Segfault from `asyncio.events._running_loop.setattr` with invalid name #127190

devdanzin · 2024-11-23T10:38:39Z

Crash report

What happened?

It's possible to segfault the interpreter by calling asyncio.events._running_loop.__setattr__ with a special class as name, as in this example:

import asyncio.events

class Liar1:
    def __eq__(self, other):
        return True

asyncio.events._running_loop.__setattr__(Liar1(), type)

The backtrace is:

#0  _copy_characters (to=<optimized out>, to_start=<optimized out>, from=<optimized out>,
    from_start=<optimized out>, how_many=<optimized out>, check_maxchar=0) at Objects/unicodeobject.c:1530
#1  0x000055555573497b in _copy_characters (check_maxchar=0, how_many=16842781, from_start=0,
    from=0x7ffff71a3cb0, to_start=<optimized out>, to=<optimized out>) at Objects/unicodeobject.c:1435
#2  _PyUnicode_FastCopyCharacters (how_many=16842781, from_start=0, from=0x7ffff71a3cb0,
    to_start=<optimized out>, to=<optimized out>) at Objects/unicodeobject.c:1562
#3  _PyUnicodeWriter_WriteStr (writer=0x7fffffffd660, str=0x7ffff71a3cb0) at Objects/unicodeobject.c:13635
#4  0x0000555555738abd in unicode_fromformat_arg (vargs=0x7fffffffd5d8,
    f=0x5555558d2a04 "U' is read-only", writer=0x7fffffffd660) at Objects/unicodeobject.c:2993
#5  unicode_from_format (writer=writer@entry=0x7fffffffd660,
    format=format@entry=0x5555558d29e8 "'%.100s' object attribute '%U' is read-only",
    vargs=vargs@entry=0x7fffffffd6c0) at Objects/unicodeobject.c:3167
#6  0x0000555555739a1f in PyUnicode_FromFormatV (
    format=format@entry=0x5555558d29e8 "'%.100s' object attribute '%U' is read-only",
    vargs=vargs@entry=0x7fffffffd6c0) at Objects/unicodeobject.c:3201
#7  0x00005555557c7770 in _PyErr_FormatV (vargs=0x7fffffffd6c0,
    format=0x5555558d29e8 "'%.100s' object attribute '%U' is read-only",
    exception=0x555555a89960 <_PyExc_AttributeError>, tstate=0x555555b08c10 <_PyRuntime+313456>)
    at Python/errors.c:1163
#8  PyErr_Format (exception=0x555555a89960 <_PyExc_AttributeError>,
    format=format@entry=0x5555558d29e8 "'%.100s' object attribute '%U' is read-only")
    at Python/errors.c:1198
#9  0x00005555558a613d in local_setattro (self=0x7ffff718d020, name=0x7ffff71a3cb0,
    v=0x555555a9c6e0 <PyType_Type>) at ./Modules/_threadmodule.c:1625
#10 0x00005555556dff7d in wrap_setattr (self=0x7ffff718d020, args=<optimized out>,
    wrapped=0x5555558a6070 <local_setattro>) at Objects/typeobject.c:9172

No threads, free-threading or JIT necessary for this to work.

In a debug built, an assertion fails instead:

Objects/unicodeobject.c:640: _PyUnicode_CheckConsistency: Assertion failed: PyType_HasFeature((_Py_TYPE(((PyObject*)((op))))), ((1UL << 28)))
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x20000549920
object refcount : 2
object type     : 0x200011e2810
object type name: Liar1
object repr     : <__main__.Liar1 object at 0x20000549920>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
Aborted

Found using fusil by @vstinner.

CPython versions tested on:

3.13, 3.14, CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a2+ experimental free-threading build (heads/main-dirty:a13e94d84bf, Nov 23 2024, 07:16:19) [GCC 11.4.0]

Linked PRs

The text was updated successfully, but these errors were encountered:

colesbury · 2024-11-23T17:32:45Z

The report says it's not specific to the JIT or free-threading :)

@devdanzin - if you're able to reproduce an issue on both the default (with GIL) build and free threading, it's probably more helpful to report the python -VV output from the main build (instead of free threading).

vstinner · 2024-11-28T14:16:29Z

The bug is unrelated to asyncio, it's a bug in threading.local:

import threading

class Loop(threading.local):
    attr = 1

class Liar1:
    def __eq__(self, other):
        return True

loop = Loop()
loop.__setattr__(Liar1(), 2)

It's a minor bug in the error handling of local_setattro(). I'm working on a fix.

