|  | Segv in mmap.move() | | |
| | | magnus.lycka@gmail.com |  |
|  Posted: Wed Jul 23, 2008 6:07 pm Post subject: Segv in mmap.move() |  |
Does anyone recognize this little Python crasher?
I'll file a bug report unless someone notices it as an already
documented bug. I found some open mmap bugs, but it wasn't
obvious to me that this problem was one of those...
Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
| Quote: | import mmap
data = mmap.mmap(-1, 1)
data.move(1,1,-1)
Segmenteringsfel (core dumped) |
I first noticed the problem under Windows in 2.5.1. |
| |
| | | Terry Reedy | |
| | Posted: Wed Jul 23, 2008 8:31 pm Post subject: Re: Segv in mmap.move() | |
| |  | |
magnus.lycka@gmail.com wrote:
| Quote: | Does anyone recognize this little Python crasher?
I'll file a bug report unless someone notices it as an already
documented bug. I found some open mmap bugs, but it wasn't
obvious to me that this problem was one of those...
Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import mmap
data = mmap.mmap(-1, 1)
data.move(1,1,-1)
Segmenteringsfel (core dumped)
I first noticed the problem under Windows in 2.5.1.
|
On WinXP Py3.0b2, I see two bugs here.
1. For a length 1 sequence, the only offsets allowed should be 0.
However, I can index to what I suspect is a null terminator byte at
offset len(seq). This should be internally accessible only just as for
regular strings and bytes (which also have null terminators, I believe).
Indexing any farther past what should be the end gives the IndexError
I expected when indexing just past the end. (Slicing and iterating,
however, work correctly.)
| Quote: | import mmap
d=mmap.mmap(-1,5)
d[:]=b'abcde'
d[0], d[4],d[5]
(97, 101, 0) |
2. Running your code, or d.move(1,2,-1), I get python.exe 'encountered a
problem ...shutting down ... Send report?' (yes) and window closed.
Running IDLE, same msg, but after send report, IDLE shell restarted. Cute.
Modules/mmapmodule.c - mmap_move_method declares count as unsigned.
Further experimentation shows that the problem is telling it to move
exactly -1 bytes, which I am sure gets translated to 2**32-1 = 4294967295 by
PyArg_ParseTuple(args, "kkk:move", &dest, &src, &count)
Passing 2**32-1 also crashes, while 2*32-2 and other bad values give
| Quote: | d.move(1,2,2**32-2)
Traceback (most recent call last): |
File "<pyshell#51>", line 1, in <module>
d.move(1,2,2**32-2)
ValueError: source or destination out of range
I suspect the 2**32-1 bug is in C memmove, perhap inherited from a
common source.
I think either a)the docs should warn that a count of -1== 4294967295
(on 32bit machines) and just that may crash the interpreter or b) the
wrapper of the underlying C function should raise ValueError for -1
also. The goal of 'no crashes' suggests the latter if sensibly possible.
Terry Jan Reedy |
| |
|
|
