BUG: PyArray_BufferConverter is unsafe

This function:

  1. Calls PyObject_GetBuffer
  2. Extracts a data pointer
  3. Calls PyBuffer_Release
  4. Returns the pointer to the caller

PyBuffer_Release calls PyBufferProcs.bf_releasebuffer(PyObject *exporter, Py_buffer *view), which according to the docs may “free all memory associated with view”, and gives no requirement that view remains alive as long as exporter.

So in principle a type that allocates a buffer for itself on the fly in bf_getbuffer and deletes it when the last user releases it will cause a use-after-free in numpy.

I don’t know if any implementers of the buffer protocol actually do this, but my reading of it is that they are permitted to.
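
The pattern described in this issue, as an added example that is not part of the original issue and is neither NumPy's nor CPython's code: a simplified stand-alone C model in which `Exporter`, `View`, `Chunk` and all function names are hypothetical stand-ins for the exporting object, `Py_buffer` and `PyArray_Chunk`. It contrasts the four-step converter with a caller that holds the view until after its last read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of the buffer protocol; every name here is hypothetical. */
typedef struct { unsigned char *storage; int exports; size_t len; } Exporter;
typedef struct { Exporter *obj; unsigned char *buf; size_t len; } View;
typedef struct { unsigned char *ptr; size_t len; } Chunk;

/* bf_getbuffer analogue: storage is allocated on the first export. */
int get_buffer(Exporter *e, View *v) {
    if (e->exports == 0) {
        e->storage = malloc(e->len);
        if (e->storage == NULL) return -1;
        memset(e->storage, 7, e->len);   /* constructed sample contents */
    }
    e->exports++;
    v->obj = e; v->buf = e->storage; v->len = e->len;
    return 0;
}

/* bf_releasebuffer analogue: the last release frees the storage. */
void release_buffer(View *v) {
    Exporter *e = v->obj;
    if (--e->exports == 0) { free(e->storage); e->storage = NULL; }
}

/* The four steps from the issue: the returned pointer outlives the view. */
int unsafe_convert(Exporter *e, Chunk *out) {
    View v;
    if (get_buffer(e, &v) != 0) return -1;
    out->ptr = v.buf; out->len = v.len;
    release_buffer(&v);   /* this exporter frees its storage here */
    return 0;             /* out->ptr must not be dereferenced any more */
}

/* Safer shape: keep the view until after the last read, then release it. */
long sum_with_view(Exporter *e) {
    View v; long total = 0;
    if (get_buffer(e, &v) != 0) return -1;
    for (size_t i = 0; i < v.len; i++) total += v.buf[i];
    release_buffer(&v);
    return total;
}

int main(void) {
    Exporter e = { NULL, 0, 4 }; Chunk c = { NULL, 0 };
    int rc = unsafe_convert(&e, &c);
    printf("chunk len=%zu storage live=%d safe sum=%ld\n", c.len, e.storage != NULL, sum_with_view(&e));
    return rc;
}
```

After `unsafe_convert` returns, the chunk still reports a length of 4 while the exporter holds no storage, which is the dangling state the issue describes.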

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
seberg commented, Jan 27, 2020

Was going to open, but then went to lunch first: https://bugs.python.org/issue39471. I may look into proposing actual changes to the text. If we can agree on my interpretation, we can clean up very ugly and very slow code in the buffer protocol implementation (it currently slows down scalar math by 20+%). (EDIT: But I suppose only after Python fixes their ArgParse code 😦)

1 reaction
seberg commented, Jan 27, 2020

This is strange. I think I would like if the buffer interface specified that while the buffer struct fields (such as strides, etc.) get free’d by PyBuffer_Release the actual memory pointed to must be owned by the original object (this would solve our problem with the very annoying _dealloc_cached_buffer_info). I think this is the intention and true, but…

Now this function returns a PyArray_Chunk and not a buffer, so if you make the clarification that I say above, it is actually completely fine.
