Incorrect arguments in function select() cause segfault #88881

Open
xxm mannequin opened this issue Jul 23, 2021 · 2 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump

Comments

xxm mannequin commented Jul 23, 2021

BPO 44718
Nosy @ronaldoussoren

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-07-23.04:25:27.360>
labels = ['interpreter-core', '3.8', '3.9', '3.10', '3.11', '3.7', 'type-crash']
title = 'Incorrect arguments in function select()  cause segfault'
updated_at = <Date 2021-07-23.08:48:04.728>
user = 'https://bugs.python.org/xxm'

bugs.python.org fields:

activity = <Date 2021-07-23.08:48:04.728>
actor = 'ronaldoussoren'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Interpreter Core']
creation = <Date 2021-07-23.04:25:27.360>
creator = 'xxm'
dependencies = []
files = []
hgrepos = []
issue_num = 44718
keywords = []
message_count = 2.0
messages = ['398027', '398036']
nosy_count = 2.0
nosy_names = ['ronaldoussoren', 'xxm']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue44718'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

xxm mannequin commented Jul 23, 2021

The following program can trigger a segfault on all releases of Python. I think it may be caused by incorrect arguments.

Version of Python: 3.6 - master(3.11.0a0)
system: ubuntu 16.04

test.py
================================

import select
import sys

def test_select_mutated():
    a = []

    class F:
        def fileno(a):
            del test_select_mutated()[-1]
            return sys.__stdout__.fileno()
    a[:] = [F()] * 10
    select.select([], a, []), ([], a[:5], [])

test_select_mutated()

================================

output:
---------------------------------------------------------------------
xxm@xxm:~$ '/home/xxm/Desktop/compiler/cpython-main/python' test.py
Segmentation fault (core dumped)
---------------------------------------------------------------------

@xxm xxm mannequin added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump labels Jul 23, 2021
@ronaldoussoren
Contributor

The problem is related to recursion: the code basically ends up with an unlimited number of iterations of select.select and test_select_mutated on the call stack, and this doesn't trigger the stack depth checker.

The following definition of class F triggers the same error:

    class F:
        def fileno(self):
            test_select_mutated()
            return self.fileno()

The call stack behaviour can be observed by using the fault handler (python3.9 -Xfaulthandler crash.py), although you won't see select.select in the traceback due to it being a C extension function.

Fixing this would basically require adding a stack depth check to the PyObject_Call family of functions. I don't know if a PR for that would be accepted due to the possible performance impact.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
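
An added example, not code from this issue or from CPython: a harness that runs a script in a child interpreter with `-X faulthandler`, so a hard crash cannot take down the caller, and counts repeated functions in the faulthandler dump to expose the recursion cycle described in the comment above. `run_isolated` and `SAMPLE_CHILD` are hypothetical names; the sample child is constructed and sends itself SIGSEGV instead of overflowing the stack, and POSIX signal semantics are assumed.

```python
import collections
import re
import signal
import subprocess
import sys

# faulthandler frame lines look like:   File "crash.py", line 7 in fileno
FRAME_RE = re.compile(r'^\s+File "(.+)", line (\d+) in (\S+)', re.M)

# Constructed stand-in for a crashing script: two functions recurse into each
# other, then the process sends itself SIGSEGV (no real stack overflow needed).
SAMPLE_CHILD = """
import os, signal
def fileno(depth):
    return test_select_mutated(depth - 1)
def test_select_mutated(depth):
    if depth == 0:
        os.kill(os.getpid(), signal.SIGSEGV)
    return fileno(depth)
test_select_mutated(20)
"""

def run_isolated(source, timeout=30):
    """Run source in a child interpreter with faulthandler on and classify the exit."""
    proc = subprocess.run(
        [sys.executable, "-X", "faulthandler", "-c", source],
        capture_output=True, text=True, timeout=timeout)
    # Count how often each function appears in the faulthandler dump.
    frames = collections.Counter(m.group(3) for m in FRAME_RE.finditer(proc.stderr))
    if proc.returncode < 0:      # POSIX: negative return code = killed by signal
        outcome = "killed by " + signal.Signals(-proc.returncode).name
    elif proc.returncode == 0:
        outcome = "ok"
    else:
        outcome = "python exception"
    return {
        "outcome": outcome,
        "frames": frames,
        # Functions seen more than once, most frequent first: the recursion cycle.
        "recursive": [name for name, n in frames.most_common() if n > 1],
        "stderr": proc.stderr,
    }

if __name__ == "__main__":
    report = run_isolated(SAMPLE_CHILD)
    print(report["outcome"], report["recursive"])
```

A script that ends in an ordinary RecursionError is reported as "python exception", while one that dies the way the issue describes is reported as "killed by SIGSEGV". As in the comment above, C functions (here `os.kill`) do not appear among the counted frames.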