Message 238139 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	michaelg
Recipients	gvanrossum, karamanolev, michaelg, r-englund, vstinner, yselivanov
Date	2015-03-15.10:13:29
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1426414409.96.0.919433317858.issue23187@psf.upfronthosting.co.za>
In-reply-to

Content
OK, I caught the crash with a debug build of Python 3.4.3. I have a core dump and even the process itself still alive in memory. I can provide any information you need. I can also explain how to debug a core dump with Visual Studio, if necessary. This time the crash was here: static void update_refs(PyGC_Head containers) { PyGC_Head gc = containers->gc.gc_next; for (; gc != containers; gc = gc->gc.gc_next) { assert(_PyGCHead_REFS(gc) == GC_REACHABLE); _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc))); /* Python's cyclic gc should never see an incoming refcount * of 0: if something decref'ed to 0, it should have been * deallocated immediately at that time. * Possible cause (if the assert triggers): a tp_dealloc * routine left a gc-aware object tracked during its teardown * phase, and did something-- or allowed something to happen -- * that called back into Python. gc can trigger then, and may * see the still-tracked dying object. Before this assert * was added, such mistakes went on to allow gc to try to * delete the object again. In a debug build, that caused * a mysterious segfault, when _Py_ForgetReference tried * to remove the object from the doubly-linked list of all * objects a second time. In a release build, an actual * double deallocation occurred, which leads to corruption * of the allocator's internal bookkeeping pointers. That's * so serious that maybe this should be a release-build * check instead of an assert? / ------> assert(_PyGCHead_REFS(gc) != 0); <------- crash } } In the calling frame I can see that update_refs() is called with a PyGC_Head object whose gc_refs is 0, and according to the paragraph above that shouldn't happen. A screenshot is attached. Stack trace: msvcr100d.dll!_NMSG_WRITE(int rterrnum=10) Line 217 msvcr100d.dll!abort() Line 71 msvcr100d.dll!_wassert(const wchar_t expr=0x0000000063220618, const wchar_t * filename=0x00000000632205e0, unsigned int lineno=364) Line 153 python34_d.dll!update_refs(_gc_head * containers=0x000000006338cfc0) Line 364 + 0x2b bytes python34_d.dll!collect(int generation=0, __int64 * n_collected=0x000000012beee530, __int64 * n_uncollectable=0x000000012beee520, int nofail=0) Line 969 python34_d.dll!collect_with_callback(int generation=0) Line 1140 + 0x16 bytes python34_d.dll!collect_generations() Line 1163 + 0x9 bytes python34_d.dll!_PyObject_GC_Malloc(unsigned __int64 basicsize=56) Line 1739 python34_d.dll!_PyObject_GC_New(_typeobject * tp=0x00000000633ce280) Line 1748 + 0xe bytes python34_d.dll!PyList_New(__int64 size=0) Line 159 + 0xc bytes python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f387658, int throwflag=3) Line 2347 + 0x8 bytes python34_d.dll!fast_function(_object * func=0x0000000000000003, _object * * * pp_stack=0x0000000129e69948, int n=737077536, int na=1661137695, int nk=0) Line 4335 python34_d.dll!call_function(_object * * * pp_stack=0x000000012beee919, int oparg=131) Line 4263 python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000011c077528, int throwflag=3) Line 2840 python34_d.dll!fast_function(_object * func=0x0000000000000003, _object * * * pp_stack=0x0000000089a53190, int n=737078048, int na=1661137695, int nk=0) Line 4335 python34_d.dll!call_function(_object * * * pp_stack=0x000000012beeeb19, int oparg=131) Line 4263 python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010369f2a8, int throwflag=0) Line 2840 python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000100000002, _object * globals=0x0000000100000002, _object * locals=0x000000001fa5e218, _object * * args=0x0000000000730088, int argcount=2, _object * * kws=0x0000000000730080, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000) Line 3588 + 0xf bytes python34_d.dll!function_call(_object * func=0x0000000003c10058, _object * arg=0x000000001fa5e218, _object * kw=0x00000001296360c8) Line 638 + 0x8a bytes python34_d.dll!PyObject_Call(_object * func=0x0000000003c10058, _object * arg=0x000000001fa5e218, _object * kw=0x00000001296360c8) Line 2040 + 0x13 bytes python34_d.dll!ext_do_call(_object * func=0x00000000c42c25a0, _object * * * pp_stack=0x000000012beeee49, int flags=62980184, int na=1, int nk=0) Line 4561 + 0xe bytes python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x00000000fa4eab18, int throwflag=1) Line 2880 python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000003b42f398, int n=737079376, int na=1661137695, int nk=0) Line 4335 python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef049, int oparg=131) Line 4263 python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f38ec28, int throwflag=0) Line 2840 python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000100000002, _object * globals=0x0000000100000002, _object * locals=0x000000012a1e5d78, _object * * args=0x0000000000730088, int argcount=2, _object * * kws=0x0000000000730080, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000) Line 3588 + 0xf bytes python34_d.dll!function_call(_object * func=0x00000000036d2d48, _object * arg=0x000000012a1e5d78, _object * kw=0x000000012a1f1918) Line 638 + 0x8a bytes python34_d.dll!PyObject_Call(_object * func=0x00000000036d2d48, _object * arg=0x000000012a1e5d78, _object * kw=0x000000012a1f1918) Line 2040 + 0x13 bytes python34_d.dll!ext_do_call(_object * func=0x00000000033f6040, _object * * * pp_stack=0x000000012beef379, int flags=57486664, int na=0, int nk=0) Line 4561 + 0xe bytes python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f80f118, int throwflag=1) Line 2880 python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000012a1ee878, int n=737080704, int na=1661137695, int nk=0) Line 4335 python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef579, int oparg=131) Line 4263 python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f1c8b98, int throwflag=1) Line 2840 python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000012a1ee878, int n=737081216, int na=1661137695, int nk=0) Line 4335 python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef779, int oparg=131) Line 4263 python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f80ee88, int throwflag=0) Line 2840 python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000000000001, _object * globals=0x0000000100000001, _object * locals=0x0000000000730058, _object * * args=0x0000000000000000, int argcount=1, _object * * kws=0x0000000000000000, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000) Line 3588 + 0xf bytes python34_d.dll!function_call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000) Line 638 + 0x8a bytes python34_d.dll!PyObject_Call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000) Line 2040 + 0x13 bytes python34_d.dll!method_call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000) Line 347 + 0x1d bytes python34_d.dll!PyObject_Call(_object * func=0x0000000003826fa8, _object * arg=0x0000000000730058, _object * kw=0x0000000000000000) Line 2040 + 0x13 bytes python34_d.dll!PyEval_CallObjectWithKeywords(_object * func=0x0000000000000000, _object * arg=0x0000000000000000, _object * kw=0x0000000000000000) Line 4115 python34_d.dll!t_bootstrap(void * boot_raw=0x00000000e2e0df70) Line 1000 + 0x20 bytes python34_d.dll!bootstrap(void * call=0x000000000070ef20) Line 176 msvcr100d.dll!_callthreadstartex() Line 314 + 0x17 bytes msvcr100d.dll!_threadstartex(void * ptd=0x000000007be2d110) Line 297 kernel32.dll!0000000076eb5a4d() [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll] ntdll.dll!00000000775aba01()

