[issue7788] segfault when deleting from a list using slice with very big `step' value
Mark Dickinson dicki...@gmail.com added the comment:

Yes, adding carefully placed (size_t) casts seems like the right way to solve the problem. I've fixed all (I think) the warnings in r78183, r78184, r78189. I also fixed one case (unrelated to this issue) of potential undefined behaviour from signed overflow.

--
resolution: -> fixed
stage: needs patch -> committed/rejected
status: open -> closed

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue7788
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Marcin Bachry hegel...@gmail.com added the comment:

I had odd problems matching line numbers reported by Windows compiler to actual sources, so I used gcc -Wextra to produce (even more) signedness warnings against Python 2.x r77957:

    listobject.c:132: warning: comparison between signed and unsigned integer expressions
    listobject.c:1435: warning: comparison between signed and unsigned integer expressions
    listobject.c:2639: warning: comparison between signed and unsigned integer expressions
    listobject.c:2655: warning: comparison between signed and unsigned integer expressions
    listobject.c:2661: warning: comparison between signed and unsigned integer expressions
    listobject.c:2670: warning: comparison between signed and unsigned integer expressions
    bytearrayobject.c:708: warning: comparison between signed and unsigned integer expressions
    bytearrayobject.c:716: warning: comparison between signed and unsigned integer expressions
    bytearrayobject.c:920: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:745: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:751: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:835: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:890: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1228: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1310: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1326: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1389: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1450: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1807: warning: comparison between signed and unsigned integer expressions
    arraymodule.c:1814: warning: comparison between signed and unsigned integer expressions

Most of them are due to comparisons between size_t variables and Py_SIZE() macro which points to signed ob_size member of type structure. Because the sequence types above don't hold negative numbers in ob_size, I think we can silence the warnings by doing explicit casts to size_t. Or we can ignore the warnings in buildbot. What do you think?
Mark Dickinson dicki...@gmail.com added the comment:

This patch is producing warnings about signed - unsigned comparisons on the Windows buildbots; these should be fixed. See:

http://www.python.org/dev/buildbot/all/builders/x86%20XP-4%202.6/builds/781/steps/compile/logs/warnings

--
priority: release blocker -> normal
status: closed -> open
Mark Dickinson dicki...@gmail.com added the comment:

Perfect! Applied in r77821 through r77824; thank you.

--
status: open -> closed
New submission from Jan Kaliszewski z...@chopin.edu.pl:

del list_instance([start : stop : very_big_step])
causes segfaults...

The boundary values seem to be:
* start -- near length of the list
* stop -- near (-length) of the list
* very_big_step -- near sys.maxint

Let examples speak...

    >>> from sys import maxint
    >>> del range(10)[::maxint]
    Segmentation fault

    >>> from sys import maxint
    >>> del range(10)[13::maxint]
    >>> del range(10)[12::maxint]
    >>> del range(10)[11::maxint]
    >>> del range(10)[10::maxint]
    >>> del range(10)[9::maxint]
    Segmentation fault

    >>> from sys import maxint
    >>> del range(10)[:-13:maxint]
    >>> del range(10)[:-12:maxint]
    >>> del range(10)[:-11:maxint]
    >>> del range(10)[:-10:maxint]
    >>> del range(10)[:-9:maxint]
    Segmentation fault

    >>> from sys import maxint
    >>> del range(10)[-8:8:maxint-5]
    >>> del range(10)[-8:8:maxint-4]
    >>> del range(10)[-8:8:maxint-3]
    >>> del range(10)[-8:8:maxint-2]
    Segmentation fault

System Info:
* Python 2.5.4 (r254:67916, Apr 4 2009, 17:55:16)
* [GCC 4.3.3] on linux2
* sys.maxint == 2147483647, sys.byteorder == 'little'
* Processor: Pentium 4
* libc version: 2.9 (2.9-4ubuntu6)

--
components: Interpreter Core
messages: 98348
nosy: zuo
severity: normal
status: open
title: segfault when deleting from a list using slice with very big `step' value
type: crash
versions: Python 2.5
Jan Kaliszewski z...@chopin.edu.pl added the comment:

** Erratum **

-- was:
del list_instance([start : stop : very_big_step])
causes segfaults...

-- should be:
del list_instance[start : stop : very_big_step]
causes segfaults...

** Post scriptum **

In each example only the last statement causes segmentation fault (previous are OK, and I attached them on purpose -- to show exemplary boundary values when things start going wrong).
Ezio Melotti ezio.melo...@gmail.com added the comment:

This is what I get on trunk:

    Python 2.7a2+ (trunk:77754:77755, Jan 26 2010, 20:16:49)
    [GCC 4.4.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from sys import maxint
    >>> del range(10)[::maxint]
    >>> del range(10)[:-9:maxint]
    >>> del range(10)[-8:8:maxint-2]
    >>> del range(10)[9::maxint]
    Segmentation fault

Confirmed on py3k too.

--
nosy: +ezio.melotti
priority: -> normal
stage: -> test needed
versions: +Python 2.6, Python 2.7, Python 3.1, Python 3.2 -Python 2.5
Changes by Mark Dickinson dicki...@gmail.com:

--
nosy: +mark.dickinson
Changes by Florent Xicluna la...@yahoo.fr:

--
nosy: +flox, haypo
Mark Dickinson dicki...@gmail.com added the comment:

Raising priority: it shouldn't be possible to crash Python this easily.

Ezio, are you on a 64-bit or 32-bit system?

--
priority: normal -> critical
Ezio Melotti ezio.melo...@gmail.com added the comment:

32bit, with sys.maxint/maxsize == 2147483647.
Jan Kaliszewski z...@chopin.edu.pl added the comment:

Interesting that in Py2.5...

    >>> del range(10)[::maxint]

...this causes segfault but in Py2.6 is ok, as well as in Py3.0 (with maxsize instead of maxint). (That's why I didn't notice that it concerns newer version than 2.5, and marked only 2.5).

But, as Ezio noted, e.g.:

    >>> del range(10)[5::maxint]

...crashes all of them, e.g:

    Python 3.0.1+ (r301:69556, Apr 15 2009, 15:59:22)
    [GCC 4.3.3] on linux2
    >>> from sys import maxsize
    >>> del list(range(10))[::maxsize]  # - OK
    >>> del list(range(10))[5::maxsize]
    Segmentation fault
Jan Kaliszewski z...@chopin.edu.pl added the comment:

PS. Is such a data-dependent segfault considered as security problem? (if it is, maybe Python2.5 should be kept in Versions list)
Mark Dickinson dicki...@gmail.com added the comment:

I don't immediately see why it would be considered a security issue.
Florent Xicluna la...@yahoo.fr added the comment:

For the record:

    >>> del bytearray('%%%')[1::1333]
    Segmentation fault
Mark Dickinson dicki...@gmail.com added the comment:

There's a suspicious looking test in list_ass_subscript in Objects/listobject.c:

    if (cur + step >= Py_SIZE(self)) {
        lim = Py_SIZE(self) - cur - 1;
    }

I think what's happening here is that cur + step is overflowing, so that the test fails.
Marcin Bachry hegel...@gmail.com added the comment:

I think the expression cur + step in line 2660 of listobject.c (py2.7 trunk) overflows to negative value and the if branch isn't entered.

    if (cur + step >= Py_SIZE(self)) {
        lim = Py_SIZE(self) - cur - 1;
    }

If I change the type of cur variable to unsigned int, the bug disappears. I don't know if it's ok to have unsigned cur here though - but I feel it is.

--
keywords: +patch
nosy: +marcin.bachry
Added file: http://bugs.python.org/file16015/maybe-a-fix.diff
Mark Dickinson dicki...@gmail.com added the comment:

Thanks. Yes, that fix seems to work. I also tried rewriting the suspect test as

    if (step >= Py_SIZE(self) - cur)

but this produced a different failure: it looks like there's more than one point with potential overflow for cur. Not to mention that the 'cur += step' in the for loop can produce undefined behaviour. So making cur unsigned looks like the right solution here.

It would be good to review the rest of this function for similar problems while we're fixing this.
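The bounds test discussed in the comments above, modeled for a 32-bit build as an added example (not code from the thread or from CPython). The function names, the fixed-width types standing in for Py_ssize_t and size_t, and the default lim = step - 1 are assumptions; the signed wraparound is emulated because really overflowing a signed integer is undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit model: Py_ssize_t -> int32_t, size_t -> uint32_t. Signed overflow
 * is undefined in C, so the wraparound is emulated in 64-bit arithmetic. */
static int32_t wrap32(int64_t v)
{
    return (int32_t)(v > INT32_MAX ? v - ((int64_t)1 << 32) : v);
}

/* Items to shift after deleting index cur, bounds test done on signed cur.
 * ASSUMPTION: lim defaults to step - 1 when the test is not taken. */
int64_t lim_signed(int32_t cur, int32_t step, int32_t size)
{
    int64_t lim = (int64_t)step - 1;
    if (wrap32((int64_t)cur + step) >= size)   /* sum may wrap negative */
        lim = (int64_t)size - cur - 1;
    return lim;
}

/* Same test with unsigned cur: cur < size and step are both <= INT32_MAX,
 * so cur + step always fits in 32 unsigned bits and cannot wrap. */
int64_t lim_unsigned(uint32_t cur, uint32_t step, uint32_t size)
{
    int64_t lim = (int64_t)step - 1;
    if (cur + step >= size)
        lim = (int64_t)size - cur - 1;
    return lim;
}

/* A shift of lim items starting at cur + 1 must end inside the list. */
int move_in_bounds(int64_t cur, int64_t lim, int64_t size)
{
    return lim >= 0 && cur + 1 + lim <= size;
}

int main(void)
{
    const int32_t size = 10, step = INT32_MAX, starts[] = {0, 5, 9};
    for (int i = 0; i < 3; i++) {
        int32_t cur = starts[i];
        int64_t s = lim_signed(cur, step, size);
        int64_t u = lim_unsigned((uint32_t)cur, (uint32_t)step, (uint32_t)size);
        printf("start=%d signed lim=%lld (%s) unsigned lim=%lld (%s)\n", cur,
               (long long)s, move_in_bounds(cur, s, size) ? "ok" : "OUT OF BOUNDS",
               (long long)u, move_in_bounds(cur, u, size) ? "ok" : "OUT OF BOUNDS");
    }
    return 0;
}
```

A start of 0 passes even with the signed test because 0 + maxint does not wrap, which matches the reports that `[::maxint]` survives on 2.6 while `[5::maxint]` and `[9::maxint]` crash.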
Mark Dickinson dicki...@gmail.com added the comment:

And judging by flox's result for bytearray, we should check all the other sequence types, too.

--
stage: test needed -> needs patch
Marcin Bachry hegel...@gmail.com added the comment:

Using grep I found the same code in Modules/arraymodule.c:

    >>> from array import array
    >>> del array('i', range(10))[9::1333]
Mark Dickinson dicki...@gmail.com added the comment:

Nice! Marcin, are you interested in contributing a patch that fixes the three known cases (bytearray, list, array), and also adds suitable tests?
Marcin Bachry hegel...@gmail.com added the comment:

Yes, I can give it a shot.
Mark Dickinson dicki...@gmail.com added the comment:

Great---thank you! I'll review the patch when it's ready.

--
assignee: -> mark.dickinson
Mark Dickinson dicki...@gmail.com added the comment:

Raising priority again. I'm not sure when 3.1.2 is going out, but I'd like to make sure that this issue at least gets considered before it does.

--
priority: critical -> release blocker
Marcin Bachry hegel...@gmail.com added the comment:

I attach the patch. I changed signedness in all three sequence types and made sure tests crash when run on unpatched Python.

--
Added file: http://bugs.python.org/file16019/fix.diff