search

IronLanguages / ironpython3

Implementation of Python 3.x for .NET Framework that is built on top of the Dynamic Language Runtime.
Apache License 2.0
2.49k stars 287 forks source link

Memory leak when assigning to a bytearray via subscripting. #1618

Open xiaxinmeng opened 1 year ago

xiaxinmeng commented 1 year ago

See the following code, we slice a bytearray object via subscripting, ironpython crashes. This test works well on CPython 3.9.0.

test.py


class X:
    def __index__(self):
        del b[0:0x10000]
        return 1

b = bytearray(b"A"*0x100)
b[::X()] = bytearray(b"B"*0x8000)

Error message:

>>'ironpython/ironpython3/bin/Debug/net6.0/ipy' test.py
.........
  at Microsoft.Scripting.Hosting.Shell.CommandLine.Run(ScriptEngine engine, IConsole console, ConsoleOptions options) in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/DLR/Src/Microsoft.Dynamic/Hosting/Shell/CommandLine.cs:line 100
   at Microsoft.Scripting.Hosting.Shell.ConsoleHost.RunCommandLine() in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/DLR/Src/Microsoft.Dynamic/Hosting/Shell/ConsoleHost.cs:line 386
   at Microsoft.Scripting.Hosting.Shell.ConsoleHost.ExecuteInternal() in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/DLR/Src/Microsoft.Dynamic/Hosting/Shell/ConsoleHost.cs:line 321
   at PythonConsoleHost.ExecuteInternal() in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/IronPythonConsole/Console.cs:line 165
   at Microsoft.Scripting.Hosting.Shell.ConsoleHost.Execute() in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/DLR/Src/Microsoft.Dynamic/Hosting/Shell/ConsoleHost.cs:line 299
   at Microsoft.Scripting.Hosting.Shell.ConsoleHost.Run(String[] args) in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/DLR/Src/Microsoft.Dynamic/Hosting/Shell/ConsoleHost.cs:line 197
   at PythonConsoleHost.Main(String[] args) in /home/xxm/Desktop/IFuzzer/experiment_on_different_interpreter/ironpython/ironpython3/Src/IronPythonConsole/Console.cs:line 199
Aborted (core dumped)

System info: ironpython3-debug(main branch):IronPython 3.4.0b1 DEBUG (3.4.0.0010)[.NETCoreApp,Version=v6.0 on .NET 6.0.11 (64-bit)] on linux operating system: Ubuntu 18.04.6 LTS

slozier commented 1 year ago

Thanks! Seems to hit an assertion error in debug mode.

slozier commented 1 year ago

This one is interesting, I guess would need to break up our slice evaluation into two steps. CPython introduced C APIs to do this in 3.6.1 (PySlice_Unpack and PySlice_AdjustIndices). I'm guessing to fix this very issue?

Interestingly we can crash the latest CPython with a variation...

class X:
    def __index__(self):
        b.extend(b"aaa")
        return 2

b = bytearray(b"A"*10)
b[::X()] = b"c" * 8
b