[Numpy-discussion] Segfault using "fromstring" and reading variable length string

Christoph Gohlke cgohlke at uci.edu
Fri Apr 22 20:08:19 EDT 2011



On 4/22/2011 2:52 PM, Gökhan Sever wrote:
>
>
> On Fri, Apr 22, 2011 at 12:37 PM, Ralf Gommers
> <ralf.gommers at googlemail.com <mailto:ralf.gommers at googlemail.com>> wrote:
>
>     On Thu, Apr 21, 2011 at 10:06 PM, Gökhan Sever
>     <gokhansever at gmail.com <mailto:gokhansever at gmail.com>> wrote:
>     >  Hello,
>     >  Given this piece of code (I can provide the meg file off-the list
>     for those
>     >  who wants to reproduce the error)
>
>     Can you instead construct a test as simple as possible for this? It
>     sounds like you need only a two line string to reproduce this. The bug
>     sounds similar to http://projects.scipy.org/numpy/ticket/1689.
>
>     Ralf
>
>
> This simple case segfaults as well (The commented line works correctly):
>
> import numpy as np
> from StringIO import StringIO
>
> c = StringIO(" hello \r\n world \r\n")
>
> dt = np.dtype([('line1', '|S6'), ('line2', np.object_)])
> #dt = np.dtype([('line1', '|S9'), ('line2', '|S9')])
> k = np.fromstring(c.read(dt.itemsize), dt)[0]
>

I can reproduce the crash with a recent build of numpy 1.6. It is in 
arraytypes.c.src, line 521:

static PyObject *
OBJECT_getitem(char *ip, PyArrayObject *ap)
{
     PyObject *obj;
     NPY_COPY_PYOBJECT_PTR(&obj, ip);
     if (obj == NULL) {
         Py_INCREF(Py_None);
         return Py_None;
     }
     else {
         Py_INCREF(obj);   /* <== crash */
         return obj;
     }
}


There's no check whether obj is a valid PyObject (it is not in this case).

Christoph



More information about the NumPy-Discussion mailing list