Pablo Galindo Salgado <[email protected]> added the comment:
Ok, I got a crash under the address sanitizer using ref.py:
./python lel.py
exit
Cycle.__del__
Cycle.__del__
=================================================================
==77503==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900005a638
at pc 0x55a491f59376 bp 0x7fff8b27cd10 sp 0x7fff8b27cd00
READ of size 8 at 0x61900005a638 thread T0
#0 0x55a491f59375 in subtype_dealloc Objects/typeobject.c:1456
#1 0x55a491ebb5e4 in _Py_DECREF Include/object.h:500
#2 0x55a491ebb5e4 in _Py_XDECREF Include/object.h:567
#3 0x55a491ebb5e4 in list_dealloc Objects/listobject.c:342
#4 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#5 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#6 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#7 0x55a492305eec in _Py_DECREF Include/object.h:500
#8 0x55a492305eec in ast_dealloc Python/Python-ast.c:764
#9 0x55a491f59065 in subtype_dealloc Objects/typeobject.c:1450
#10 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#11 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#12 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#13 0x55a492305eec in _Py_DECREF Include/object.h:500
#14 0x55a492305eec in ast_dealloc Python/Python-ast.c:764
#15 0x55a491f59065 in subtype_dealloc Objects/typeobject.c:1450
#16 0x55a491ebb5e4 in _Py_DECREF Include/object.h:500
#17 0x55a491ebb5e4 in _Py_XDECREF Include/object.h:567
#18 0x55a491ebb5e4 in list_dealloc Objects/listobject.c:342
#19 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#20 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#21 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#22 0x55a492305e1f in _Py_DECREF Include/object.h:500
#23 0x55a492305e1f in ast_clear Python/Python-ast.c:782
#24 0x55a49216367b in delete_garbage Modules/gcmodule.c:1017
#25 0x55a49216367b in gc_collect_main Modules/gcmodule.c:1300
#26 0x55a492165fe5 in _PyGC_CollectNoFail Modules/gcmodule.c:2123
#27 0x55a492105745 in interpreter_clear Python/pystate.c:326
#28 0x55a4920f5565 in finalize_interp_clear Python/pylifecycle.c:1634
#29 0x55a4920fa882 in Py_FinalizeEx Python/pylifecycle.c:1812
#30 0x55a491e72870 in Py_RunMain Modules/main.c:668
#31 0x55a491e72870 in pymain_main Modules/main.c:696
#32 0x55a491e72870 in Py_BytesMain Modules/main.c:720
#33 0x7f772d82eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#34 0x55a491e6ec2d in _start
(/home/pablogsal/github/python/master/python+0x174c2d)
0x61900005a638 is located 184 bytes inside of 944-byte region
[0x61900005a580,0x61900005a930)
freed by thread T0 here:
#0 0x7f772dbfaf19 in __interceptor_free
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55a491f5466e in type_dealloc Objects/typeobject.c:4041
#2 0x55a491f59065 in subtype_dealloc Objects/typeobject.c:1450
#3 0x55a491ebb5e4 in _Py_DECREF Include/object.h:500
#4 0x55a491ebb5e4 in _Py_XDECREF Include/object.h:567
#5 0x55a491ebb5e4 in list_dealloc Objects/listobject.c:342
#6 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#7 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#8 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#9 0x55a492305eec in _Py_DECREF Include/object.h:500
#10 0x55a492305eec in ast_dealloc Python/Python-ast.c:764
#11 0x55a491f59065 in subtype_dealloc Objects/typeobject.c:1450
#12 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#13 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#14 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#15 0x55a492305eec in _Py_DECREF Include/object.h:500
#16 0x55a492305eec in ast_dealloc Python/Python-ast.c:764
#17 0x55a491f59065 in subtype_dealloc Objects/typeobject.c:1450
#18 0x55a491ebb5e4 in _Py_DECREF Include/object.h:500
#19 0x55a491ebb5e4 in _Py_XDECREF Include/object.h:567
#20 0x55a491ebb5e4 in list_dealloc Objects/listobject.c:342
#21 0x55a491eebe44 in _Py_DECREF Include/object.h:500
#22 0x55a491eebe44 in _Py_XDECREF Include/object.h:567
#23 0x55a491eebe44 in dict_dealloc Objects/dictobject.c:2068
#24 0x55a492305e1f in _Py_DECREF Include/object.h:500
#25 0x55a492305e1f in ast_clear Python/Python-ast.c:782
#26 0x55a49216367b in delete_garbage Modules/gcmodule.c:1017
#27 0x55a49216367b in gc_collect_main Modules/gcmodule.c:1300
#28 0x55a492165fe5 in _PyGC_CollectNoFail Modules/gcmodule.c:2123
#29 0x55a492105745 in interpreter_clear Python/pystate.c:326
#30 0x55a4920f5565 in finalize_interp_clear Python/pylifecycle.c:1634
#31 0x55a4920fa882 in Py_FinalizeEx Python/pylifecycle.c:1812
#32 0x55a491e72870 in Py_RunMain Modules/main.c:668
#33 0x55a491e72870 in pymain_main Modules/main.c:696
#34 0x55a491e72870 in Py_BytesMain Modules/main.c:720
#35 0x7f772d82eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
previously allocated by thread T0 here:
#0 0x7f772dbfb279 in __interceptor_malloc