Don't make the assumption that the first argument is a string. Use repr() to format the argument instead.

Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead.

vstinner · 2024-11-28T14:51:09Z

I wrote PR #127366 to fix the issue.

Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead.

Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead. (cherry picked from commit 20657fb) Co-authored-by: Victor Stinner <vstinner@python.org>

vstinner · 2024-11-28T16:37:44Z

Fixed by 20657fb. Thanks for your report @devdanzin.

…27368) gh-127190: Fix local_setattro() error handling (GH-127366) Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead. (cherry picked from commit 20657fb) Co-authored-by: Victor Stinner <vstinner@python.org>

…27367) gh-127190: Fix local_setattro() error handling (GH-127366) Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead. (cherry picked from commit 20657fb) Co-authored-by: Victor Stinner <vstinner@python.org>

devdanzin added the type-crash A hard crash of the interpreter, possibly with a core dump label Nov 23, 2024

picnixz added the topic-asyncio label Nov 23, 2024

github-project-automation bot added this to asyncio Nov 23, 2024

github-project-automation bot moved this to Todo in asyncio Nov 23, 2024

picnixz added extension-modules C modules in the Modules dir 3.13 bugs and security fixes topic-free-threading 3.14 new features, bugs and security fixes topic-JIT labels Nov 23, 2024

colesbury removed topic-free-threading topic-JIT labels Nov 23, 2024

vstinner removed the topic-asyncio label Nov 28, 2024

vstinner added a commit to vstinner/cpython that referenced this issue Nov 28, 2024

pythongh-127190: Fix local_setattro() error handling

21065c8

Don't make the assumption that the first argument is a string. Use repr() to format the argument instead.

vstinner added a commit to vstinner/cpython that referenced this issue Nov 28, 2024

pythongh-127190: Fix local_setattro() error handling

3aed959

Don't make the assumption that the first argument is a string. Use repr() to format the argument instead.

vstinner added a commit to vstinner/cpython that referenced this issue Nov 28, 2024

pythongh-127190: Fix local_setattro() error handling

77a860a

Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead.

bedevere-app bot mentioned this issue Nov 28, 2024

gh-127190: Fix local_setattro() error handling #127366

Merged

vstinner added a commit that referenced this issue Nov 28, 2024

gh-127190: Fix local_setattro() error handling (#127366)

20657fb

Don't make the assumption that the 'name' argument is a string. Use repr() to format the 'name' argument instead.

This was referenced Nov 28, 2024

[3.13] gh-127190: Fix local_setattro() error handling (GH-127366) #127367

Merged

[3.12] gh-127190: Fix local_setattro() error handling (GH-127366) #127368

Merged

vstinner closed this as completed Nov 28, 2024

github-project-automation bot moved this from Todo to Done in asyncio Nov 28, 2024

github-actions bot mentioned this issue Dec 1, 2024

Monthly issue metrics report hugovk/test#88

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault from `asyncio.events._running_loop.setattr` with invalid name #127190

Segfault from `asyncio.events._running_loop.setattr` with invalid name #127190

devdanzin commented Nov 23, 2024 •

edited by bedevere-app bot

Loading

colesbury commented Nov 23, 2024

vstinner commented Nov 28, 2024

vstinner commented Nov 28, 2024

vstinner commented Nov 28, 2024

Segfault from asyncio.events._running_loop.__setattr__ with invalid name #127190

Segfault from asyncio.events._running_loop.__setattr__ with invalid name #127190

Comments

devdanzin commented Nov 23, 2024 • edited by bedevere-app bot Loading

Crash report

What happened?

CPython versions tested on:

Operating systems tested on:

Output from running 'python -VV' on the command line:

Linked PRs

colesbury commented Nov 23, 2024

vstinner commented Nov 28, 2024

vstinner commented Nov 28, 2024

vstinner commented Nov 28, 2024

Segfault from `asyncio.events._running_loop.setattr` with invalid name #127190

Segfault from `asyncio.events._running_loop.setattr` with invalid name #127190

devdanzin commented Nov 23, 2024 •

edited by bedevere-app bot

Loading