René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Panic in hash wrapping when user hash returns oversized int","articleBody":"### What happened?\n\nCalling `hash()` on an object whose `__hash__` returns an oversized integer (e.g., `1 \u003c\u003c 63`) causes a panic in hash_wrapper. The wrapper attempts to convert the BigInt to i64, then falls back to `% u64::MAX`, but that remainder can still be outside i64 and leads to `unwrap()` on None instead of raising a Python exception or normalizing safely.\n\n**Proof of Concept:**\n```python\nclass Evil:\n    def __hash__(self):\n        return 1 \u003c\u003c 63\n\nhash(Evil())\n```\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAffected Versions\u003c/strong\u003e\u003c/summary\u003e\n\n| RustPython Version | Status | Exit Code |\n|---|---|---|\n| `Python 3.13.0alpha (heads/main-dirty:21300f689, Dec 13 2025, 22:16:49) [RustPython 0.4.0 with rustc 1.90.0-nightly (11ad40bb8 2025-06-28)]` | Panic | 1 |\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eVulnerable Code\u003c/strong\u003e\u003c/summary\u003e\n\n```c\nfn hash_wrapper(zelf: \u0026PyObject, vm: \u0026VirtualMachine) -\u003e PyResult\u003cPyHash\u003e {\n    let hash_obj = vm.call_special_method(zelf, identifier!(vm, __hash__), ())?;\n    let py_int = hash_obj\n        .downcast_ref::\u003cPyInt\u003e()\n        .ok_or_else(|| vm.new_type_error(\"__hash__ method should return an integer\"))?;\n    let big_int = py_int.as_bigint();\n    let hash: PyHash = big_int\n        .to_i64()\n        .unwrap_or_else(|| (big_int % BigInt::from(u64::MAX)).to_i64().unwrap()); // Bug: u64::MAX should be i64::Max\n    Ok(hash)\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRust Output\u003c/strong\u003e\u003c/summary\u003e\n\n```\nthread 'main' panicked at crates/vm/src/types/slot.rs:369:72:\ncalled `Option::unwrap()` on a `None` value\nstack backtrace:\n   0: __rustc::rust_begin_unwind\n             at /rustc/11ad40bb839ca16f74784b4ab72596ad85587298/library/std/src/panicking.rs:697:5\n   1: core::panicking::panic_fmt\n             at /rustc/11ad40bb839ca16f74784b4ab72596ad85587298/library/core/src/panicking.rs:75:14\n   2: core::panicking::panic\n             at /rustc/11ad40bb839ca16f74784b4ab72596ad85587298/library/core/src/panicking.rs:145:5\n   3: core::option::unwrap_failed\n             at /rustc/11ad40bb839ca16f74784b4ab72596ad85587298/library/core/src/option.rs:2072:5\n   4: core::option::Option\u003cT\u003e::unwrap\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:1005:21\n   5: rustpython_vm::types::slot::hash_wrapper::{{closure}}\n             at ./crates/vm/src/types/slot.rs:369:72\n   6: core::option::Option\u003cT\u003e::unwrap_or_else\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:1050:21\n   7: rustpython_vm::types::slot::hash_wrapper\n             at ./crates/vm/src/types/slot.rs:369:10\n   8: rustpython_vm::protocol::object::\u003cimpl rustpython_vm::object::core::PyObject\u003e::hash\n             at ./crates/vm/src/protocol/object.rs:663:20\n   9: rustpython_vm::stdlib::builtins::builtins::hash\n             at ./crates/vm/src/stdlib/builtins.rs:440:13\n  10: core::ops::function::Fn::call\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5\n  11: rustpython_vm::function::builtin::\u003cimpl rustpython_vm::function::builtin::sealed::PyNativeFnInternal\u003c(rustpython_vm::function::builtin::OwnedParam\u003cT1\u003e,),R,rustpython_vm::vm::VirtualMachine\u003e for F\u003e::call_\n             at ./crates/vm/src/function/builtin.rs:126:17\n  12: \u003cF as rustpython_vm::function::builtin::IntoPyNativeFn\u003c(T,R,VM)\u003e\u003e::call\n             at ./crates/vm/src/function/builtin.rs:92:14\n  13: rustpython_vm::function::builtin::into_func::{{closure}}\n             at ./crates/vm/src/function/builtin.rs:50:40\n  14: \u003crustpython_vm::builtins::builtin_func::PyNativeFunction as rustpython_vm::types::slot::Callable\u003e::call\n             at ./crates/vm/src/builtins/builtin_func.rs:73:9\n  15: rustpython_vm::types::slot::Callable::slot_call\n             at ./crates/vm/src/types/slot.rs:1028:9\n  16: rustpython_vm::protocol::callable::PyCallable::invoke\n             at ./crates/vm/src/protocol/callable.rs:52:22\n  