john/McRogueFace
1
0
Fork 0
Code Issues 26 Pull requests Projects Releases Wiki Activity

[Bugfix] WangSet.terrain_enum() calls Python with a pending error -> _PyErr_Occurred assertion / abort #322

New issue
Open
opened 2026-06-21 20:42:04 +00:00 by john · 0 comments
john commented 2026-06-21 20:42:04 +00:00
Owner
Copy link

Summary

PyWangSet::terrain_enum (src/tiled/PyWangSet.cpp:148) invokes a Python callable via PyObject_Call while a Python exception is already set. In a debug CPython this trips the assertion !_PyErr_Occurred(tstate) in _PyObject_Call and aborts; in release builds it is undefined/erratic behavior (the call proceeds with a stale error pending).

Found by the #312 fuzz campaign (fuzz_import_parsers target) feeding a malformed Tiled .tsx wangset.

Crash output

mcrfpy_fuzz: modules/cpython/Objects/call.c:342: _PyObject_Call: Assertion `!_PyErr_Occurred(tstate)' failed.
==ERROR: libFuzzer: deadly signal
    #9  _PyObject_Call                       modules/cpython/Objects/call.c:342
    #10 PyObject_Call                        modules/cpython/Objects/call.c:373
    #11 PyWangSet::terrain_enum(...)         src/tiled/PyWangSet.cpp:148
    #12 method_vectorcall_NOARGS

Analysis

terrain_enum() builds a Python IntEnum from the wangset's parsed colors. On malformed input some earlier step sets a Python error (e.g. a failed attribute/format on a corrupt color name) that is not cleared, then terrain_enum calls into Python again with the error still pending. The fix is to ensure no error is pending before PyObject_Call (check/propagate or PyErr_Clear at the right boundary), or to bail out cleanly when an error is already set.

Repro

echo 'ADw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04Ij8+Cjx0aWxlc2V0IHZlcnNpb249IjEuMTAiIHRpbGVkdmVyc2lvbj0iMS4xMC4yIiBuYW1lPSJ0ZXN0X3RpbGVzZXQiIHRpbGV3aWR0aD0iMTYiIHRpbGVoZWlnaHQ9IjE2IiB0aWxlY291bnQ9IjE2IiBjb2x1bW5zPSI0Ij4KIDxpbWFnZSBzb3VyY2U9InRlc3RfdGlsZXNldC5wbmciIHdpZHRoPSI2NCIgaGVpZ2h0PSI2NCIvPgogPHByb3BlcnRpZXM+CiAgPHByb3BlcnR5IG5hbWU9ImF1dGhvciIgdmFsdWU9InRlc3QiLz4KICA8cHJvcGVydHkgbmFtZT0idmVyc2lvbiIgdHlwZT0iaW50IiB2YWx1ZT0iMSIvPgogPC9wcm9wZXJ0aWVzPgogPHRpbGUgaWQ9IjAiPgogIDxwcm9wZXJ0aWVzPgogICA8cHJvcGVydHkgbmFtZT0idGVycmFpbiIgdmFsdWU9ImdyYXNzIi8+CiAgIDxwcm9wZXJ0eSBuYW1lPSJ3YWxrYWJsZSIgdHlwZT0iYm9vbCIgdmFsdWU9InRydWUiLz4KICA8L3Byb3BlcnRpZXM+CiAgPGFuaW1hdGlvbj4KICAgPGZyYW1lIHRpbGVpZD0iMCIgZHVyYXRpb249IjUwMCIvPgogICA8ZnJhbWUgdGlsZWlkPSI0IiBkdXJhdGlvbj0iNTAwIi8+CiAgPC9hbmltYXRpb24+CiA8L3RpbGU+CiA8dGlsZSBpZD0iMSI+CiAgPHByb3B0aXJlZXM+CiAgIDxwcm9wZXJ0eSBuYW1lPSJ0ZXJyYWluIiB2YWx1ZT0iZGlydCIvPgogIDwvcHJvcGVydGllcz4KIDwvdGlsZT4KIDx3YW5nc2V0cz4KICA8d2FuZ3NldCBuYW1lPSJ0ZXJyYWluIiB0eXBlPSJjb3JuZXIiIHS0bGU9Ii0xIj4KICAgPHdhbmdjb2xvciBuYW1lPSJHtra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tnJhc3MiIGNvbG9yPSIjMDBmZjAwIiB0aWxlPSIwIiBwcm9iYWJpbGl0eT0iMSIvPgogICA8d2FuZ2NvbG9yIG5hbWU9IkRpcnQiIGNvbG9yPSIjOGI0NTEzIiB0aWxlPSIxIiBwcm9iYWJpbGl0eT0iMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIwIiB3YW5naWQ9IjAsMSwwLDEsMCwxLDAsMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIxIiB3YW5naWQ9IjAsMiwwLDIsMCwyLDAsMiIvPgogICA8hWFuZ3RpbGUgdGlsZWlkPSI4IiB3YW5naWQ9IjAsMiwwLDEsMCwxLDAsMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSI5IiB3YW5naWQ9IjAsMSwwLDEsMCwxLDAsMiIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIxMCIgd2FuZ2lkPSIwLDEsMCwxLDAsMiwwLDEiLz4KICAgPHdhbmd0aWxlIHRpbGVpZD0iMTEiIHdhbmdpZD0iMCwxLDAsMiwwLDEsMCwxIi8+CiAgPC93YW5nc2V0PgogPC93YW5nc2V0cz4KPC90aWxlc2V0Pgo=' | base64 -d > /tmp/crash.bin
cd build-fuzz && MCRF_LIB_DIR=../__lib_debug PYTHONHOME=../__lib/Python MCRF_FUZZ_TARGET=import_parsers ./mcrfpy_fuzz /tmp/crash.bin

