Crash (i.e. cause the interpreter to stop working and force close) Python

16

3

I would like to see who can make Python have a fatal crash with the most creative code. This means that when the program runs, Windows for example, will take over and pop up with something like “IDLE has stopped working”, or Linux will do whatever Linux does when a program crashes.

Rules:

  1. This must be made in Python 2.7 or above (So old bugs aren't exploited that have been fixed in future versions of Python).

  2. The definition of "crash" is "make IDLE or Python exit in an unintended way." This does not mean "make IDLE or Python halt and give a traceback". This also means exit, sys.quit, abort etc are not valid answers. For example, this will not be accepted:

    import sys
try:
     print c # Crashes Here, as c is not defined.
 except NameError, SyntaxError:
     print "Oh No!"
     sys.exit()

  3. Making Python stop responding is not accepted.

  4. The code must be explained on what it does to crash. A link to a bug report is fine.

The most upvoted answer after 10 days wins! Begin!!

EDIT: May I make it clear that the objective is not to make Python just halt executing the program with a traceback. The objective is to make Python completely crash or stop working. This means that if this task is successfully accomplished, Windows would give this (I'm not crashing Word here, it's just an example of what should happen for a different program):

error dialogue

or this:

error dialogue 2

George

Posted 2014-02-27T19:08:50.263

Reputation: 1 355

Question was closed 2016-08-10T08:09:07.413

6I'm voting to close this question as off-topic because this question asks for malicious code. – AdmBorkBork – 2016-08-04T13:22:06.950

1The tag [tag:code-challenge] requires an objective winning criterion. I think most creative isn't objective enough... – Howard – 2014-02-27T19:16:06.700

Ok - Ill change it to as short as possible, like most other challenges.. Creative is quite ambiguous actually... – George – 2014-02-27T19:17:29.617

@GeorgeH If creative is what you were looking for, [tag:popularity-contest] works perfectly. I personally feel that this would be best as a popularity contest. In the future, you can run your question through the sandbox where these kinks can be worked out before posting.

– Justin – 2014-02-27T20:04:18.013

And its a lot clearer this time too (Does this question have the most edits ever now!!) – George – 2014-02-27T21:58:30.370

2@People with High Rep, my prnt in the question is intentional. – George – 2014-03-01T01:11:42.897

prnt doesn't make Python crash, it makes it raise a SyntaxError. So the comment in your example code is wrong. – David Z – 2014-03-01T06:08:48.050

Fixed now. Fixed print and changed it to C – George – 2014-03-01T14:21:31.130

Answers

18

Should have been a code-golfing contest ;) - I guess the creativity is the statement the code makes: "I just don't know what's happening here..."

Copy and paste the following character in IDLE running on Windows:

The crash has something to do with the character being encoded as UTF-16 by Windows and the unsuccessful conversion to a UTF-8 character by IDLE...

Edit: python bug #13153

David Herrmann

Posted 2014-02-27T19:08:50.263

Reputation: 1 544

I'm not sure if this is really a valid answer. The question says "when the program runs". But here the program is never really run. IDLE crashes when you merely paste the ``, before you can even run it. – Sebastian Negraszus – 2014-02-28T17:08:55.317

Yeah, I have to agree with @Sebastian. In a Python program you start with a text file and run the Python interpreter on it, but it shouldn't matter how you make the text file. – David Z – 2014-03-01T06:11:00.747

1

Um... http://puu.sh/7eVar.png

– Oberon – 2014-03-01T16:35:11.230

It works on Mac too! – TheDoctor – 2014-03-04T19:09:24.747

19

ctypes abuse:

import ctypes;ctypes.string_at(1)

This casts 1 to an address and dereferences it. On any sane system (i.e. one on which 0x00000001 is not a mapped address), this will segfault instantly.

nneonneo

Posted 2014-02-27T19:08:50.263

Reputation: 11 445

On my machine, this doesn't seem to crash the interpreter. A traceback with a WindowsError error is displayed. – Dhara – 2014-02-28T08:14:33.020

@Dhara: Ah, that would be ctypes' structured exception handler catching the crash. I am certain you can crash Python with ctypes in Windows in some other way, but perhaps not in so few characters. – nneonneo – 2014-02-28T19:22:53.030

12

60

import sys
sys.setrecursionlimit(1<<30)
f=lambda f:f(f)
f(f)

Not my own idea. Copied from the Python Wiki here.

