Title: crash in long_vectorcall in longobject.c · Issue #114050 · python/cpython · GitHub
Open Graph Title: crash in long_vectorcall in longobject.c · Issue #114050 · python/cpython
X Title: crash in long_vectorcall in longobject.c · Issue #114050 · python/cpython
Description: Crash report What happened? PyErr_Format function has wrong a format string %s. So, the format string must be removed. A python executable with building attached patch file do work well. trigger code class evil(1): pass Root cause source...
Open Graph Description: Crash report What happened? PyErr_Format function has wrong a format string %s. So, the format string must be removed. A python executable with building attached patch file do work well. trigger co...
X Description: Crash report What happened? PyErr_Format function has wrong a format string %s. So, the format string must be removed. A python executable with building attached patch file do work well. trigger co...
Opengraph URL: https://github.com/python/cpython/issues/114050
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"crash in long_vectorcall in longobject.c","articleBody":"# Crash report\n\n### What happened?\n\n\n\nPyErr_Format function has wrong a format string `%s`.\nSo, the format string must be removed.\nA python executable with building attached patch file do work well.\n\n\n\n1. trigger code\n```python\nclass evil(1):\n pass\n\n```\n\n\n\n\n2. Root cause source location\n\n\n```c\nstatic PyObject *\nlong_vectorcall(PyObject *type, PyObject * const*args,\n size_t nargsf, PyObject *kwnames)\n{\n Py_ssize_t nargs = PyVectorcall_NARGS(nargsf);\n if (kwnames != NULL) {\n PyThreadState *tstate = PyThreadState_GET();\n return _PyObject_MakeTpCall(tstate, type, args, nargs, kwnames);\n }\n switch (nargs) {\n case 0:\n return _PyLong_GetZero();\n case 1:\n return PyNumber_Long(args[0]);\n case 2:\n return long_new_impl(_PyType_CAST(type), args[0], args[1]);\n default:\n return PyErr_Format(PyExc_TypeError,\n \"int expected at most 2 argument%s, got %zd\", // \u003c-- here\n nargs);\n }\n}\n```\n\n\n4. patch file\n[bugfix.patch](https://github.com/python/cpython/files/13930636/bugfix.patch)\n\n5. asan log\n\u003cdetails\u003e\u003csummary\u003e asan\u003c/summary\u003e\n\u003cp\u003e\n\n==146567==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0xffffa3159950 bp 0xffffcc068cc0 sp 0xffffcc068cc0 T0)\n==146567==The signal is caused by a READ memory access.\n==146567==Hint: address points to the zero page.\n #0 0xffffa3159950 (/lib/aarch64-linux-gnu/libc.so.6+0x99950)\n #1 0xffffa334e078 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:387\n #2 0xaaaaca78de70 in unicode_fromformat_write_cstr Objects/unicodeobject.c:2384\n #3 0xaaaaca78f3f0 in unicode_fromformat_arg Objects/unicodeobject.c:2697\n #4 0xaaaaca78fa1c in PyUnicode_FromFormatV Objects/unicodeobject.c:2816\n #5 0xaaaaca926bc4 in _PyErr_FormatV Python/errors.c:1161\n #6 0xaaaaca9246e4 in PyErr_Format Python/errors.c:1196\n #7 0xaaaaca62187c in long_vectorcall Objects/longobject.c:6173\n #8 0xaaaaca58a540 in _PyObject_VectorcallDictTstate Objects/call.c:135\n #9 0xaaaaca58a7b8 in PyObject_VectorcallDict Objects/call.c:159\n #10 0xaaaaca861a10 in builtin___build_class__ Python/bltinmodule.c:216\n #11 0xaaaaca66cc70 in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441\n #12 0xaaaaca58661c in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168\n #13 0xaaaaca586758 in PyObject_Vectorcall Objects/call.c:327\n #14 0xaaaaca8a2120 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:4344\n #15 0xaaaaca8d5574 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115\n #16 0xaaaaca8d5574 in _PyEval_Vector Python/ceval.c:1783\n #17 0xaaaaca8d573c in PyEval_EvalCode Python/ceval.c:591\n #18 0xaaaaca9cb214 in run_eval_code_obj Python/pythonrun.c:1294\n #19 0xaaaaca9ce108 in run_mod Python/pythonrun.c:1379\n #20 0xaaaaca9cebfc in PyRun_InteractiveOneObjectEx Python/pythonrun.c:287\n #21 0xaaaaca9d0ce8 in _PyRun_InteractiveLoopObject Python/pythonrun.c:136\n #22 0xaaaaca9d16c8 in _PyRun_AnyFileObject Python/pythonrun.c:71\n #23 0xaaaaca9d181c in PyRun_AnyFileExFlags Python/pythonrun.c:103\n #24 0xaaaacaa2dbd0 in pymain_run_stdin Modules/main.c:517\n #25 0xaaaacaa2f9b8 in pymain_run_python Modules/main.c:631\n #26 0xaaaacaa2fc18 in Py_RunMain Modules/main.c:707\n #27 0xaaaacaa2fe08 in pymain_main Modules/main.c:737\n #28 0xaaaacaa30144 in Py_BytesMain Modules/main.c:761\n #29 0xaaaaca3eb4dc in main Programs/python.c:15\n #30 0xffffa30e73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #31 0xffffa30e74c8 in __libc_start_main_impl ../csu/libc-start.c:392\n #32 0xaaaaca3eb3ec in _start (/home/kk/projects/cpython/python+0x27b3ec)\n\nAddressSanitizer can not provide additional info.\nSUMMARY: AddressSanitizer: SEGV (/lib/aarch64-linux-gnu/libc.so.6+0x99950)\n==146567==ABORTING\n\n\n\u003c/p\u003e\n\u003c/details\u003e \n\n6. work well stdout in interpreter\n\n```\n\u003e\u003e\u003e class evil(1):\n... \tpass\n...\nTraceback (most recent call last):\n File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n class evil(1):\nTypeError: int expected at most 2 arguments, got 3\n\u003e\u003e\u003e\n```\n\n### CPython versions tested on:\n\nCPython main branch\n\n### Operating systems tested on:\n\nLinux\n\n### Output from running 'python -VV' on the command line:\n\nPython 3.13.0a2 (tags/v3.13.0a2-dirty:9c4347ef8b, Jan 14 2024, 06:56:06) [GCC 11.4.0]\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-114067\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/kcatss","@type":"Person","name":"kcatss"},"datePublished":"2024-01-14T07:11:53.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":5},"url":"https://github.com/114050/cpython/issues/114050"}| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:909f21bd-6910-8640-0c5c-742fedec7fad |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 9700:C07BE:30C0D0:410685:6969C27B |
| html-safe-nonce | 6076f8ee85ed72d1d6b20c5fdbc3848293caa866e0717466aa5fc526e915dab5 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5NzAwOkMwN0JFOjMwQzBEMDo0MTA2ODU6Njk2OUMyN0IiLCJ2aXNpdG9yX2lkIjoiNzYwNTU2Mzg1MzcxODAxMjUzOSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 1566d8501f24662747198ac17ae940b1f6ec528de8ef397b0e99de89c77b73cb |
| hovercard-subject-tag | issue:2080612803 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/python/cpython/114050/issue_layout |
| twitter:image | https://opengraph.githubassets.com/3b5d05f406425d5776ad9874f36b8adfbf52ebe0231c0f46401b8f272b22abfc/python/cpython/issues/114050 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/3b5d05f406425d5776ad9874f36b8adfbf52ebe0231c0f46401b8f272b22abfc/python/cpython/issues/114050 |
| og:image:alt | Crash report What happened? PyErr_Format function has wrong a format string %s. So, the format string must be removed. A python executable with building attached patch file do work well. trigger co... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | kcatss |
| hostname | github.com |
| expected-hostname | github.com |
| None | acedec8b5f975d9e3d494ddd8f949b0b8a0de59d393901e26f73df9dcba80056 |
| turbo-cache-control | no-preview |
| go-import | github.com/python/cpython git https://github.com/python/cpython.git |
| octolytics-dimension-user_id | 1525981 |
| octolytics-dimension-user_login | python |
| octolytics-dimension-repository_id | 81598961 |
| octolytics-dimension-repository_nwo | python/cpython |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 81598961 |
| octolytics-dimension-repository_network_root_nwo | python/cpython |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 83c08c21cdda978090dc44364b71aa5bc6dcea79 |
| ui-target | canary-1 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width