The interpreter crashes when specializing bound method calls on unbound objects

[devdanzin]

Crash report

What happened?

The following code segfaults the interpreter:

import glob

for x in range(3):
    str_globber = glob._StringGlobber(None, None)
str_globber.selector(set())

try:
    str_globber.selector([True, True, False])
except:
    pass

globber_base = glob._GlobberBase(0, 0, 0, 0)
globber_base.selector(list)

(Edited by @ZeroIntensity) Smaller reproducer:

def call(part):
    part.pop()

call(['a'])
try:
    call(list)
except TypeError:
    raise

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
_PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, frame=0x7ffff7fb00a0, frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at ./Include/object.h:270
270             return ob->ob_type;
(gdb) bt
#0  _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, frame=0x7ffff7fb00a0,
    frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at ./Include/object.h:270
#1  0x000055555585db58 in _PyEval_EvalFrame (throwflag=0, frame=0x7ffff7fb0020, tstate=0x555555c6b558 <_PyRuntime+330424>)
    at ./Include/internal/pycore_ceval.h:119
#2  _PyEval_Vector (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, func=func@entry=0x7ffff7a91b50,
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, args=args@entry=0x0, argcount=argcount@entry=0,
    kwnames=kwnames@entry=0x0) at Python/ceval.c:1908
#3  0x000055555585dc57 in PyEval_EvalCode (co=co@entry=<code at remote 0x7ffff7b5db60>,
    globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>},
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}) at Python/ceval.c:836
#4  0x00005555558eb82e in run_eval_code_obj (tstate=tstate@entry=0x555555c6b558 <_PyRuntime+330424>, co=co@entry=0x7ffff7b5db60,
    globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>},
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}) at Python/pythonrun.c:1365
#5  0x00005555558ec92e in run_mod (mod=mod@entry=0x555555e0e230, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, flags=flags@entry=0x7fffffffdb68, arena=arena@entry=0x7ffff7ab3f40, interactive_src=0x0, generate_new_source=0) at Python/pythonrun.c:1436
#6  0x00005555558eccdb in pyrun_file (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', start=start@entry=257, globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py') at remote 0x7ffff7a95b90>, '__spec__': None, '__builtins__': <module at remote 0x7ffff7befef0>, '__file__': '/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', '__cached__': None, 'glob': <module at remote 0x7ffff7ad0170>, 'x': 2, 'str_globber': <_StringGlobber(sep=None, case_sensitive=None, case_pedantic=False, recursive=False) at remote 0x7ffff78ef630>, 'globber_base': <_GlobberBase(case_pedantic=0, case_sensitive=0, recursive=0, sep=0) at remote 0x7ffff7a7e6e0>}, closeit=closeit@entry=1, flags=0x7fffffffdb68) at Python/pythonrun.c:1293
#7  0x00005555558eeff1 in _PyRun_SimpleFileObject (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', closeit=closeit@entry=1, flags=flags@entry=0x7fffffffdb68) at Python/pythonrun.c:521
#8  0x00005555558ef2ba in _PyRun_AnyFileObject (fp=fp@entry=0x555555df2410, filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', closeit=closeit@entry=1, flags=flags@entry=0x7fffffffdb68) at Python/pythonrun.c:81
#9  0x000055555591ebd4 in pymain_run_file_obj (program_name=program_name@entry='/home/danzin/projects/cpython/python', filename=filename@entry='/home/fusil/runs/python-12/glob-cpu_load-invalid_mem_access-0x0000000000000008/source2.py', skip_source_first_line=0) at Modules/main.c:396
#10 0x000055555591ef72 in pymain_run_file (config=config@entry=0x555555c36688 <_PyRuntime+113640>) at Modules/main.c:415
#11 0x000055555592050d in pymain_run_python (exitcode=exitcode@entry=0x7fffffffdcf4) at Modules/main.c:680
#12 0x000055555592056e in Py_RunMain () at Modules/main.c:761
#13 0x00005555559205e5 in pymain_main (args=args@entry=0x7fffffffdd50) at Modules/main.c:791
#14 0x00005555559206a8 in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:815
#15 0x00005555555d7926 in main (argc=<optimized out>, argv=<optimized out>) at ./Programs/python.c:15

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a6+ (heads/main:3a8cefba0b6, Apr 1 2025, 21:31:55) [GCC 11.4.0]

Linked PRs

• gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path #132000
• [3.13] gh-131998: Fix NULL dereference when using an unbound method descriptor in a specialized code path (GH-132000) #132262

[ZeroIntensity]

Looks like a 3.14 regression.

[vstinner]

Looks like a 3.14 regression.

I can reproduce the crash on Python 3.13.

[ZeroIntensity]

Hmm, I couldn't. Let me double check.

[vstinner]

I can reproduce the crash on a Python 3.13 release build (PGO+LTO). I cannot reproduce the crash on a Python 3.13 debug build (--with-pydebug CFLAGS="-O0").

[ZeroIntensity]

Ah, this doesn't occur on a 3.13.2 release build, so this will be a neat surprise in the upcoming release next week.

[vstinner]

The crash on Python 3.13.2 using the Fedora 41 package:

$ cat x.py 
def call(part):
    part.pop()
call(['a'])
try:
    call(list)
except TypeError:
    raise

$ python3.13 -VV
Python 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)]

$ python3.13 x.py 
Erreur de segmentation (core dumped)

[ZeroIntensity]

I can reproduce using that script on 3.13.2, but not the original one that @devdanzin provided.