Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork34k
Closed
Description
Crash report
What happened?
Description
A race condition exists in theperf trampoline implementation (Python/perf_trampoline.c). When togglingsys.activate_stack_trampoline("perf") andsys.deactivate_stack_trampoline() while multiple threads are executing bytecode, a Use-After-Free (UAF) or invalid memory access occurs.
The root cause is thatfree_code_arenas (viamunmap) releases executable memory while worker threads are still executing within a trampoline frame or attempting to unwind through it.
Impact
- Python 3.12.x: Results in an immediateSegmentation Fault (SIGSEGV). The unwinder (
libgcc_s) attempts to access unmapped memory during a stack walk. - Python 3.13 / 3.14: Results in aSystemError: error return without exception set. This indicates internal state corruption or a C-API violation where the runtime detects an invalid state but fails to handle it gracefully.
Technical Details
GDB analysis confirms that while one thread is executingfree_code_arenas -> munmap to remove the executable memory page, another thread is simultaneously attempting_Unwind_ForcedUnwind through a frame located within that exact memory region.
Root Cause Analysis (GDB)
- Thread A: Executing
sys.deactivate_stack_trampoline()->_PyPerfTrampoline_Fini->free_code_arenas. - Thread B: Simultaneous execution or unwinding. The instruction pointer (IP) references a frame that is unmapped mid-process.
- Error:
Cannot access memory at address <hex_address>, confirming the memory was freed while still in use by the unwinder.
Reproduction
The issue is most consistent when pinned to a single core to force specific thread interleaving.
Steps:
- Save the attached file.
- Run via:
taskset -c 0 python3 poc.py
(I have also included a gdb backtrace output from the crash to confirm it)
Environment
- OS: Linux (Perf trampoline is Linux-specific)
- Versions: Python 3.12.12 (SIGSEGV), Python 3.13.x/3.14.dev (SystemError)
- Component:
Python/perf_trampoline.c
Traceback
#0 x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63 pc = 0x725ab661e00a <error: Cannot access memory at address 0x725ab661e00a> sc = <optimized out> new_cfa = <optimized out> pc = <optimized out> sc = <optimized out> new_cfa = <optimized out> uc_ = <optimized out>#1 uw_frame_state_for (context=context@entry=0x725ace5fc750, fs=fs@entry=0x725ace5fc510) at ../../../src/libgcc/unwind-dw2.c:1013 fde = 0x0 cie = <optimized out> aug = <optimized out> insn = <optimized out> end = <optimized out>#2 0x0000725ab6c86c8a in _Unwind_ForcedUnwind_Phase2 (exc=exc@entry=0x725ace5fdd30, context=context@entry=0x725ace5fc750, frames_p=frames_p@entry=0x725ace5fc658) at ../../../src/libgcc/unwind.inc:162 fs = {regs = {reg = {{loc = {reg = 2855248878, offset = 2855248878, exp = 0xaa2fa3ee <error: Cannot access memory at address 0xaa2fa3ee>}}, {loc = {reg = 125734335006864, offset = 125734335006864, exp = 0x725ace5fc890 "\260\310_\316Zr"}}, {loc = {reg = 18446744073709551544, offset = -72, exp = 0xffffffffffffffb8 <error: Cannot access memory at address 0xffffffffffffffb8>}}, {loc = {reg = 18446744073709551560, offset = -56, exp = 0xffffffffffffffc8 <error: Cannot access memory at address 0xffffffffffffffc8>}}, {loc = {reg = 0, offset = 0, exp = 0x0}}, {loc = {reg = 18446744073709551560, offset = -56, exp = 0xffffffffffffffc8 <error: Cannot access memory at address 0xffffffffffffffc8>}}, {loc = {reg = 18446744073709551568, offset = -48, exp = 0xffffffffffffffd0 <error: Cannot access memory at address 0xffffffffffffffd0>}}, {loc = {reg = 0, offset = 0, exp = 0x0}}, {loc = {reg = 18446744073709551600, offset = -16, exp = 0xfffffffffffffff0 <error: Cannot access memory at address 0xfffffffffffffff0>}}, {loc = {reg = 125734160964688, offset = 125734160964688, exp = 0x725ac4001c50 ""}}, {loc = {reg = 125734335006240, offset = 125734335006240, exp = 0x725ace5fc620 "P\307_\316Zr"}}, {loc = {reg = 125734374027697, offset = 125734374027697, exp = 0x725ad0b331b1 <_dl_open+257> "H\213E\230H\201Ĉ"}}, {loc = {reg = 18446744073709551576, offset = -40, exp = 0xffffffffffffffd8 <error: Cannot access memory at address 0xffffffffffffffd8>}}, {loc = {reg = 18446744073709551584, offset = -32, exp = 0xffffffffffffffe0 <error: Cannot access memory at address 0xffffffffffffffe0>}}, {loc = {reg = 18446744073709551592, offset = -24, exp = 0xffffffffffffffe8 <error: Cannot access memory at address 0xffffffffffffffe8>}}, {loc = {reg = 18446744073709551600, offset = -16, exp = 0xfffffffffffffff0 <error: Cannot access memory at address 0xfffffffffffffff0>}}, {loc = {reg = 18446744073709551608, offset = -8, exp = 0xfffffffffffffff8 <error: Cannot access memory at address 0xfffffffffffffff8>}}, {loc = {reg = 18446744073709551592, offset = -24, exp = 0xffffffffffffffe8 <error: Cannot access memory at address 0xffffffffffffffe8>}}}, how = '\000' <repeats 17 times>, cfa_how = CFA_UNSET, prev = 0x0, cfa_offset = 0, cfa_reg = 0, cfa_exp = 0x0}, pc = 0x0, personality = 0x0, data_align = 0, code_align = 0, retaddr_column = 0, fde_encoding = 0 '\000', lsda_encoding = 0 '\000', saw_z = 0 '\000', signal_frame = 0 '\000', eh_ptr = 0x0} action = <optimized out> stop = 0x725ad00a55c0 <unwind_stop> stop_argument = 0x725ace5fcee0 code = <optimized out> stop_code = <optimized out> frames = 7#3 0x0000725ab6c873c0 in _Unwind_ForcedUnwind (exc=0x725ace5fdd30, stop=stop@entry=0x725ad00a55c0 <unwind_stop>, stop_argument=<optimized out>) at ../../../src/libgcc/unwind.inc:218 this_context = {reg = {0x725ace5fc848, 0x725ace5fc850, 0x0, 0x725ace5fc858, 0x0, 0x0, 0x725ace5fc880, 0x0, 0x0, 0x0, 0x0, 0x0, 0x725ace5fc860, 0x725ace5fc868, 0x725ace5fc870, 0x725ace5fc878, 0x725ace5fc888, 0x0}, cfa = 0x725ace5fc890, ra = 0x725ad00a57a4 <__GI___pthread_unwind+68>, lsda = 0x0, bases = {tbase = 0x0, dbase = 0x0, func = 0x725ab6c87290 <_Unwind_ForcedUnwind>}, flags = 4611686018427387904, version = 0, args_size = 0, by_value = '\000' <repeats 17 times>} cur_context = {reg = {0x725ace5fc848, 0x725ace5fc850, 0x0, 0x725ace5fcb08, 0x0, 0x0, 0x725ace5fcb10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x725ace5fcb18, 0x725ace5fcb20, 0x725ace5fcb28, 0x725ace5fcb30, 0x725ace5fcb38, 0x0}, cfa = 0x725ace5fcb40, ra = 0x725ab661e00a, lsda = 0x0, bases = {tbase = 0x0, dbase = 0x0, func = 0x725ad0512bd0 <_PyEval_EvalFrameDefault>}, flags = 4611686018427387904, version = 0, args_size = 0, by_value = '\000' <repeats 17 times>} code = <optimized out> frames = 125734373979420#4 0x0000725ad00a57a4 in __GI___pthread_unwind (buf=<optimized out>) at ./nptl/unwind.c:130 ibuf = <optimized out> self = <optimized out>#5 0x0000725ad009dd22 in __do_cancel () at ../sysdeps/nptl/pthreadP.h:271 self = <optimized out>#6 __GI___pthread_exit (value=value@entry=0x0) at ./nptl/pthread_exit.c:36No locals.#7 0x0000725ad0707be9 in PyThread_exit_thread () at Python/thread_pthread.h:370No locals.