[New-bugs-announce] [issue40903] Segfault in new PEG parser

Steve Stagg report at bugs.python.org
Sun Jun 7 18:09:09 EDT 2020


New submission from Steve Stagg <stestagg at gmail.com>:

The input `p=p=` causes Python 3.10 to crash.

I bisected the change, and the behavior appears to have been introduced by 16ab07063cb564c1937714bd39d6915172f005b5 (bpo-40334: Correctly identify invalid target in assignment errors (GH-20076))

Steps to reproduce:

$ echo 'p=p=' | /path/to/python3.10
=== SIGSEGV (Address boundary error)


Analysis:

This code is an invalid assignment, and the parser tries to generate a useful message for this case (invalid_assignment_rule).

However, the `target` of the assignment is a Name node.

The invalid_assignment_rule function tries to identify the target of the assignment, to create a useful description for the error message, by calling `_PyPegen_get_invalid_target`, passing in the Name node.

`_PyPegen_get_invalid_target` returns NULL if the type is a Name type (pegen.c:2114).

The result of this call is then passed unconditionally to _PyPegen_get_expr_name, which is expecting a statement, not NULL.

Error happens here: pegen.c:164
`_PyPegen_get_expr_name(expr_ty e)` is being called with `e = 0x0`

----------
components: Interpreter Core
messages: 370916
nosy: stestagg
priority: normal
severity: normal
status: open
title: Segfault in new PEG parser
type: crash
versions: Python 3.10

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40903>
_______________________________________
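
A regression check for the crash reported above, as an added example that is not part of the original report or of CPython's own test suite: it feeds the report's input to a separate interpreter process, so a segfault cannot take down the harness, and tells a clean SyntaxError apart from death by signal. The function names and verdict strings are assumptions made for this example.

```python
import signal
import subprocess
import sys

CRASH_INPUT = "p=p=\n"  # the input given in the report


def classify(returncode, stderr):
    """Map a child interpreter's exit status to a triage verdict."""
    if returncode < 0:
        # On POSIX, subprocess reports death by signal as -signum.
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal{-returncode}"
        return f"crash:{name}"
    if returncode == 0:
        return "accepted"
    if "SyntaxError" in stderr:
        return "rejected"
    return f"error:{returncode}"


def check(source, python=sys.executable, timeout=30):
    """Run `source` on the stdin of a separate interpreter, like `echo ... | python`."""
    try:
        proc = subprocess.run(
            [python, "-"],          # "-" = read the program from stdin
            input=source,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "hang"
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    # Optional argument: path to the interpreter build under test.
    python = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    verdict = check(CRASH_INPUT, python)
    print(f"{python}: {verdict}")
    # Only a clean SyntaxError counts as a pass for this invalid input.
    sys.exit(0 if verdict == "rejected" else 1)
```

Run against a specific build by passing its path as the first argument; any verdict other than "rejected" makes the script exit non-zero.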

