`tkinter.Tk` segfault with invalid `className`

[devdanzin]

Crash report

What happened?

It's possible to crash Python by passing an invalid className to _tkinter.create, for example:

import  _tkinter 
_tkinter.create(None, '', '\U0010FFFF', None)

Or, using tkinter.Tk (repro thanks to @graingert and @JelleZijlstra):

% ./python.exe 
Python 3.14.0a0 experimental free-threading build (heads/gh-125331:c315120a535, Oct 30 2024, 11:22:31) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import tkinter
... tkinter.Tk(screenName=None, baseName='', className='\U0010FFFF')
... 
zsh: segmentation fault  ./python.exe

Backtrace looks like:

#0  0x00007ffff77bab5b in Tcl_UtfToUniChar () from /lib/x86_64-linux-gnu/libtcl8.6.so
#1  0x00007ffff77bc993 in ?? () from /lib/x86_64-linux-gnu/libtcl8.6.so
#2  0x00007ffff77bb795 in Tcl_UtfToTitle () from /lib/x86_64-linux-gnu/libtcl8.6.so
#3  0x00007ffff78b5083 in ?? () from /lib/x86_64-linux-gnu/libtk8.6.so
#4  0x00007ffff79dcf9d in Tcl_AppInit (interp=0x555555e14860) at ./Modules/tkappinit.c:40
#5  0x00007ffff79d92b4 in Tkapp_New (screenName=screenName@entry=0x0,
    className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
    wantobjects=wantobjects@entry=0, wantTk=wantTk@entry=1, sync=sync@entry=0, use=0x0)
    at ./Modules/_tkinter.c:730
#6  0x00007ffff79d953f in _tkinter_create_impl (module=module@entry=<module at remote 0x7ffff7ab9eb0>,
    screenName=screenName@entry=0x0, baseName=baseName@entry=0x555555c77ef0 <_PyRuntime+51344> "",
    className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
    wantobjects=wantobjects@entry=0, wantTk=1, sync=0, use=0x0) at ./Modules/_tkinter.c:3176
#7  0x00007ffff79d99c6 in _tkinter_create (module=<module at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargs=<optimized out>) at ./Modules/clinic/_tkinter.c.h:820
#8  0x00005555556f18b0 in cfunction_vectorcall_FASTCALL (
    func=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/methodobject.c:436
#9  0x000055555567ba55 in _PyObject_VectorcallTstate (tstate=0x555555cbbc70 <_PyRuntime+329232>,
    callable=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargsf=9223372036854775812, kwnames=0x0) at ./Include/internal/pycore_call.h:167

Found using fusil by @vstinner.

CPython versions tested on:

3.12, 3.14, CPython main branch

Operating systems tested on:

Linux, macOS, Windows

Output from running 'python -VV' on the command line:

Python 3.14.0a1+ (heads/main:d467d9246c, Oct 30 2024, 22:52:43) [GCC 11.4.0]

[JelleZijlstra]

(I think @graingert came up with the tkinter.Tk repro, I just ran it :) )

[terryjreedy]

U+10FFFF is a valid code point but (edit) in a sense not a valid character. A nice choice for fuzzing. "There are also 66 non-characters. These are defined in part in Corrigendum #9: 34 values of the form U+nFFFE and U+nFFFF (where n is a value 0x00000, 0x10000, … 0xF0000, 0x100000), and 32 values U+FDD0 - U+FDEF."

tk doc says nothing directly about what is a class name but hints that is should be displayable. "Specifies a class for the window. ... Some window managers display the class name for windows in their dock ... ."

[picnixz]

cc @serhiy-storchaka

[serhiy-storchaka]

I suspect that this is a Tk or Tcl bug. I do not see anything wrong on our side. Tcl before 9.0 does not support non-BMP characters well, Tcl_UtfToUniChar() does not work, and somewhere they forget to check for error. This may be improved with Tcl 9.

[serhiy-storchaka]

On other hand, it is not so easy to reproduce this with a pure Tcl -- subprocess.call(['\U0010FFFF'], executable='tclsh') does not crash. There should be something else to trigger a crash.