#8 0x0000725ad06c417b in take_gil (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:434 err = <optimized out> interp = <optimized out> ceval = <optimized out> gil = <optimized out> __func__ = "take_gil" drop_requested = <optimized out>#9 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:1058 runtime = <optimized out> ceval = <optimized out> interp_ceval_state = <optimized out> __func__ = "_Py_HandlePending"#10 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836 __func__ = "_PyEval_EvalFrameDefault" opcode_targets = {0x725ad05125b7 <_PyEval_EvalFrameDefault-1561>, 0x725ad0518b48 <_PyEval_EvalFrameDefault+24440>, 0x725ad0518b91 <_PyEval_EvalFrameDefault+24513>, 0x725ad0518530 <_PyEval_EvalFrameDefault+22880>, 0x725ad0518bc4 <_PyEval_EvalFrameDefault+24564>, 0x725ad0518d64 <_PyEval_EvalFrameDefault+24980>, 0x725ad05167c8 <_PyEval_EvalFrameDefault+15352>, 0x725ad051685c <_PyEval_EvalFrameDefault+15500>, 0x725ad051665b <_PyEval_EvalFrameDefault+14987>, 0x725ad051a0c5 <_PyEval_EvalFrameDefault+29941>, 0x725ad051670a <_PyEval_EvalFrameDefault+15162>, 0x725ad0518e4e <_PyEval_EvalFrameDefault+25214>, 0x725ad0515a21 <_PyEval_EvalFrameDefault+11857>, 0x725ad0516484 <_PyEval_EvalFrameDefault+14516>, 0x725ad0516373 <_PyEval_EvalFrameDefault+14243>, 0x725ad051630c <_PyEval_EvalFrameDefault+14140>, 0x725ad05165c7 <_PyEval_EvalFrameDefault+14839>, 0x725ad05125af <_PyEval_EvalFrameDefault.cold>, 0x725ad0516518 <_PyEval_EvalFrameDefault+14664>, 0x725ad05181c8 <_PyEval_EvalFrameDefault+22008>, 0x725ad051829e <_PyEval_EvalFrameDefault+22222>, 0x725ad0516b5d <_PyEval_EvalFrameDefault+16269>, 0x725ad05183f0 <_PyEval_EvalFrameDefault+22560>, 0x725ad0517394 <_PyEval_EvalFrameDefault+18372>, 0x725ad0517560 <_PyEval_EvalFrameDefault+18832>, 0x725ad051690b <_PyEval_EvalFrameDefault+15675>, 0x725ad05169f9 <_PyEval_EvalFrameDefault+15913>, 0x725ad0516a99 <_PyEval_EvalFrameDefault+16073>, 0x725ad051733b <_PyEval_EvalFrameDefault+18283>, 0x725ad0517a60 <_PyEval_EvalFrameDefault+20112>, 0x725ad051b029 <_PyEval_EvalFrameDefault+33881>, 0x725ad051b160 <_PyEval_EvalFrameDefault+34192>, 0x725ad0517e44 <_PyEval_EvalFrameDefault+21108>, 0x725ad0517e8f <_PyEval_EvalFrameDefault+21183>, 0x725ad0519630 <_PyEval_EvalFrameDefault+27232>, 0x725ad051b8d6 <_PyEval_EvalFrameDefault+36102>, 0x725ad051ba21 <_PyEval_EvalFrameDefault+36433>, 0x725ad051b26b <_PyEval_EvalFrameDefault+34459>, 0x725ad051a86d <_PyEval_EvalFrameDefault+31901>, 0x725ad0519496 <_PyEval_EvalFrameDefault+26822>, 0x725ad0517c0a <_PyEval_EvalFrameDefault+20538>, 0x725ad051ae5f <_PyEval_EvalFrameDefault+33423>, 0x725ad051a4fa <_PyEval_EvalFrameDefault+31018>, 0x725ad05180a2 <_PyEval_EvalFrameDefault+21714>, 0x725ad051a0ec <_PyEval_EvalFrameDefault+29980>, 0x725ad051aa20 <_PyEval_EvalFrameDefault+32336>, 0x725ad051ab80 <_PyEval_EvalFrameDefault+32688>, 0x725ad051780c <_PyEval_EvalFrameDefault+19516>, 0x725ad0517930 <_PyEval_EvalFrameDefault+19808>, 0x725ad051b1ab <_PyEval_EvalFrameDefault+34267>, 0x725ad05186b5 <_PyEval_EvalFrameDefault+23269>, 0x725ad0513630 <_PyEval_EvalFrameDefault+2656>, 0x725ad051b59c <_PyEval_EvalFrameDefault+35276>, 0x725ad051b6b8 <_PyEval_EvalFrameDefault+35560>, 0x725ad051617d <_PyEval_EvalFrameDefault+13741>, 0x725ad0514c50 <_PyEval_EvalFrameDefault+8320>, 0x725ad0517720 <_PyEval_EvalFrameDefault+19280>, 0x725ad051982f <_PyEval_EvalFrameDefault+27743>, 0x725ad05198ec <_PyEval_EvalFrameDefault+27932>, 0x725ad05199e0 <_PyEval_EvalFrameDefault+28176>, 0x725ad0518a3f <_PyEval_EvalFrameDefault+24175>, 0x725ad05188a7 <_PyEval_EvalFrameDefault+23767>, 0x725ad051a72b <_PyEval_EvalFrameDefault+31579>, 