[ python-Bugs-931877 ] Segfault in object_reduce_ex

SourceForge.net noreply at sourceforge.net
Sat Apr 1 03:43:41 CEST 2006 

Bugs item #931877, was opened at 2004-04-08 19:46
Message generated for change (Comment added) made by zseil
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=931877&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: Python 2.3
Status: Open
Resolution: None
Priority: 5
Submitted By: Tim Peters (tim_one)
Assigned to: Nobody/Anonymous (nobody)
Summary: Segfault in object_reduce_ex

Initial Comment:
Shane Hathaway bumped into this, unbounded recursion 
in typeobject.c's object_reduce_ex().  This occurs in 
Python 2.3.3 and current CVS.

Assigned to Guido, to ponder whether object_reduce_ex 
is doing what it should; if it is (which seems likely to 
me), I suppose we need to inject a recursion counter to 
prevent the segfault.

The failing case is short, but I'll attach it (temp99.py) to 
avoid SF line mangling.  While the test uses pickle, same 
symptom if it's changed to use cPickle instead.

Jim Fulton's analysis:

"""
This is a very clever infinite loop.  The proxy doesn't
actually proxy, but it does manage to confuse reduce 
about what's going on.

reduce tries to figure out if it has been overridden by
asking whether the class's reduce is the same as
object.__reduce__. It doesn't expect to be lied to
about the class.  Things wouldn't have been so bad if
the proxy had proxied __reduce__ as well as __class__.
"""

The priority hasn't been bumped, because "the real 
code" from which this was whittled down wasn't doing 
what it needed to do anyway, and the recursion went 
away when the real code was repaired.

----------------------------------------------------------------------

Comment By: Žiga Seilnacht (zseil)
Date: 2006-04-01 03:43

Message:
Logged In: YES 
user_id=1326842


See patch #1462488. If that patch is accepted, this bug
should be closed as fixed.

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2006-03-15 06:05

Message:
Logged In: YES 
user_id=6380

Unassigning. I need to concentrate on Python 3000.

----------------------------------------------------------------------

Comment By: Georg Brandl (birkenfeld)
Date: 2006-01-10 22:58

Message:
Logged In: YES 
user_id=1188172

Still crashing with 2.5...

----------------------------------------------------------------------

Comment By: Nathan Srebro (nati)
Date: 2004-11-30 02:26

Message:
Logged In: YES 
user_id=63133

This infinite recursion also occurs in another place, that
got me stumped for a couple of days when old code that
worked with Python 2.2 stopped working.  If __class__ is not
fidgeted with (as in original bug report), but a descriptor
returns a custom reduce for the class, but not for its
objects, reduce enters an infinite loop on the object:

"""
class descriptor_for_reduce(object):
    def __get__(self,obj,tp=None):
        if obj is not None: return
super(ASpecialClass,obj).__reduce__
        return self.reducer
    def reducer(self,proto=None):
        return "VerySpecial"

class ASpecialClass(object):
    __reduce__ = descriptor_for_reduce()

copy.copy(ASpecialClass())
"""

ASpecialClass().__reduce__ is object.__reduce__, which is
implemented by typeobject.c:object_reduce_ex.  This function
(that doesn't know if its called as the __reduce__ or the
__reduce_ex__ method) tries to detect if the object's
__reduce__ is overridden.  It does so by checking if the
object's class's __reduce__ is overridden, and in fact it
is.  It then assumes that the object's __reduce__ is
overridden, and calls it.  But the object's __reduce__ is
the same function, causing the infinite loop.

If __reduce_ex__ is used instead of __reduce__, the problem
goes away, ASpecialClass().__reduce_ex__() return the usual
tuple, and ASpecialClass.__reduce_ex__() return
"VerySpecial".  But when __reduce__ is overridden,
ASpecialClass().__reduce__() enters an infinite loop.

I believe this is a legitimate example that should behave
just as when __reduce_ex__ is overridden.  The example
doesn't lie about __class__, and it is certainly legitimate
for define a property that behaves differently for the class
and for its objects.

Where did this come up and why would I ever care about a
class's __reduce__?  The __reduce__ attribute of a class is
never used by (the standard) pickle or copy, since
save_global() is called instead. However, I have a custom
pickler, implemented as a subclass of pickle.Pickler, which
falls back on the class's __reduce__ when save_global()
fails.  This way, I can pickle certain classes that are
created at run-time (and can be easily recreated, e.g. from
their bases and dictionaries).


----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2004-04-08 19:51

Message:
Logged In: YES 
user_id=31435

Hmm!  The temp99.py download link doesn't work for me.  
Here's the content in case it doesn't work for others either:

"""
import cPickle as pickle
from pickle import dumps

class SimpleItem:
    def __reduce__(self):
        return (self.__class__, None, {})

class Proxy(object):
    __class__ =  property(lambda self: self.__target.__class__)

    def __init__(self, target):
        self.__target = target

    def __getstate__(self):
        raise RuntimeError("No don't pickle me!  Aaarrgghh!")

p = Proxy(SimpleItem())
dumps(p)
"""

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=931877&group_id=5470

More information about the Python-bugs-list mailing list