Differences between revisions 8 and 9
Revision 8 as of 2006-06-03 16:12:23
Size: 6597
Editor: 87
Comment:
Revision 9 as of 2006-09-20 02:32:57
Size: 920
Editor: 219
Comment: wow gold
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
[[TableOfContents]]

While a lot of effort has gone into making it difficult or impossible to
crash the Python interpreter in normal usage, there are lots fairly easy
ways to crash the interpreter. The BDFL [http://mail.python.org/pipermail/python-dev/2006-January/059621.html pronounced] recently on the
python-dev mailing list:

{{{
    I'm not saying it's uncrashable. I'm saying that if you crash it, it's a
    bug unless proven harebrained.
}}}

I thought it might be worthwhile to document some ways the interpreter can
be crashed -- although most of these are very unlikely to crop up in real code.

There is also [http://svn.python.org/view/python/trunk/Lib/test/crashers/ a directory in SVN repository] that demonstrates known ways to crash Python.

== Bogus Input ==

Through Python 2.4 you could crash the interpreter by redirecting stdin from
a directory:

{{{
    % python2.4 -c 'import sys ; print sys.version'
    2.4.1 (#3, Jul 28 2005, 22:08:40)
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)]
    % python2.4 < .
    Bus error
}}}

Starting with 2.5 the interpreter notices and aborts:

{{{
    % python2.5 -c 'import sys ; print sys.version'
    2.5a0 (41847M, Dec 29 2005, 22:21:03)
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)]
    % python2.5 < .
    Fatal Python error: <stdin> is a directory
    Abort trap
}}}

Some modules also do not perform rigorous checking of data they operate
on. The marshal module can cause it to crash the interpreter when given
certain strings:

{{{
    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01)
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import os, marshal
    >>> while 1:
    ... try:
    ... marshal.loads(os.urandom(16))
    ... except:
    ... pass
    ...
    Segmentation fault
}}}

Executing random code, since the interpreter does not verify the well-formed-ness of the code object (invalids opcodes, wrong stack size, etc.). The following code is known to crashing python 2.4.3 on Windows XP as well as on Linux.

{{{
    from types import CodeType as code
    exec code(0, 5, 8, 0, "hello moshe", (), (), (), "", "", 0, "")
}}}

== Exhausting Resources ==

There are a number of areas where resource exhaustion can crash the
interpreter. Here's one fairly easy to demonstrate way to do it though:

{{{
    % python
    Python 2.5a0 (41847M, Dec 29 2005, 22:21:03)
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1671)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import sys
    >>> sys.setrecursionlimit(1<<30)
    >>> f = lambda f:f(f)
    >>> f(f)
    Segmentation fault
}}}

A slightly subtler example involves getting the interpreter to exhaust
some resource internally while performing a single operation:

{{{
    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01)
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> f = lambda: None
    >>> for i in xrange(1000000):
    ... f = f.__call__
    ...
    >>> del f
    Segmentation fault
}}}

== GC/weakref interaction ==

Interaction between these two systems has historically been a sticky point for
CPython. There is still at least one problem in Python 2.4.2:

{{{
    $ python
    Python 2.4.2 (#2, Sep 30 2005, 21:19:01)
    [GCC 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu8)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import weakref
    >>> ref = None
    >>> class Target:
    ... def __del__(self):
    ... global ref
    ... ref = weakref.ref(self)
    ...
    >>> def g():
    ... w = Target()
    ... w = None
    ... print ref()
    ...
    >>> g()
    Segmentation fault
}}}

== Dangerous Modules ==

Some modules are designed to allow programmers access to the guts of
things. Naturally, they also give programmers the opportunity to shoot
themselves in the foot. Here are a few.

 * The {{{new}}} module allows you to construct various types of objects
 that normally can't be explicitly created from the interpreter. You can,
 for example, create {{{code}}} objects and give them arbitrary strings as
 their "bytecode". There's no telling how successfully the interpreter will
 handle such abuses.

 * The {{{dl}}} module is available on many Unix systems. It provides an
 interpreter-level interface to the {{{dlopen()}}} function, giving you
 dynamic access to the functions in arbitrary shared libraries. No checks
 are performed on the arguments to the functions you call. Hilarity can
 thus ensue. (The {{{ctypes}}} module, under consideration for inclusion in
 Python 2.5, provides similar functionality.)

 * The {{{buffer}}} builtin can also be dangerous, since it notionally claims
 a reference to a range of memory, but does so without going through a Python
 object or using the standard Python refcount system. This is visible when,
 for example, constructing a buffer from an {{{array.array}}}, then resizing
 the {{{array}}} such that it internally {{{realloc()}}}s its storage, moving
 the memory in the process. The {{{buffer}}} will now refer to an invalid
 pointer.

 * The {{{gc}}} module can be manipulated to give access to partially constructed
 object, accessing fields of which can cause crashes.



----

I`ve got another way:

I have written a Tkinter GUI editor [called "GWiz"] to help me create and maintain Tk GUIs for my own projects. [The editor itself is a GWiz project, too.] On several occasions, I have forgotten to close the GWiz-created GUI before exiting I.D.L.E., and Python [always?] crashes on exit with an "application requested an abnormal termination" error requester. When I remember to close my app before closing I.D.L.E., everything goes away cleanly. I should add code to GWiz to do sys.atexit() clean-up, but I do not know how to UNregister atexit callbacks; it would be easy enough to fix, but it would require that the atexit module`s call-back registration return the item added to the call-back list, and the addition of another function to remove items from the call-back list. I can post modifications to the library module, if someone will tell me where to post them.

-- ["lwickjr"], 2006-Apr-21
[http://www.bjsoufang.com 公寓]
[http://www.tdke.com.cn 北京租房]
[http://www.zhantian.com.cn 租房]
[http://www.3720.cn 北京公寓]
[http://www.bigart.cn 干洗店]
[http://www.bigart.cn 干洗设备]
[http://www.bigart.cn 干洗加盟]
[http://www.asdy.cn 干洗店]
[http://www.asdy.cn 干洗加盟]
[http://www.asdy.cn 干洗设备]
[http://www.cepada.cn 对讲机]
[http://www.zxdrying.com 干燥设备]
[http://www.yiqiu.com 干燥机]
[http://www.cxdry.com 干燥设备]
[http://www.yiqiu.com 干燥设备]
[http://www.wow2008.net wow gold]
[http://blizzardwar.com wow gold]
[http://wow2008.blogspot.com eq2 gold]
[http://buywowgold2008.blogspot.com wow gold]
[http://WorldofWarcraftgold2008.blogspot.com World of Warcraft gold]
[http://Drycleaning2008.blogspot.com Dry cleaning]
[http://langrenjiazu.blogspot.com buy wow gold]
[http://InternetGame2008.blogspot.com Internet Game]

CrashingPython (last edited 2014-02-10 15:07:35 by JoakimEk)

Unable to edit the page? See the FrontPage for instructions.