[New-bugs-announce] [issue40903] Segfault in new PEG parser
Steve Stagg
report at bugs.python.org
Sun Jun 7 18:09:09 EDT 2020
New submission from Steve Stagg <stestagg at gmail.com>:
The input `p=p=` causes python 3.10 to crash.
I bisected the change, and the behavior appears to have been introduced by 16ab07063cb564c1937714bd39d6915172f005b5 (bpo-40334: Correctly identify invalid target in assignment errors (GH-20076) )
Steps to reproduce:
$ echo 'p=p=' | /path/to/python3.10
=== SIGSEGV (Address boundary error)
Analysis:
This code is an invalid assignment, and the parser tries to generate a useful message for this case (invalid_assignment_rule).
However, the `target` of the assignment is a Name node.
The invalid_assignment_rule function tries to identify the target of the assignment, to create a useful description for the error message by calling `_PyPegen_get_invalid_target`, passing in the Name Node.
`_PyPegen_get_invalid_target` returns NULL if the type is a Name type (pegen.c:2114).
The result of this call is then passed unconditionally to _PyPegen_get_expr_name, which is expecting a statement, not NULL.
Error happens here: pegen.c:164
`_PyPegen_get_expr_name(expr_ty e)` is being called with `e = 0x0`
----------
components: Interpreter Core
messages: 370916
nosy: stestagg
priority: normal
severity: normal
status: open
title: Segfault in new PEG parser
type: crash
versions: Python 3.10
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40903>
_______________________________________
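
The reproduction steps in the report, turned into a repeatable regression check. This is an added example, not part of the original report or of CPython's test suite. It feeds source text to an interpreter on stdin and distinguishes a clean SyntaxError from a signal-terminated process. `classify_parse` and its outcome labels are names chosen for illustration, and signal detection through a negative return code assumes a POSIX system.

```python
import subprocess
import sys

# Input taken from the report above.
REPORTED_INPUT = "p=p=\n"


def classify_parse(source, interpreter=sys.executable, timeout=10):
    """Run `source` through `interpreter` via stdin and classify the outcome.

    Returns "ok", "syntax_error", "crash" or "other_error".
    """
    proc = subprocess.run(
        [interpreter, "-I", "-"],   # -I: isolated mode, "-": read program from stdin
        input=source,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    # On POSIX, subprocess reports death by signal N as return code -N,
    # so a SIGSEGV in the parser shows up as a negative value here.
    if proc.returncode < 0:
        return "crash"
    if proc.returncode == 0:
        return "ok"
    # A parser that rejects the input properly exits non-zero with a
    # SyntaxError traceback on stderr.
    if "SyntaxError" in proc.stderr:
        return "syntax_error"
    return "other_error"


if __name__ == "__main__":
    # Constructed sample inputs around the reported one.
    samples = [REPORTED_INPUT, "p = p = 1\n", "p=\n"]
    failed = False
    for src in samples:
        outcome = classify_parse(src)
        print(f"{src!r:15} -> {outcome}")
        failed = failed or outcome == "crash"
    # Non-zero exit lets a CI job fail when any input kills the interpreter.
    sys.exit(1 if failed else 0)
```

Pass a different build as `interpreter` to check a specific binary, for example the `/path/to/python3.10` placeholder used in the report.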