[New-bugs-announce] [issue41060] `with a as b` segfault in new peg parser

Steve Stagg report at bugs.python.org
Sat Jun 20 17:36:11 EDT 2020


New submission from Steve Stagg <stestagg at gmail.com>:

Hi

Fuzzing found the following:

$ ./python/bin/python3
Python 3.10.0a0 (heads/master:eb0d5c38de, Jun 20 2020, 21:35:36) 
[Clang 10.0.0 ] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> with a as b
fish: “./python/bin/python3” terminated by signal SIGSEGV (Address boundary error)

with stacktrace:
* thread #1, name = 'run', stop reason = signal SIGSEGV: invalid address (fault address: 0x20)
  * frame #0: 0x0000555555a08feb run`with_item_rule at parser.c:15382:20
    frame #1: 0x0000555555a08e96 run`with_item_rule(p=0x00007ffff78b9e40) at parser.c:4330
    frame #2: 0x00005555559d22e9 run`compound_stmt_rule at parser.c:17930:21
    frame #3: 0x00005555559d227c run`compound_stmt_rule at parser.c:4139
    frame #4: 0x00005555559d1a64 run`compound_stmt_rule(p=<unavailable>) at parser.c:1931
    frame #5: 0x00005555559d016c run`statements_rule at parser.c:1230:18
    frame #6: 0x00005555559d00fb run`statements_rule at parser.c:16156
    frame #7: 0x00005555559cff4d run`statements_rule(p=<unavailable>) at parser.c:1189
    frame #8: 0x00005555559cb2bc run`_PyPegen_parse at parser.c:722:18
    frame #9: 0x00005555559cb28d run`_PyPegen_parse(p=0x00007ffff78b9e40) at parser.c:24688
    frame #10: 0x00005555559c5349 run`_PyPegen_run_parser(p=0x00007ffff78b9e40) at pegen.c:1083:17
    frame #11: 0x00005555559c6458 run`_PyPegen_run_parser_from_string(str=<unavailable>, start_rule=<unavailable>, filename_ob=0x00007ffff788db30, flags=<unavailable>, arena=<unavailable>) at pegen.c:1201:14
    frame #12: 0x00005555555eea84 run`PyPegen_ASTFromStringObject(str="with'lZ''</'as sdbm.N", filename=0x00007ffff788db30, mode=257, flags=0x0000000000000000, arena=0x00007ffff78e4910) at peg_api.c:27:21
    frame #13: 0x00005555555a8413 run`PyRun_StringFlags(str="with'lZ''</'as sdbm.N", start=<unavailable>, globals=0x00007ffff788d940, locals=0x00007ffff788d940, flags=0x0000000000000000) at pythonrun.c:1029:11
    frame #14: 0x00005555555a8202 run`PyRun_SimpleStringFlags(command="with'lZ''</'as sdbm.N", flags=0x0000000000000000) at pythonrun.c:429:9
    frame #15: 0x0000555555595936 run`main(argc=<unavailable>, argv=<unavailable>) at run.c:19:3
    frame #16: 0x00007ffff7c35002 libc.so.6`__libc_start_main + 242
    frame #17: 0x000055555559568e run`_start + 46

This appears to be similar to: https://bugs.python.org/issue40903, where GET_INVALID_TARGET is being called with an Attribute Node, which returns None, and this result is passed unchecked into `PyPegen_get_expr_name`.

----------
components: Interpreter Core
messages: 371964
nosy: stestagg
priority: normal
severity: normal
status: open
title: `with a as b` segfault in new peg parser
type: crash
versions: Python 3.10, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41060>
_______________________________________
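
A regression check for the two inputs in this report, as an added example that is not part of the original message or of CPython's own test suite: each input is compiled in a child interpreter, so a parser crash is recorded as a signal instead of taking down the harness. The names `classify`, `triage` and `CHILD`, the exit code 3 and the POSIX negative-return-code convention are assumptions of this example.

```python
import signal
import subprocess
import sys

# The two inputs that appear in the report: the REPL line and the fuzzer
# string visible in the stack trace.
REPORTED_INPUTS = ["with a as b", "with'lZ''</'as sdbm.N"]

# Child program (constructed for this example): compile stdin in "exec" mode,
# exit 0 if the source is accepted and 3 if the parser rejects it cleanly.
CHILD = """
import sys
try:
    compile(sys.stdin.read(), "<fuzz>", "exec")
except (SyntaxError, ValueError):
    sys.exit(3)
"""


def classify(source, python=sys.executable, timeout=30):
    """Return 'accepted', 'rejected', 'crashed:<SIGNAL>', 'timeout' or 'error:<rc>'."""
    try:
        proc = subprocess.run(
            [python, "-I", "-c", CHILD],
            input=source.encode("utf-8"),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    rc = proc.returncode
    if rc == 0:
        return "accepted"
    if rc == 3:
        return "rejected"
    if rc < 0:  # POSIX: the child was killed by signal -rc (SIGSEGV in the report)
        try:
            return "crashed:" + signal.Signals(-rc).name
        except ValueError:
            return "crashed:%d" % -rc
    return "error:%d" % rc


def triage(inputs, python=sys.executable):
    """Map each input to its classification under the given interpreter."""
    return {src: classify(src, python) for src in inputs}
```

Pass the path of the interpreter build under test as `python`; both reported inputs are missing the colon, so a parser without the defect should answer `rejected` for each.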

