[ python-Bugs-992017 ] code that generates a segfault on Python 2.1-2.3

Tue Jun 13 23:55:22 CEST 2006

Bugs item #992017, was opened at 2004-07-15 16:56
Message generated for change (Comment added) made by bcannon
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=992017&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: Python 2.4
Status: Closed
Resolution: Fixed
Priority: 7
Submitted By: Ted Bach (bachtor)
Assigned to: Nobody/Anonymous (nobody)
Summary: code that generates a segfault on Python 2.1-2.3

Initial Comment:
On a Redhat Linux 9 based system, the following causes
a segfault:

""" In python, you can call any expression.
"""

class foo:
  def __init__(s,times=1):
     s.times = times
  def __call__(s): print s.times
  def __mul__(s,o): return foo(o)
  def __coerce__(s,o):
    if isinstance(o,int):
      return o,s

(foo(3)*10)()   # no segfault

(10*foo(3))()   # segfaults
# prints 10

----------------------------------------------------------------------

>Comment By: Brett Cannon (bcannon)
Date: 2006-06-13 14:55

Message:
Logged In: YES 
user_id=357491

Actually, that's 46933, not 2 for the HEAD rev.

----------------------------------------------------------------------

Comment By: Brett Cannon (bcannon)
Date: 2006-06-13 14:51

Message:
Logged In: YES 
user_id=357491

Rev. 46932 for 2.5 and rev. 46934 for 2.4 has the fix.

----------------------------------------------------------------------

Comment By: Georg Brandl (birkenfeld)
Date: 2005-06-08 10:26

Message:
Logged In: YES 
user_id=1188172

Still persists with Python 2.4.

----------------------------------------------------------------------

Comment By: Armin Rigo (arigo)
Date: 2004-08-07 14:44

Message:
Logged In: YES 
user_id=4771

Here is a shorter example:

  class foo:
      def __coerce__(self, other):
          return other, self
  foo()+1   # segfault: infinite recursion in C

classobject.c seems hopelessly prone to infinite recursion in C: whenever an operation needs coercion, __coerce__ is called and the operator PyNumber_Xxx() is called again on the result.  The most obvious cases of recursion are taken care of, but there are and will always be more convoluted ways to create this recursion.

There might be a way to solve the problem cleanly but currently I only see the solution of adding a C recursion check (Py_EnterRecursiveCall / Py_LeaveRecursiveCall).

----------------------------------------------------------------------

Comment By: Dima Dorfman (ddorfman)
Date: 2004-07-22 07:18

Message:
Logged In: YES 
user_id=908995

This is not the same problem as bug #980352; this one is an infinite recusion 
in the instance code (deriving foo from object makes the example work).

----------------------------------------------------------------------

Comment By: Michael Hudson (mwh)
Date: 2004-07-16 06:45

Message:
Logged In: YES 
user_id=6656

Isn't this likely to be a dup of bug 

[ 980352 ] coercion results used dangerously

?  I haven't thought about either very hard, but both involve 
__coerce__ and core dumps...

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=992017&group_id=5470