Segv in mmap.move()

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • magnus.lycka@gmail.com

    Segv in mmap.move()

    Does anyone recognize this little Python crasher?

    I'll file a bug report unless someone notices it as an already
    documented bug. I found some open mmap bugs, but it wasn't
    obvious to me that this problem was one of those...

    Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
    [GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
    Type "help", "copyright" , "credits" or "license" for more information.
    >>import mmap
    >>data = mmap.mmap(-1, 1)
    >>data.move(1,1 ,-1)
    Segmenteringsfe l (core dumped)

    I first noticed the problem under Windows in 2.5.1.


  • Terry Reedy

    #2
    Re: Segv in mmap.move()



    magnus.lycka@gm ail.com wrote:
    Does anyone recognize this little Python crasher?
    >
    I'll file a bug report unless someone notices it as an already
    documented bug. I found some open mmap bugs, but it wasn't
    obvious to me that this problem was one of those...
    >
    Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
    [GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
    Type "help", "copyright" , "credits" or "license" for more information.
    >>>import mmap
    >>>data = mmap.mmap(-1, 1)
    >>>data.move(1, 1,-1)
    Segmenteringsfe l (core dumped)
    >
    I first noticed the problem under Windows in 2.5.1.
    On WinXP Py3.0b2, I see two bugs here.

    1. For a length 1 sequence, the only offsets allowed should be 0.
    However, I can index to what I suspect is a null terminator byte at
    offset len(seq). This should be internally accessible only just as for
    regular strings and bytes (which also have null terminators, I believe).
    Indexing any farther past what should be the end gives the IndexError
    I expected when indexing just past the end. (Slicing and iterating,
    however, work correctly.)
    >>import mmap
    >>d=mmap.mmap (-1,5)
    >>d[:]=b'abcde'
    >>d[0], d[4],d[5]
    (97, 101, 0)

    2. Running your code, or d.move(1,2,-1), I get python.exe 'encountered a
    problem ...shutting down ... Send report?' (yes) and window closed.
    Running IDLE, same msg, but after send report, IDLE shell restarted. Cute.

    Modules/mmapmodule.c - mmap_move_metho d declares count as unsigned.
    Further experimentation shows that the problem is telling it to move
    exactly -1 bytes, which I am sure gets translated to 2**32-1 = 4294967295 by
    PyArg_ParseTupl e(args, "kkk:move", &dest, &src, &count)
    Passing 2**32-1 also crashes, while 2*32-2 and other bad values give
    >>d.move(1,2,2* *32-2)
    Traceback (most recent call last):
    File "<pyshell#5 1>", line 1, in <module>
    d.move(1,2,2**3 2-2)
    ValueError: source or destination out of range

    I suspect the 2**32-1 bug is in C memmove, perhap inherited from a
    common source.

    I think either a)the docs should warn that a count of -1== 4294967295
    (on 32bit machines) and just that may crash the interpreter or b) the
    wrapper of the underlying C function should raise ValueError for -1
    also. The goal of 'no crashes' suggests the latter if sensibly possible.

    Terry Jan Reedy

    Comment

    Working...