0x725ad051a7cc <_PyEval_EvalFrameDefault+31740>, 0x725ad0519aef <_PyEval_EvalFrameDefault+28447>, 0x725ad0519ba4 <_PyEval_EvalFrameDefault+28628>, 0x725ad0513eba <_PyEval_EvalFrameDefault+4842>, 0x725ad0514004 <_PyEval_EvalFrameDefault+5172>, 0x725ad0517ee8 <_PyEval_EvalFrameDefault+21272>, 0x725ad051b50f <_PyEval_EvalFrameDefault+35135>, 0x725ad0514617 <_PyEval_EvalFrameDefault+6727>, 0x725ad0514d6e <_PyEval_EvalFrameDefault+8606>, 0x725ad0514808 <_PyEval_EvalFrameDefault+7224>, 0x725ad05142d9 <_PyEval_EvalFrameDefault+5897>, 0x725ad0514d2c <_PyEval_EvalFrameDefault+8540>, 0x725ad051a033 <_PyEval_EvalFrameDefault+29795>, 0x725ad051438f <_PyEval_EvalFrameDefault+6079>, 0x725ad05146bf <_PyEval_EvalFrameDefault+6895>, 0x725ad0514570 <_PyEval_EvalFrameDefault+6560>, 0x725ad0514460 <_PyEval_EvalFrameDefault+6288>, 0x725ad0516d9a <_PyEval_EvalFrameDefault+16842>, 0x725ad051b865 <_PyEval_EvalFrameDefault+35989>, 0x725ad051b7d4 <_PyEval_EvalFrameDefault+35844>, 0x725ad051857f <_PyEval_EvalFrameDefault+22959>, 0x725ad051907b <_PyEval_EvalFrameDefault+25771>, 0x725ad0515323 <_PyEval_EvalFrameDefault+10067>, 0x725ad0518ef4 <_PyEval_EvalFrameDefault+25380>, 0x725ad05158ed <_PyEval_EvalFrameDefault+11549>, 0x725ad0519145 <_PyEval_EvalFrameDefault+25973>, 0x725ad051506f <_PyEval_EvalFrameDefault+9375>, 0x725ad0514dde <_PyEval_EvalFrameDefault+8718>, 0x725ad0514e76 <_PyEval_EvalFrameDefault+8870>, 0x725ad0514edb <_PyEval_EvalFrameDefault+8971>, 0x725ad051a675 <_PyEval_EvalFrameDefault+31397>, 0x725ad0516061 <_PyEval_EvalFrameDefault+13457>, 0x725ad0514a09 <_PyEval_EvalFrameDefault+7737>, 0x725ad0515fe6 <_PyEval_EvalFrameDefault+13334>, 0x725ad0515813 <_PyEval_EvalFrameDefault+11331>, 0x725ad0515890 <_PyEval_EvalFrameDefault+11456>, 0x725ad0518eb5 <_PyEval_EvalFrameDefault+25317>, 0x725ad05191a8 <_PyEval_EvalFrameDefault+26072>, 0x725ad05153ad <_PyEval_EvalFrameDefault+10205>, 0x725ad0513a3c <_PyEval_EvalFrameDefault+3692>, 0x725ad0515c1d <_PyEval_EvalFrameDefault+12365>, 0x725ad05150c7 <_PyEval_EvalFrameDefault+9463>, 0x725ad051524e <_PyEval_EvalFrameDefault+9854>, 0x725ad0514177 <_PyEval_EvalFrameDefault+5543>, 0x725ad0515938 <_PyEval_EvalFrameDefault+11624>, 0x725ad051a292 <_PyEval_EvalFrameDefault+30402>, 0x725ad051a3cb <_PyEval_EvalFrameDefault+30715>, 0x725ad051a430 <_PyEval_EvalFrameDefault+30816>, 0x725ad0515580 <_PyEval_EvalFrameDefault+10672>, 0x725ad05154d9 <_PyEval_EvalFrameDefault+10505>, 0x725ad0514950 <_PyEval_EvalFrameDefault+7552>, 0x725ad05192be <_PyEval_EvalFrameDefault+26350>, 0x725ad0519346 <_PyEval_EvalFrameDefault+26486>, 0x725ad051542b <_PyEval_EvalFrameDefault+10331>, 0x725ad0516c28 <_PyEval_EvalFrameDefault+16472>, 0x725ad0516cb2 <_PyEval_EvalFrameDefault+16610>, 0x725ad0515e25 <_PyEval_EvalFrameDefault+12885>, 0x725ad051ae1c <_PyEval_EvalFrameDefault+33356>, 0x725ad0518632 <_PyEval_EvalFrameDefault+23138>, 0x725ad0519df7 <_PyEval_EvalFrameDefault+29223>, 0x725ad051375e <_PyEval_EvalFrameDefault+2958>, 0x725ad0518754 <_PyEval_EvalFrameDefault+23428>, 0x725ad05190e6 <_PyEval_EvalFrameDefault+25878>, 0x725ad0515650 <_PyEval_EvalFrameDefault+10880>, 0x725ad05197e0 <_PyEval_EvalFrameDefault+27664>, 0x725ad051b934 <_PyEval_EvalFrameDefault+36196>, 0x725ad051b98c <_PyEval_EvalFrameDefault+36284>, 0x725ad05184b8 <_PyEval_EvalFrameDefault+22760>, 0x725ad05136e6 <_PyEval_EvalFrameDefault+2838>, 0x725ad0519e14 <_PyEval_EvalFrameDefault+29252>, 0x725ad051a15e <_PyEval_EvalFrameDefault+30094>, 0x725ad051affb <_PyEval_EvalFrameDefault+33835>, 0x725ad05156b3 <_PyEval_EvalFrameDefault+10979>, 0x725ad051a243 <_PyEval_EvalFrameDefault+30323>, 0x725ad0513851 <_PyEval_EvalFrameDefault+3201>, 0x725ad05138a4 <_PyEval_EvalFrameDefault+3284>, 0x725ad051571e <_PyEval_EvalFrameDefault+11086>, 0x725ad051b9e1 <_PyEval_EvalFrameDefault+36369>, 0x725ad0513c43 <_PyEval_EvalFrameDefault+4211>, 0x725ad0513375 <_PyEval_EvalFrameDefault+1957>, 0x725ad0516d57 <_PyEval_EvalFrameDefault+16775>, 0x725ad0519dc4 <_PyEval_EvalFrameDefault+29172>, 0x725ad0517d70 <_PyEval_EvalFrameDefault+20896>, 0x725ad0517dcf <_PyEval_EvalFrameDefault+20991>, 0x725ad051620c <_PyEval_EvalFrameDefault+13884>, 0x725ad0515a95 <_PyEval_EvalFrameDefault+11973>, 0x725ad0513902 <_PyEval_EvalFrameDefault+3378>, 0x725ad0515008 <_PyEval_EvalFrameDefault+9272>, 0x725ad0519264 <_PyEval_EvalFrameDefault+26260>, 0x725ad051b095 <_PyEval_EvalFrameDefault+33989>, 0x725ad0514afb <_PyEval_EvalFrameDefault+7979>, 0x725ad0518f5f <_PyEval_EvalFrameDefault+25487>, 0x725ad051ad18 <_PyEval_EvalFrameDefault+33096>, 0x725ad0515ec8 <_PyEval_EvalFrameDefault+13048>, 0x725ad0513967 <_PyEval_EvalFrameDefault+3479>, 0x725ad0518fd9 <_PyEval_EvalFrameDefault+25609>, 0x725ad0518794 <_PyEval_EvalFrameDefault+23492>, 0x725ad0518a60 <_PyEval_EvalFrameDefault+24208>, 0x725ad0513aa7 <_PyEval_EvalFrameDefault+3799>, 0x725ad0515b3a <_PyEval_EvalFrameDefault+12138>, 0x725ad0515ba8 <_PyEval_EvalFrameDefault+12248>, 0x725ad0516299 <_PyEval_EvalFrameDefault+14025>, 0x725ad0515c88 <_PyEval_EvalFrameDefault+12472>, 0x725ad0514f8c <_PyEval_EvalFrameDefault+9148>, 0x725ad0514ef4 <_PyEval_EvalFrameDefault+8996>, 0x725ad0515cf6 <_PyEval_EvalFrameDefault+12582>, 0x725ad0519fdc <_PyEval_EvalFrameDefault+29708>, 0x725ad0519fdc <_PyEval_EvalFrameDefault+29708>, 0x725ad05172f3 <_PyEval_EvalFrameDefault+18211>, 0x725ad0516e1d <_PyEval_EvalFrameDefault+16973>, 0x725ad051892e <_PyEval_EvalFrameDefault+23902>, 0x725ad051899f <_PyEval_EvalFrameDefault+24015>, 0x725ad05160e7 <_PyEval_EvalFrameDefault+13591>, 0x725ad0515780 <_PyEval_EvalFrameDefault+11184>, 0x725ad0519fdc <_PyEval_EvalFrameDefault+29708> <repeats 60 times>, 0x725ad051626c <_PyEval_EvalFrameDefault+13980>, 0x725ad051a45a <_PyEval_EvalFrameDefault+30858>, 0x725ad0519d23 <_PyEval_EvalFrameDefault+29011>, 0x725ad0519a95 <_PyEval_EvalFrameDefault+28357>, 0x725ad0516e58 <_PyEval_EvalFrameDefault+17032>, 0x725ad05185e4 <_PyEval_EvalFrameDefault+23060>, 0x725ad0515dc0 <_PyEval_EvalFrameDefault+12784>, 0x725ad0513371 <_PyEval_EvalFrameDefault+1953>, 0x725ad0517fa9 <_PyEval_EvalFrameDefault+21465>, 0x725ad0518017 <_PyEval_EvalFrameDefault+21575>, 0x725ad051865f <_PyEval_EvalFrameDefault+23183>, 0x725ad051a68e <_PyEval_EvalFrameDefault+31422>, 0x725ad05193ce <_PyEval_EvalFrameDefault+26622>...} opcode = <optimized out> oparg = <optimized out> cframe = {current_frame = 0x725ad03021d8, previous = 0x725ace5fccf0} entry_frame = {f_code = 0x725ad022a590, previous = 0x725ad0b07188, f_funcobj = 0x1c20ce5fcad0, f_globals = 0x725ab8000030, f_builtins = 0x725ace5fcb30, f_locals = 0x725ace5fccf0, frame_obj = 0x725ad025ce40, prev_instr = 0x725ad022a650, stacktop = 0, return_offset = 0, owner = 3 '\003', localsplus = {0x725acff04f30}} kwnames = 0x0 prev_cframe = <optimized out> next_instr = 0x725ad025cf1a stack_pointer = 0x725ad0302240 exception_unwind = <optimized out> dying = <optimized out>#11 0x0000725ab661e00a in ?? ()No symbol table info available.