OK, I caught the crash with a debug build of Python 3.4.3.

I have a core dump and even the process itself still alive in memory. I can provide any information you need. I can also explain how to debug a core dump with Visual Studio, if necessary.

This time the crash was here:

static void
update_refs(PyGC_Head *containers)
{
    PyGC_Head *gc = containers->gc.gc_next;
    for (; gc != containers; gc = gc->gc.gc_next) {
        assert(_PyGCHead_REFS(gc) == GC_REACHABLE);
        _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
        /* Python's cyclic gc should never see an incoming refcount
         * of 0:  if something decref'ed to 0, it should have been
         * deallocated immediately at that time.
         * Possible cause (if the assert triggers):  a tp_dealloc
         * routine left a gc-aware object tracked during its teardown
         * phase, and did something-- or allowed something to happen --
         * that called back into Python.  gc can trigger then, and may
         * see the still-tracked dying object.  Before this assert
         * was added, such mistakes went on to allow gc to try to
         * delete the object again.  In a debug build, that caused
         * a mysterious segfault, when _Py_ForgetReference tried
         * to remove the object from the doubly-linked list of all
         * objects a second time.  In a release build, an actual
         * double deallocation occurred, which leads to corruption
         * of the allocator's internal bookkeeping pointers.  That's
         * so serious that maybe this should be a release-build
         * check instead of an assert?
         */
------> assert(_PyGCHead_REFS(gc) != 0); <------- crash
    }
}

In the calling frame I can see that update_refs() is called with a PyGC_Head object whose gc_refs is 0, and according to the paragraph above that shouldn't happen. A screenshot is attached.