Suggested labels

Bugfix, system:python-binding, priority:tier2-foundation (apply via web — MCP label bug)

Related: #312, #283.

## Summary `PyWangSet::terrain_enum` (src/tiled/PyWangSet.cpp:148) invokes a Python callable via `PyObject_Call` while a Python exception is already set. In a debug CPython this trips the assertion `!_PyErr_Occurred(tstate)` in `_PyObject_Call` and aborts; in release builds it is undefined/erratic behavior (the call proceeds with a stale error pending). Found by the #312 fuzz campaign (`fuzz_import_parsers` target) feeding a malformed Tiled `.tsx` wangset. ## Crash output ``` mcrfpy_fuzz: modules/cpython/Objects/call.c:342: _PyObject_Call: Assertion `!_PyErr_Occurred(tstate)' failed. ==ERROR: libFuzzer: deadly signal #9 _PyObject_Call modules/cpython/Objects/call.c:342 #10 PyObject_Call modules/cpython/Objects/call.c:373 #11 PyWangSet::terrain_enum(...) src/tiled/PyWangSet.cpp:148 #12 method_vectorcall_NOARGS ``` ## Analysis `terrain_enum()` builds a Python `IntEnum` from the wangset's parsed colors. On malformed input some earlier step sets a Python error (e.g. a failed attribute/format on a corrupt color name) that is not cleared, then `terrain_enum` calls into Python again with the error still pending. The fix is to ensure no error is pending before `PyObject_Call` (check/propagate or `PyErr_Clear` at the right boundary), or to bail out cleanly when an error is already set. ## Repro ```sh echo 'ADw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04Ij8+Cjx0aWxlc2V0IHZlcnNpb249IjEuMTAiIHRpbGVkdmVyc2lvbj0iMS4xMC4yIiBuYW1lPSJ0ZXN0X3RpbGVzZXQiIHRpbGV3aWR0aD0iMTYiIHRpbGVoZWlnaHQ9IjE2IiB0aWxlY291bnQ9IjE2IiBjb2x1bW5zPSI0Ij4KIDxpbWFnZSBzb3VyY2U9InRlc3RfdGlsZXNldC5wbmciIHdpZHRoPSI2NCIgaGVpZ2h0PSI2NCIvPgogPHByb3BlcnRpZXM+CiAgPHByb3BlcnR5IG5hbWU9ImF1dGhvciIgdmFsdWU9InRlc3QiLz4KICA8cHJvcGVydHkgbmFtZT0idmVyc2lvbiIgdHlwZT0iaW50IiB2YWx1ZT0iMSIvPgogPC9wcm9wZXJ0aWVzPgogPHRpbGUgaWQ9IjAiPgogIDxwcm9wZXJ0aWVzPgogICA8cHJvcGVydHkgbmFtZT0idGVycmFpbiIgdmFsdWU9ImdyYXNzIi8+CiAgIDxwcm9wZXJ0eSBuYW1lPSJ3YWxrYWJsZSIgdHlwZT0iYm9vbCIgdmFsdWU9InRydWUiLz4KICA8L3Byb3BlcnRpZXM+CiAgPGFuaW1hdGlvbj4KICAgPGZyYW1lIHRpbGVpZD0iMCIgZHVyYXRpb249IjUwMCIvPgogICA8ZnJhbWUgdGlsZWlkPSI0IiBkdXJhdGlvbj0iNTAwIi8+CiAgPC9hbmltYXRpb24+CiA8L3RpbGU+CiA8dGlsZSBpZD0iMSI+CiAgPHByb3B0aXJlZXM+CiAgIDxwcm9wZXJ0eSBuYW1lPSJ0ZXJyYWluIiB2YWx1ZT0iZGlydCIvPgogIDwvcHJvcGVydGllcz4KIDwvdGlsZT4KIDx3YW5nc2V0cz4KICA8d2FuZ3NldCBuYW1lPSJ0ZXJyYWluIiB0eXBlPSJjb3JuZXIiIHS0bGU9Ii0xIj4KICAgPHdhbmdjb2xvciBuYW1lPSJHtra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tnJhc3MiIGNvbG9yPSIjMDBmZjAwIiB0aWxlPSIwIiBwcm9iYWJpbGl0eT0iMSIvPgogICA8d2FuZ2NvbG9yIG5hbWU9IkRpcnQiIGNvbG9yPSIjOGI0NTEzIiB0aWxlPSIxIiBwcm9iYWJpbGl0eT0iMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIwIiB3YW5naWQ9IjAsMSwwLDEsMCwxLDAsMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIxIiB3YW5naWQ9IjAsMiwwLDIsMCwyLDAsMiIvPgogICA8hWFuZ3RpbGUgdGlsZWlkPSI4IiB3YW5naWQ9IjAsMiwwLDEsMCwxLDAsMSIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSI5IiB3YW5naWQ9IjAsMSwwLDEsMCwxLDAsMiIvPgogICA8d2FuZ3RpbGUgdGlsZWlkPSIxMCIgd2FuZ2lkPSIwLDEsMCwxLDAsMiwwLDEiLz4KICAgPHdhbmd0aWxlIHRpbGVpZD0iMTEiIHdhbmdpZD0iMCwxLDAsMiwwLDEsMCwxIi8+CiAgPC93YW5nc2V0PgogPC93YW5nc2V0cz4KPC90aWxlc2V0Pgo=' | base64 -d > /tmp/crash.bin cd build-fuzz && MCRF_LIB_DIR=../__lib_debug PYTHONHOME=../__lib/Python MCRF_FUZZ_TARGET=import_parsers ./mcrfpy_fuzz /tmp/crash.bin ``` ## Suggested labels `Bugfix`, `system:python-binding`, `priority:tier2-foundation` (apply via web — MCP label bug) Related: #312, #283.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
feature/issues-317-319-verify-bugs
feature/issue-316-sparse-perspective
feature/issue-314-doc-followthrough
feature/api-freeze-313-314
threedee
emscripten-mcrogueface
rogueliketutorial25
alpha_presentable
alpha_streamline_2
alpha_streamline_1
interpreter_mode
grid_entity_integration
reprs_and_member_names
break_up_ui_h
standardize_font_handling
standardize_vector_handling
standardize_color_handling
standardize_texture_handling
raii_pyobjects
rebase-for-7DRL_Feb-2024
engjam_uicollection
engjam_ui_overhaul
0.2.3-prerelease-7drl2026-emscripten
Labels
Clear labels   
Alpha Release Requirement

