Crash in _elementtree.c after #24061

[mglae]

Crash report

Tell us what happened, ideally including a minimal, reproducible example (https://stackoverflow.com/help/minimal-reproducible-example).

Since updating LibreELEC master from Python 3.9.15 to 3.11/3.11.1 there are several reports of crashes in _elementtree module, see xbmc/xbmc#22344.

It is hard to reproduce, you have to set up a minimal kodi addon like:

import xbmcaddon
import xbmcgui
import xbmc
import xbmcvfs
import xml.etree.ElementTree as ET

addon       = xbmcaddon.Addon()
addonname   = addon.getAddonInfo('name')

gpath = xbmcvfs.translatePath("special://profile/guisettings.xml")

tree = ET.parse(gpath)
root = tree.getroot()
l = root.find('.//setting[@id="locale.language"]').text

... and start it a few hundred to thousand times.

Error messages

Enter any relevant error message caused by the crash, including a core dump if there is one.

Typical stack trace is:

Core was generated by `/usr/lib/kodi/kodi.bin --standalone -fs'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7f13220136c0 (LWP 58189))]
[...]

Thread 1 (Thread 0x7f13220136c0 (LWP 58189)):
#0  0x0000000000000000 in ?? ()
No symbol table info available.
#1  0x00007f13505150d6 in _elementtree_XMLParser___init___impl (self=self@entry=0x7f13242102b0, target=target@entry=0x1e1e4e0 <_Py_NoneStruct>, encoding=encoding@entry=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Modules/_elementtree.c:3647
No locals.
#2  0x00007f1350515555 in _elementtree_XMLParser___init__ (self=0x7f13242102b0, args=<optimized out>, kwargs=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Modules/clinic/_elementtree.c.h:845
        return_value = -1
        _keywords = {0x7f135051a238 "target", 0x7f135051a23f "encoding", 0x0}
        _parser = {format = 0x0, keywords = 0x7f135051dd10 <_keywords.23>, fname = 0x7f1350519fc6 "XMLParser", custom_msg = 0x0, pos = 0, min = 0, max = 0, kwtuple = 0x0, next = 0x0}
        argsbuf = {0x7f13241557b8, 0x7f135051ede0 <XMLParser_Type>}
        fastargs = <optimized out>
        nargs = <optimized out>
        noptargs = <optimized out>
        target = 0x1e1e4e0 <_Py_NoneStruct>
        encoding = 0x0
#3  0x00007f1381ed8afa in type_call (type=<optimized out>, args=0x7f138223c2d8 <_PyRuntime+58904>, kwds=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Objects/typeobject.c:1112
        res = <optimized out>
        obj = 0x7f13242102b0
        tstate = <optimized out>
#4  0x00007f1381e8e304 in _PyObject_MakeTpCall (tstate=tstate@entry=0x7f1324146e40, callable=callable@entry=0x7f135051ede0 <XMLParser_Type>, args=args@entry=0x7f13241557b8, nargs=<optimized out>, keywords=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Objects/call.c:214
        call = 0x7f1381ed8a70 <type_call>
        argstuple = 0x7f138223c2d8 <_PyRuntime+58904>
        kwdict = 0x0
        result = 0x0
#5  0x00007f1381e8e3bd in _PyObject_VectorcallTstate (tstate=0x7f1324146e40, callable=callable@entry=0x7f135051ede0 <XMLParser_Type>, args=args@entry=0x7f13241557b8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Include/internal/pycore_call.h:90
        nargs = <optimized out>
        func = <optimized out>
        res = <optimized out>
#6  0x00007f1381e8e422 in PyObject_Vectorcall (callable=callable@entry=0x7f135051ede0 <XMLParser_Type>, args=args@entry=0x7f13241557b8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Objects/call.c:299
        tstate = <optimized out>
#7  0x00007f1381f3d170 in _PyEval_EvalFrameDefault (tstate=0x7f1324146e40, frame=0x7f1324155738, throwflag=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/ceval.c:4772
        is_meth = 0
        total_args = 0
        function = 0x7f135051ede0 <XMLParser_Type>
        positional_args = <optimized out>
        res = <optimized out>
        __func__ = "_PyEval_EvalFrameDefault"
        opcode = <optimized out>
        oparg = 0
        eval_breaker = 0x7f132412cb24
        cframe = {use_tracing = 0 '\000', current_frame = 0x7f1324155738, previous = 0x7f1324146f90}
        call_shape = <optimized out>
        prev_cframe = <optimized out>
        names = 0x7f132426a5b0
        consts = 0x7f13240351b0
        first_instr = 0x7f132426a898
        next_instr = 0x7f132426a8fa
        stack_pointer = 0x7f13241557b8
        exception_unwind = <optimized out>
        dying = <optimized out>
#8  0x00007f1381f3f624 in _PyEval_EvalFrame (tstate=tstate@entry=0x7f1324146e40, frame=frame@entry=0x7f1324155650, throwflag=throwflag@entry=0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Include/internal/pycore_ceval.h:73
No locals.
#9  0x00007f1381f3f6ff in _PyEval_Vector (tstate=tstate@entry=0x7f1324146e40, func=func@entry=0x7f13240f8d00, locals=locals@entry=0x7f132403ffb0, args=args@entry=0x0, argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/ceval.c:6435
        frame = 0x7f1324155650
        retval = <optimized out>
