Fix int_mul SmallInt overflow clobber + get_iterator exception loss

jgarzik · claude · jgarzik · commit b1d830276daa · 2026-03-15T17:51:30.000Z
Two critical crash fixes:

1. int_mul: `mov rcx, rsi` clobbered ecx (right_tag) before the
   overflow path could use it. When SmallInt multiply overflowed
   (e.g. sys.maxsize * 2), the GMP conversion path used the
   clobbered tag, treating a SmallInt value as a heap pointer.
   Fix: save/restore ecx around the multiply.

2. get_iterator: when dunder_call_1 for __iter__ raised an exception
   (e.g. KeyboardInterrupt), get_iterator silently dropped it and
   fell through to __getitem__ fallback, corrupting state for
   subsequent operations.
   Fix: check current_exception after dunder_call_1 failure,
   propagate via eval_exception_unwind.

Real CPython test_list.py: 30/52 pass (was 20, no more crashes).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/itertools.asm b/src/itertools.asm
@@ -153,6 +153,12 @@ DEF_FUNC get_iterator
     test edx, edx
     jnz .validate_iter
 
+    ; __iter__ returned NULL — check if exception pending (vs not found)
+    extern current_exception
+    mov rax, [rel current_exception]
+    test rax, rax
+    jnz .iter_exc_pending         ; exception raised by __iter__, propagate
+
     ; __iter__ not found — try __getitem__ sequence protocol
     mov rdi, rbx
     jmp .try_getitem
@@ -223,6 +229,17 @@ DEF_FUNC get_iterator
     lea rdi, [rel exc_TypeError_type]
     CSTRING rsi, "object is not iterable"
     call raise_exception
+
+.iter_exc_pending:
+    ; Exception was raised by __iter__. Propagate it via eval_exception_unwind.
+    extern eval_exception_unwind
+    extern eval_saved_r13
+    extern eval_saved_r15
+    mov [rel eval_saved_r13], r13
+    mov [rel eval_saved_r15], r15
+    pop rbx
+    leave
+    jmp eval_exception_unwind
 END_FUNC get_iterator
 
 ;; ============================================================================
diff --git a/src/pyo/int.asm b/src/pyo/int.asm
@@ -1206,12 +1206,16 @@ DEF_FUNC_BARE int_mul
     jne .gmp_path
 
     mov rax, rdi
+    push rcx                ; save right_tag (ecx) before clobber
     mov rcx, rsi
     imul rax, rcx
-    jo .gmp_path
+    jo .gmp_path_pop
+    add rsp, 8             ; discard saved right_tag
     RET_TAG_SMALLINT
     ret
 
+.gmp_path_pop:
+    pop rcx                 ; restore right_tag
 .gmp_path:
     push rbp
     mov rbp, rsp
