[ python-Bugs-782689 ] PyObject_Free unallocated memory read warning

SourceForge.net noreply at sourceforge.net
Tue Jun 15 23:11:46 EDT 2004


Bugs item #782689, was opened at 2003-08-04 04:38
Message generated for change (Comment added) made by nnorwitz
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=782689&group_id=5470

Category: Python Interpreter Core
Group: Python 2.3
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Grzegorz Makarewicz (makaron)
>Assigned to: Neal Norwitz (nnorwitz)
Summary: PyObject_Free unallocated memory read warning

Initial Comment:
win2k, vc6sp5

ADDRESS_IN_RANGE(p, pool->arenaindex) is too simple
and may read unmanaged memory when "p" does not belong
to selected pool and there is something allocated by
python allocator and pool->arenaindex is smaller than
narenas (random case).

valgrind messages for PyObject_Free line 711:
Conditional jump or move depends on uninitialised value(s)
Use of uninitialised value of size 4
Invalid read of size 4

simple test:
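#include <stddef.h>

/* Declared by hand so the test builds without Python.h. */
extern void *PyObject_Malloc(size_t size);
extern void PyObject_Free(void *mem);


int main(void) {
	void *p0;
	void *p;
	int i;

	/* Keep one block alive so the allocator has something allocated. */
	p0 = PyObject_Malloc(100);
	/* Allocate and free every size from 1 to 511 bytes. */
	for (i = 1; i < 512; i++) {
		p = PyObject_Malloc(i);
		PyObject_Free(p);
	}
	PyObject_Free(p0);
	return 0;
}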


----------------------------------------------------------------------

>Comment By: Neal Norwitz (nnorwitz)
Date: 2004-06-15 23:11

Message:
Misc/README.valgrind was added as well as a default valgrind
suppression file that can be used.

----------------------------------------------------------------------

Comment By: Jeff Epler (jepler)
Date: 2003-08-10 15:40

Message:
Please see: 
http://mail.python.org/pipermail/python-dev/2002-October/029712.html
http://mail.python.org/pipermail/python-dev/2003-July/036740.html
.. and possibly other past python-dev threads.

It is believed that this UMR is safe (non-segfaulting) on systems with a few assumptions about memory allocation.  When the first test erroneously passes for a block not from a pool, the next check still gets the right result.

If the valgrind suppressions file isn't included in the Python distribution, perhaps it should be added. (How portable have these files been across valgrind versions?)

----------------------------------------------------------------------
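
The argument in the comment above (a stray arenaindex that passes the index test is still rejected by the address-range test) can be checked with a small model. This is an added example, not CPython's obmalloc code and not part of the original thread; ARENA_SIZE, POOL_SIZE, the backing buffer and the helpers owned_by_allocator and run_model are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: sizes, names and layout are assumptions. */
#define ARENA_SIZE (256u * 1024u)
#define POOL_SIZE  4096u
static uintptr_t arenas[4];   /* base address of each arena */
static unsigned narenas;      /* number of valid entries in arenas[] */
/* One arena with a foreign page on each side, so every read below
 * stays inside memory this program owns. */
static unsigned char backing[ARENA_SIZE + 3 * POOL_SIZE];

/* Test 1 bounds the index. Test 2 relies on unsigned wraparound: if p is
 * below the arena the difference is huge, so one compare covers both ends. */
static int address_in_range(uintptr_t p, unsigned arenaindex) {
    return arenaindex < narenas && p - arenas[arenaindex] < ARENA_SIZE;
}

/* Round p down to its pool boundary and read the index stored there. For a
 * foreign block that value is whatever happens to be in memory. */
static int owned_by_allocator(const unsigned char *p) {
    unsigned arenaindex;
    memcpy(&arenaindex, p - ((uintptr_t)p & (POOL_SIZE - 1)), sizeof arenaindex);
    return address_in_range((uintptr_t)p, arenaindex);
}

/* Returns 1 if the real block is recognised; *bad counts foreign blocks
 * wrongly claimed while the stray index g takes the values 0..7. */
static int run_model(unsigned *bad) {
    unsigned char *low = backing + (POOL_SIZE - (uintptr_t)backing % POOL_SIZE) % POOL_SIZE;
    unsigned char *arena = low + POOL_SIZE, *high = arena + ARENA_SIZE;
    unsigned g, zero = 0;
    arenas[0] = (uintptr_t)arena;
    narenas = 1;
    memcpy(arena, &zero, sizeof zero);      /* genuine pool header */
    for (*bad = 0, g = 0; g < 8; g++) {     /* g == 0 passes test 1 */
        memcpy(low, &g, sizeof g);
        memcpy(high, &g, sizeof g);
        *bad += owned_by_allocator(low + 100) + owned_by_allocator(high + 100);
    }
    return owned_by_allocator(arena + 100);
}

int main(void) {
    unsigned bad;
    int ok = run_model(&bad);
    return printf("owned=%d misclassified=%u\n", ok, bad) < 0;
}
```

In the model every read stays inside backing; in the interpreter the equivalent header read for a block that did not come from a pool is the access valgrind reports.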
