Skip to content

BUG: segfault from calling __class__ on functions like atleast_1d #28788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
devdanzin opened this issue Apr 20, 2025 · 0 comments
Open

BUG: segfault from calling __class__ on functions like atleast_1d #28788

devdanzin opened this issue Apr 20, 2025 · 0 comments
Labels
00 - Bug Priority: low Valid, but not for immediate attention

Comments

@devdanzin
Copy link

Describe the issue:

It's possible to segfault the interpreter by calling __class__ of certain functions.

Reproduce the code example:

import numpy
numpy.atleast_1d.__class__()

Error message:

Thread 1 "python" received signal SIGSEGV, Segmentation fault.

#0  0x00007ffff4359385 in dispatcher_dealloc ()
   from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#1  0x0000555555b70b19 in _Py_Dealloc (op=0x7fffb5c19cb0) at Objects/object.c:2939
#2  0x00007ffff4359c98 in dispatcher_new ()
   from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#3  0x0000555555bf74df in type_call (
    self=self@entry=0x7ffff4c38ac0 <PyArrayFunctionDispatcher_Type>, args=0x7fffb5b05090,
    kwds=kwds@entry=0x0) at Objects/typeobject.c:1985
#4  0x0000555555a48f82 in _PyObject_MakeTpCall (tstate=0x5555566c6300 <_PyRuntime+326528>,
    callable=0x7ffff4c38ac0 <PyArrayFunctionDispatcher_Type>, args=<optimized out>, nargs=0,
    keywords=0x0) at Objects/call.c:242
#5  0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
    frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#6  0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb544dc10,
    globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770)
    at Python/ceval.c:604
#7  0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb544dc10, globals=0x7fffb4755770,
    locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#8  builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x5290000057e0,
    nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#9  0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>,
    args=0x5290000057e0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#10 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>,
    callable=0x7fffb425e780, args=0x7fffb5b05090, nargsf=140737352520448,
    kwnames=0x7ffff4c38acc <PyArrayFunctionDispatcher_Type+12>)
    at ./Include/internal/pycore_call.h:168
#11 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
    frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#12 0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb4f01690,
    globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770)
    at Python/ceval.c:604
#13 0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb4f01690, globals=0x7fffb4755770,
    locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#14 builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x529000005380,
    nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#15 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>,
    args=0x529000005380, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#16 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>,
    callable=0x7fffb425e780, args=0x7fffb5b05090, nargsf=140737352520448,
    kwnames=0x7ffff4c38acc <PyArrayFunctionDispatcher_Type+12>)
    at ./Include/internal/pycore_call.h:168
#17 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
    frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#18 0x0000555555fbbba3 in pymain_run_module (modname=0x5555562e34a0 <str> L"_pyrepl",
    set_argv0=set_argv0@entry=0) at Modules/main.c:349
#19 0x0000555555fbd3a9 in pymain_run_stdin (
    config=config@entry=0x555556697d88 <_PyRuntime+136712>) at Modules/main.c:575
#20 0x0000555555fbac61 in pymain_run_python (exitcode=0x7fffffffd7e4) at Modules/main.c:699
#21 Py_RunMain () at Modules/main.c:775
#22 0x0000555555fbb73e in pymain_main (args=<optimized out>) at Modules/main.c:805
#23 0x0000555555fbb8a4 in Py_BytesMain (argc=1, argv=<optimized out>) at Modules/main.c:829
#24 0x00007ffff7c2a3b8 in __libc_start_call_main (main=main@entry=0x55555588a630 <main>,
    argc=argc@entry=1, argv=argv@entry=0x7fffffffdbc8)
    at ../sysdeps/nptl/libc_start_call_main.h:58
#25 0x00007ffff7c2a47b in __libc_start_main_impl (main=0x55555588a630 <main>, argc=1,
    argv=0x7fffffffdbc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffdbb8) at ../csu/libc-start.c:360
#26 0x00005555557a9105 in _start ()

Python and NumPy Versions:

2.3.0.dev0+git20250415.e151f0d
3.13.3+ experimental free-threading build (heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 (++20250114103253+cd708029e0b2-1exp120250114103309.40)]

Runtime Environment:

[{'numpy_version': '2.3.0.dev0+git20250415.e151f0d',
'python': '3.13.3+ experimental free-threading build '
'(heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 '
'(++20250114103253+cd708029e0b2-1exp120250114103309.40)]',
'uname': uname_result(system='Linux', node='beesknees', release='6.11.0-24-generic', version='https://github.com/numpy/numpy/pull/24-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 14 18:13:56 UTC 2025', machine='x86_64')},
{'simd_extensions': {'baseline': ['SSE', 'SSE2', 'SSE3'],
'found': ['SSSE3',
'SSE41',
'POPCNT',
'SSE42',
'AVX',
'F16C',
'FMA3',
'AVX2',
'AVX512F',
'AVX512CD',
'AVX512_SKX',
'AVX512_CLX',
'AVX512_CNL',
'AVX512_ICL'],
'not_found': ['AVX512_KNL', 'AVX512_KNM', 'AVX512_SPR']}},
{'architecture': 'SkylakeX',
'filepath': '/home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy.libs/libscipy_openblas64_-56d6093b.so',
'internal_api': 'openblas',
'num_threads': 16,
'prefix': 'libscipy_openblas',
'threading_layer': 'pthreads',
'user_api': 'blas',
'version': '0.3.29'}]

Context for the issue:

I have been fuzzing Numpy using fusil by @vstinner. I realize these crashes are unlikely to be triggered in normal usage and therefore might be of low priority.

The fuzzing was done with an ASAN free-threading clang build and not confirmed on a GILfull non-sanitizer GCC build yet.
@devdanzin devdanzin mentioned this issue Apr 22, 2025
Open
@seberg seberg added the Priority: low Valid, but not for immediate attention label Apr 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
00 - Bug Priority: low Valid, but not for immediate attention
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@seberg @devdanzin