[Python-Dev] Before 2.5 - More signed integer overflows

Mon Sep 18 08:59:39 CEST 2006

On 9/17/06, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> Neal Norwitz schrieb:
> > I also tested the fix (see patch below) for the abs() issue and it
> > seemed to work for 4.1.1 on 64-bit.  I'll apply the patch to head and
> > 2.5 and a test after 2.5 is out.
>
> Please also add it to 2.4.

Yes

>
> > Index: Objects/intobject.c
> > ===================================================================
> > --- Objects/intobject.c (revision 51886)
> > +++ Objects/intobject.c (working copy)
> > @@ -763,7 +763,7 @@
> >        register long a, x;
> >        a = v->ob_ival;
> >        x = -a;
> > -       if (a < 0 && x < 0) {
> > +       if (a < 0 && (unsigned long)x == 0-(unsigned long)x) {
>
> Hmm. Shouldn't this drop 'x' and use 'a' instead? If a is
> -sys.maxint-1, -a is already undefined.

Yes, probably.  I didn't review carefully.

> P.S. As for finding these problems, I would have hoped that
> -ftrapv could help - unfortunately, gcc breaks with this
> option (consumes incredible amounts of memory).

I'm getting a crash when running test_builtin and test_calendar (at
least) with gcc 4.1.1 on amd64.  It's happening in pymalloc, though I
don't know what the cause is.  I thought I tested with gcc 4.1 before,
but probably would have been in debug mode.

n
--
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 22020)]
PyObject_Malloc (nbytes=40) at obmalloc.c:746
746                             if ((pool->freeblock = *(block **)bp) != NULL) {
(gdb) p bp
$1 = (block *) 0x2a9558d41800 <Address 0x2a9558d41800 out of bounds>
(gdb) l
741                              * Pick up the head block of its free list.
742                              */
743                             ++pool->ref.count;
744                             bp = pool->freeblock;
745                             assert(bp != NULL);
746                             if ((pool->freeblock = *(block **)bp) != NULL) {
747                                     UNLOCK();
748                                     return (void *)bp;
749                             }
750                             /*
(gdb) p *pool
$2 = {ref = {_padding = 0x1a <Address 0x1a out of bounds>, count = 26},
  freeblock = 0x2a9558d41800 <Address 0x2a9558d41800 out of bounds>,
  nextpool = 0x2a95eac000, prevpool = 0x620210, arenaindex = 0, szidx = 4,
  nextoffset = 4088, maxnextoffset = 4056}
(gdb) p size
$3 = 4