BUG: Slot * of type X succeeded with an exception set #28786
Description
Describe the issue:
It's possible to make the interpreter abort with a Fatal Python error by calling many different functions/methods with invalid values, where type X can also vary.
Reproduce the code example:
import numpy
numpy.convolve.__wrapped__('a', [list[int], 1])
# or
numpy.polymul._implementation('a', [list[int], 1])Error message:
Fatal Python error: _Py_CheckSlotResult: Slot * of type int succeeded with an exception set
Python runtime state: initialized
TypeError: can't multiply sequence by non-int of type 'types.GenericAlias'
Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg (total: 2)
Aborted
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7c4519e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7c28902 in __GI_abort () at ./stdlib/abort.c:79
#5 0x0000555555f13714 in fatal_error_exit (status=status@entry=-1) at Python/pylifecycle.c:3160
#6 0x0000555555f133de in fatal_error (fd=fd@entry=2, header=header@entry=0, prefix=prefix@entry=0x0, msg=msg@entry=0x0, status=status@entry=-1) at Python/pylifecycle.c:3376
#7 0x0000555555f136ee in _Py_FatalErrorFormat (func=<optimized out>, format=<optimized out>) at Python/pylifecycle.c:3422
#8 0x0000555555a48370 in _Py_CheckSlotResult (obj=obj@entry=0x55555667dd38 <_PyRuntime+30136>, slot_name=slot_name@entry=0x555556194b60 <str> "*", success=<optimized out>)
at Objects/call.c:80
#9 0x00005555559f2833 in binary_op1 (v=0x55555667dd38 <_PyRuntime+30136>, w=0x555556692dd0 <_PyRuntime+116304>, op_slot=op_slot@entry=16, op_name=0x555556194b60 <str> "*")
at Objects/abstract.c:962
#10 0x00005555559f2bc8 in PyNumber_Multiply (v=0x40851, w=0x40851) at Objects/abstract.c:1179
#11 0x00007ffff4241cf3 in OBJECT_dot () from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#12 0x00007ffff43d0fda in _pyarray_correlate () from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#13 0x00007ffff43d23a2 in PyArray_Correlate () from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#14 0x00007ffff43d25a4 in array_correlate () from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#15 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>, args=0x5290000058d0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#16 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>, callable=0x7fffb4bd8040, args=0x40851, nargsf=6, kwnames=0x0)
at ./Include/internal/pycore_call.h:168
#17 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#18 0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb5461690, globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770) at Python/ceval.c:604
#19 0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb5461690, globals=0x7fffb4755770, locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#20 builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x5290000057e0, nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#21 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>, args=0x5290000057e0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#22 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>, callable=0x7fffb425e780, args=0x40851, nargsf=6, kwnames=0x0)
at ./Include/internal/pycore_call.h:168
#23 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#24 0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb4f01690, globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770) at Python/ceval.c:604
#25 0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb4f01690, globals=0x7fffb4755770, locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#26 builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x529000005380, nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#27 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>, args=0x529000005380, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#28 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>, callable=0x7fffb425e780, args=0x40851, nargsf=6, kwnames=0x0)
at ./Include/internal/pycore_call.h:168
#29 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#30 0x0000555555fbbba3 in pymain_run_module (modname=0x5555562e34a0 <str> L"_pyrepl", set_argv0=set_argv0@entry=0) at Modules/main.c:349
#31 0x0000555555fbd3a9 in pymain_run_stdin (config=config@entry=0x555556697d88 <_PyRuntime+136712>) at Modules/main.c:575
#32 0x0000555555fbac61 in pymain_run_python (exitcode=0x7fffffffd7e4) at Modules/main.c:699
#33 Py_RunMain () at Modules/main.c:775
#34 0x0000555555fbb73e in pymain_main (args=<optimized out>) at Modules/main.c:805
#35 0x0000555555fbb8a4 in Py_BytesMain (argc=1, argv=<optimized out>) at Modules/main.c:829Python and NumPy Versions:
2.3.0.dev0+git20250415.e151f0d
3.13.3+ experimental free-threading build (heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 (++20250114103253+cd708029e0b2-1exp120250114103309.40)]
Runtime Environment:
{'numpy_version': '2.3.0.dev0+git20250415.e151f0d',
'python': '3.13.3+ experimental free-threading build '
'(heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 '
'(++20250114103253+cd708029e0b2-1exp120250114103309.40)]',
'uname': uname_result(system='Linux', node='beesknees', release='6.11.0-24-generic', version='https://github.com/numpy/numpy/pull/24-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 14 18:13:56 UTC 2025', machine='x86_64')},
{'simd_extensions': {'baseline': ['SSE', 'SSE2', 'SSE3'],
'found': ['SSSE3',
'SSE41',
'POPCNT',
'SSE42',
'AVX',
'F16C',
'FMA3',
'AVX2',
'AVX512F',
'AVX512CD',
'AVX512_SKX',
'AVX512_CLX',
'AVX512_CNL',
'AVX512_ICL'],
'not_found': ['AVX512_KNL', 'AVX512_KNM', 'AVX512_SPR']}},
{'architecture': 'SkylakeX',
'filepath': '/home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy.libs/libscipy_openblas64_-56d6093b.so',
'internal_api': 'openblas',
'num_threads': 16,
'prefix': 'libscipy_openblas',
'threading_layer': 'pthreads',
'user_api': 'blas',
'version': '0.3.29'}]
Context for the issue:
I have been fuzzing Numpy using fusil by @vstinner. I realize these crashes are unlikely to be triggered in normal usage and therefore might be of low priority.
The fuzzing was done with an ASAN free-threading clang build and not confirmed on a GILfull non-sanitizer GCC build yet.