#12 0x0000000000000000 in ?? ()No symbol table info available. Id Target Id Frame * 1 Thread 0x725ace5fd6c0 (LWP 12846) (Exiting) x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63 2 Thread 0x725ab77fe6c0 (LWP 12851) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725ab77fd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 3 Thread 0x725ab7fff6c0 (LWP 12850) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725ab7ffe950, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 4 Thread 0x725acd5fb6c0 (LWP 12848) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acd5fa8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 5 Thread 0x725accdfa6c0 (LWP 12849) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725accdf98f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 6 Thread 0x725acedfe6c0 (LWP 12845) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acedfd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 7 Thread 0x725acddfc6c0 (LWP 12847) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725acddfb8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 8 Thread 0x725acf5ff6c0 (LWP 12844) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acf5fe8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57 9 Thread 0x725ad0b00b80 (LWP 12791) 0x0000725ad0125d7b in __GI_munmap () at ../sysdeps/unix/syscall-template.S:117Thread 9 (Thread 0x725ad0b00b80 (LWP 12791)):#0 0x0000725ad0125d7b in __GI_munmap () at ../sysdeps/unix/syscall-template.S:117#1 0x0000725ad071b9f4 in free_code_arenas () at Python/perf_trampoline.c:315#2 _PyPerfTrampoline_FreeArenas () at Python/perf_trampoline.c:421#3 0x0000725ad06e7eb6 in finalize_interp_clear (tstate=tstate@entry=0x725ad0ad6db0 <_PyRuntime+458992>) at Python/pylifecycle.c:1788#4 0x0000725ad06ebd14 in Py_FinalizeEx () at Python/pylifecycle.c:2001#5 Py_FinalizeEx () at Python/pylifecycle.c:1812#6 0x0000725ad071d32f in Py_RunMain () at Modules/main.c:716#7 0x0000725ad071d4ee in pymain_main (args=0x7fffaf958bb0) at Modules/main.c:744#8 Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:768#9 0x0000725ad002a1ca in __libc_start_call_main (main=main@entry=0x575c15e31060 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffaf958d48) at ../sysdeps/nptl/libc_start_call_main.h:58#10 0x0000725ad002a28b in __libc_start_main_impl (main=0x575c15e31060 <main>, argc=2, argv=0x7fffaf958d48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffaf958d38) at ../csu/libc-start.c:360#11 0x0000575c15e31095 in _start ()Thread 8 (Thread 0x725acf5ff6c0 (LWP 12844)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acf5fe8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acf5fe8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acf5fe8f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acf5fe8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acf5fe8f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c88d420) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c88d420) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab6f0e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 7 (Thread 0x725acddfc6c0 (LWP 12847)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725acddfb8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=0, abstime=0x725acddfb8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acddfb8f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acddfb8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acddfb8f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c870600) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c870600) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab6f0e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 