Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is there a length limit to python's eval?

Tags:

I'm not advocating that this would ever be a good idea, but I've found that you can crash Python (2.7 and 3.2 checked) by running eval on a large enough input string:

def kill_python(N):     S = '+'.join((str(n) for n in xrange(N)))     return eval(S) 

On my computer S can be generated just fine, but for values of approximately N>74900, Python will fail with Segmentation fault (core dumped). Is there a limit to the length of string (or parse tree) that the interpreter can handle?

Note: I don't need to do this, to me this is a deeper question reflecting my ignorance of what goes on inside the box. I'd like to understand why Python fails here, and so catastrophically (why not throw an exception?)

like image 728
Hooked Avatar asked Jul 24 '12 16:07

Hooked


People also ask

Why is eval not recommended?

Reasons to Avoid Using eval() Here's some of the reasons to avoid using it: Malicious code : invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username.

What can I use instead of eval in Python?

literal_eval may be a safer alternative. literal_eval() would only evaluate literals, not algebraic expressions.

What is the purpose of eval in Python?

Answer: eval is a built-in- function used in python, eval function parses the expression argument and evaluates it as a python expression. In simple words, the eval function evaluates the “String” like a python expression and returns the result as an integer.

What is the use of eval () method in List explain with an example?

In this program, expression can have sqrt() method and variable a only. All other methods and variables are unavailable. Restricting the use of eval() by passing globals and locals dictionaries will make your code secure particularly when you are using input provided by the user to the eval() method.


1 Answers

This issue is caused by a stack overflow in the CPython compiler. An easy way to reproduce the same issue is

>>> code = compile("1" + "+1" * 1000000, "", "eval") Segmentation fault 

which proves that the segfault is happening at the compile stage, not during evaluation. (Of course this is also easy to confirm with gdb.)

[Side note: For smaller expressions, the compiler would apply constant folding here anyway, so the only thing happening during the execution of the code is to load the result:

>>> code = compile("1" + "+1" * 1000, "", "eval") >>> eval(code) 1001 >>> dis.dis(code)   1           0 LOAD_CONST            1000 (1001)               3 RETURN_VALUE         

End of side note.]

This issue is a known defect. The Python developers collected several ways to crash the Python interpreter in the directory Lib/test/crashers of the source distribution. The one corresponding to this issue is Lib/test/crashers/compiler_recursion.py.

like image 162
Sven Marnach Avatar answered Sep 23 '22 17:09

Sven Marnach