[New-bugs-announce] [issue32629] PyImport_ImportModule occasionally cause access violation
Jack Branson
report at bugs.python.org
Tue Jan 23 01:36:29 EST 2018
New submission from Jack Branson <a1q123456 at gmail.com>:
I found that calling PyImport_ImportModule frequently may cause an access violation error.
Here is the call stack:
00 0354f610 67d01605 00000001 00000020 0000007f python36!_PyObject_Alloc+0x5e [c:\build\cpython36\objects\obmalloc.c @ 1258]
01 (Inline) -------- -------- -------- -------- python36!PyObject_Malloc+0x18 [c:\build\cpython36\objects\obmalloc.c @ 479]
02 0354f638 67d18070 00000008 0000007f 67e541e0 python36!PyUnicode_New+0xf5 [c:\build\cpython36\objects\unicodeobject.c @ 1281]
03 0354f654 67d0963a 0354f69c 00000008 0000007f python36!_PyUnicodeWriter_PrepareInternal+0x60 [c:\build\cpython36\objects\unicodeobject.c @ 13534]
04 0354f6c0 67d02a66 67e541e0 00000008 00000000 python36!PyUnicode_DecodeUTF8Stateful+0xca [c:\build\cpython36\objects\unicodeobject.c @ 5034]
05 0354f6e4 67d59183 67e541e0 02a09db8 02a09de0 python36!PyUnicode_FromString+0x46 [c:\build\cpython36\objects\unicodeobject.c @ 2077]
06 (Inline) -------- -------- -------- -------- python36!PyImport_ImportModuleLevel+0xa [c:\build\cpython36\python\import.c @ 1652]
07 0354f704 67d5878f 02a09de0 02a09db8 02a09dd0 python36!PyImport_Import+0xe3 [c:\build\cpython36\python\import.c @ 1732]
08 0354f718 00478639 02a09dd0 7651129a 00000000 python36!PyImport_ImportModule+0x1f [c:\build\cpython36\python\import.c @ 1257]
Pointer bp's value is 0x00000001, which is NULL + 1. In this case, `assert(bp != NULL)` will not let the application crash on an assert failure, and the application will continue to run until the line `pool->freeblock = *(block **)bp`, which dereferences bp, causes the access violation.
0:009> .frame 0
00 0354f610 67d01605 python36!_PyObject_Alloc+0x5e [c:\build\cpython36\objects\obmalloc.c @ 1258]
0:009> r
eax=67ecfeb8 ebx=00000021 ecx=02a09000 edx=00000000 esi=00000001 edi=00000001
eip=67cdda4e esp=0354f5f8 ebp=0354f610 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
python36!_PyObject_Alloc+0x5e:
67cdda4e 8b06 mov eax,dword ptr [esi] ds:002b:00000001=????????
0:009> dv
use_calloc = 0n0
nelem = 1
elsize = <value unavailable>
nbytes = 0x21
pool = 0x02a09000
size = 4
next = 0x67ecfeb8
bp = 0x00000001 "--- memory read error at address 0x00000001 ---"
result = <value unavailable>
usable_arenas = <value unavailable>
    /*
     * There is a used pool for this size class.
     * Pick up the head block of its free list.
     */
    ++pool->ref.count;
    bp = pool->freeblock;
    assert(bp != NULL);
    if ((pool->freeblock = *(block **)bp) != NULL) {
        UNLOCK();
        if (use_calloc)
            memset(bp, 0, nbytes);
        return (void *)bp;
    }
    /*
----------
components: ctypes
messages: 310471
nosy: Jack Branson
priority: normal
severity: normal
status: open
title: PyImport_ImportModule occasionally cause access violation
type: crash
versions: Python 3.6
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32629>
_______________________________________
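A stricter free-list check of the kind the dump calls for, as an added example in C that is not CPython's code: it models an obmalloc pool with a simplified struct (the `base` field, `POOL_SIZE` and the 8-byte `ALIGNMENT` are assumptions), and rejects a free-list head of 0x1, which `assert(bp != NULL)` accepts.

```c
#include <stdint.h>
#include <string.h>

#define ALIGNMENT 8       /* obmalloc block alignment (assumed for this model) */
#define POOL_SIZE 4096    /* hypothetical pool size for the model */
typedef unsigned char block;
typedef struct {
    block *base;          /* first byte of the pool (hypothetical field) */
    block *freeblock;     /* head of the singly linked free list */
    size_t size;          /* block size of this size class */
} pool_model;

/* 1 if bp is an aligned block inside the pool, else 0; a NULL test alone is not enough. */
int block_is_sane(const pool_model *pool, const block *bp)
{
    uintptr_t p = (uintptr_t)bp, lo = (uintptr_t)pool->base;
    if (bp == NULL || p < lo || p + pool->size > lo + POOL_SIZE)
        return 0;
    return p % ALIGNMENT == 0;
}

/* Walks the free list; returns its length, or -1 on the first corrupt link (bad pointer or cycle). */
long validate_freelist(const pool_model *pool)
{
    long n = 0, max = POOL_SIZE / pool->size;
    for (const block *bp = pool->freeblock; bp != NULL; bp = *(block *const *)bp)
        if (!block_is_sane(pool, bp) || ++n > max)
            return -1;
    return n;
}

static uint64_t pool_words[POOL_SIZE / 8];   /* constructed, 8-byte aligned storage */
static pool_model sample;
/* Constructed sample pool: 32-byte blocks, free list b0 -> b1 -> NULL. */
pool_model *make_sample_pool(void)
{
    memset(pool_words, 0, sizeof pool_words);
    sample.base = (block *)pool_words, sample.size = 32;
    *(block **)sample.base = sample.base + 32;     /* b0 -> b1; b1's link is NULL from memset */
    sample.freeblock = sample.base;
    return &sample;
}

/* The dump's situation: head corrupted to 0x1. Returns 1 when the NULL assert would pass but the stricter checks reject it. */
int dump_scenario_detected(void)
{
    pool_model *pool = make_sample_pool();
    pool->freeblock = (block *)1;                 /* the value seen in the crash dump */
    return pool->freeblock != NULL && !block_is_sane(pool, pool->freeblock) && validate_freelist(pool) == -1;
}
```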