By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
464,706 Members | 1,301 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 464,706 IT Pros & Developers. It's quick & easy.

Segv in mmap.move()

P: n/a
Does anyone recognize this little Python crasher?

I'll file a bug report unless someone notices it as an already
documented bug. I found some open mmap bugs, but it wasn't
obvious to me that this problem was one of those...

Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>import mmap
data = mmap.mmap(-1, 1)
data.move(1,1,-1)
Segmenteringsfel (core dumped)

I first noticed the problem under Windows in 2.5.1.
Jul 23 '08 #1
Share this Question
Share on Google+
1 Reply

P: n/a


ma**********@gmail.com wrote:
Does anyone recognize this little Python crasher?

I'll file a bug report unless someone notices it as an already
documented bug. I found some open mmap bugs, but it wasn't
obvious to me that this problem was one of those...

Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>import mmap
data = mmap.mmap(-1, 1)
data.move(1,1,-1)
Segmenteringsfel (core dumped)

I first noticed the problem under Windows in 2.5.1.
On WinXP Py3.0b2, I see two bugs here.

1. For a length 1 sequence, the only offsets allowed should be 0.
However, I can index to what I suspect is a null terminator byte at
offset len(seq). This should be internally accessible only just as for
regular strings and bytes (which also have null terminators, I believe).
Indexing any farther past what should be the end gives the IndexError
I expected when indexing just past the end. (Slicing and iterating,
however, work correctly.)
>>import mmap
d=mmap.mmap(-1,5)
>>d[:]=b'abcde'
d[0], d[4],d[5]
(97, 101, 0)

2. Running your code, or d.move(1,2,-1), I get python.exe 'encountered a
problem ...shutting down ... Send report?' (yes) and window closed.
Running IDLE, same msg, but after send report, IDLE shell restarted. Cute.

Modules/mmapmodule.c - mmap_move_method declares count as unsigned.
Further experimentation shows that the problem is telling it to move
exactly -1 bytes, which I am sure gets translated to 2**32-1 = 4294967295 by
PyArg_ParseTuple(args, "kkk:move", &dest, &src, &count)
Passing 2**32-1 also crashes, while 2*32-2 and other bad values give
>>d.move(1,2,2**32-2)
Traceback (most recent call last):
File "<pyshell#51>", line 1, in <module>
d.move(1,2,2**32-2)
ValueError: source or destination out of range

I suspect the 2**32-1 bug is in C memmove, perhap inherited from a
common source.

I think either a)the docs should warn that a count of -1== 4294967295
(on 32bit machines) and just that may crash the interpreter or b) the
wrapper of the underlying C function should raise ValueError for -1
also. The goal of 'no crashes' suggests the latter if sensibly possible.

Terry Jan Reedy

Jul 23 '08 #2

This discussion thread is closed

Replies have been disabled for this discussion.