Closed
Description
Describe the issue:
It's possible to segfault the interpreter by calling __class__ of certain functions.
Reproduce the code example:
import numpy
numpy.atleast_1d.__class__()
Error message:
Thread 1 "python" received signal SIGSEGV, Segmentation fault.
#0 0x00007ffff4359385 in dispatcher_dealloc ()
from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#1 0x0000555555b70b19 in _Py_Dealloc (op=0x7fffb5c19cb0) at Objects/object.c:2939
#2 0x00007ffff4359c98 in dispatcher_new ()
from /home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy/_core/_multiarray_umath.cpython-313t-x86_64-linux-gnu.so
#3 0x0000555555bf74df in type_call (
self=self@entry=0x7ffff4c38ac0 <PyArrayFunctionDispatcher_Type>, args=0x7fffb5b05090,
kwds=kwds@entry=0x0) at Objects/typeobject.c:1985
#4 0x0000555555a48f82 in _PyObject_MakeTpCall (tstate=0x5555566c6300 <_PyRuntime+326528>,
callable=0x7ffff4c38ac0 <PyArrayFunctionDispatcher_Type>, args=<optimized out>, nargs=0,
keywords=0x0) at Objects/call.c:242
#5 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#6 0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb544dc10,
globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770)
at Python/ceval.c:604
#7 0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb544dc10, globals=0x7fffb4755770,
locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#8 builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x5290000057e0,
nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#9 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>,
args=0x5290000057e0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#10 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>,
callable=0x7fffb425e780, args=0x7fffb5b05090, nargsf=140737352520448,
kwnames=0x7ffff4c38acc <PyArrayFunctionDispatcher_Type+12>)
at ./Include/internal/pycore_call.h:168
#11 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#12 0x0000555555dac3eb in PyEval_EvalCode (co=co@entry=0x7fffb4f01690,
globals=globals@entry=0x7fffb4755770, locals=locals@entry=0x7fffb4755770)
at Python/ceval.c:604
#13 0x0000555555da0ac6 in builtin_exec_impl (source=0x7fffb4f01690, globals=0x7fffb4755770,
locals=0x7fffb4755770, closure=0x0, module=<optimized out>) at Python/bltinmodule.c:1143
#14 builtin_exec (module=<optimized out>, args=<optimized out>, args@entry=0x529000005380,
nargs=nargs@entry=2, kwnames=kwnames@entry=0x0) at Python/clinic/bltinmodule.c.h:556
#15 0x0000555555b645ca in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<optimized out>,
args=0x529000005380, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:441
#16 0x0000555555a484db in _PyObject_VectorcallTstate (tstate=0x5555566c6300 <_PyRuntime+326528>,
callable=0x7fffb425e780, args=0x7fffb5b05090, nargsf=140737352520448,
kwnames=0x7ffff4c38acc <PyArrayFunctionDispatcher_Type+12>)
at ./Include/internal/pycore_call.h:168
#17 0x0000555555dbd570 in _PyEval_EvalFrameDefault (tstate=<optimized out>,
frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
#18 0x0000555555fbbba3 in pymain_run_module (modname=0x5555562e34a0 <str> L"_pyrepl",
set_argv0=set_argv0@entry=0) at Modules/main.c:349
#19 0x0000555555fbd3a9 in pymain_run_stdin (
config=config@entry=0x555556697d88 <_PyRuntime+136712>) at Modules/main.c:575
#20 0x0000555555fbac61 in pymain_run_python (exitcode=0x7fffffffd7e4) at Modules/main.c:699
#21 Py_RunMain () at Modules/main.c:775
#22 0x0000555555fbb73e in pymain_main (args=<optimized out>) at Modules/main.c:805
#23 0x0000555555fbb8a4 in Py_BytesMain (argc=1, argv=<optimized out>) at Modules/main.c:829
#24 0x00007ffff7c2a3b8 in __libc_start_call_main (main=main@entry=0x55555588a630 <main>,
argc=argc@entry=1, argv=argv@entry=0x7fffffffdbc8)
at ../sysdeps/nptl/libc_start_call_main.h:58
#25 0x00007ffff7c2a47b in __libc_start_main_impl (main=0x55555588a630 <main>, argc=1,
argv=0x7fffffffdbc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffdbb8) at ../csu/libc-start.c:360
#26 0x00005555557a9105 in _start ()
Python and NumPy Versions:
2.3.0.dev0+git20250415.e151f0d
3.13.3+ experimental free-threading build (heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 (++20250114103253+cd708029e0b2-1exp120250114103309.40)]
Runtime Environment:
[{'numpy_version': '2.3.0.dev0+git20250415.e151f0d',
'python': '3.13.3+ experimental free-threading build '
'(heads/3.13:83cb89b941b, Apr 18 2025, 20:59:43) [Clang 19.1.7 '
'(++20250114103253+cd708029e0b2-1exp120250114103309.40)]',
'uname': uname_result(system='Linux', node='beesknees', release='6.11.0-24-generic', version='#24-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 14 18:13:56 UTC 2025', machine='x86_64')},
{'simd_extensions': {'baseline': ['SSE', 'SSE2', 'SSE3'],
'found': ['SSSE3',
'SSE41',
'POPCNT',
'SSE42',
'AVX',
'F16C',
'FMA3',
'AVX2',
'AVX512F',
'AVX512CD',
'AVX512_SKX',
'AVX512_CLX',
'AVX512_CNL',
'AVX512_ICL'],
'not_found': ['AVX512_KNL', 'AVX512_KNM', 'AVX512_SPR']}},
{'architecture': 'SkylakeX',
'filepath': '/home/danzin/venvs/3.13_upstream_fusil_venv/lib/python3.13t/site-packages/numpy.libs/libscipy_openblas64_-56d6093b.so',
'internal_api': 'openblas',
'num_threads': 16,
'prefix': 'libscipy_openblas',
'threading_layer': 'pthreads',
'user_api': 'blas',
'version': '0.3.29'}]
Context for the issue:
I have been fuzzing NumPy using fusil by @vstinner. I realize these crashes are unlikely to be triggered in normal usage and therefore might be of low priority.
The fuzzing was done with an ASAN free-threading clang build and not confirmed on a GILfull non-sanitizer GCC build yet.
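The reproducer above is one instance of a general probe: take an object exported by a C extension, fetch its type, and call that type with no arguments, which exercises the type's tp_new/tp_dealloc error path with a partially initialised object. The harness below is an added example written for this page; it is not code from the NumPy issue, from NumPy, or from fusil. It generalises the one-liner to every public attribute of a module and runs each attempt in a throw-away child interpreter, so a SIGSEGV kills the child instead of the harness and can be classified from the exit status. The heap-type filter is a heuristic of this example (static C types have `Py_TPFLAGS_HEAPTYPE` clear; extension types built with `PyType_FromSpec` are heap types and would be skipped by it). Signal-based exit codes assume a POSIX platform.

```python
"""Probe whether ``type(obj)()`` crashes the interpreter for objects
exported by a module.  Added example, not part of the original report.

Each attempt runs in a fresh child interpreter: an ordinary Python
exception exits the child with status 1, while a crash in C code ends it
with a signal, which subprocess reports as a negative return code.
"""
import importlib
import signal
import subprocess
import sys
import textwrap

PY_TPFLAGS_HEAPTYPE = 1 << 9   # from CPython's object.h

# Code executed in the child.  It mirrors the report's reproducer
# (``numpy.atleast_1d.__class__()``) for an arbitrary module attribute.
_CHILD_TEMPLATE = textwrap.dedent("""\
    import importlib, sys
    mod = importlib.import_module({module!r})
    obj = getattr(mod, {attr!r})
    try:
        type(obj)()
    except Exception as exc:
        print(type(exc).__name__)
        sys.exit(1)
    sys.exit(0)
""")


def classify(returncode: int) -> str:
    """Map a child's exit status to an outcome label.

    0 means the no-argument constructor succeeded, a positive status means
    Python raised, and a negative status is the number of the signal that
    killed the child (subprocess convention on POSIX).
    """
    if returncode == 0:
        return "constructed"
    if returncode > 0:
        return "exception"
    sig = signal.Signals(-returncode)
    if sig in (signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS):
        return "crash:" + sig.name
    return "signal:" + sig.name


def probe_snippet(code: str, timeout: float = 60.0) -> str:
    """Run ``code`` in a child interpreter and classify how it ended."""
    try:
        proc = subprocess.run(
            [sys.executable, "-X", "faulthandler", "-c", code],
            capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode)


def probe_attr(module: str, attr: str) -> str:
    """Instantiate type(module.attr)() in a child and classify the result."""
    return probe_snippet(_CHILD_TEMPLATE.format(module=module, attr=attr))


def probe_module(module: str, only_static_types: bool = True) -> dict:
    """Probe every public attribute of ``module``; return {name: outcome}.

    With ``only_static_types`` the probe is restricted to objects whose type
    is a static (non-heap) type, the usual shape of a C extension type such
    as NumPy's PyArrayFunctionDispatcher_Type.  This is a heuristic filter.
    """
    mod = importlib.import_module(module)
    results = {}
    for name in dir(mod):
        if name.startswith("_"):
            continue
        try:
            obj = getattr(mod, name)
        except Exception:          # lazily resolved attributes may raise
            continue
        if only_static_types and type(obj).__flags__ & PY_TPFLAGS_HEAPTYPE:
            continue
        results[name] = probe_attr(module, name)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "builtins"
    for name, outcome in sorted(probe_module(target).items()):
        if outcome.startswith(("crash", "signal", "timeout")):
            print(f"{target}.{name}: {outcome}")
```

Run it as `python probe.py numpy` against a build of the affected version to list every exported object whose type cannot survive a bare constructor call; with a sanitizer build of the interpreter the child's stderr (captured by `subprocess.run`) carries the ASAN report for each crash.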