Union within structure causes segfault

Bug #1026224 reported by avxs on 2012-07-18
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python2.7 (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
python3.2 (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned

Bug Description

The following C program and python script result in a segmentation fault of the Python interpreter.

C program:

typedef struct AVS_Value AVS_Value;
struct AVS_Value {
 short type;
 short array_size;
 union {
  void* clip;
  long boolean;
  int integer;
  float floating;
  const char* string;
  const AVS_Value* val;
 } d;
};

int avs_set_var(void* p, const char* n, AVS_Value v) {
 return 0;
}

Python script:

import ctypes

avidll = ctypes.CDLL("./libtestlib.so")

class AVS_Value(ctypes.Structure, object):
    def __init__(self, val=None):
        self.type = 0 # 'i'
        self.array_size = 1
        self.d.i = 2

class U(ctypes.Union):
    _fields_ = [("c", ctypes.c_void_p),
                ("b", ctypes.c_long),
                ("i", ctypes.c_int),
                ("f", ctypes.c_float),
                ("s", ctypes.c_char_p),
                ("a", ctypes.POINTER(AVS_Value))]

AVS_Value._fields_ = [("type", ctypes.c_short),
                      ("array_size", ctypes.c_short),
                      ("d", U)]

avs_set_var = avidll.avs_set_var
avs_set_var.restype = ctypes.c_int
avs_set_var.argtypes = [ctypes.c_void_p, ctypes.c_char_p, AVS_Value]

print avs_set_var(ctypes.c_void_p(), b'test', AVS_Value())

Run like this:
$ gcc -shared -O0 mylib.c -o libmylib.so
$ python test.py
(segmentation fault)

(gdb) bt
#0 0x00007ffff61d6490 in examine_argument () from /usr/lib/python2.7/lib-dynload/_ctypes.so
#1 0x00007ffff61d65ba in ffi_prep_cif_machdep () from /usr/lib/python2.7/lib-dynload/_ctypes.so
#2 0x00007ffff61d3447 in ffi_prep_cif () from /usr/lib/python2.7/lib-dynload/_ctypes.so
#3 0x00007ffff61c7275 in _ctypes_callproc () from /usr/lib/python2.7/lib-dynload/_ctypes.so
#4 0x00007ffff61c7aa2 in PyCFuncPtr_call.2798 () from /usr/lib/python2.7/lib-dynload/_ctypes.so
#5 0x00000000004c7c76 in PyObject_Call ()
#6 0x000000000042aa4a in PyEval_EvalFrameEx ()
#7 0x00000000004317f2 in PyEval_EvalCodeEx ()
#8 0x000000000054b171 in PyRun_FileExFlags ()
#9 0x000000000054b7d8 in PyRun_SimpleFileExFlags ()
#10 0x000000000054c5d6 in Py_Main ()
#11 0x00007ffff68e576d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x000000000041b931 in _start ()

For reference, I tried this on 64-bit Natty and 32-bit Precise, both of which succeeded. The Python 3.2 interpreter also suffers from this issue.

Matthias Klose (doko) wrote :

this works with 2.7 and 3.3 in raring (13.04). Needs identifying the corresponding patch for 12.04 LTS. Maybe you could recheck with a recent libffi backported to 12.04 LTS?

Changed in python2.7 (Ubuntu):
status: New → Fix Released
Changed in python3.2 (Ubuntu):
status: New → Fix Released
Changed in python2.7 (Ubuntu Precise):
milestone: none → precise-updates
Changed in python3.2 (Ubuntu Precise):
milestone: none → precise-updates
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers