[Python-Dev] RE: [Zope-Coders] core dump in Zope 2.7 test suite
Tim Peters
tim at zope.com
Tue Sep 16 12:58:21 EDT 2003
[Jeremy Hylton]
>>> I disabled the KEEPALIVE_SIZE_LIMIT, as you suggested, and that also
>>> fixed the problem.
[Tim
>> We don't know why, though, nor do we have a small test case, right?
[Jeremy]
> Not a small test case, no, but I have boiled it down a bit. If you
> run the tests from a Zope checkout on the Zope-2_7-branch, you can
> provoke the crash with "test.py Template."
Sorry, I cannot. I tried a fresh Zope-2_7-branch, on Windows, with
released Python 2.3, release build
current CVS Python, release build
current CVS Python, debug build
"test.py Template" gave the same result in all cases: 77 tests run, 1
failure (AssertionError: HTML Output Changed) in checkStringExpressions.
But note that Py_UNICODE is unsigned short on this box, and reading a trash
one of those as an index isn't nearly as likely to reach into unmapped
memory as on a box where you get 4 bytes of trash.
>> ...
>> On second thought, the test could be correct even if it does read up
>> heap trash: the
>>
>> unicode_latin1[unicode->str[0]] == unicode
>>
>> part is a very strong condition. If str[0] does contain heap trash,
>> it can't pass, but it could cause Purify (etc) to whine about reading
>> uninitialized memory. If we don't care about that,
> It could also cause a segmentation violation depending on the value of
> the stack trash it reads. At least, that's what appears to be going
> wrong.
Right, I meant the condition is very strong *if* the unicode->str[0] part is
known to lie in range(256). unicode_latin1 is statically declared to
contain 256 elements, so if the trash index is in range(256) then the index
resolves to legitimate memory.
>> unicode->length == 1 &&
>> (unsigned int)unicode->str[0] < 256U &&
>> unicode_latin1[unicode->str[0]] == unicode
>> would be a safe and correct guard.
> That sounds better.
To worm around something that shouldn't happen at all, sure <wink>.
>> Still, it doesn't look to me like the code *expected* that str could
>> contain uninitialized heap trash at this point, so I'd like someone
>> who thinks they understand this code to think about how that could
>> happen (it apparently is happening, so "beats me" isn't good enough
>> <wink>).
> I certainly don't understand the code yet.
Me neither, but offhand didn't see anything glaringly wrong. If some
internal Unicode operation decided to allocate a short Unicode string, but
freed it before filling in any of the string bytes, I suppose the keepalive
optimization would retain a Unicode object with uninitialized str space on
the unicode free list. A subsequent _PyUnicode_New could grab that and try
to boost its ->str size. That could explain it.
More information about the Python-Dev
mailing list