[New-bugs-announce] [issue11660] closure with too few cells segfaults

Eric Snow report at bugs.python.org
Thu Mar 24 08:00:30 CET 2011 

New submission from Eric Snow <ericsnowcurrently at gmail.com>:

While perhaps esoteric, it looks like exec'ing a code object that has freevars, using a closure that has too few cells causes a segfault.  I believe the problem is around line 3276 of ceval.c at the PyTuple_GET_ITEM call:

    if (PyTuple_GET_SIZE(co->co_freevars)) {
        int i;
        for (i = 0; i < PyTuple_GET_SIZE(co->co_freevars); ++i) {
>>>         PyObject *o = PyTuple_GET_ITEM(closure, i);
            Py_INCREF(o);
            freevars[PyTuple_GET_SIZE(co->co_cellvars) + i] = o;
        }
    }

I only bring this up because I am toying around with exposing a wrapper around PyEval_EvalCodeEx that is a more fully featured version of exec.  Here is an example of code where I ran into the problem:

def outer():
    x = 5
    y = 6
    def f(): return x,y
    z = 7
    def g(): return z
    exec_closure(f.__code__, closure=g.__closure__)

Incidently, it looks there isn't any check to see if len(closure) > len(freevars), which I would expect to be disallowed.  However, I understand that there hasn't really been any point to worry about it due to the current usage of PyEval_EvalCodeEx.  

If the above two constraints are appropriate I would love to see them added in with something like the following:

    if (closure == NULL)
        &closure = PyTuple_New(0);
    if (!PyTuple_Check(closure)) {
        PyErr_Format(PyExc_TypeError,
                     "closure must be a tuple");
        goto fail;        
    }
    Py_ssize_t nfreevars = PyTuple_GET_SIZE(co->co_freevars);
    Py_ssize_t ncells = PyTuple_GET_SIZE(closure);
    if (nfreevars != ncells) {
        PyErr_Format(PyExc_SystemError,
                     "Expected %s cells, received %s", 
                     nfreevars, ncells);
        goto fail;        
    }
    if (nfreevars) {
        int i;
        for (i = 0; i < PyTuple_GET_SIZE(co->co_freevars); ++i) {
            PyObject *o = PyTuple_GET_ITEM(closure, i);
            Py_INCREF(o);
            freevars[PyTuple_GET_SIZE(co->co_cellvars) + i] = o;
        }
    }

Alternately, I could just add some validation into exec_closure, if it's not worth bothering in ceval.c.

----------
components: Interpreter Core
messages: 131961
nosy: ericsnow
priority: normal
severity: normal
status: open
title: closure with too few cells segfaults
type: crash
versions: Python 3.3

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11660>
_______________________________________

More information about the New-bugs-announce mailing list