17: rustpython_vm::protocol::callable::\u003cimpl rustpython_vm::object::core::PyObject\u003e::call_with_args\n             at ./crates/vm/src/protocol/callable.rs:33:18\n  18: rustpython_vm::protocol::callable::\u003cimpl rustpython_vm::object::core::PyObject\u003e::call\n             at ./crates/vm/src/protocol/callable.rs:22:14\n  19: rustpython_vm::frame::ExecutingFrame::execute_call\n             at ./crates/vm/src/frame.rs:1880:30\n  20: rustpython_vm::frame::ExecutingFrame::execute_instruction\n             at ./crates/vm/src/frame.rs:667:22\n  21: rustpython_vm::frame::ExecutingFrame::run\n             at ./crates/vm/src/frame.rs:372:31\n  22: rustpython_vm::frame::\u003cimpl rustpython_vm::object::core::Py\u003crustpython_vm::frame::Frame\u003e\u003e::run::{{closure}}\n             at ./crates/vm/src/frame.rs:247:40\n  23: rustpython_vm::frame::\u003cimpl rustpython_vm::object::core::Py\u003crustpython_vm::frame::Frame\u003e\u003e::with_exec\n             at ./crates/vm/src/frame.rs:242:9\n  24: rustpython_vm::frame::\u003cimpl rustpython_vm::object::core::Py\u003crustpython_vm::frame::Frame\u003e\u003e::run\n             at ./crates/vm/src/frame.rs:247:14\n  25: rustpython_vm::vm::VirtualMachine::run_frame::{{closure}}\n             at ./crates/vm/src/vm/mod.rs:467:44\n  26: rustpython_vm::vm::VirtualMachine::with_frame::{{closure}}\n             at ./crates/vm/src/vm/mod.rs:495:26\n  27: rustpython_vm::vm::VirtualMachine::with_recursion\n             at ./crates/vm/src/vm/mod.rs:483:22\n  28: rustpython_vm::vm::VirtualMachine::with_frame\n             at ./crates/vm/src/vm/mod.rs:493:14\n  29: rustpython_vm::vm::VirtualMachine::run_frame\n             at ./crates/vm/src/vm/mod.rs:467:20\n  30: rustpython_vm::vm::VirtualMachine::run_code_obj\n             at ./crates/vm/src/vm/mod.rs:442:14\n  31: rustpython_vm::vm::compile::\u003cimpl rustpython_vm::vm::VirtualMachine\u003e::run_simple_file\n             at ./crates/vm/src/vm/compile.rs:93:26\n  32: rustpython_vm::vm::compile::\u003cimpl rustpython_vm::vm::VirtualMachine\u003e::run_any_file\n             at ./crates/vm/src/vm/compile.rs:57:14\n  33: rustpython_vm::vm::compile::\u003cimpl rustpython_vm::vm::VirtualMachine\u003e::run_script\n             at ./crates/vm/src/vm/compile.rs:50:14\n  34: rustpython::run_rustpython\n             at ./src/lib.rs:231:16\n  35: rustpython::run::{{closure}}\n             at ./src/lib.rs:112:41\n  36: rustpython_vm::vm::interpreter::Interpreter::run::{{closure}}\n             at ./crates/vm/src/vm/interpreter.rs:103:35\n  37: rustpython_vm::vm::interpreter::Interpreter::enter::{{closure}}\n             at ./crates/vm/src/vm/interpreter.rs:72:39\n  38: scoped_tls::ScopedKey\u003cT\u003e::set\n             at /home/jackfromeast/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/scoped-tls-1.0.1/src/lib.rs:137:9\n  39: rustpython_vm::vm::thread::enter_vm::{{closure}}\n             at ./crates/vm/src/vm/thread.rs:30:20\n  40: std::thread::local::LocalKey\u003cT\u003e::try_with\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/local.rs:315:12\n  41: std::thread::local::LocalKey\u003cT\u003e::with\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/local.rs:279:20\n  42: rustpython_vm::vm::thread::enter_vm\n             at ./crates/vm/src/vm/thread.rs:27:14\n  43: rustpython_vm::vm::interpreter::Interpreter::enter\n             at ./crates/vm/src/vm/interpreter.rs:72:9\n  44: rustpython_vm::vm::interpreter::Interpreter::run\n             at ./crates/vm/src/vm/interpreter.rs:103:24\n  45: rustpython::run\n             at ./src/lib.rs:112:27\n  46: rustpython::main\n             at ./src/main.rs:2:5\n  47: core::ops::function::FnOnce::call_once\n             at /home/jackfromeast/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5\nnote: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.\n```\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eCPython Output\u003c/strong\u003e\u003c/summary\u003e\n\n```\n(No output)\n```\n\u003c/details\u003e\n\n","author":{"url":"https://github.com/jackfromeast","@type":"Person","name":"jackfromeast"},"datePublished":"2025-12-27T04:53:40.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/6550/RustPython/issues/6550"}