[fuzzer] Parser null deref with continuation characters and generator parenthesis error #89657
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
assignee = None
closed_at = <Date 2021-10-20.16:53:29.072>
created_at = <Date 2021-10-16.14:24:17.142>
labels = ['interpreter-core', '3.10', '3.9', 'type-crash', '3.11']
title = '[fuzzer] Parser null deref with continuation characters and generator parenthesis error'
updated_at = <Date 2021-11-20.17:59:41.789>
user = 'https://github.com/ammaraskar'

activity = <Date 2021-11-20.17:59:41.789>
actor = 'miss-islington'
assignee = 'none'
closed = True
closed_date = <Date 2021-10-20.16:53:29.072>
closer = 'lukasz.langa'
components = ['Parser']
creation = <Date 2021-10-16.14:24:17.142>
creator = 'ammar2'
dependencies =
files =
hgrepos =
issue_num = 45494
keywords = ['patch']
message_count = 11.0
messages = ['404082', '404099', '404117', '404119', '404341', '404349', '404359', '404494', '404497', '406677', '406678']
nosy_count = 6.0
nosy_names = ['gregory.p.smith', 'lukasz.langa', 'ammar2', 'lys.nikolaou', 'pablogsal', 'miss-islington']
pr_nums = ['28993', '29070', '29071', '29108', '29672']
priority = 'high'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue45494'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']
Another parser crash found by the fuzzer:
```
>>> import ast
>>> ast.literal_eval('"\\\n"(1for c in I,\\\n\\')
17916 segmentation fault  ./python
>>> import ast
>>> ast.literal_eval(r'''
... "\
... "(1for c in I,\
... \ ''')
17935 segmentation fault  ./python
```
Raw ASAN stacktrace
==1668==The signal is caused by a READ memory access.
I confirmed that 3.9 does NOT seem to have the problem:
```
Python 3.9.5 (default, May 19 2021, 11:32:47)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> x = r'''
... "\
... "(1for c in I,\
... \ '''
>>> import ast
>>> ast.literal_eval(x)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/ast.py", line 62, in literal_eval
    node_or_string = parse(node_or_string, mode='eval')
  File "/usr/lib/python3.9/ast.py", line 50, in parse
    return compile(source, filename, mode, flags,
  File "<unknown>", line 3
    "\
     ^
SyntaxError: Generator expression must be parenthesized
```
Note: this *does* fail on 3.9, too. Even if it doesn't crash the production build, it does fail an assertion in a pydebug build:
test_error_offset_continuation_characters (test.test_exceptions.ExceptionTests) ...
Assertion failed: (!_PyErr_Occurred(tstate)), function _PyObject_Call, file Objects/call.c, line 261.
Current thread 0x00000001184d1dc0 (most recent call first):
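A small triage harness for the reproducer above, added here as an example and not code from the issue, from CPython, or from any of the participants. It parses each input in a child interpreter so that a parser crash (SIGSEGV on a release build, SIGABRT from the failed assertion on a pydebug build) kills the child rather than the harness, and classifies the outcome from the exit status and stderr. The category names, `run_reproducer`, `classify`, and the benign control input are assumptions of this example; the crash input is the first reproducer from the report. On a fixed interpreter the reproducer must land in the `syntax_error` bucket, never `crash`.

```python
"""Regression harness for the parser crash reported in this issue (bpo-45494).

Added example, not code from the issue or from CPython: every input is parsed
in a fresh child interpreter, and the outcome is classified from the child's
exit status and stderr, so a null dereference in the parser shows up as a
signal death instead of taking the harness down with it.
"""
import subprocess
import sys

# Reproducer copied from the issue: a backslash-continued string literal
# followed by an unparenthesized generator expression and a trailing
# line-continuation character.
CRASH_INPUT = '"\\\n"(1for c in I,\\\n\\'

# Constructed control input that ast.literal_eval must accept.
BENIGN_INPUT = "[1, 2, 3]"

# Child program: read the source from stdin and hand it to ast.literal_eval,
# the entry point used by the fuzzer reproducer.
CHILD_PROGRAM = "import ast, sys\nast.literal_eval(sys.stdin.read())\n"


def classify(returncode: int, stderr: str) -> str:
    """Map a child's exit status to a triage category (names are this example's own).

    On POSIX a negative return code means the child died from a signal
    (-11 is SIGSEGV, -6 is SIGABRT from a failed pydebug assertion), so that
    is the 'crash' bucket. A traceback ending in SyntaxError is the fixed
    behaviour; anything else non-zero is 'other_error'.
    """
    if returncode < 0:
        return "crash"
    if returncode == 0:
        return "accepted"
    if "SyntaxError" in stderr:
        return "syntax_error"
    return "other_error"


def run_reproducer(source: str, python: str = sys.executable, timeout: float = 30.0):
    """Parse `source` in a child interpreter; return (category, returncode, stderr)."""
    proc = subprocess.run(
        [python, "-c", CHILD_PROGRAM],
        input=source,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return classify(proc.returncode, proc.stderr), proc.returncode, proc.stderr


if __name__ == "__main__":
    for name, source in (("benign", BENIGN_INPUT), ("bpo-45494", CRASH_INPUT)):
        category, code, _ = run_reproducer(source)
        print(f"{name}: {category} (exit status {code})")
```

Point `python=` at the interpreter under test (a pydebug build, or a specific 3.9/3.10 binary) to compare builds; the signal-based classification is POSIX-specific, since Windows reports crashes as large positive exit codes.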
Hello @ammaraskar, it looks like you are (or were) fuzzing this repository, and you’ve found some interesting bugs. 🥇
I would like to create a Python-based test case reduction test suite that contains fuzzer-generated outputs, and benchmark how automatic test case reducers perform on Python inputs. It looks to me like you have opened this issue with the already reduced input that caused the malfunction. Is it possible that you still have the output of the fuzzer, which is free of any reduction?
I’m also interested in these issues of yours:
with the same motivation.
Thanks in advance,