Issue23022
Created on 2014-12-10 09:43 by sys, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (2) | |||
---|---|---|---|
msg232417 - (view) | Author: (sys) | Date: 2014-12-10 09:43 | |
Line 27-29 trigger use-after-free.

```
=================================================================
==18203== ERROR: AddressSanitizer: heap-use-after-free on address 0x60080003b2e0 at pc 0x5e844f bp 0x7ffff5351750 sp 0x7ffff5351748
READ of size 4 at 0x60080003b2e0 thread T0
    #0 0x5e844e in find_maxchar_surrogates ./cpython/Objects/unicodeobject.c:1428
    #1 0x5ed62e in PyUnicode_FromUnicode ./cpython/Objects/unicodeobject.c:1822
    #2 0x5f57cd in PyUnicode_FromWideChar ./cpython/Objects/unicodeobject.c:2311
    #3 0x7f4ebbd00976 in Z_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/cfield.c:1429
    #4 0x7f4ebbcde48b in PyCData_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/_ctypes.c:2756
    #5 0x7f4ebbcf90b8 in PyCField_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/cfield.c:230
    #6 0x56ff34 in _PyObject_GenericGetAttrWithDict ./cpython/Objects/object.c:1059
    #7 0x5704ee in PyObject_GenericGetAttr ./cpython/Objects/object.c:1119
    #8 0x56f169 in PyObject_GetAttr ./cpython/Objects/object.c:889
    #9 0x70ef2d in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2442
    #10 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
    #11 0x7234ea in call_function ./cpython/Python/ceval.c:4294
    #12 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
    #13 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
    #14 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
    #15 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
    #16 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
    #17 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
    #18 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
    #19 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
    #20 0x45624b in run_file ./cpython/Modules/main.c:318
    #21 0x457717 in Py_Main ./cpython/Modules/main.c:767
    #22 0x41b845 in main ./cpython/./Programs/python.c:69
    #23 0x7f4ebc741ed4 in __libc_start_main ??:?
    #24 0x41b438 in _start /glibc-tmp-c47113ea580c02d806fd2bb53621c6f5/glibc-2.20/csu/../sysdeps/x86_64/start.S:122
0x60080003b2e0 is located 16 bytes inside of 37-byte region [0x60080003b2d0,0x60080003b2f5)
freed by thread T0 here:
    #0 0x7f4ebd41d34a in __interceptor_free ??:?
    #1 0x41b9b5 in _PyMem_RawFree ./cpython/Objects/obmalloc.c:90
    #2 0x41f4aa in _PyMem_DebugFree ./cpython/Objects/obmalloc.c:1892
    #3 0x41c3db in PyMem_Free ./cpython/Objects/obmalloc.c:349
    #4 0x502f7a in float_repr ./cpython/Objects/floatobject.c:275
    #5 0x56d68a in PyObject_Str ./cpython/Objects/object.c:535
    #6 0x500926 in PyFile_WriteObject ./cpython/Objects/fileobject.c:141
    #7 0x6efe19 in builtin_print ./cpython/Python/bltinmodule.c:2243
    #8 0x564fb5 in PyCFunction_Call ./cpython/Objects/methodobject.c:100
    #9 0x72310c in call_function ./cpython/Python/ceval.c:4269 (discriminator 2)
    #10 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
    #11 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
    #12 0x7234ea in call_function ./cpython/Python/ceval.c:4294
    #13 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
    #14 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
    #15 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
    #16 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
    #17 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
    #18 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
    #19 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
    #20 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
    #21 0x45624b in run_file ./cpython/Modules/main.c:318
    #22 0x457717 in Py_Main ./cpython/Modules/main.c:767
    #23 0x41b845 in main ./cpython/./Programs/python.c:69
    #24 0x7f4ebc741ed4 in __libc_start_main ??:?
previously allocated by thread T0 here:
    #0 0x7f4ebd41d42a in malloc ??:?
    #1 0x41b918 in _PyMem_RawMalloc ./cpython/Objects/obmalloc.c:62
    #2 0x41efe9 in _PyMem_DebugAlloc ./cpython/Objects/obmalloc.c:1838
    #3 0x41f29e in _PyMem_DebugMalloc ./cpython/Objects/obmalloc.c:1861
    #4 0x41c256 in PyMem_Malloc ./cpython/Objects/obmalloc.c:325
    #5 0x78b7c0 in format_float_short ./cpython/Python/pystrtod.c:1094
    #6 0x78c224 in PyOS_double_to_string ./cpython/Python/pystrtod.c:1231
    #7 0x502ecb in float_repr ./cpython/Objects/floatobject.c:268
    #8 0x56d68a in PyObject_Str ./cpython/Objects/object.c:535
    #9 0x500926 in PyFile_WriteObject ./cpython/Objects/fileobject.c:141
    #10 0x6efe19 in builtin_print ./cpython/Python/bltinmodule.c:2243
    #11 0x564fb5 in PyCFunction_Call ./cpython/Objects/methodobject.c:100
    #12 0x72310c in call_function ./cpython/Python/ceval.c:4269 (discriminator 2)
    #13 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
    #14 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
    #15 0x7234ea in call_function ./cpython/Python/ceval.c:4294
    #16 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
    #17 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
    #18 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
    #19 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
    #20 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
    #21 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
    #22 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
    #23 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
    #24 0x45624b in run_file ./cpython/Modules/main.c:318
    #25 0x457717 in Py_Main ./cpython/Modules/main.c:767
    #26 0x41b845 in main ./cpython/./Programs/python.c:69
    #27 0x7f4ebc741ed4 in __libc_start_main ??:?
```
==18203== ABORTING |
|||
msg232470 - (view) | Author: STINNER Victor (vstinner) * | Date: 2014-12-11 11:36 | |
Your code is strange. It exchanges pointers between processes, if I understand correctly:

```python
import ctypes
import multiprocessing

class Berbagi(ctypes.Structure):
    # 'a' is a pointer: only the address is stored in the structure
    _fields_ = [('a', ctypes.c_wchar_p), ('b', ctypes.c_double)]

nilai = multiprocessing.Array(Berbagi, [Berbagi() for x in range(9)])
```

You must not do that. Instead, Berbagi.a must be an array of c_wchar characters with a fixed size. Try for example:

```python
import ctypes

class Berbagi(ctypes.Structure):
    # 'a' is a fixed-size array: the characters are stored in the structure
    _fields_ = [('a', ctypes.c_wchar * 10), ('b', ctypes.c_double)]
```

Note: I'm not sure that ctypes is the most efficient module to serialize data, but maybe you have to use ctypes for a reason not explained in your issue. The bug is in your code, not in Python. |
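The difference between the two layouts discussed in the reply above can be checked by looking at the raw bytes of the shared array. This is an added example, not code from the original thread; `PointerRecord`, `InlineRecord` and the helper functions are hypothetical names, and `lock=False` is used only to get the raw shared ctypes array.

```python
import ctypes
import multiprocessing
import sys

class PointerRecord(ctypes.Structure):
    # Layout from the report: 'a' holds only an address in the writer's private heap.
    _fields_ = [('a', ctypes.c_wchar_p), ('b', ctypes.c_double)]

class InlineRecord(ctypes.Structure):
    # Layout from the reply: the characters themselves are stored in the struct.
    _fields_ = [('a', ctypes.c_wchar * 10), ('b', ctypes.c_double)]

def wchar_bytes(text):
    """Encode text the way this platform lays out wchar_t (2 or 4 bytes each)."""
    codec = 'utf-32' if ctypes.sizeof(ctypes.c_wchar) == 4 else 'utf-16'
    return text.encode(codec + ('-le' if sys.byteorder == 'little' else '-be'))

def set_name(record, text):
    """Store text in the fixed-size field; return False when it does not fit."""
    try:
        record.a = text          # ctypes raises ValueError beyond 10 wide chars
    except ValueError:
        return False
    return True

def inspect_shared(record_type, text):
    """Store text in slot 0 of a shared array; report what the shared bytes hold."""
    # lock=False returns the raw shared ctypes array without the lock wrapper.
    shared = multiprocessing.Array(record_type, 9, lock=False)
    shared[0].a = text
    raw = bytes(shared[0])       # the bytes any process mapping the array sees
    return {'sizeof': ctypes.sizeof(record_type),
            'text_in_shared_memory': wchar_bytes(text) in raw}

def child_write(shared):
    # Runs in the child process; writes characters, not a pointer.
    set_name(shared[0], "child")
    shared[0].b = 1.5

if __name__ == "__main__":
    print(inspect_shared(PointerRecord, "halo"))   # text is not in the shared bytes
    print(inspect_shared(InlineRecord, "halo"))    # text is in the shared bytes
    shared = multiprocessing.Array(InlineRecord, 9, lock=False)
    worker = multiprocessing.Process(target=child_write, args=(shared,))
    worker.start()
    worker.join()
    print(shared[0].a, shared[0].b)                # values written by the child
```

With the pointer layout, another process reading the same slot gets an address that is meaningful only in the writer's address space, which is the condition the AddressSanitizer report shows being hit.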
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:58:10 | admin | set | github: 67211 |
2014-12-11 11:57:06 | sys | set | files: - repro.py |
2014-12-11 11:36:51 | vstinner | set | nosy: + pitrou |
2014-12-11 11:36:40 | vstinner | set | status: open -> closed resolution: not a bug messages: + msg232470 |
2014-12-11 10:54:43 | pitrou | set | nosy: + vstinner |
2014-12-10 09:44:08 | sys | set | hgrepos: - hgrepo284 |
2014-12-10 09:43:38 | sys | create |