Differences between revisions 6 and 7
Revision 6 as of 2006-04-21 22:46:46
Size: 6239
Editor: 66
Comment:
Revision 7 as of 2006-06-03 14:19:40
Size: 6572
Editor: 87
Comment: added "executing random code"
Deletions are marked like this. Additions are marked like this.
Line 59: Line 59:
}}}

Executing random code, since the interpreter does not verify the well-formed-ness of the code object (invalids opcodes, wrong stack size, etc.). The following code is known to crashing python 2.4.3 on winxp.

{{{
    from types import CodeType as code
    exec code(0, 5, 8, 0, "hello moshe", (), (), (), "", "", 0, "")

TableOfContents

While a lot of effort has gone into making it difficult or impossible to crash the Python interpreter in normal usage, there are lots fairly easy ways to crash the interpreter. The BDFL [http://mail.python.org/pipermail/python-dev/2006-January/059621.html pronounced] recently on the python-dev mailing list: 

    I'm not saying it's uncrashable. I'm saying that if you crash it, it's a
    bug unless proven harebrained.

I thought it might be worthwhile to document some ways the interpreter can be crashed -- although most of these are very unlikely to crop up in real code.

There is also [http://svn.python.org/view/python/trunk/Lib/test/crashers/ a directory in SVN repository] that demonstrates known ways to crash Python.

Bogus Input

Through Python 2.4 you could crash the interpreter by redirecting stdin from a directory: 

    % python2.4 -c 'import sys ; print sys.version'
    2.4.1 (#3, Jul 28 2005, 22:08:40) 
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)]
    % python2.4 < .
    Bus error

Starting with 2.5 the interpreter notices and aborts: 

    % python2.5 -c 'import sys ; print sys.version'
    2.5a0 (41847M, Dec 29 2005, 22:21:03) 
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)]
    % python2.5 < .
    Fatal Python error: <stdin> is a directory
    Abort trap

Some modules also do not perform rigorous checking of data they operate on. The marshal module can cause it to crash the interpreter when given certain strings: 

    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01) 
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import os, marshal
    >>> while 1:
    ...     try:
    ...         marshal.loads(os.urandom(16))
    ...     except:
    ...         pass
    ... 
    Segmentation fault

Executing random code, since the interpreter does not verify the well-formed-ness of the code object (invalids opcodes, wrong stack size, etc.). The following code is known to crashing python 2.4.3 on winxp. 

    from types import CodeType as code
    exec code(0, 5, 8, 0, "hello moshe", (), (), (), "", "", 0, "")

Exhausting Resources

There are a number of areas where resource exhaustion can crash the interpreter. Here's one fairly easy to demonstrate way to do it though: 

    % python
    Python 2.5a0 (41847M, Dec 29 2005, 22:21:03) 
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import sys
    >>> sys.setrecursionlimit(1<<30)
    >>> f = lambda f:f(f)
    >>> f(f)
    Segmentation fault

A slightly subtler example involves getting the interpreter to exhaust some resource internally while performing a single operation: 

    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01) 
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> f = lambda: None
    >>> for i in xrange(1000000):
    ...     f = f.__call__
    ... 
    >>> del f
    Segmentation fault

GC/weakref interaction

Interaction between these two systems has historically been a sticky point for CPython. There is still at least one problem in Python 2.4.2: 

    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01) 
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import weakref
    >>> ref = None
    >>> class Target:
    ...   def __del__(self):
    ...       global ref
    ...       ref = weakref.ref(self)
    ... 
    >>> def g():
    ...   w = Target()
    ...   w = None
    ...   print ref()
    ... 
    >>> g()
    Segmentation fault

Dangerous Modules

Some modules are designed to allow programmers access to the guts of things. Naturally, they also give programmers the opportunity to shoot themselves in the foot. Here are a few.

  • The new module allows you to construct various types of objects that normally can't be explicitly created from the interpreter. You can, for example, create code objects and give them arbitrary strings as their "bytecode". There's no telling how successfully the interpreter will handle such abuses.

  • The dl module is available on many Unix systems. It provides an interpreter-level interface to the dlopen() function, giving you dynamic access to the functions in arbitrary shared libraries. No checks are performed on the arguments to the functions you call. Hilarity can thus ensue. (The ctypes module, under consideration for inclusion in Python 2.5, provides similar functionality.)

  • The buffer builtin can also be dangerous, since it notionally claims a reference to a range of memory, but does so without going through a Python object or using the standard Python refcount system. This is visible when, for example, constructing a buffer from an array.array, then resizing the array such that it internally realloc()s its storage, moving the memory in the process. The buffer will now refer to an invalid pointer.

  • The gc module can be manipulated to give access to partially constructed object, accessing fields of which can cause crashes.

I`ve got another way:

I have written a Tkinter GUI editor [called "GWiz"] to help me create and maintain Tk GUIs for my own projects. [The editor itself is a GWiz project, too.] On several occasions, I have forgotten to close the GWiz-created GUI before exiting I.D.L.E., and Python [always?] crashes on exit with an "application requested an abnormal termination" error requester. When I remember to close my app before closing I.D.L.E., everything goes away cleanly. I should add code to GWiz to do sys.atexit() clean-up, but I do not know how to UNregister atexit callbacks; it would be easy enough to fix, but it would require that the atexit module`s call-back registration return the item added to the call-back list, and the addition of another function to remove items from the call-back list. I can post modifications to the library module, if someone will tell me where to post them.

-- ["lwickjr"], 2006-Apr-21

CrashingPython (last edited 2014-02-10 15:07:35 by JoakimEk)

Unable to edit the page? See the FrontPage for instructions.