[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)
geeknik
report at bugs.python.org
Thu Aug 10 03:51:30 EDT 2017
geeknik added the comment:
So if I leave UBSan and ASan out of the equation and compile with gcc and run this script:
Program received signal SIGSEGV, Segmentation fault.
update_refs (containers=<optimized out>) at Modules/gcmodule.c:353
353 _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
(gdb) bt
#0 update_refs (containers=<optimized out>) at Modules/gcmodule.c:353
#1 collect (generation=generation@entry=2,
    n_collected=n_collected@entry=0x7fffffffe2f8,
    n_uncollectable=n_uncollectable@entry=0x7fffffffe300,
    nofail=nofail@entry=0) at Modules/gcmodule.c:962
#2 0x00005555555d5365 in collect_with_callback (generation=2)
    at Modules/gcmodule.c:1135
#3 PyGC_Collect () at Modules/gcmodule.c:1622
#4 _PyGC_CollectIfEnabled () at Modules/gcmodule.c:1635
#5 0x00005555555b8e28 in Py_FinalizeEx () at Python/pylifecycle.c:978
#6 0x00005555555b9225 in Py_FinalizeEx () at Python/pylifecycle.c:1119
#7 0x00005555555d2ed2 in Py_Main (argc=<optimized out>, argv=<optimized out>)
    at Modules/main.c:921
#8 0x00005555555aa1cb in main (argc=2, argv=<optimized out>)
    at ./Programs/python.c:102
(gdb) list
348 update_refs(PyGC_Head *containers)
349 {
350     PyGC_Head *gc = containers->gc.gc_next;
351     for (; gc != containers; gc = gc->gc.gc_next) {
352         assert(_PyGCHead_REFS(gc) == GC_REACHABLE);
353         _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
354         /* Python's cyclic gc should never see an incoming refcount
355          * of 0: if something decref'ed to 0, it should have been
356          * deallocated immediately at that time.
357          * Possible cause (if the assert triggers): a tp_dealloc
Valgrind shows a null deref as well after some invalid reads and conditional jumps. I've attached the log; it's a bit verbose.
----------
Added file: http://bugs.python.org/file47071/31166.txt
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue31166>
_______________________________________