This causes an infinite recursion, and is not stopped by the interpreter because we changed the recursion limit.

user12205

Posted 2014-02-27T19:08:50.263

Reputation: 8 752

Thanks - this is a great answer, but for the wrong question! The objective has not been clarified in the question. Thanks for your answer though. – George – 2014-02-27T21:58:12.460

2

@George H Sorry I'm not using a Windows machine now, but isn't a segmentation fault that causes the python interpreter to dump core enough? http://i.imgur.com/5gSGBpr.png

– user12205 – 2014-02-27T22:20:24.810

10

signal abuse (non-Windows only):

import os;os.kill(0,4)

On most systems (on which SIGILL = 4) this will kill Python with an "illegal instruction" error.

Or you can kill the program using the killer alarm clock:

import signal;signal.alarm(1)

After one second, Python dies with the cryptic message "Alarm clock".

nneonneo

Posted 2014-02-27T19:08:50.263

Reputation: 11 445

Other single character signal codes that work include 1, 3, 5, 6, 8 and 9. – user12205 – 2014-02-27T22:55:22.233

9

In Python 3.3:

exec(type((lambda:0).__code__)(0,1,0,0,0,b'',(),(),(),'','',1,b''))

In Python 2.7 code objects are slightly different:

exec type((lambda:0).func_code)(0,1,0,0,'Q',(),(),(),'','',0,'')

Yes, you can pass any old rubbish to the byte code interpreter and it executes it (Python issue #17187).

user2186

Posted 2014-02-27T19:08:50.263

Reputation:

Shorter (Python 2.x): exec type((lambda:0).func_code)(0,1,0,0,'Q',(),(),(),'','',0,'') – nneonneo – 2014-02-27T22:52:15.463

Thanks! And in Python 3 we can use .__code__. – None – 2014-02-27T23:03:14.657

6

Recursive iterators use the C stack, not the Python stack (issue #14010 and issue #14507):

i=''
for _ in range(9**6):i=filter(int,i)
del i

user2186

Posted 2014-02-27T19:08:50.263

Reputation:

This doesn't crash Python 2.7.11 on my Mac, but it does crash Python 3.5.1. – nneonneo – 2016-08-11T16:51:30.343

4

One easy way to crash the interpreter is to trick it into deallocating None:

import ctypes, sys
(ctypes.c_char*4).from_address(id(None))[:] = '\0'*4

As a bonus, here's a clever way to segfault Python 2:

import ctypes, struct, sys
inner = ()
outer = (inner,)
c_outer = (ctypes.c_char * sys.getsizeof(outer)).from_address(id(outer))
inner_index = c_outer[:].find(struct.pack('P', id(inner)))
c_outer[inner_index:inner_index+struct.calcsize('P')] = struct.pack('P', id(outer))
print outer

What exactly this does is left as an exercise to the reader.

Fraxtil

Posted 2014-02-27T19:08:50.263

Reputation: 2 495

2First one: set refcount of None to zero, causing it to be deallocated hilariously. Second one: construct and print a self-referencing tuple. – nneonneo – 2014-03-03T17:51:28.800

3

Someone thought they could prevent new FlagsType objects from being created by setting FlagsType.tp_new = NULL, but they forgot to remove the method (issue #13204):

import sys
t=type(sys.flags)
t.__new__(t)

(sys.version_info has the same bug.)

user2186

Posted 2014-02-27T19:08:50.263

Reputation:

3

Use of alloca in ctypes module (issue #13096):

from ctypes import *
POINTER('a'*9**8)

user2186

Posted 2014-02-27T19:08:50.263

Reputation:

0

One possible way which crashes my Python with MemoryError:

x=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

VisioN

Posted 2014-02-27T19:08:50.263

Reputation: 4 490

2This doesnt work for me - it just makes Python halt with a MemoryError. It needs to be closed by the OS. – George – 2014-02-27T19:24:57.207

2Huh. The error happens at a surprisingly shallow depth. – user2357112 supports Monica – 2014-02-28T13:14:44.293

Asked: 2014-02-27T19:08:50.263

Viewed: 6 199 times

Active: 2015-05-09T02:31:23.453