#10 0x00007f1381f3f7c3 in PyEval_EvalCode (co=co@entry=0x7f13240a2f00, globals=globals@entry=0x7f132403ffb0, locals=locals@entry=0x7f132403ffb0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/ceval.c:1154
        tstate = 0x7f1324146e40
        builtins = 0x7f1324126100
        desc = {fc_globals = 0x7f132403ffb0, fc_builtins = 0x7f1324126100, fc_name = 0x7f1382233150 <_PyRuntime+21648>, fc_qualname = 0x7f1382233150 <_PyRuntime+21648>, fc_code = 0x7f13240a2f00, fc_defaults = 0x0, fc_kwdefaults = 0x0, fc_closure = 0x0}
        func = 0x7f13240f8d00
        res = <optimized out>
#11 0x00007f1381f772f7 in run_eval_code_obj (tstate=tstate@entry=0x7f1324146e40, co=co@entry=0x7f13240a2f00, globals=globals@entry=0x7f132403ffb0, locals=locals@entry=0x7f132403ffb0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/pythonrun.c:1714
        v = <optimized out>
#12 0x00007f1381f773bd in run_mod (mod=mod@entry=0x7f132427ebb8, filename=filename@entry=0x7f1324197350, globals=globals@entry=0x7f132403ffb0, locals=locals@entry=0x7f132403ffb0, flags=flags@entry=0x0, arena=arena@entry=0x7f1324032d00) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/pythonrun.c:1735
        tstate = 0x7f1324146e40
        co = 0x7f13240a2f00
        v = <optimized out>
#13 0x00007f1381f7746d in pyrun_file (fp=fp@entry=0x7f13240a2f00, filename=filename@entry=0x7f1324197350, start=start@entry=257, globals=globals@entry=0x7f132403ffb0, locals=locals@entry=0x7f132403ffb0, closeit=closeit@entry=1, flags=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/pythonrun.c:1630
        arena = 0x7f1324032d00
        mod = 0x7f132427ebb8
        ret = <optimized out>
#14 0x00007f1381f79f73 in PyRun_FileExFlags (fp=0x7f13240a2f00, filename=<optimized out>, start=257, globals=0x7f132403ffb0, locals=0x7f132403ffb0, closeit=1, flags=0x0) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/Python3-3.11.1/Python/pythonrun.c:1650
        filename_obj = 0x7f1324197350
        res = <optimized out>
#15 0x0000000000d5ac60 in CPythonInvoker::executeScript (this=<optimized out>, fp=<optimized out>, script=..., moduleDict=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/python/PythonInvoker.cpp:428
        m_Py_file_input = 257
#16 0x0000000000d5bfb0 in CPythonInvoker::execute (this=this@entry=0x3bf31e0, script=..., arguments=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/python/PythonInvoker.cpp:319
        f = 0x7f1324197280
        pycontext = <optimized out>
        pyRealFilename = <optimized out>
        fp = 0x7f13240a2f00
        pythonPath = {_M_t = {_M_impl = {<std::allocator<std::_Rb_tree_node<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >> = {<std::__new_allocator<std::_Rb_tree_node<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >> = {<No data fields>}, <No data fields>}, <std::_Rb_tree_key_compare<std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >> = {_M_key_compare = {<std::binary_function<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool>> = {<No data fields>}, <No data fields>}}, <std::_Rb_tree_header> = {_M_header = {_M_color = std::_S_red, _M_parent = 0x7f1324197f80, _M_left = 0x7f1324197f80, _M_right = 0x7f1324197f80}, _M_node_count = 1}, <No data fields>}}}
        realFilename = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f13242769f0 "/storage/.kodi/addons/script.hello.world/addon.py"}, _M_string_length = 49, {_M_local_buf = "1\000\000\000\000\000\000\000\374d\033\177\023\177\000", _M_allocated_capacity = 49}}
        scriptDir = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f1324100e70 "/storage/.kodi/addons/script.hello.world"}, _M_string_length = 40, {_M_local_buf = ")\000\000\000\000\000\000\000P\250\233\003\000\000\000", _M_allocated_capacity = 41}}
        l_threadState = <optimized out>
        newInterp = <optimized out>
        sysArgv = <optimized out>
        module = <optimized out>
        moduleDict = 0x7f132403ffb0
        stopping = false
        failed = false
        exceptionType = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f13220125b0 ""}, _M_string_length = 0, {_M_local_buf = "\000(\001\"\023\177\000\000\b\000\000\000\000\000\000", _M_allocated_capacity = 139720151607296}}
        exceptionValue = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f1322012590 ""}, _M_string_length = 0, {_M_local_buf = "\000\263\233\003\000\000\000\000$\000\000\000\000\000\000", _M_allocated_capacity = 60535552}}
        exceptionTraceback = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f1322012570 ""}, _M_string_length = 0, {_M_local_buf = "\000\000\000$\023\177\000\000X\264\233\003\000\000\000", _M_allocated_capacity = 139720185085952}}
        stateToSet = <optimized out>
        lock = {_M_device = 0x0, _M_owns = 146}
        __PRETTY_FUNCTION__ = "bool CPythonInvoker::execute(const std::string&, std::vector<std::__cxx11::basic_string<wchar_t> >&)"
