Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash with an evil custom mro() on a metaclass #92112

Closed
izbyshev opened this issue May 1, 2022 · 6 comments
Closed

Crash with an evil custom mro() on a metaclass #92112

izbyshev opened this issue May 1, 2022 · 6 comments
Labels
type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@izbyshev
Copy link
Contributor

izbyshev commented May 1, 2022

Crash report

There is a path in type_mro_modified that results in double-free of *mro_meth:

A reproducer:

class B:
    pass

class M(type):
    def mro(cls):
        del M.mro
        return (B,)

class C(metaclass=M):
    pass

Crash with the debug CPython:

$ ./python mro-crasher.py
/home/test/cpython/Include/object.h:601: _Py_NegativeRefcount: Assertion failed: object has negative ref count
<object at 0x7f88c12d1a90 is freed>
Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized

Current thread 0x00007f88c13cb080 (most recent call first):
  File "/home/test/mro-crasher.py", line 9 in <module>
Aborted (core dumped)

This bug was introduced in #73052.
@izbyshev izbyshev added the type-crash A hard crash of the interpreter, possibly with a core dump label May 1, 2022
@izbyshev
Copy link
Contributor Author

izbyshev commented May 1, 2022

I'll open a PR shortly.

@izbyshev
Copy link
Contributor Author

izbyshev commented May 1, 2022

Opened #92113. @JulienPalard

JelleZijlstra pushed a commit that referenced this issue May 6, 2022
gh-92112: Fix crash triggered by an evil custom mro() (#92113)
85354ed
JelleZijlstra pushed a commit to JelleZijlstra/cpython that referenced this issue May 6, 2022
@JelleZijlstra
[3.10] pythongh-92112: Fix crash triggered by an evil custom mro() (p…
078e034 
…ythonGH-92113).

(cherry picked from commit 85354ed)

Co-authored-by: Alexey Izbyshev <[email protected]>
JelleZijlstra pushed a commit to JelleZijlstra/cpython that referenced this issue May 6, 2022
@JelleZijlstra
[3.9] pythongh-92112: Fix crash triggered by an evil custom mro() (p…
2a420e9 
…ythonGH-92113).

(cherry picked from commit 85354ed)

Co-authored-by: Alexey Izbyshev <[email protected]>
JelleZijlstra added a commit that referenced this issue May 7, 2022
@JelleZijlstra
[3.10] gh-92112: Fix crash triggered by an evil custom mro() (GH-92113
4674b31 
) (#92370)

(cherry picked from commit 85354ed)

Co-authored-by: Alexey Izbyshev <[email protected]>
@JulienPalard
Copy link
Member

Fixed by @izbyshev in #92113 (Thank you!).

ambv pushed a commit that referenced this issue May 16, 2022
@JelleZijlstra
[3.9] gh-92112: Fix crash triggered by an evil custom mro() (GH-92113
f82b324 
…) (GH-92372)

(cherry picked from commit 85354ed)

Co-authored-by: Alexey Izbyshev <[email protected]>
@The-Compiler The-Compiler mentioned this issue May 26, 2022
Closed
hello-adam pushed a commit to hello-adam/cpython that referenced this issue Jun 2, 2022
@JelleZijlstra @hello-adam
[3.9] pythongh-92112: Fix crash triggered by an evil custom mro() (p…
0562a9e 
…ythonGH-92113) (pythonGH-92372)

(cherry picked from commit 85354ed)

Co-authored-by: Alexey Izbyshev <[email protected]>
@ctismer
Copy link
Contributor

ctismer commented Jun 2, 2023

@izbyshev Thanks a lot for fixing this! We had problems with PySide and type creation and did a crude work-around.
The error is gone since Python 3.9.13.
Unfortunately, the same error is still in Python 3.8 (which we hopefully deprecate soon).
Is it ok if I re-open it?

@ctismer ctismer reopened this Jun 2, 2023
@JelleZijlstra
Copy link
Member

3.8 is in security fix-only mode, so we probably won't fix this.

@ctismer ctismer closed this as completed Jun 2, 2023
@ctismer
Copy link
Contributor

ctismer commented Jun 2, 2023

Ok, I understand. Closing the issue, again. Thanks

qtprojectorg pushed a commit to qtproject/pyside-pyside-setup that referenced this issue Jun 6, 2023
@ctismer
Shiboken: Remove an old patch that is no longer necessary
30a6849 
An old refcounting problem from 2019 was fixed by a crude
patch to class creation in basewrapper.cpp .
This patch now creates an assertion error in debug mode
when running the test for issue PYSIDE-2354.

The problem was actually a CPython bug and does only exist
in Python 3.8 until Python 3.9.12, for all other versions
it works fine.

See python/cpython#92112

[ChangeLog][shiboken6] An old patch for a Python 3.8-3.9.13 error was
                       timed out and removed from current versions.

Task-number: PYSIDE-939
Task-number: PYSIDE-2354
Change-Id: I6c077294dc61491b47b6e75e95fd669144fa0471
Pick-to: 6.5
Reviewed-by: Friedemann Kleint <[email protected]>
Reviewed-by: Adrian Herrmann <[email protected]>
qtprojectorg pushed a commit to qtproject/pyside-pyside-setup that referenced this issue Jun 6, 2023
@ctismer
Shiboken: Remove an old patch that is no longer necessary
95857c8 
An old refcounting problem from 2019 was fixed by a crude
patch to class creation in basewrapper.cpp .
This patch now creates an assertion error in debug mode
when running the test for issue PYSIDE-2354.

The problem was actually a CPython bug and does only exist
in Python 3.8 until Python 3.9.12, for all other versions
it works fine.

See python/cpython#92112

[ChangeLog][shiboken6] An old patch for a Python 3.8-3.9.13 error was
                       timed out and removed from current versions.

Task-number: PYSIDE-939
Task-number: PYSIDE-2354
Change-Id: I6c077294dc61491b47b6e75e95fd669144fa0471
Reviewed-by: Friedemann Kleint <[email protected]>
Reviewed-by: Adrian Herrmann <[email protected]>
(cherry picked from commit 30a6849)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@JulienPalard @JelleZijlstra @ctismer @izbyshev