New submission from Lauri Alanko:

In Modules/_ctypes/stgdict.c:567 there is a suspicious line:

    stgdict->length = len;      /* ADD ffi_ofs? */

That is, the length field of the stgdict is set to the number of fields in the 
immediate Structure class, and the number of fields in the parent class 
(ffi_ofs) is questionably left out. This is wrong.

The length field is used in PyCStgDict_clone to copy the ffi_type descriptors 
for struct elements to a derived struct type. If length is short, not all 
element types are copied, and the resulting array is not NULL-terminated.

So the problem manifests when you inherit from a structure type, update the 
_fields_ of the inherited type, and then inherit again from the updated type. 
Even then everything might seem normal, since the elements array is actually 
not used very much.

However, attached is a test case that segfaults at least with debug builds on 
ARM with the VFP ABI. The non-null-terminated element type array is traversed 
to find if the structure can be passed in floating point registers, eventually 
resulting in dereferencing 0xfbfbfbfb.

The test program should print out pi. To avoid the hassle of a separate C 
component, the program abuses the standard atan2 function by pretending it 
takes a struct of two doubles instead of two separate double parameters. This 
does not make a difference to the ABI.

Fixing the bug is trivial. Just change the line to:

    stgdict->length = ffi_ofs + len;

----------
components: ctypes
files: t1.py
messages: 189992
nosy: lauri.alanko
priority: normal
severity: normal
status: open
title: Updating _fields_ of a derived struct type yields a bad cif
type: crash
versions: Python 3.3
Added file: http://bugs.python.org/file30369/t1.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18060>
_______________________________________
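The inheritance chain the report describes, written out as an added example (this is not the attached t1.py, and Base, Derived and Leaf are hypothetical names): the middle class gets its _fields_ assigned after creation, a third class inherits from it, and instead of the atan2 trick the struct is passed by value through a ctypes callback, which exercises the struct's ffi_type descriptors on both the call and the closure side without needing a C library.

```python
from ctypes import Structure, CFUNCTYPE, c_double, sizeof


class Base(Structure):
    # First level: one double.
    _fields_ = [("a", c_double)]


class Derived(Base):
    # Second level, created without _fields_ ...
    pass


# ... and updated afterwards. This is the "update the _fields_ of the
# inherited type" step from the report: Derived now has two fields in
# total (a from Base, b of its own), which is what stgdict->length must
# reflect.
Derived._fields_ = [("b", c_double)]


class Leaf(Derived):
    # Third level: inherits from the updated type, so its stgdict is
    # cloned from Derived's (the PyCStgDict_clone path in the report).
    _fields_ = [("c", c_double)]


def layout(struct_type):
    """Return (sizeof, {field: offset}) for a Structure subclass,
    walking the bases so inherited fields are included."""
    offsets = {}
    for klass in reversed(struct_type.__mro__):
        for name, _ in getattr(klass, "_fields_", []):
            offsets[name] = getattr(struct_type, name).offset
    return sizeof(struct_type), offsets


def roundtrip_by_value(a, b, c):
    """Pass a Leaf by value into a Python callback and sum its fields.
    Calling the CFUNCTYPE object from Python goes through ffi_call with
    Leaf's ffi_type, and the libffi closure unpacks the struct again for
    the Python function; both directions consult the element array."""
    def sum_fields(s):
        return s.a + s.b + s.c
    cb = CFUNCTYPE(c_double, Leaf)(sum_fields)
    return cb(Leaf(a, b, c))


if __name__ == "__main__":
    print(layout(Leaf))                        # (24, {'a': 0, 'b': 8, 'c': 16})
    print(roundtrip_by_value(1.0, 2.0, 3.5))   # 6.5
```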