← index #17728Issue #17846
Related · high · value 1.603
QUERY · ISSUE

segfault with improper use of super()

openby jepleropened 2025-07-20updated 2025-07-20
bug

Port, board and/or hardware

unix, coverage build

MicroPython version

MicroPython v1.26.0-preview.387.ge4e97f5aa7.dirty on 2025-07-20; linux [GCC 12.2.0] version

Reproduction

Run the following code:

import framebuf

class FB(framebuf.FrameBuffer):
    def __init__(self, n):
        self = n
        super().__init__(bytearray(2 * n * n), n, n, framebuf.RGB565)

fb = FB(n=3)

Expected behaviour

super() should not segfault.

Observed behaviour

crash in native_base_init_wrapper

Program received signal SIGSEGV, Segmentation fault.
0x00005555556120c7 in native_base_init_wrapper (n_args=5, args=0x7fffffffd6c0, 
    kw_args=0x7fffffffd510) at ../../py/objtype.c:91
91	    instance_count_native_bases(self->base.type, &native_base);
(gdb) p self
$1 = (mp_obj_instance_t *) 0x7

Additional Information

This is a minimized version of a script produced by fuzzing micropython.

Code of Conduct

Yes, I agree

CANDIDATE · ISSUE

framebuf: crash with incorrect usage (native subclassing?)

openby jepleropened 2025-08-06updated 2025-08-06
bug

Port, board and/or hardware

unix port, coverage build, x86_64 linux

MicroPython version

MicroPython v1.26.0-preview.524.g255d74b5a8 on 2025-08-06; linux [GCC 12.2.0] version

Reproduction

Run the following Python code:

import framebuf
class FB(framebuffer.FrameBuffer): pass
FB.pixel(0,0,0)

Expected behaviour

A TypeError or other appropriate error is raised

Observed behaviour

A segmentation fault.

MicroPython v1.26.0-preview.524.g255d74b5a8 on 2025-08-06; linux [GCC 12.2.0] version
Use Ctrl-D to exit, Ctrl-E for paste mode
>>> import framebuf
>>> class FB(framebuf.FrameBuffer): pass
... 
>>> FB.pixel(0,0,0)

Program received signal SIGSEGV, Segmentation fault.
0x0000555555634845 in framebuf_pixel (n_args=3, args_in=0x7fffffffda30)
    at ../../extmod/modframebuf.c:376
376	    if (0 <= x && x < self->width && 0 <= y && y < self->height) {
(gdb) where
#0  0x0000555555634845 in framebuf_pixel (n_args=3, args_in=0x7fffffffda30)
    at ../../extmod/modframebuf.c:376
#1  0x00005555555fdf8d in fun_builtin_var_call (
    self_in=0x555555711250 <framebuf_pixel_obj>, n_args=3, n_kw=0, args=0x7fffffffda30)
    at ../../py/objfun.c:123

Additional Information

This was found by fuzzing.

Incidentally, when there is NOT a subclass involved, the error is detected:

>>> framebuf.FrameBuffer.pixel(0,0,0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: argument should be a 'FrameBuffer' not a 'int'

Code of Conduct

Yes, I agree

Keyboard

j / / n
next pair
k / / p
previous pair
1 / / h
show query pane
2 / / l
show candidate pane
c
copy suggested comment
r
toggle reasoning
g i
go to index
?
show this help
esc
close overlays

press ? or esc to close

copied