Add tests for accessing uninitialized holders

Author: XuehaiPan

tests/CMakeLists.txt

@@ -148,6 +148,7 @@ set(PYBIND11_TEST_FILES
     test_exceptions
     test_factory_constructors
     test_gil_scoped
+    test_invalid_holder_access
     test_iostream
     test_kwargs_and_defaults
     test_local_bindings

tests/pybind11_tests.cpp

@@ -75,6 +75,19 @@ const char *cpp_std() {
 #endif
 }
 
+int cpp_std_num() {
+    return
+#if defined(PYBIND11_CPP20)
+        20;
+#elif defined(PYBIND11_CPP17)
+        17;
+#elif defined(PYBIND11_CPP14)
+        14;
+#else
+        11;
+#endif
+}
+
 PYBIND11_MODULE(pybind11_tests, m, py::mod_gil_not_used()) {
     m.doc() = "pybind11 test module";
 
@@ -88,6 +101,7 @@ PYBIND11_MODULE(pybind11_tests, m, py::mod_gil_not_used()) {
     m.attr("compiler_info") = py::none();
 #endif
     m.attr("cpp_std") = cpp_std();
+    m.attr("cpp_std_num") = cpp_std_num();
     m.attr("PYBIND11_INTERNALS_ID") = PYBIND11_INTERNALS_ID;
     // Free threaded Python uses UINT32_MAX for immortal objects.
     m.attr("PYBIND11_REFCNT_IMMORTAL") = UINT32_MAX;

tests/test_invalid_holder_access.cpp

@@ -0,0 +1,93 @@
+#include "pybind11_tests.h"
+
+#include <Python.h>
+#include <memory>
+#include <vector>
+
+class VectorOwns4PythonObjects {
+public:
+    void append(const py::object &obj) {
+        if (size() >= 4) {
+            throw std::out_of_range("Index out of range");
+        }
+        vec.emplace_back(obj);
+    }
+
+    void set_item(py::ssize_t i, const py::object &obj) {
+        if (!(i >= 0 && i < size())) {
+            throw std::out_of_range("Index out of range");
+        }
+        vec[py::size_t(i)] = obj;
+    }
+
+    py::object get_item(py::ssize_t i) const {
+        if (!(i >= 0 && i < size())) {
+            throw std::out_of_range("Index out of range");
+        }
+        return vec[py::size_t(i)];
+    }
+
+    py::ssize_t size() const { return py::ssize_t_cast(vec.size()); }
+
+    bool is_empty() const { return vec.empty(); }
+
+    void sanity_check() const {
+        auto current_size = size();
+        if (current_size < 0 || current_size > 4) {
+            throw std::out_of_range("Invalid size");
+        }
+    }
+
+    static int tp_traverse(PyObject *self_base, visitproc visit, void *arg) {
+#if PY_VERSION_HEX >= 0x03090000 // Python 3.9
+        Py_VISIT(Py_TYPE(self_base));
+#endif
+        auto *const instance = reinterpret_cast<py::detail::instance *>(self_base);
+        if (!instance->get_value_and_holder().holder_constructed()) {
+            // The holder has not been constructed yet. Skip the traversal to avoid segmentation
+            // faults.
+            return 0;
+        }
+        auto &self = py::cast<VectorOwns4PythonObjects &>(py::handle{self_base});
+        for (const auto &obj : self.vec) {
+            Py_VISIT(obj.ptr());
+        }
+        return 0;
+    }
+
+private:
+    std::vector<py::object> vec{};
+};
+
+TEST_SUBMODULE(invalid_holder_access, m) {
+    m.doc() = "Test invalid holder access";
+
+#if defined(PYBIND11_CPP14)
+    m.def("create_vector", []() -> std::unique_ptr<VectorOwns4PythonObjects> {
+        auto vec = std::make_unique<VectorOwns4PythonObjects>();
+        vec->append(py::none());
+        vec->append(py::int_(1));
+        vec->append(py::str("test"));
+        vec->append(py::tuple());
+        return vec;
+    });
+#endif
+
+    py::class_<VectorOwns4PythonObjects>(
+        m,
+        "VectorOwns4PythonObjects",
+        py::custom_type_setup([](PyHeapTypeObject *heap_type) -> void {
+            auto *const type = &heap_type->ht_type;
+            type->tp_flags |= Py_TPFLAGS_HAVE_GC;
+            type->tp_traverse = &VectorOwns4PythonObjects::tp_traverse;
+        }))
+        .def("append", &VectorOwns4PythonObjects::append, py::arg("obj"))
+        .def("set_item", &VectorOwns4PythonObjects::set_item, py::arg("i"), py::arg("obj"))
+        .def("get_item", &VectorOwns4PythonObjects::get_item, py::arg("i"))
+        .def("size", &VectorOwns4PythonObjects::size)
+        .def("is_empty", &VectorOwns4PythonObjects::is_empty)
+        .def("__setitem__", &VectorOwns4PythonObjects::set_item, py::arg("i"), py::arg("obj"))
+        .def("__getitem__", &VectorOwns4PythonObjects::get_item, py::arg("i"))
+        .def("__len__", &VectorOwns4PythonObjects::size)
+        .def("sanity_check", &VectorOwns4PythonObjects::sanity_check);
+}

tests/test_invalid_holder_access.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+
+import gc
+import weakref
+
+import pytest
+
+import pybind11_tests
+from pybind11_tests import invalid_holder_access as m
+
+XFAIL_REASON = "Known issues: https://github.com/pybind/pybind11/pull/5654"
+
+
+@pytest.mark.skipif(
+    pybind11_tests.cpp_std_num < 14,
+    reason="std::{unique_ptr,make_unique} not available in C++11",
+)
+def test_create_vector():
+    vec = m.create_vector()
+    assert vec.size() == 4
+    assert not vec.is_empty()
+    assert vec[0] is None
+    assert vec[1] == 1
+    assert vec[2] == "test"
+    assert vec[3] == ()
+
+
+def test_no_init():
+    with pytest.raises(TypeError, match=r"No constructor defined"):
+        m.VectorOwns4PythonObjects()
+    vec = m.VectorOwns4PythonObjects.__new__(m.VectorOwns4PythonObjects)
+    with pytest.raises(TypeError, match=r"No constructor defined"):
+        vec.__init__()
+
+
+# The test might succeed on some platforms with some compilers, but
+# it is not guaranteed to work everywhere. It is marked as xfail.
+@pytest.mark.xfail(reason=XFAIL_REASON, raises=SystemError, strict=False)
+def test_manual_new():
+    # Repeatedly trigger allocation without initialization (raw malloc'ed) to
+    # detect uninitialized memory bugs.
+    for _ in range(32):
+        # The holder is a pointer variable while the C++ ctor is not called.
+        vec = m.VectorOwns4PythonObjects.__new__(m.VectorOwns4PythonObjects)
+        if vec.is_empty():
+            # The C++ compiler initializes container correctly.
+            assert vec.size() == 0
+        else:
+            raise SystemError(
+                "Segmentation Fault: The C++ compiler initializes container incorrectly."
+            )
+        vec.append(1)
+        vec.append(2)
+        vec.append(3)
+        vec.append(4)
+
+
+@pytest.mark.skipif(
+    pybind11_tests.cpp_std_num < 14,
+    reason="std::{unique_ptr,make_unique} not available in C++11",
+)
+def test_gc_traverse():
+    vec = m.create_vector()
+    vec[3] = (vec, vec)
+
+    wr = weakref.ref(vec)
+    assert wr() is vec
+    del vec
+    for _ in range(10):
+        gc.collect()
+    assert wr() is None