Uninitialized value usage of localspluskinds in assemble.c's makecode function

[ammaraskar]

Bug report

Bug description:

Recreator

./python -c "class i:[super for()in d]*[__class__*4for()in d]"
<string>:1: SyntaxWarning: invalid decimal literal
[1]    23793 segmentation fault  ./python -c "class i:[super for()in d]*[__class__*4for()in d]"

Details

This issue was found through the oss-fuzz compilation fuzzer. Here is the MSAN stack trace:

==691==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5661f67ca290 in get_localsplus_counts cpython3/Objects/codeobject.c:344:13
    #1 0x5661f67c95a7 in _PyCode_Validate cpython3/Objects/codeobject.c:433:5
    #2 0x5661f6a17be2 in makecode cpython3/Python/assemble.c:614:8
    #3 0x5661f6a17be2 in _PyAssemble_MakeCodeObject cpython3/Python/assemble.c:754:14
    #4 0x5661f612aa99 in optimize_and_assemble_code_unit cpython3/Python/compile.c:7655:10
    ...

 Uninitialized value was created by a heap allocation
    #0 0x5661f5b307b2 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1007:3
    #1 0x5661f675e32c in _PyBytes_FromSize cpython3/Objects/bytesobject.c:96:31
    #2 0x5661f675e00a in PyBytes_FromStringAndSize cpython3/Objects/bytesobject.c:129:27
    #3 0x5661f6a15d32 in makecode cpython3/Python/assemble.c:580:23
    #4 0x5661f6a15d32 in _PyAssemble_MakeCodeObject cpython3/Python/assemble.c:754:14
   ...

---

I haven't done any debugging yet but my hunch is that this code is hitting a path in compute_localsplus_info

cpython/Python/assemble.c

Line 475 in f912e5a

compute_localsplus_info(_PyCompile_CodeUnitMetadata *umd, int nlocalsplus,

that ends up not setting the localspluskinds made here

cpython/Python/assemble.c

Lines 580 to 587 in f912e5a

	localspluskinds = PyBytes_FromStringAndSize(NULL, nlocalsplus);
	if (localspluskinds == NULL) {
	goto error;
	}
	if (compute_localsplus_info(umd, nlocalsplus,
	localsplusnames, localspluskinds) == ERROR) {
	goto error;
	}

and when this eventually gets to _PyCode_Validate it causes it to read uninitialized memory.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

• gh-119666: fix multiple class-scope comprehensions referencing __class__ #120295
• [3.13] gh-119666: fix multiple class-scope comprehensions referencing __class__ (GH-120295) #120299
• [3.12] gh-119666: fix multiple class-scope comprehensions referencing __class__ (GH-120295) #120300

[alex]

Marked as security and crash, since msan indicates UB which are all provisionally security issues.

[ammaraskar]

cc @iritkatriel @markshannon as owners of assemble.c

[iritkatriel]

It seems that __class__ here is in u_varnames, u_cellvars and u_freevars.
There are two more args: .0 and super.

In optimize_and_assemble_code_unit it calculates that nlocalsplus is 4, which is incorrect. In compute_localsplus_info it populates 3 items in localsplus, and since it has size 4, this leaves entry 3 as NULL.

Question is whether this needs to be fixed in the compiler, or there is something here that should be rejected by the parser.

CC @carljm .

[iritkatriel]

CC @JelleZijlstra

[JelleZijlstra]

This should be fixed in the compiler; the code is legal. Here is a variation that runs fine in 3.11 but crashes (with a SystemError in this case) in 3.12:

class i: [super for _ in [1]] + [__class__ if False else 1 for _ in [2]]

[carljm]

Seems almost certainly related to comprehension inlining; I can take the investigation from here @iritkatriel if you want to assign to me.

[iritkatriel]

Done.