a metaclass from the typing module causes a long mro)." Oh right. That would defeat the whole purpose of the cache. Maybe we should not fix t

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread STINNER Victor
STINNER Victor added the comment: Another solution is to replace the class dict with a special type which invalidates the type cache on dict[key]=value. --

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread INADA Naoki
INADA Naoki added the comment: But we should check dicts of all parents. It will have a significant penalty, especially for classes having a long mro (inheriting a metaclass from the typing module causes a long mro). --

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread STINNER Victor
STINNER Victor added the comment:
> I don't know whether we should fix it or not. I don't have any idea how to fix this without any performance penalty.
The PEP 509 (dict version) might help if we want to fix this bug. -- nosy: +haypo

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread INADA Naoki
INADA Naoki added the comment: As Benjamin commented, this is caused by mutating the internal dict. PyType_Lookup() uses a "method cache", based on "tp_version_tag" in the type object. When you modify the internal dict directly, the namespace is changed without invalidating tp_version_tag. So cached pointer i
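The mechanism described in this message is easy to reason about with a small script. The following is an added example, not code from the tracker thread or from CPython itself: it recovers the real namespace dict behind the read-only `vars(cls)` proxy (the same object a class hands back through gc.get_referents), classifies any dict found during a gc walk as "type namespace, do not touch", and contrasts that with the supported update path, `setattr` on the class, which goes through type.__setattr__ and invalidates the method cache. It assumes CPython's gc.get_referents on a mappingproxy yields the wrapped dict and that a class's tp_traverse visits its tp_dict; the function names and the class `A` are constructed for the demonstration.

```python
import gc


def namespace_dict_of(cls):
    """Return the real namespace dict behind vars(cls), or None.

    vars(cls) hands out a read-only mappingproxy; the dict it wraps is an
    interpreter-internal object. Asking the GC what the proxy references
    yields that dict. This relies on CPython implementation details
    (mappingproxy and type tp_traverse), not on any public API.
    """
    for ref in gc.get_referents(vars(cls)):
        if type(ref) is dict:
            return ref
    return None


def is_type_namespace(obj):
    """True if obj is the internal namespace dict of some live class.

    Such a dict must never be mutated from Python: the class's
    tp_version_tag is not bumped, so PyType_Lookup's method cache keeps
    returning stale (possibly freed) entries.
    """
    if type(obj) is not dict:
        return False
    for referrer in gc.get_referrers(obj):
        if isinstance(referrer, type) and namespace_dict_of(referrer) is obj:
            return True
    return False


def safe_referents(obj):
    """gc.get_referents(obj) with class namespace dicts left out.

    A tool that walks the object graph (debuggers, leak hunters) can use
    this so it never hands a caller a dict it must not write to.
    """
    return [ref for ref in gc.get_referents(obj) if not is_type_namespace(ref)]


def update_class_attr(cls, name, value):
    """The supported path: type.__setattr__ writes the namespace and
    invalidates the method cache, so later lookups see the new value."""
    setattr(cls, name, value)
    return getattr(cls, name)


if __name__ == "__main__":
    # Constructed sample class, mirroring the shape of the issue's script.
    class A(object):
        def f(self):
            return "old"

    internal = namespace_dict_of(A)
    print("found internal dict:", internal is not None)
    print("gc.get_referents(A) exposes it:",
          any(r is internal for r in gc.get_referents(A)))
    print("safe_referents(A) hides it:",
          not any(r is internal for r in safe_referents(A)))
    update_class_attr(A, "f", lambda self: "new")
    print("after setattr, A().f() ->", A().f())
```

Running it prints that the internal dict is reachable through gc.get_referents on the class, that safe_referents filters it, and that an update made with setattr is visible to normal attribute lookup because the cache was invalidated on that path.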

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread geeknik
geeknik added the comment: So if I leave UBSan and ASan out of the equation and compile with gcc and run this script:
Program received signal SIGSEGV, Segmentation fault.
update_refs (containers=) at Modules/gcmodule.c:353
353 _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
(gdb) bt

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread INADA Naoki
INADA Naoki added the comment: I think it's a false positive of ASAN. We have a dynamically sized block. https://github.com/python/cpython/blob/3b0f620c1a2a21272a9e2aeca6ca1d1ac10f8162/Objects/dict-common.h#L49-L69 dictobject.c:547 calls memcpy to fill the block and the head pointer is defined as `int8

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-09 Thread Benjamin Peterson
Benjamin Peterson added the comment: Yeah, bad things happen when the underlying class dict, which isn't normally exposed to Python, is mutated. -- nosy: +benjamin.peterson

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-09 Thread geeknik
New submission from geeknik: Python 3.7 git commit 3ca9f50 compiled with afl-clang-fast on Ubuntu 16 x64. The following script triggers undefined behavior followed by a null pointer dereference and a segfault.
import gc
t0ing0=object()
class A(object):
    def f():0
    x=t0ing0
r=gc.get_refe