Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Segfaults when accessing module state in tp_dealloc (itertools teedataobject clear) #115874

New issue
Copy link
New issue
Copy link
Closed
Closed
Segfaults when accessing module state in tp_dealloc (itertools teedataobject clear)#115874
Copy link
Assignees
brandtbucher
Labels
3.12only security fixesonly security fixes3.13bugs and security fixesbugs and security fixestype-crashA hard crash of the interpreter, possibly with a core dumpA hard crash of the interpreter, possibly with a core dump
@em9797b

Description

@em9797b
em9797b
opened on Feb 24, 2024
Issue body actions

Crash report

What happened?

from dataclasses import dataclass
from itertools import tee
from typing import Optional


# if we remove @dataclass, then no segfault
@dataclass
class SomeDataClass:
    pass


class SomeClass:

    # if we remove Optional, then no segfault
    _value: Optional[SomeDataClass]

    def __init__(self, it):
        self._it = it

    def prepare_segfault(self):
        (lhs, _) = tee(self._it)
        # if we don't assign lhs to self._it, then no segfault
        self._it = lhs


# if some_object isn't bound at the top-level scope, then no segfault
some_object = SomeClass(iter("testing"))
some_object.prepare_segfault()

Running the file from the terminal with python3.12 minimal.py is sufficient. When the interpreter exits, it segfaults.
Crash does not occur in python 3.8-3.11, but does occur in 3.12 and 3.13. Crash not observed on Windows with 3.12.

Backtrace:

#0  0x00007fc2c1a72e01 in teedataobject_clear (tdo=tdo@entry=0x7fc2b3ed2040) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/itertoolsmodule.c:836
#1  0x00007fc2c1a72d49 in teedataobject_dealloc (tdo=0x7fc2b3ed2040) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/itertoolsmodule.c:845
#2  0x00007fc2c1b06a0e in Py_DECREF (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Include/object.h:706
#3  tee_clear (to=to@entry=0x7fc2b3c13b00) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/itertoolsmodule.c:1050
#4  0x00007fc2c1b069ac in tee_dealloc (to=0x7fc2b3c13b00) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/itertoolsmodule.c:1059
#5  0x00007fc2c1a390d8 in _Py_Dealloc (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/object.c:2608
#6  Py_DECREF (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Include/object.h:706
#7  Py_XDECREF (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Include/object.h:799
#8  _PyObject_FreeInstanceAttributes (self=0x7fc2b3daf1d0) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/dictobject.c:5571
#9  subtype_dealloc (self=0x7fc2b3daf1d0) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/typeobject.c:2017
#10 0x00007fc2c19f5440 in _Py_Dealloc (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/object.c:2625
#11 Py_DECREF (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Include/object.h:706
#12 Py_XDECREF (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Include/object.h:799
#13 free_keys_object (interp=0x7fc2c1df0d48 <_PyRuntime+76392>, keys=0x7fc2b3d7a100) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/dictobject.c:673
#14 0x00007fc2c1aa72bd in dict_tp_clear (op=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Objects/dictobject.c:3564
#15 0x00007fc2c1a02cfa in delete_garbage (old=0x7fc2c1df0e00 <_PyRuntime+76576>, collectable=0x7ffcdfc26270, gcstate=0x7fc2c1df0db8 <_PyRuntime+76504>, tstate=0x7fc2c1e4e668 <_PyRuntime+459656>)
    at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/gcmodule.c:1029
#16 gc_collect_main (tstate=0x7fc2c1e4e668 <_PyRuntime+459656>, generation=generation@entry=2, n_collected=n_collected@entry=0x0, n_uncollectable=n_uncollectable@entry=0x0, nofail=nofail@entry=1)
    at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/gcmodule.c:1303
#17 0x00007fc2c1abe201 in _PyGC_CollectNoFail (tstate=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/gcmodule.c:2135
#18 0x00007fc2c1aaacda in Py_FinalizeEx () at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Python/pylifecycle.c:1889
#19 0x00007fc2c1ab96c9 in Py_RunMain () at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/main.c:711
#20 0x00007fc2c1a74f5c in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/python3.12-3.12.1-2.fc39.x86_64/Modules/main.c:763
#21 0x00007fc2c164614a in __libc_start_call_main (main=main@entry=0x56033de41160 <main>, argc=argc@entry=2, argv=argv@entry=0x7ffcdfc26698) at ../sysdeps/nptl/libc_start_call_main.h:58
#22 0x00007fc2c164620b in __libc_start_main_impl (main=0x56033de41160 <main>, argc=2, argv=0x7ffcdfc26698, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcdfc26688)
    at ../csu/libc-start.c:360
#23 0x000056033de41095 in _start ()

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.12.1 (main, Dec 18 2023, 00:00:00) [GCC 13.2.1 20231205 (Red Hat 13.2.1-6)]

Linked PRs

Metadata

Metadata

Assignees

Labels

3.12only security fixesonly security fixes3.13bugs and security fixesbugs and security fixestype-crashA hard crash of the interpreter, possibly with a core dumpA hard crash of the interpreter, possibly with a core dump

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    Morty Proxy This is a proxified and sanitized view of the page, visit original site.