Double decref and dereferencing after decref in int()

[serhiy-storchaka]

BPO	16060
Nosy	@birkenfeld, @jcea, @mdickinson, @benjaminp, @serhiy-storchaka
Files	float2int_dbl_decref.patch float2int_dbl_decref_2.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/mdickinson'
closed_at = <Date 2012-09-28.13:35:29.207>
created_at = <Date 2012-09-27.08:46:57.883>
labels = ['interpreter-core', 'type-crash']
title = 'Double decref and dereferencing after decref in int()'
updated_at = <Date 2012-09-29.07:27:39.936>
user = 'https://github.com/serhiy-storchaka'

bugs.python.org fields:

activity = <Date 2012-09-29.07:27:39.936>
actor = 'python-dev'
assignee = 'mark.dickinson'
closed = True
closed_date = <Date 2012-09-28.13:35:29.207>
closer = 'georg.brandl'
components = ['Interpreter Core']
creation = <Date 2012-09-27.08:46:57.883>
creator = 'serhiy.storchaka'
dependencies = []
files = ['27316', '27319']
hgrepos = []
issue_num = 16060
keywords = ['patch']
message_count = 12.0
messages = ['171371', '171376', '171380', '171382', '171383', '171385', '171386', '171388', '171415', '171424', '171461', '171556']
nosy_count = 6.0
nosy_names = ['georg.brandl', 'jcea', 'mark.dickinson', 'benjamin.peterson', 'python-dev', 'serhiy.storchaka']
pr_nums = []
priority = 'high'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue16060'
versions = ['Python 3.3']

[serhiy-storchaka]

In function convert_integral_to_int() in file Objects/abstract.c integral double decrefed and dereferenced after decrefing if returned value of __int__() is not int. Python 3.3 only affected.

Here is a patch.

[mdickinson]

Nice catch! And indeed, the following code generates a segfault on my machine:

    class B(object):
        def __int__(self):
            return 43.0

    class A(object):
        def __trunc__(self):
            return B()

    int(A())

The patch should probably include a regression test.

[serhiy-storchaka]

And indeed, the following code generates a segfault on my machine:

I was going to give similar example and assign crash type to issue, but on my machine it does not generate a segfault.

The patch should probably include a regression test.

Someone borrowed Guido's time machine and have already done this test (see NonIntegral in Lib/test/test_int.py).

[mdickinson]

That test doesn't look quite the same, though: the return value of __trunc__ is an object that has __trunc__ rather than __int__. And all the existing tests pass on my machine without issues.

[mdickinson]

Here's patch that adds a regression test.

[serhiy-storchaka]

Ah, it generates a segfault in debug mode.

LGTM.

[python-dev]

New changeset 690287f8ea95 by Mark Dickinson in branch 'default':
Issue bpo-16060: Fix a double DECREF in int() implementation. Thanks Serhiy Storchaka.
http://hg.python.org/cpython/rev/690287f8ea95

[mdickinson]

Applied. Thanks!

I'm not sure whether this is worthy of inclusion in Python 3.3.0; on one hand, it's a segfault from core Python. On the other, it doesn't look that easy to trigger by accident.

On balance, I'd say it's safe to wait for Python 3.3.1 for this. Adding Georg to the nosy in case he disagrees.

[jcea]

Serhiy, I wonder how you found this :)

[serhiy-storchaka]

Serhiy, I wonder how you found this :)

I just looked at the code for bpo-16036.

[birkenfeld]

Applied: d23eb81bd482.

[python-dev]

New changeset d23eb81bd482 by Mark Dickinson in branch 'default':
Issue bpo-16060: Fix a double DECREF in int() implementation. Thanks Serhiy Storchaka.
http://hg.python.org/cpython/rev/d23eb81bd482