#17 0x0000000000d5c64b in CPythonInvoker::execute (this=0x3bf31e0, script=..., arguments=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/python/PythonInvoker.cpp:140
        w_arguments = {<std::_Vector_base<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::allocator<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > > >> = {_M_impl = {<std::allocator<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > >> = {<std::__new_allocator<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > >> = {<No data fields>}, <No data fields>}, <std::_Vector_base<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::allocator<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > > >::_Vector_impl_data> = {_M_start = 0x7f1324047810, _M_finish = 0x7f1324047830, _M_end_of_storage = 0x7f1324047830}, <No data fields>}}, <No data fields>}
#18 0x00000000015aedf4 in ILanguageInvoker::Execute (this=this@entry=0x3bf31e0, script=..., arguments=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/generic/ILanguageInvoker.cpp:29
No locals.
#19 0x0000000000d5ca9b in CPythonInvoker::Execute (this=0x3bf31e0, script=..., arguments=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/python/PythonInvoker.cpp:128
No locals.
#20 0x00000000015af31c in CLanguageInvokerThread::Process (this=0x3ba5c10) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/interfaces/generic/LanguageInvokerThread.cpp:107
        lckdl = {_M_device = 0x3ba5e70, _M_owns = true}
#21 0x000000000101d4ec in CThread::Action (this=this@entry=0x3ba5c38) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/threads/Thread.cpp:267
No locals.
#22 0x000000000101d807 in operator() (__closure=<optimized out>, pThread=0x3ba5c38, promise=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/build/kodi-20.0rc2-Nexus/xbmc/threads/Thread.cpp:138
        name = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f13220129d0 "LanguageInvoker"}, _M_string_length = 15, {_M_local_buf = "LanguageInvoker", _M_allocated_capacity = 7306916077306274124}}
        autodelete = false
        ss = <incomplete type>
        id = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<std::__new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7f13220129f0 "139720151611072"}, _M_string_length = 15, {_M_local_buf = "139720151611072", _M_allocated_capacity = 3832897750101996337}}
        __FUNCTION__ = "operator()"
#23 0x000000000101d9f4 in std::__invoke_impl<void, CThread::Create(bool)::<lambda(CThread*, std::promise<bool>)>, CThread*, std::promise<bool> >(std::__invoke_other, struct {...} &&) (__f=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/toolchain/x86_64-libreelec-linux-gnu/include/c++/12.2.0/bits/invoke.h:61
No locals.
#24 0x000000000101da2d in std::__invoke<CThread::Create(bool)::<lambda(CThread*, std::promise<bool>)>, CThread*, std::promise<bool> > (__fn=...) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/toolchain/x86_64-libreelec-linux-gnu/include/c++/12.2.0/bits/invoke.h:96
No locals.
#25 std::thread::_Invoker<std::tuple<CThread::Create(bool)::<lambda(CThread*, std::promise<bool>)>, CThread*, std::promise<bool> > >::_M_invoke<0, 1, 2> (this=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/toolchain/x86_64-libreelec-linux-gnu/include/c++/12.2.0/bits/std_thread.h:252
No locals.
#26 std::thread::_Invoker<std::tuple<CThread::Create(bool)::<lambda(CThread*, std::promise<bool>)>, CThread*, std::promise<bool> > >::operator() (this=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/toolchain/x86_64-libreelec-linux-gnu/include/c++/12.2.0/bits/std_thread.h:259
No locals.
#27 std::thread::_State_impl<std::thread::_Invoker<std::tuple<CThread::Create(bool)::<lambda(CThread*, std::promise<bool>)>, CThread*, std::promise<bool> > > >::_M_run(void) (this=<optimized out>) at /home/docker/LibreELEC.tv/build.LibreELEC-x11.x86_64-11.0-devel-mg-debug/toolchain/x86_64-libreelec-linux-gnu/include/c++/12.2.0/bits/std_thread.h:210
No locals.
#28 0x00007f137f1e1403 in ?? () from /usr/lib/libstdc++.so.6
No symbol table info available.
#29 0x00007f137f3a92c0 in ?? () from /usr/lib/libc.so.6
No symbol table info available.
#30 0x00007f137f4227cc in ?? () from /usr/lib/libc.so.6
No symbol table info available.
rax            0x7f13242a8110      139720187871504
rbx            0x7f13242102b0      139720187249328
rcx            0x0                 0
rdx            0x7f1350519f5a      139720928632666
rsi            0x7f135051edc0      139720928652736
rdi            0x0                 0
rbp            0x1e1e4e0           0x1e1e4e0 <_Py_NoneStruct>
rsp            0x7f1322012108      0x7f1322012108
r8             0x0                 0
r9             0x7f13242ac260      139720187888224
r10            0x200f422ed6206fb3  2310137902792732595
r11            0x202               514
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x7f1381ed8a70      139721760934512
rip            0x0                 0x0
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

