[issue3242] Segfault in PyFile_SoftSpace/PyEval_EvalFrameEx with sys.stdout reassigned

Brodie Rao report at bugs.python.org
Mon Jun 30 08:04:27 CEST 2008


New submission from Brodie Rao <junk at dackz.net>:

Running the attached script - which reassigns sys.stdout to an object 
that proxies sys.stdout, and eventually reassigns it back to the 
original object - using Apple's distribution of Python 2.5.1 on an x86 
machine, I get the following crash:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007d312298
Crashed Thread:  0

Thread 0 Crashed:
0   ???                             0x00025d33 0 + 154931
1   org.python.python               0x001381c1 PyFloat_FromString + 6196
2   org.python.python               0x001381c1 PyFloat_FromString + 6196
3   org.python.python               0x0014cdce _PyTrash_destroy_chain + 
89
4   org.python.python               0x00198bd3 PyErr_Clear + 34
5   org.python.python               0x00132938 PyFile_SoftSpace + 117
6   org.python.python               0x0018b273 PyEval_EvalFrameEx + 7497
7   org.python.python               0x0018f45b PyEval_EvalCodeEx + 1638
8   org.python.python               0x0018f548 PyEval_EvalCode + 87
9   org.python.python               0x001a69ec PyErr_Display + 1896
10  org.python.python               0x001a7016 PyRun_FileExFlags + 135
11  org.python.python               0x001a8982 PyRun_SimpleFileExFlags + 
421
12  org.python.python               0x001b3c03 Py_Main + 3095
13  org.python.pythonapp            0x00001fca 0x1000 + 4042

During the process of whittling down the script to a test case, I 
experienced other kinds of crashes, or no crash at all. For each 
iteration of the script, the outcome was always the same, i.e. never 
inconsistent between runs.

All the various crashes I've encountered:

   :Assertion failed: (gc->gc.gc_refs != 0), function visit_decref, file 
Modules
/gcmodule.c, line 276.

   Assertion failed: (pool->ref.count > 0), function PyObject_Free, file 
Objects
/obmalloc.c, line 929.

   [1]    33289 illegal hardware instruction  python crash.py

   [1]    33352 floating point exception  python crash.py

   [1]    33502 segmentation fault  python crash.py

   [1]    34303 bus error  python crash.py

Running this on a different machine running Debian Etch Linux x86 using 
Debian's Python 2.4 distribution, I get the following crash:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209882400 (LWP 21471)]
0x080b9ffc in PyEval_EvalCodeEx ()
(gdb) bt
#0  0x080b9ffc in PyEval_EvalCodeEx ()
#1  0x08100b69 in PyClassMethod_New ()
#2  0x0805ad9c in PyObject_CallFunction ()
#3  0x08097594 in PyType_Ready ()
#4  0x080b79bf in PyEval_EvalFrame ()
#5  0x080ba755 in PyEval_EvalCodeEx ()
#6  0x08100b69 in PyClassMethod_New ()
#7  0x0805ad9c in PyObject_CallFunction ()
#8  0x08097594 in PyType_Ready ()
#9  0x080b79bf in PyEval_EvalFrame ()
#10 0x080ba755 in PyEval_EvalCodeEx ()
#11 0x08100b69 in PyClassMethod_New ()
#12 0x0805ad9c in PyObject_CallFunction ()
#13 0x08097594 in PyType_Ready ()
#14 0x080b79bf in PyEval_EvalFrame ()
[the same stack trace repeating over and over...]
#141 0x08100b69 in PyClassMethod_New ()
#142 0x0805ad9c in PyObject_CallFunction ()
#143 0x08097594 in PyType_Ready ()
#144 0x080b79bf in PyEval_EvalFrame ()
#145 0x080ba755 in PyEval_EvalCodeEx ()
#146 0x08100b69 in PyClassMethod_New ()
#147 0x0805ad9c in PyObject_CallFunction ()
#148 0x08097594 in PyType_Ready ()
#149 0x0807e5e9 in PyObject_GetAttrString ()
#150 0x08064f91 in PyFile_SoftSpace ()
#151 0x080b6420 in PyEval_EvalFrame ()
#152 0x080ba755 in PyEval_EvalCodeEx ()
#153 0x080ba7b9 in PyEval_EvalCode ()
#154 0x080dd167 in PyRun_FileExFlags ()
#155 0x080dd364 in PyRun_SimpleFileExFlags ()
#156 0x08055ba8 in Py_Main ()
#157 0x08055032 in main ()

Using Debian's distribution of Python 2.5, I didn't see any crashes.

Using the distribution of Python 2.6b1 from python.org on Mac OS X 10.5 
(x86), I saw the same crash:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000bea0
0x001b7e50 in ?? ()
(gdb) bt
#0  0x001b7e50 in ?? ()
#1  0x0002bea1 in frame_dealloc (f=0x21db20) at 
Objects/frameobject.c:417
#2  0x0002bf55 in frame_dealloc (f=0x21f220) at 
Objects/frameobject.c:425
#3  0x0002bf55 in frame_dealloc (f=0x21f380) at 
Objects/frameobject.c:425
#4  0x000466db in _PyTrash_destroy_chain () at Objects/object.c:2223
#5  0x000b2dd2 in PyErr_Clear () at Python/errors.c:239
#6  0x00024235 in PyFile_SoftSpace (f=0x3645b0, newflag=0) at 
Objects/fileobject.c:2141
#7  0x000a11e4 in PyEval_EvalFrameEx (f=0x202f20, throwflag=0) at 
Python/ceval.c:1622
#8  0x000a45ea in PyEval_EvalCodeEx (co=0x33e968, globals=0x1b7e40, 
locals=0x1b7e40, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, 
defcount=0, closure=0x0) at Python/ceval.c:2880
#9  0x000a46f7 in PyEval_EvalCode (co=0x21eddc, globals=0x21eddc, 
locals=0x21eddc) at Python/ceval.c:495
#10 0x000c99d3 in PyRun_FileExFlags (fp=0xa0125de0, filename=0xbffff0ec 
"/Users/brodie/Documents/Code/py-crash/crash5.py", start=257, 
globals=0x1b7e40, locals=0x1b7e40, closeit=1, flags=0xbfffef5c) at 
Python/pythonrun.c:1300
#11 0x000c9e53 in PyRun_SimpleFileExFlags (fp=<value temporarily 
unavailable, due to optimizations>, filename=0xbffff0ec 
"/Users/brodie/Documents/Code/py-crash/crash5.py", closeit=1, 
flags=0xbfffef5c) at Python/pythonrun.c:896
#12 0x000da844 in Py_Main (argc=1, argv=0xbfffefdc) at 
Modules/main.c:575
#13 0x00001c3c in _start ()
#14 0x00001b69 in start ()

I should note that I reduced the test case as much as I possibly could, 
and the actual compiled source seems to affect the crash. I.e., if I 
remove one of the unused imports, it doesn't crash; if I remove the 
unused function foo(), it doesn't crash; if I change the "height" 
variable passed to wrap_output(), it doesn't crash; if I remove the 
reassignment of buf[0] in flush(), it doesn't crash.

I'm not sure if these crashes are due to an error in the script, or if 
the script should even be capable of crashing Python in this manner.

----------
files: crash5.py
messages: 68993
nosy: brodierao
severity: normal
status: open
title: Segfault in PyFile_SoftSpace/PyEval_EvalFrameEx with sys.stdout reassigned
type: crash
Added file: http://bugs.python.org/file10782/crash5.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue3242>
_______________________________________


More information about the Python-bugs-list mailing list