Closed
Description
# Crash report

### What happened?
Hello, when building CPython with AddressSanitizer, test_opt.py crashed with a global-buffer-overflow. I will add the build flags and the reduced code that causes the crash.
https://github.com/python/cpython/blob/main/Lib/test/test_capi/test_opt.py
```
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -g"
make
make test
```
After this, you can reproduce it just by running the following script, reduced from test_opt.py:
```python
import contextlib
import textwrap
import unittest
from test.support import import_helper

_testinternalcapi = import_helper.import_module("_testinternalcapi")


@contextlib.contextmanager
def temporary_optimizer(opt):
    _testinternalcapi.set_optimizer(opt)


class TestOptimizerAPI(unittest.TestCase):
    def test_long_loop(self):
        ns = {}
        exec(textwrap.dedent(""), ns)
        opt = _testinternalcapi.new_counter_optimizer()
        with temporary_optimizer(opt):
            return


if __name__ == "__main__":
    unittest.main()
```
Stack trace will be:
```
==24730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001056cb7b8 at pc 0x000105054760 bp 0x00016b1af940 sp 0x00016b1af938
READ of size 8 at 0x0001056cb7b8 thread T0
    #0 0x10505475c in visit_decref gc.c:531
    #1 0x1050aebf4 in executor_traverse optimizer.c:392
    #2 0x105054358 in deduce_unreachable gc.c:1162
    #3 0x105052690 in gc_collect_region gc.c:1509
    #4 0x10504fa08 in _PyGC_Collect gc.c:1815
    #5 0x105131e20 in gc_collect gcmodule.c.h:140
    #6 0x104df22f8 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
    #7 0x104d2c244 in PyObject_Vectorcall call.c:327
    #8 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #9 0x104d327c4 in method_vectorcall classobject.c:92
    #10 0x104d2c030 in _PyVectorcall_Call call.c:273
    #11 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #12 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #13 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #14 0x104e6f70c in slot_tp_call typeobject.c:9225
    #15 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #16 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #17 0x104d327c4 in method_vectorcall classobject.c:92
    #18 0x104d2c030 in _PyVectorcall_Call call.c:273
    #19 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #20 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #21 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #22 0x104e6f70c in slot_tp_call typeobject.c:9225
    #23 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #24 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #25 0x104d327c4 in method_vectorcall classobject.c:92
    #26 0x104d2c030 in _PyVectorcall_Call call.c:273
    #27 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #28 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #29 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #30 0x104e6f70c in slot_tp_call typeobject.c:9225
    #31 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #32 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #33 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #34 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #35 0x104e724e8 in slot_tp_init typeobject.c:9469
    #36 0x104e633e8 in type_call typeobject.c:1854
    #37 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #38 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #39 0x104fb425c in PyEval_EvalCode ceval.c:601
    #40 0x1050ddcb8 in run_mod pythonrun.c:1376
    #41 0x1050d98e8 in _PyRun_SimpleFileObject pythonrun.c:461
    #42 0x1050d8f7c in _PyRun_AnyFileObject pythonrun.c:77
    #43 0x10512f140 in Py_RunMain main.c:707
    #44 0x10512ff80 in pymain_main main.c:737
    #45 0x1051304a0 in Py_BytesMain main.c:761
    #46 0x18f5a60dc (<unknown module>)

0x0001056cb7b8 is located 8 bytes before global variable 'COLD_EXITS' defined in 'Python/optimizer.c' (0x1056cb7c0) of size 27200
0x0001056cb7b8 is located 23 bytes after global variable 'cold_exits_initialized' defined in 'Python/optimizer.c' (0x1056cb7a0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow gc.c:531 in visit_decref
Shadow bytes around the buggy address:
  0x0001056cb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb580: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0001056cb600: f9 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 00 00 00
  0x0001056cb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb700: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
=>0x0001056cb780: 00 f9 f9 f9 01 f9 f9[f9]00 00 00 00 00 00 00 00
  0x0001056cb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24730==ABORTING
zsh: abort
```

### CPython versions tested on:

3.12

### Operating systems tested on:

macOS

### Output from running 'python -VV' on the command line:

Python 3.12.3 (main, Apr  9 2024, 08:09:14) [Clang 15.0.0 (clang-1500.3.9.4)]

### Linked PRs

* gh-118117