Bugs item #1451641, was opened at 2006-03-16 15:43
Message generated for change (Comment added) made by rhettinger
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Parser/Compiler
Group: Python 2.4
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Kristján Valur (krisvale)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in optimize_code()

Initial Comment:
The function optimize_code() is called, for example when unpickling code
objects. However, with corrupt data it can cause segfaults.
This is because of code such as:

    tgt = GETJUMPTGT(codestr, (i+1));
    if (codestr[tgt]) continue;

tgt can in this case easily be some nonsense and cause an access violation
when used as an index into codestr. This behaviour has been observed.

My particular patch is this:

    #define CHECK_I(i) do {if ((i)<0 || (i)>=codelen) goto exitError;} while(0)
    #define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);} while(0)
    #define CHECKJUMPTGT(i) do {CHECKARG(i); CHECK_I(i);} while(0)

then, adding tests such as

    CHECKJUMPTGT(j);

before code that looks like

    tgt = GETJUMPTGT(j);

and

    CHECK_I(tgt);

before

    codestr[tgt] = foo;

Also, this function needs to be able to raise an exception. jcompile() must
be able to deal with this case.

Finally, this is also an issue in 2.3 (actually, I discovered it there, but a
quick look seems to indicate it being a problem in 2.4 too).

----------------------------------------------------------------------

>Comment By: Raymond Hettinger (rhettinger)
Date: 2006-03-16 18:27

Message:
Logged In: YES
user_id=80475

For 2.4, Michael is correct and the optimizer only applied to internally
generated code.

Also, FWIW, in Py2.5, I'm planning to move the optimizer to appear before
the assembler instead of after -- this will both speed it up and simplify it.

Also, discussions on python-dev have noted that there are a number of ways
to make bad things happen if you execute corrupt byte-code.
IIRC, there is a proposal for a Java style byte-code verifier to be put in
place someday.

----------------------------------------------------------------------

Comment By: Michael Hudson (mwh)
Date: 2006-03-16 18:14

Message:
Logged In: YES
user_id=6656

I don't *think* optimize_code is called for unmarshalled code objects any
more (i.e. in 2.4 and 2.5/SVN HEAD). But I could be wrong.

If not, and so optimize_code is only called with code freshly generated from
the compiler, this isn't really an issue, is it?

----------------------------------------------------------------------

_______________________________________________
Python-bugs-list mailing list
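The bounds check the report above asks for, as an added illustration that is not code from CPython or from the reporter's patch; it uses a hypothetical, simplified bytecode encoding (3-byte instructions, one absolute and one relative jump opcode) rather than CPython's real opcode table, and the sample code strings are constructed.

```c
#include <stddef.h>

/* Hypothetical, simplified encoding (NOT CPython's real opcode table):
 * every instruction is 3 bytes: opcode, arg low byte, arg high byte.
 * OP_JUMP_ABS jumps to an absolute offset; OP_JUMP_REL to i + 3 + arg. */
enum { OP_NOP = 1, OP_JUMP_ABS = 2, OP_JUMP_REL = 3, OP_RETURN = 4 };

#define GETARG(codestr, i) ((codestr)[(i) + 1] | ((codestr)[(i) + 2] << 8))

/* Return the jump target of the instruction at offset i, or -1 if the
 * argument bytes or the computed target fall outside [0, codelen).
 * codestr must never be indexed with a target before this succeeds. */
static long checked_jump_target(const unsigned char *codestr,
                                size_t codelen, size_t i)
{
    long tgt;
    if (i + 2 >= codelen)               /* argument bytes unreadable */
        return -1;
    if (codestr[i] == OP_JUMP_ABS)
        tgt = GETARG(codestr, i);
    else if (codestr[i] == OP_JUMP_REL)
        tgt = (long)i + 3 + GETARG(codestr, i);
    else
        return -1;                      /* not a jump instruction */
    if (tgt < 0 || (size_t)tgt >= codelen)
        return -1;                      /* would read past the buffer */
    return tgt;
}

/* Walk a code string and check every jump before anything dereferences
 * codestr[tgt]; returns 1 if all targets are in bounds, 0 otherwise. */
static int verify_jumps(const unsigned char *codestr, size_t codelen)
{
    size_t i;
    for (i = 0; i + 2 < codelen; i += 3) {
        if (codestr[i] == OP_JUMP_ABS || codestr[i] == OP_JUMP_REL) {
            if (checked_jump_target(codestr, codelen, i) < 0)
                return 0;
        }
    }
    return 1;
}

/* Constructed inputs: a well-formed program, one whose absolute jump lands
 * far past the end of the buffer, and one whose relative jump lands exactly
 * one byte past the end (the off-by-one case that i >= codelen must reject). */
static const unsigned char good_code[] = { OP_JUMP_ABS, 6, 0, OP_NOP, 0, 0, OP_RETURN, 0, 0 };
static const unsigned char bad_abs_code[] = { OP_JUMP_ABS, 0xFF, 0x7F, OP_RETURN, 0, 0 };
static const unsigned char bad_rel_code[] = { OP_JUMP_REL, 3, 0, OP_RETURN, 0, 0 };
```

Running verify_jumps() over a code string before the optimizer touches it is the cheap form of the verifier Raymond mentions: the corrupt inputs are rejected instead of turning into an out-of-bounds read.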