为什么 python 的 eval 有长度限制?

2022-01-12 00:00:00 python eval segmentation-fault

问题描述

我并不主张这将是一个好主意,但我发现您可以通过在足够大的输入字符串上运行 eval 来使 Python 崩溃(检查 2.7 和 3.2):

I'm not advocating that this would ever be a good idea, but I've found that you can crash Python (2.7 and 3.2 checked) by running eval on a large enough input string:

def kill_python(N):
    S = '+'.join((str(n) for n in xrange(N)))
    return eval(S)

在我的电脑上 S 可以很好地生成,但是对于大约 N>74900 的值,Python 将失败并出现 Segmentation fault (core dumped).解释器可以处理的字符串(或解析树)的长度是否有限制?

On my computer S can be generated just fine, but for values of approximately N>74900, Python will fail with Segmentation fault (core dumped). Is there a limit to the length of string (or parse tree) that the interpreter can handle?

注意:我不需要这样做,对我来说这是一个更深层次的问题,反映出我对盒子里发生的事情一无所知.我想了解为什么 Python 在这里失败了,而且是灾难性的(为什么不抛出异常?)

Note: I don't need to do this, to me this is a deeper question reflecting my ignorance of what goes on inside the box. I'd like to understand why Python fails here, and so catastrophically (why not throw an exception?)


解决方案

这个问题是由 CPython 编译器中的堆栈溢出引起的.重现相同问题的简单方法是

This issue is caused by a stack overflow in the CPython compiler. An easy way to reproduce the same issue is

>>> code = compile("1" + "+1" * 1000000, "", "eval")
Segmentation fault

这证明段错误发生在编译阶段,而不是评估期间.(当然这个用gdb也很容易确认.)

which proves that the segfault is happening at the compile stage, not during evaluation. (Of course this is also easy to confirm with gdb.)

[旁注:对于较小的表达式,编译器无论如何都会在此处应用常量折叠,因此在代码执行期间唯一发生的事情就是加载结果:

[Side note: For smaller expressions, the compiler would apply constant folding here anyway, so the only thing happening during the execution of the code is to load the result:

>>> code = compile("1" + "+1" * 1000, "", "eval")
>>> eval(code)
1001
>>> dis.dis(code)
  1           0 LOAD_CONST            1000 (1001)
              3 RETURN_VALUE        

旁注结束.]

此问题是已知缺陷.Python 开发人员在 目录 Lib/test/crashes 的源代码分发.与此问题对应的是 Lib/测试/crashers/compiler_recursion.py.

This issue is a known defect. The Python developers collected several ways to crash the Python interpreter in the directory Lib/test/crashers of the source distribution. The one corresponding to this issue is Lib/test/crashers/compiler_recursion.py.

相关文章