[Python-bugs-list] [Bug #115987] Crash in __coerce__ (2.0b2)
noreply@sourceforge.net
noreply@sourceforge.net
Wed, 4 Oct 2000 20:02:09 -0700
Bug #115987, was updated on 2000-Oct-04 01:26
Here is a current snapshot of the bug.
Project: Python
Category: Core
Status: Open
Resolution: None
Bug Group: None
Priority: 7
Summary: Crash in __coerce__ (2.0b2)
Details: The example below results in a hard crash (Application Error) on w2k.
Python 2.0b2 (#6, Sep 26 2000, 14:59:21) [MSC 32 bit (Intel)] on win32
Type "copyright", "credits" or "license" for more information.
>>> class A:
... def __init__(self, v):
... self.v = v
... def __iadd__(self, v):
... return self.v + v
... def __coerce__(self, x):
... print "__coerce__", v
...
>>> a = A(5)
>>> a += 6
__coerce__
The instruction at "0x1e127647" referenced memory as 0x00000046". The memory could not be "read".
Follow-Ups:
Date: 2000-Oct-04 06:18
By: fdrake
Comment:
On Linux, I get the expected NameError after it prints "__coerce__".
Assigned to TIm since this appears to be Windows-specific.
-------------------------------------------------------
Date: 2000-Oct-04 20:02
By: tim_one
Comment:
Reassigned to Thomas, removed Platform-Specific.
INPLACE_ADD is leaving trash on the eval stack here, so what happens after that is a crap shoot (Windows just happens to blow up doing Py_INCREF(that_trash) later).
INPLACE_ADD calls PyNumber_InPlaceAdd.
That calls PyInstance_HalfBinOp.
That calls the __coerce__ method, which prints "__coerce__", wants to raise a NameError, and "coerced" is NULL.
So PyInstance_HalfBinOp returns -1, but has never stored into its **r_result argument.
Its **r_result argument was PyNumber_InPlaceAdd's &x, where x is an uninitialized local PyObject*.
PyNumber_InPlaceAdd returns this stack trash as its result.
INPLACE_ADD then pushes the trash on Python's stack.
Since the trash didn't happen to be NULL on Windows, ceval thinks everything is fine and continues on to the STORE_NAME opcode (which eventually leads to the blowup).
-------------------------------------------------------
For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=115987&group_id=5470