6 (Thread 0x725acedfe6c0 (LWP 12845)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acedfd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acedfd8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acedfd8f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acedfd8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acedfd8f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c893cc0) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c893cc0) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab6f0e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 5 (Thread 0x725accdfa6c0 (LWP 12849)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725accdf98f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725accdf98f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725accdf98f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725accdf98f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725accdf98f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c86d660) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c86d660) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab6f0e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 4 (Thread 0x725acd5fb6c0 (LWP 12848)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acd5fa8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acd5fa8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acd5fa8f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acd5fa8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acd5fa8f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c8768a0) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c8768a0) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab661e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 3 (Thread 0x725ab7fff6c0 (LWP 12850)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725ab7ffe950, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=0, abstime=0x725ab7ffe950, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725ab7ffe950, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725ab7ffe950, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725ab7ffe950) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c84ef40) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c84ef40) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ad05975bd in _PyEval_EvalFrame (throwflag=0, frame=0x725acff2d338, tstate=<optimized out>) at ./Include/internal/pycore_ceval.h:89#10 gen_send_ex2 (closing=0, exc=0, presult=<synthetic pointer>, arg=0x0, gen=0x725acff2d2f0) at Objects/genobject.c:230#11 gen_iternext (gen=0x725acff2d2f0) at Objects/genobject.c:603#12 0x0000725ad0560504 in PyIter_Next (iter=iter@entry=0x725acff2d2f0) at Objects/abstract.c:2847#13 0x0000725ad068f1ab in builtin_sum_impl (module=<optimized out>, start=<optimized out>, iterable=<optimized out>) at Python/bltinmodule.c:2565#14 builtin_sum (module=<optimized out>, args=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at Python/clinic/bltinmodule.c.h:1143#15 0x0000725ad05196e0 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at ./Include/cpython/methodobject.h:50#16 0x0000725ad057d733 in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=1, args=0x725ab7ffee18, callable=0x725acff59620, tstate=0x575c3c84ef40) at ./Include/internal/pycore_call.h:92#17 method_vectorcall (method=<optimized out>, args=0x725ad0a79428 <_PyRuntime+75624>, nargsf=<optimized out>, kwnames=0x0) at