Unaligned write in convertsimple()

[matoro]

While running the test suite for reportlab on sparc, an unaligned write is issued, which is fatal (SIGBUS) on the sparc architecture. I've submitted a fix in #94141, confirmed that it removes the crash and allows the entire reportlab test suite to pass, as well as passing the cpython test suite.

#0  0xfff80001007a98ac in convertsimple (arg=0x1000089a9d0, p_format=0x7feffb25bf8, p_va=0x7feffb260e0, flags=2, msgbuf=0x7feffb25e48 "", bufsize=256, freelist=0x7feffb25d38) at Python/getargs.c:921
921                 *psize = count;
(gdb) l
916             if (count < 0)
917                 return converterr(buf, arg, msgbuf, bufsize);
918             if (*format == '#') {
919                 REQUIRE_PY_SSIZE_T_CLEAN;
920                 Py_ssize_t *psize = va_arg(*p_va, Py_ssize_t*);
921                 *psize = count;
922                 format++;
923             } else {
924                 if (strlen(*p) != (size_t)count) {
925                     PyErr_SetString(PyExc_ValueError, "embedded null byte");
(gdb) ptype count
type = long
(gdb) p count
$1 = 14520
(gdb) ptype psize
type = long *
(gdb) p psize
$2 = (Py_ssize_t *) 0x7feffb261fc
(gdb) p 0x7feffb261fc % sizeof(long)
$3 = 4

Error messages

py-bt.txt - this is a Python traceback of the crash site generated by gdb's py-bt command.

bt-full.txt - traditional gdb backtrace.

Your environment

• CPython versions tested on: Observed issue on 3.10.5 and 3.9.12
• Operating system and architecture: Gentoo Linux 5.18.5 on 64-bit sparc.

[serhiy-storchaka]

I do not think that it can be unaligned in a correct code. Could you please show us the caller code? I suspect it contains a bug. Most likely -- passes a pointer to 32-bit integer where the pointer to Py_ssize_t is expected.

[matoro]

I do not think that it can be unaligned in a correct code. Could you please show us the caller code? I suspect it contains a bug. Most likely -- passes a pointer to 32-bit integer where the pointer to Py_ssize_t is expected.

Hi Serhiy, thank you for taking a look at this. I'm unsure what information you're looking for that's not already contained in the two tracebacks I provided - the should have the entire call stack for both the native and Python sides, with locals.

I was able to reproduce again with a simple clone from the reportlab master branch, with the below commands:

$ git clone 'https://github.com/MrBitBucket/reportlab-mirror'
$ pushd reportlab-mirror
$ python3.10 setup.py build
$ PYTHONPATH=../build/lib.linux-sparc64-cpython-310 python3.10 test_graphics_images.py -v
.......Bus error (core dumped)
$ file core
core: ELF 64-bit MSB core file, SPARC V9, total store ordering, version 1 (SYSV), SVR4-style, from 'python3.10 test_graphics_images.py -v', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/python3.10'

I can provide access to the live system this is occurring on if you do not have one to debug!

[matoro]

I do not think that it can be unaligned in a correct code. Could you please show us the caller code? I suspect it contains a bug. Most likely -- passes a pointer to 32-bit integer where the pointer to Py_ssize_t is expected.

Actually, based on what you mentioned here I took another look, and this indeed seems to be a bug in the downstream project. They are defining the length for a bytes-like object as an int: https://github.com/MrBitBucket/reportlab-mirror/blob/master/src/rl_addons/renderPM/_renderPM.c#L1322. It passes when I change this definition to a Py_ssize_t. I will close this bug & PR and submit this to the reportlab project. Thank you and sorry for the trouble!