Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting negative tp_dictoffset on PyLong subclass leads to crash #112743

Open
encukou opened this issue Dec 5, 2023 · 0 comments
Open

Setting negative tp_dictoffset on PyLong subclass leads to crash #112743

encukou opened this issue Dec 5, 2023 · 0 comments
Assignees
@markshannon
Labels
3.12 bugs and security fixes topic-C-API type-bug An unexpected behavior, bug, or error

Comments

@encukou
Copy link
Member

encukou commented Dec 5, 2023
edited
Loading

Bug report

Bug description:

In Python 3.12, it is no longer possible to subclass int by extending basicsize and setting a negative tp_dictoffset.

The 3.11 docs suggest that this might work:

A negative offset is more expensive to use, and should only be used when the instance structure contains a variable-length part. This is used for example to add an instance variable dictionary to subtypes of str or tuple.

That is, while int is not given as an explicit example, but there's nothing to imply it would be different than str or tuple.

Indeed, it works on Python 3.11, but fails in 3.12 when accessing the __dict__, as Python calls _PyObject_ComputedDictPointer, which tries to compute the dict offset using abs(ob_size), which is invalid for int on 3.12.

I'm not the best person to judge whether this is a bad bug, acceptable backwards-incompatible change, or perhaps it's a misuse of 3.11 API (but I can't see exactly how it's misused).

The 3.12 What's new does mention tp_dictoffset-related breaking changes:

The use of tp_dictoffset and tp_weaklistoffset is still supported, but does not fully support multiple inheritance (gh-95589), and performance may be worse.

But multiple inheritance is not in play here.

@markshannon, any thoughts?

Reproducer (hope I didn't simplify too much):

extmodule.c:

#include "Python.h"
#include "structmember.h"   // for PyMemberDef API in 3.11 & below

static PyTypeObject *basetype = &PyLong_Type;

static int
mod_exec(PyObject *m)
{
    PyObject *type = PyType_FromModuleAndSpec(
        m,
        &(PyType_Spec) {
            .name = "ext.MySubclass",
            .basicsize = basetype->tp_basicsize + sizeof(PyDictObject*),
            .flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
            .slots = (PyType_Slot[]) {
                {Py_tp_members, (PyMemberDef[]) {
                    {
                        "__dictoffset__", T_PYSSIZET,
                        -sizeof(PyDictObject*), READONLY},
                    {NULL},
                }},
                {0, 0}, 
            }},
        (PyObject*)basetype);
    if (!type) return -1;
    if (PyModule_AddType(m, (PyTypeObject*)type) == -1) return -1;
    Py_DECREF(type);

    return 0;
}

static struct PyModuleDef mod_def = {
    PyModuleDef_HEAD_INIT,
    .m_name = "ext",
    .m_slots = (PyModuleDef_Slot[]) {
        {Py_mod_exec, mod_exec},
        {0, NULL}
    },
};

PyMODINIT_FUNC
PyInit_ext(void)
{
    return PyModuleDef_Init(&mod_def);
}

repro.py:

import ext
print(ext)

obj = ext.MySubclass(1)
obj.attr = 'foo'
assert obj.attr == 'foo'

Compiling is tricky with distutils gone, but on Fedora a command to compile & run is:
gcc $(python3.12-config --cflags --ldflags) -fPIC --shared extmodule.c -o ext.so && python3.12d -Xdev repro.py

Crashes on 3.12, works on 3.11 or with basetype = &PyUnicode_Type.

CPython versions tested on:

3.11, 3.12

Operating systems tested on:

Linux
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.12 bugs and security fixes topic-C-API type-bug An unexpected behavior, bug, or error
2 participants
@encukou @markshannon