Py_CLEAR(tmp) seg faults #47524

stutzbach · 2008-07-03T17:54:08Z

BPO	3274
Nosy	@ncoghlan, @avassalotti

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2008-07-13.20:43:46.039>
created_at = <Date 2008-07-03.17:54:08.316>
labels = ['interpreter-core', 'type-crash']
title = 'Py_CLEAR(tmp) seg faults'
updated_at = <Date 2008-07-13.20:43:46.005>
user = 'https://bugs.python.org/stutzbach'

bugs.python.org fields:

activity = <Date 2008-07-13.20:43:46.005>
actor = 'alexandre.vassalotti'
assignee = 'none'
closed = True
closed_date = <Date 2008-07-13.20:43:46.039>
closer = 'alexandre.vassalotti'
components = ['Interpreter Core']
creation = <Date 2008-07-03.17:54:08.316>
creator = 'stutzbach'
dependencies = []
files = []
hgrepos = []
issue_num = 3274
keywords = []
message_count = 4.0
messages = ['69213', '69498', '69500', '69621']
nosy_count = 3.0
nosy_names = ['ncoghlan', 'alexandre.vassalotti', 'stutzbach']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue3274'
versions = ['Python 2.5', 'Python 3.0']

stutzbach · 2008-07-03T17:54:07Z

I'm writing a C extension module and discovered that Py_CLEAR() causes a
crash if the programmer happened to name their variable "tmp". The
Py_CLEAR() macro internally uses the name "tmp" in a new scope, hiding
the callers "tmp", and calling Py_DECREF() on an essentially random bit
of memory.

I suggest changing Py_CLEAR() to use something a little less common than
"tmp". Perhaps "_py_tmp".

For easy reference, here's how Py_CLEAR() is defined now:

#define Py_CLEAR(op)				\
        do {                            	\
                if (op) {			\
                        PyObject *tmp = (PyObject *)(op);	\
                        (op) = NULL;		\
                        Py_DECREF(tmp);		\
                }				\
        } while (0)

ncoghlan · 2008-07-10T10:11:07Z

A better option may be to append _tmp to the passed in token:

#define Py_CLEAR(op)				\
        do {                            	\
                if (op) {			\
                        PyObject *op##_tmp = (PyObject *)(op);	\
                        (op) = NULL;		\
                        Py_DECREF(op##_tmp);		\
                }				\
        } while (0)

stutzbach · 2008-07-10T12:24:54Z

Appending _tmp is a good idea, but it won't work when the parameter
isn't a simple symbol. For example, there's a line in cPickle.c like
this: Py_CLEAR(*p).

avassalotti · 2008-07-13T20:43:46Z

Committed the fix r64927. Thanks.

stutzbach mannequin added interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump labels Jul 3, 2008

avassalotti closed this as completed Jul 13, 2008

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Py_CLEAR(tmp) seg faults #47524

Py_CLEAR(tmp) seg faults #47524

stutzbach mannequin commented Jul 3, 2008

stutzbach mannequin commented Jul 3, 2008

ncoghlan commented Jul 10, 2008

stutzbach mannequin commented Jul 10, 2008

avassalotti commented Jul 13, 2008

Py_CLEAR(tmp) seg faults #47524

Py_CLEAR(tmp) seg faults #47524

Comments

stutzbach mannequin commented Jul 3, 2008

stutzbach mannequin commented Jul 3, 2008

ncoghlan commented Jul 10, 2008

stutzbach mannequin commented Jul 10, 2008

avassalotti commented Jul 13, 2008