[pypy-issue] [issue760] Malicious code object segfaults

lvh tracker at bugs.pypy.org
Fri Jun 24 23:30:04 CEST 2011

New submission from lvh <_ at lvh.cc>:

Pypy is to succeptible to being talked sternly to.

If I politely (in lowercase), tell it to explode, it will correctly raise

import new
new.function(new.code(0, 5, 8, 0, "kaboom", (), (),(), "", "", 0, ""), {})()

However, if I start to yell instead, it segfaults:

new.function(new.code(0, 5, 8, 0, "KABOOM", (), (),(), "", "", 0, ""), {})()

In all seriousness, this is because the ordinals in "kaboom" are too high, and
those bytecode ops don't actually exist. "KABOOM" produces entirely valid
(although nonsensical) bytecode, though. Here's the dis.dis output:

>>> dis.dis(f)
  0           0 INPLACE_LSHIFT      
              1 BINARY_XOR          
              2 BINARY_OR           
              3 INPLACE_OR          
              4 INPLACE_OR          
              5 INPLACE_AND  

The theory is that it is trying to apply the operation to things that should be
on its stack, but there is emphatically nothing there. Explosions ensue.

messages: 2659
nosy: lac, lvh, pypy-issue
priority: bug
status: chatting
title: Malicious code object segfaults

PyPy bug tracker <tracker at bugs.pypy.org>

More information about the pypy-issue mailing list