Objects/classobject.c:69#18 0x0000725ad0785eba in thread_run (boot_raw=0x575c3c834740) at ./Modules/_threadmodule.c:1116#19 0x0000725ad07078fb in pythread_wrapper (arg=<optimized out>) at Python/thread_pthread.h:237#20 0x0000725ad009caa4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447#21 0x0000725ad0129c6c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78Thread 2 (Thread 0x725ab77fe6c0 (LWP 12851)):#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725ab77fd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725ab77fd8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725ab77fd8f0, private=private@entry=0) at ./nptl/futex-internal.c:139#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725ab77fd8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725ab77fd8f0) at ./nptl/pthread_cond_wait.c:652#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73#6 take_gil (tstate=tstate@entry=0x575c3c8a51f0) at Python/ceval_gil.c:376#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c8a51f0) at Python/ceval_gil.c:1058#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#9 0x0000725ab6f0e00a in ?? ()#10 0x0000000000000000 in ?? ()Thread 1 (Thread 0x725ace5fd6c0 (LWP 12846) (Exiting)):#0 x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63#1 uw_frame_state_for (context=context@entry=0x725ace5fc750, fs=fs@entry=0x725ace5fc510) at ../../../src/libgcc/unwind-dw2.c:1013#2 0x0000725ab6c86c8a in _Unwind_ForcedUnwind_Phase2 (exc=exc@entry=0x725ace5fdd30, context=context@entry=0x725ace5fc750, frames_p=frames_p@entry=0x725ace5fc658) at ../../../src/libgcc/unwind.inc:162#3 0x0000725ab6c873c0 in _Unwind_ForcedUnwind (exc=0x725ace5fdd30, stop=stop@entry=0x725ad00a55c0 <unwind_stop>, stop_argument=<optimized out>) at ../../../src/libgcc/unwind.inc:218#4 0x0000725ad00a57a4 in __GI___pthread_unwind (buf=<optimized out>) at ./nptl/unwind.c:130#5 0x0000725ad009dd22 in __do_cancel () at ../sysdeps/nptl/pthreadP.h:271#6 __GI___pthread_exit (value=value@entry=0x0) at ./nptl/pthread_exit.c:36#7 0x0000725ad0707be9 in PyThread_exit_thread () at Python/thread_pthread.h:370#8 0x0000725ad06c417b in take_gil (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:434#9 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:1058#10 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836#11 0x0000725ab661e00a in ?? ()#12 0x0000000000000000 in ?? ()PoC
importsysimportthreadingimporttimeimportos#consistent seg fault crash PoC for perf trampolinedefheavy_workload():""" Runs continuous Python bytecode loops. This keeps the thread inside the 'py_trampoline_evaluator' function in the C runtime, making it vulnerable when the state is freed. """whileTrue:# Simple arithmetic to keep the interpreter busy_=sum(i*iforiinrange(500))deftrigger_race():print(f"[+] PID:{os.getpid()}")print("[+] Spawning worker threads to occupy the evaluator...")# Spawn multiple threads to increase the probability that one is# inside the critical section when we deactivate.for_inrange(8):t=threading.Thread(target=heavy_workload,daemon=True)t.start()print("[+] Starting toggle loop (Activate <-> Deactivate)...")print("[!] This may take a few seconds to crash the interpreter.")iteration=0whileTrue:sys.activate_stack_trampoline("perf")# No sleep, no prints, just pure racesys.deactivate_stack_trampoline()if__name__=="__main__":trigger_race()
CPython versions tested on:
3.12, 3.14, 3.13
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.12.12 (main, Dec 22 2025, 15:14:56) [GCC 13.3.0]