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55a4921667b5 in _PyObject_GC_Alloc Modules/gcmodule.c:2250
#2 0x55a4921667b5 in _PyObject_GC_Malloc Modules/gcmodule.c:2277
#3 0x55a491f56986 in PyType_GenericAlloc Objects/typeobject.c:1160
#4 0x55a491f866ea in type_new_alloc Objects/typeobject.c:2732
#5 0x55a491f866ea in type_new_init Objects/typeobject.c:3144
#6 0x55a491f866ea in type_new_impl Objects/typeobject.c:3167
#7 0x55a491f866ea in type_new Objects/typeobject.c:3312
#8 0x55a491f5b377 in type_call Objects/typeobject.c:1127
#9 0x55a491e92ad8 in _PyObject_MakeTpCall Objects/call.c:215
#10 0x55a491e93f33 in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#11 0x55a491e93f33 in _PyObject_CallFunctionVa Objects/call.c:485
#12 0x55a491e973af in PyObject_CallFunction Objects/call.c:507
#13 0x55a49230623b in make_type Python/Python-ast.c:935
#14 0x55a49231d15f in init_types Python/Python-ast.c:1735
#15 0x55a49231edaf in get_ast_state Python/Python-ast.c:19
#16 0x55a49231edaf in astmodule_exec Python/Python-ast.c:10795
#17 0x55a491f1c866 in PyModule_ExecDef Objects/moduleobject.c:407
#18 0x55a4920bddf2 in _imp_exec_builtin
(/home/pablogsal/github/python/master/python+0x3c3df2)
#19 0x55a492303267 in cfunction_vectorcall_O Objects/methodobject.c:512
#20 0x55a491e94d69 in PyVectorcall_Call Objects/call.c:255
#21 0x55a491e58b83 in do_call_core Python/ceval.c:5937
#22 0x55a491e58b83 in _PyEval_EvalFrameDefault Python/ceval.c:4278
#23 0x55a492050e77 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#24 0x55a492050e77 in _PyEval_Vector Python/ceval.c:5069
#25 0x55a491e617da in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#26 0x55a491e617da in PyObject_Vectorcall Include/cpython/abstract.h:123
#27 0x55a491e617da in call_function Python/ceval.c:5885
#28 0x55a491e617da in _PyEval_EvalFrameDefault Python/ceval.c:4214
#29 0x55a492050e77 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#30 0x55a492050e77 in _PyEval_Vector Python/ceval.c:5069
#31 0x55a491e692fd in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#32 0x55a491e692fd in PyObject_Vectorcall Include/cpython/abstract.h:123
#33 0x55a491e692fd in call_function Python/ceval.c:5885
#34 0x55a491e692fd in _PyEval_EvalFrameDefault Python/ceval.c:4182
#35 0x55a492050e77 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#36 0x55a492050e77 in _PyEval_Vector Python/ceval.c:5069
#37 0x55a491e617da in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#38 0x55a491e617da in PyObject_Vectorcall Include/cpython/abstract.h:123
#39 0x55a491e617da in call_function Python/ceval.c:5885
#40 0x55a491e617da in _PyEval_EvalFrameDefault Python/ceval.c:4214
#41 0x55a492050e77 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#42 0x55a492050e77 in _PyEval_Vector Python/ceval.c:5069
#43 0x55a491e617da in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#44 0x55a491e617da in PyObject_Vectorcall Include/cpython/abstract.h:123
#45 0x55a491e617da in call_function Python/ceval.c:5885
#46 0x55a491e617da in _PyEval_EvalFrameDefault Python/ceval.c:4214
#47 0x55a492050e77 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#48 0x55a492050e77 in _PyEval_Vector Python/ceval.c:5069
#49 0x55a491e93a05 in _PyObject_VectorcallTstate
Include/cpython/abstract.h:114
#50 0x55a491e93a05 in object_vacall Objects/call.c:734
#51 0x55a491e99424 in _PyObject_CallMethodIdObjArgs Objects/call.c:825
#52 0x55a4920c27f7 in import_find_and_load Python/import.c:1499
#53 0x55a4920c27f7 in PyImport_ImportModuleLevelObject Python/import.c:1600
#54 0x55a491e68ac5 in import_name Python/ceval.c:6010
#55 0x55a491e68ac5 in _PyEval_EvalFrameDefault Python/ceval.c:3701
#56 0x55a49205077f in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
#57 0x55a49205077f in _PyEval_Vector Python/ceval.c:5069
#58 0x55a49205077f in PyEval_EvalCode Python/ceval.c:1135
SUMMARY: AddressSanitizer: heap-use-after-free Objects/typeobject.c:1456 in
subtype_dealloc
Shadow bytes around the buggy address:
0x0c3280003470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280003480: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c3280003490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800034a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800034b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32800034c0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x0c32800034d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32800034e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32800034f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280003500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280003510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==77503==ABORTING
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue44184>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
