Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LOAD_ATTR_SLOT and STORE_ATTR_SLOT don't check the owner's type #99257

Closed
brandtbucher opened this issue Nov 8, 2022 · 0 comments
Closed

LOAD_ATTR_SLOT and STORE_ATTR_SLOT don't check the owner's type #99257

brandtbucher opened this issue Nov 8, 2022 · 0 comments
Assignees
@brandtbucher
Labels
3.11 3.12 interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@brandtbucher
Copy link
Member

brandtbucher commented Nov 8, 2022
edited by bedevere-bot

When specializing LOAD_ATTR_SLOT, we don't check whether the given member descriptor is valid for the type we got it from.

Here is a problematic example, where one class "borrows" a slot from another:

>>> class Class:
...     __slots__ = ("slot",)
... 
>>> class Sneaky:
...     borrowed = Class.slot
... 
>>> def f(o):
...     return o.borrowed
... 
>>> o = Sneaky()

The unspecialized code behaves correctly:

>>> f(o)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 2, in f
TypeError: descriptor 'slot' for 'Class' objects doesn't apply to a 'Sneaky' object

However, the specialized code crashes, since it is accessing memory past the end of the object:

>>> f(o)
Segmentation fault

We can fix this by performing the same check that the member descriptor performs (PyObject_TypeCheck(obj, descr->d_type)) when specializing.

CC @markshannon
@brandtbucher brandtbucher added interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker 3.11 type-crash A hard crash of the interpreter, possibly with a core dump 3.12 labels Nov 8, 2022
@brandtbucher brandtbucher self-assigned this Nov 8, 2022
This was referenced Nov 8, 2022
Merged
Merged
markshannon pushed a commit that referenced this issue Nov 10, 2022
@brandtbucher
GH-99257: Check the owner's type when specializing slots (GH-99258)
9d69284
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Nov 10, 2022
@brandtbucher @miss-islington
pythonGH-99257: Check the owner's type when specializing slots (pytho…
5e76567 
…nGH-99258)

(cherry picked from commit 9d69284)

Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>
brandtbucher added a commit that referenced this issue Nov 10, 2022
@miss-islington @brandtbucher
[3.11] GH-99257: Check the owner's type when specializing slots (GH-9…
f9a68be 
…9324)

(cherry picked from commit 9d69284)

Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>
ethanfurman pushed a commit to ethanfurman/cpython that referenced this issue Nov 12, 2022
@brandtbucher @ethanfurman
pythonGH-99257: Check the owner's type when specializing slots (pytho…
b455477 
…nGH-99258)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandtbucher brandtbucher

Labels
3.11 3.12 interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker type-crash A hard crash of the interpreter, possibly with a core dump
Projects
Release and Deferred blockers
Archived in project
Milestone
No milestone
Development

No branches or pull requests
1 participant
@brandtbucher