
global-buffer-overflow in test_opt.py #118074

Closed
@adoxalim

Crash report

### What happened?

Hello, when building CPython with AddressSanitizer, test_opt.py crashed with a global-buffer-overflow. I will add the build flags and the reduced code that causes the crash.

https://github.com/python/cpython/blob/main/Lib/test/test_capi/test_opt.py

```sh
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -g"
make
make test
```

After this you can reproduce it just by running the following script, reduced from test_opt.py:

```python
import contextlib
import textwrap
import unittest

from test.support import import_helper


# Requires a build that ships the internal C-API test module.
_testinternalcapi = import_helper.import_module("_testinternalcapi")

@contextlib.contextmanager
def temporary_optimizer(opt):
    # Reduced from test_opt.py: installs the optimizer and, in this
    # reduction, neither yields nor restores the previous one.
    _testinternalcapi.set_optimizer(opt)

class TestOptimizerAPI(unittest.TestCase):
    def test_long_loop(self):
        ns = {}
        exec(textwrap.dedent(""), ns)
        # Counter optimizer from the internal test module.
        opt = _testinternalcapi.new_counter_optimizer()
        with temporary_optimizer(opt):
            return

if __name__ == "__main__":
    unittest.main()
```

The stack trace will be:

```text
==24730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001056cb7b8 at pc 0x000105054760 bp 0x00016b1af940 sp 0x00016b1af938
READ of size 8 at 0x0001056cb7b8 thread T0
    #0 0x10505475c in visit_decref gc.c:531
    #1 0x1050aebf4 in executor_traverse optimizer.c:392
    #2 0x105054358 in deduce_unreachable gc.c:1162
    #3 0x105052690 in gc_collect_region gc.c:1509
    #4 0x10504fa08 in _PyGC_Collect gc.c:1815
    #5 0x105131e20 in gc_collect gcmodule.c.h:140
    #6 0x104df22f8 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
    #7 0x104d2c244 in PyObject_Vectorcall call.c:327
    #8 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #9 0x104d327c4 in method_vectorcall classobject.c:92
    #10 0x104d2c030 in _PyVectorcall_Call call.c:273
    #11 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #12 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #13 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #14 0x104e6f70c in slot_tp_call typeobject.c:9225
    #15 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #16 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #17 0x104d327c4 in method_vectorcall classobject.c:92
    #18 0x104d2c030 in _PyVectorcall_Call call.c:273
    #19 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #20 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #21 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #22 0x104e6f70c in slot_tp_call typeobject.c:9225
    #23 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #24 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #25 0x104d327c4 in method_vectorcall classobject.c:92
    #26 0x104d2c030 in _PyVectorcall_Call call.c:273
    #27 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #28 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #29 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #30 0x104e6f70c in slot_tp_call typeobject.c:9225
    #31 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #32 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #33 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #34 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #35 0x104e724e8 in slot_tp_init typeobject.c:9469
    #36 0x104e633e8 in type_call typeobject.c:1854
    #37 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #38 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #39 0x104fb425c in PyEval_EvalCode ceval.c:601
    #40 0x1050ddcb8 in run_mod pythonrun.c:1376
    #41 0x1050d98e8 in _PyRun_SimpleFileObject pythonrun.c:461
    #42 0x1050d8f7c in _PyRun_AnyFileObject pythonrun.c:77
    #43 0x10512f140 in Py_RunMain main.c:707
    #44 0x10512ff80 in pymain_main main.c:737
    #45 0x1051304a0 in Py_BytesMain main.c:761
    #46 0x18f5a60dc  (<unknown module>)

0x0001056cb7b8 is located 8 bytes before global variable 'COLD_EXITS' defined in 'Python/optimizer.c' (0x1056cb7c0) of size 27200
0x0001056cb7b8 is located 23 bytes after global variable 'cold_exits_initialized' defined in 'Python/optimizer.c' (0x1056cb7a0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow gc.c:531 in visit_decref
Shadow bytes around the buggy address:
  0x0001056cb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb580: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0001056cb600: f9 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 00 00 00
  0x0001056cb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb700: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
=>0x0001056cb780: 00 f9 f9 f9 01 f9 f9[f9]00 00 00 00 00 00 00 00
  0x0001056cb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24730==ABORTING
zsh: abort
```
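The two "is located" lines above place the 8-byte read directly in front of the static `COLD_EXITS` table, with `visit_decref` as the reader. The C model below is an added example, not CPython's code, and rests on my reading of that report rather than on anything the issue states: that the collector is fetching a `PyGC_Head` field which precedes every heap-allocated GC object but was never laid out in front of a static table. `GCHead`, `Object`, `HeapObject`, `cold_exits` and both `visit_decref_*` functions are simplified stand-ins; the range check shows one way a visitor can refuse to dereference a header that does not exist.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Simplified model of CPython's layout: a heap GC object carries a 16-byte
 * PyGC_Head immediately before its body, and the collector reaches it by
 * subtracting from the object pointer (AS_GC). */
typedef struct { uintptr_t gc_next; uintptr_t gc_prev; } GCHead;
typedef struct { long refcnt; bool type_is_gc; } Object;
#define AS_GC(o)             ((GCHead *)((char *)(o) - sizeof(GCHead)))
#define PREV_MASK_COLLECTING ((uintptr_t)2)   /* flag bit in gc_prev */
#define PREV_SHIFT           2                /* gc_refs sits above the flags */

/* Heap-style allocation: header, then body, the layout the collector assumes.
 * (Static here only so the example needs no malloc.) */
typedef struct { GCHead head; Object body; } HeapObject;
static HeapObject heap_obj = {
    { 0, (3u << PREV_SHIFT) | PREV_MASK_COLLECTING },  /* gc_refs = 3, collecting */
    { 1, true }
};

/* Constructed stand-in for the static executor table: same GC-capable type
 * flag, but nothing was ever placed in front of it. */
#define N_COLD_EXITS 4
static Object cold_exits[N_COLD_EXITS] = { {1, true}, {1, true}, {1, true}, {1, true} };

static bool is_static_executor(const Object *o) {
    return o >= cold_exits && o < cold_exits + N_COLD_EXITS;
}

/* Visitor that trusts the type flag alone. For cold_exits[0] it would read
 * gc_prev from the 8 bytes before the array, the read ASan flags above as a
 * global-buffer-overflow; only call it on objects that really have a header. */
static long visit_decref_unchecked(Object *o) {
    if (!o->type_is_gc) return -1;
    GCHead *gc = AS_GC(o);
    if (gc->gc_prev & PREV_MASK_COLLECTING) {
        gc->gc_prev -= (uintptr_t)1 << PREV_SHIFT;  /* gc_refs-- */
    }
    return (long)(gc->gc_prev >> PREV_SHIFT);       /* remaining gc_refs */
}

/* Hardened visitor: objects from the static table are skipped before any
 * header access, so the missing PyGC_Head is never dereferenced. */
static long visit_decref_checked(Object *o) {
    if (!o->type_is_gc || is_static_executor(o)) return -1;
    return visit_decref_unchecked(o);
}
```

Built with `-fsanitize=address`, calling `visit_decref_unchecked(&cold_exits[0])` reproduces the same "global-buffer-overflow ... 8 bytes before" shape of report, while the checked visitor never touches that address.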

### CPython versions tested on:

3.12

### Operating systems tested on:

macOS

### Output from running 'python -VV' on the command line:

Python 3.12.3 (main, Apr  9 2024, 08:09:14) [Clang 15.0.0 (clang-1500.3.9.4)]

### Linked PRs
* gh-118117

Labels: type-crash (A hard crash of the interpreter, possibly with a core dump)