Your environment

• CPython versions tested on: 3.11.1
• Operating system and architecture: LibreELEC 11 nightly x86_64

Conclusion

With #24061 the expat_CAPI is allocated on the heap but _elementtree.c is still using a static reference to a may be already freed structure.

Reverting #24061 solves the issue for me. A true fix from someone with more cpython experience should move *expat_capi to the heap too.

Linked PRs

• gh-100689: Revert "bpo-41798: pyexpat: Allocate the expat_CAPI on the… #100745
• [3.11] gh-100689: Revert "bpo-41798: pyexpat: Allocate the expat_CAPI on the heap memory (GH-24061)" (GH-100745) #100846
• [3.10] gh-100689: Revert "bpo-41798: pyexpat: Allocate the expat_CAPI on the heap memory (GH-24061)" (GH-100745) #100847

[sobolevn]

Looks like that this comment is not exactly right:

/* The PyExpat_CAPI structure is an immutable dispatch table, so it can be
 * cached globally without being in per-module state.
 */

And it should also go to per-module state (elementtreestate).

Also related: #99221
CC @erlend-aasland

[erlend-aasland]

Yes, we should definitely isolate _elementtree; that might mitigate this issue in 3.12. I'll try to break my PR up in more manageable chunks.

[kumaraditya303]

This affects 3.11 too so I suggest to revert that PR which caused this and fix this properly in 3.12. cc RM @pablogsal

[pablogsal]

Doesn't #24061 also affect 3.10?

In any case, for maintained branches, the best would be to revert the PR unless someone sees something that may break for external users.

[erlend-aasland]

Yes, this affects 3.10 as well.

[sobolevn]

I've opened a PR with the revert: #100745