coveragepy
null array indexing in coverage/ctracer/tracer.c
This issue was found by running UndefinedBehaviourSanitizer in our internal builds at Google: coverage/ctracer/tracer.c's CTracer_handle_return() is sometimes called in situations where self->pdata_stack->stack is NULL after the call to CTracer_set_pdata_stack(), but CTracer_handle_return() still tries to index the stack to set self->pcur_entry. As far as I can tell self->pdata_stack->depth is always -1 in that case, meaning the NULL array gets indexed with a non-0 index (that would also be out of bounds). I can't tell if this is intentional or not (i.e. whether the resulting value of self->pcur_entry actually matters).
Here's a diff to reproduce the error without ubsan:
--- a/coverage/ctracer/tracer.c
+++ b/coverage/ctracer/tracer.c
@@ -722,6 +722,11 @@ CTracer_handle_return(CTracer *self, PyFrameObject *frame)
if (CTracer_set_pdata_stack(self) < 0) {
goto error;
}
+ if (self->pdata_stack->stack == NULL) {
+ fprintf(stderr, "stack = NULL, depth = %d\n",
+ self->pdata_stack->depth);
+ abort();
+ }
self->pcur_entry = &self->pdata_stack->stack[self->pdata_stack->depth];
if (self->pdata_stack->depth >= 0) {
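Review bot: The added `+ if (self->pdata_stack->stack == NULL)` block only detects the condition and aborts; the defect it exposes is the unconditional `self->pcur_entry = &self->pdata_stack->stack[self->pdata_stack->depth];` that follows, which forms a pointer from a NULL base and (per the report) an index of -1, and that pointer arithmetic is undefined behaviour in C whether or not the result is ever dereferenced. For a real fix, move that assignment inside the `if (self->pdata_stack->depth >= 0)` branch that already follows it (or set `self->pcur_entry = NULL` in the negative-depth case), and check that no later reader of pcur_entry depends on the out-of-range value.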