mirrors
/
cpython
mirror of https://github.com/python/cpython.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

gh-131998: Fix `NULL` dereference when using an unbound method descriptor in a specialized code path (#132000) 

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Mark Shannon <mark@hotpy.org>
This commit is contained in:
Peter Bierma 2025-04-08 06:31:43 -04:00 committed by GitHub
parent 3eda146035
commit ac3c439cdf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Lib/test/test_types.py
View File

@ -4,6 +4,7 @@
run_with_locale, cpython_only, no_rerun, run_with_locale, cpython_only, no_rerun,
MISSING_C_DOCSTRINGS, EqualToForwardRef, MISSING_C_DOCSTRINGS, EqualToForwardRef,
) )
from test.support.script_helper import assert_python_ok
from test.support.import_helper import import_fresh_module from test.support.import_helper import import_fresh_module
import collections.abc import collections.abc
@ -672,6 +673,24 @@ def test_traceback_and_frame_types(self):
def test_capsule_type(self): def test_capsule_type(self):
self.assertIsInstance(_datetime.datetime_CAPI, types.CapsuleType) self.assertIsInstance(_datetime.datetime_CAPI, types.CapsuleType)
def test_call_unbound_crash(self):
# GH-131998: The specialized instruction would get tricked into dereferencing
# a bound "self" that didn't exist if subsequently called unbound.
code = """if True:
def call(part):
[] + ([] + [])
part.pop()
for _ in range(3):
call(['a'])
try:
call(list)
except TypeError:
pass
"""
assert_python_ok("-c", code)
class UnionTests(unittest.TestCase): class UnionTests(unittest.TestCase):

2
Misc/NEWS.d/next/Core_and_Builtins/2025-04-01-22-24-19.gh-issue-131998.DvmZcT.rst Normal file
View File

@ -0,0 +1,2 @@
Fix a crash when using an unbound method :term:`descriptor` object in a
function where a bound method descriptor was used.

4
Python/bytecodes.c
View File

@ -4300,12 +4300,14 @@ dummy_func(
arguments--; arguments--;
total_args++; total_args++;
} }
EXIT_IF(total_args == 0);
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type)); EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type));
PyMethodDef *meth = method->d_method; PyMethodDef *meth = method->d_method;
EXIT_IF(meth->ml_flags != (METH_FASTCALL|METH_KEYWORDS)); EXIT_IF(meth->ml_flags != (METH_FASTCALL|METH_KEYWORDS));
PyTypeObject *d_type = method->d_common.d_type; PyTypeObject *d_type = method->d_common.d_type;
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
EXIT_IF(!Py_IS_TYPE(self, d_type)); EXIT_IF(!Py_IS_TYPE(self, d_type));
STAT_INC(CALL, hit); STAT_INC(CALL, hit);
int nargs = total_args - 1; int nargs = total_args - 1;
@ -4378,12 +4380,14 @@ dummy_func(
arguments--; arguments--;
total_args++; total_args++;
} }
EXIT_IF(total_args == 0);
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
/* Builtin METH_FASTCALL methods, without keywords */ /* Builtin METH_FASTCALL methods, without keywords */
EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type)); EXIT_IF(!Py_IS_TYPE(method, &PyMethodDescr_Type));
PyMethodDef *meth = method->d_method; PyMethodDef *meth = method->d_method;
EXIT_IF(meth->ml_flags != METH_FASTCALL); EXIT_IF(meth->ml_flags != METH_FASTCALL);
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
EXIT_IF(!Py_IS_TYPE(self, method->d_common.d_type)); EXIT_IF(!Py_IS_TYPE(self, method->d_common.d_type));
STAT_INC(CALL, hit); STAT_INC(CALL, hit);
int nargs = total_args - 1; int nargs = total_args - 1;

10
Python/executor_cases.c.h generated
View File

@ -5838,6 +5838,10 @@
arguments--; arguments--;
total_args++; total_args++;
} }
if (total_args == 0) {
UOP_STAT_INC(uopcode, miss);
JUMP_TO_JUMP_TARGET();
}
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) { if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) {
UOP_STAT_INC(uopcode, miss); UOP_STAT_INC(uopcode, miss);
@ -5850,6 +5854,7 @@
} }
PyTypeObject *d_type = method->d_common.d_type; PyTypeObject *d_type = method->d_common.d_type;
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
if (!Py_IS_TYPE(self, d_type)) { if (!Py_IS_TYPE(self, d_type)) {
UOP_STAT_INC(uopcode, miss); UOP_STAT_INC(uopcode, miss);
JUMP_TO_JUMP_TARGET(); JUMP_TO_JUMP_TARGET();
@ -5990,6 +5995,10 @@
arguments--; arguments--;
total_args++; total_args++;
} }
if (total_args == 0) {
UOP_STAT_INC(uopcode, miss);
JUMP_TO_JUMP_TARGET();
}
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) { if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) {
UOP_STAT_INC(uopcode, miss); UOP_STAT_INC(uopcode, miss);
@ -6001,6 +6010,7 @@
JUMP_TO_JUMP_TARGET(); JUMP_TO_JUMP_TARGET();
} }
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
if (!Py_IS_TYPE(self, method->d_common.d_type)) { if (!Py_IS_TYPE(self, method->d_common.d_type)) {
UOP_STAT_INC(uopcode, miss); UOP_STAT_INC(uopcode, miss);
JUMP_TO_JUMP_TARGET(); JUMP_TO_JUMP_TARGET();

12
Python/generated_cases.c.h generated
View File

@ -3333,6 +3333,11 @@
arguments--; arguments--;
total_args++; total_args++;
} }
if (total_args == 0) {
UPDATE_MISS_STATS(CALL);
assert(_PyOpcode_Deopt[opcode] == (CALL));
JUMP_TO_PREDICTED(CALL);
}
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) { if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) {
UPDATE_MISS_STATS(CALL); UPDATE_MISS_STATS(CALL);
@ -3346,6 +3351,7 @@
JUMP_TO_PREDICTED(CALL); JUMP_TO_PREDICTED(CALL);
} }
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
if (!Py_IS_TYPE(self, method->d_common.d_type)) { if (!Py_IS_TYPE(self, method->d_common.d_type)) {
UPDATE_MISS_STATS(CALL); UPDATE_MISS_STATS(CALL);
assert(_PyOpcode_Deopt[opcode] == (CALL)); assert(_PyOpcode_Deopt[opcode] == (CALL));
@ -3453,6 +3459,11 @@
arguments--; arguments--;
total_args++; total_args++;
} }
if (total_args == 0) {
UPDATE_MISS_STATS(CALL);
assert(_PyOpcode_Deopt[opcode] == (CALL));
JUMP_TO_PREDICTED(CALL);
}
PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o; PyMethodDescrObject *method = (PyMethodDescrObject *)callable_o;
if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) { if (!Py_IS_TYPE(method, &PyMethodDescr_Type)) {
UPDATE_MISS_STATS(CALL); UPDATE_MISS_STATS(CALL);
@ -3467,6 +3478,7 @@
} }
PyTypeObject *d_type = method->d_common.d_type; PyTypeObject *d_type = method->d_common.d_type;
PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]); PyObject *self = PyStackRef_AsPyObjectBorrow(arguments[0]);
assert(self != NULL);
if (!Py_IS_TYPE(self, d_type)) { if (!Py_IS_TYPE(self, d_type)) {
UPDATE_MISS_STATS(CALL); UPDATE_MISS_STATS(CALL);
assert(_PyOpcode_Deopt[opcode] == (CALL)); assert(_PyOpcode_Deopt[opcode] == (CALL));