This issue is a blocker to 0.1 Alpha release of McRogueFace.

  
Bugfix

   
Demo Target

Functionality to demonstrate; Depends on new features, but this issue isn't for writing them.

  
Documentation

   
Major Feature

Significant time and effort required.

  
Minor Feature

Some effort required to create or overhaul functionality.

  
priority:tier1-active

Current development focus - critical path to v1.0

  
priority:tier2-foundation

Important foundation work - not blocking v1.0

  
priority:tier3-future

Future features - deferred until after v1.0

  
priority:tier4-deferred

   
Refactoring & Cleanup

no new functionality, just improving the codebase.

  
system:animation

Animation and property interpolation

  
system:documentation

Documentation infrastructure

  
system:grid

Grid system and spatial containers

  
system:input

Input handling and events

  
system:performance

Performance optimization and profiling

  
system:procgen

Procedural Generation (Noise, BSP, Heightmap)

  
system:python-binding

Python/C++ binding layer

  
system:rendering

Rendering pipeline and visuals

  
system:ui-hierarchy

UI component hierarchy and composition

  
Tiny Feature

quick and easy - a few lines or with little interconnection around the codebase

  
workflow:blocked

Blocked by other work - waiting on dependencies

  
workflow:needs-benchmark

Needs performance testing and benchmarks

  
workflow:needs-documentation

Needs documentation before or after implementation

No labels
Alpha Release Requirement
Bugfix
Demo Target
Documentation
Major Feature
Minor Feature
priority:tier1-active
priority:tier2-foundation
priority:tier3-future
priority:tier4-deferred
Refactoring & Cleanup
system:animation
system:documentation
system:grid
system:input
system:performance
system:procgen
system:python-binding
system:rendering
system:ui-hierarchy
Tiny Feature
workflow:blocked
workflow:needs-benchmark
workflow:needs-documentation
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
john/McRogueFace#322
No description provided.