Stack trace:

msvcr100d.dll!_NMSG_WRITE(int rterrnum=10)  Line 217
msvcr100d.dll!abort()  Line 71
msvcr100d.dll!_wassert(const wchar_t * expr=0x0000000063220618, const wchar_t * filename=0x00000000632205e0, unsigned int lineno=364)  Line 153
python34_d.dll!update_refs(_gc_head * containers=0x000000006338cfc0)  Line 364 + 0x2b bytes
python34_d.dll!collect(int generation=0, __int64 * n_collected=0x000000012beee530, __int64 * n_uncollectable=0x000000012beee520, int nofail=0)  Line 969
python34_d.dll!collect_with_callback(int generation=0)  Line 1140 + 0x16 bytes
python34_d.dll!collect_generations()  Line 1163 + 0x9 bytes
python34_d.dll!_PyObject_GC_Malloc(unsigned __int64 basicsize=56)  Line 1739
python34_d.dll!_PyObject_GC_New(_typeobject * tp=0x00000000633ce280)  Line 1748 + 0xe bytes
python34_d.dll!PyList_New(__int64 size=0)  Line 159 + 0xc bytes
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f387658, int throwflag=3)  Line 2347 + 0x8 bytes
python34_d.dll!fast_function(_object * func=0x0000000000000003, _object * * * pp_stack=0x0000000129e69948, int n=737077536, int na=1661137695, int nk=0)  Line 4335
python34_d.dll!call_function(_object * * * pp_stack=0x000000012beee919, int oparg=131)  Line 4263
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000011c077528, int throwflag=3)  Line 2840
python34_d.dll!fast_function(_object * func=0x0000000000000003, _object * * * pp_stack=0x0000000089a53190, int n=737078048, int na=1661137695, int nk=0)  Line 4335
python34_d.dll!call_function(_object * * * pp_stack=0x000000012beeeb19, int oparg=131)  Line 4263
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010369f2a8, int throwflag=0)  Line 2840
python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000100000002, _object * globals=0x0000000100000002, _object * locals=0x000000001fa5e218, _object * * args=0x0000000000730088, int argcount=2, _object * * kws=0x0000000000730080, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000)  Line 3588 + 0xf bytes
python34_d.dll!function_call(_object * func=0x0000000003c10058, _object * arg=0x000000001fa5e218, _object * kw=0x00000001296360c8)  Line 638 + 0x8a bytes
python34_d.dll!PyObject_Call(_object * func=0x0000000003c10058, _object * arg=0x000000001fa5e218, _object * kw=0x00000001296360c8)  Line 2040 + 0x13 bytes
python34_d.dll!ext_do_call(_object * func=0x00000000c42c25a0, _object * * * pp_stack=0x000000012beeee49, int flags=62980184, int na=1, int nk=0)  Line 4561 + 0xe bytes
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x00000000fa4eab18, int throwflag=1)  Line 2880
python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000003b42f398, int n=737079376, int na=1661137695, int nk=0)  Line 4335
python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef049, int oparg=131)  Line 4263
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f38ec28, int throwflag=0)  Line 2840
python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000100000002, _object * globals=0x0000000100000002, _object * locals=0x000000012a1e5d78, _object * * args=0x0000000000730088, int argcount=2, _object * * kws=0x0000000000730080, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000)  Line 3588 + 0xf bytes
python34_d.dll!function_call(_object * func=0x00000000036d2d48, _object * arg=0x000000012a1e5d78, _object * kw=0x000000012a1f1918)  Line 638 + 0x8a bytes
python34_d.dll!PyObject_Call(_object * func=0x00000000036d2d48, _object * arg=0x000000012a1e5d78, _object * kw=0x000000012a1f1918)  Line 2040 + 0x13 bytes
python34_d.dll!ext_do_call(_object * func=0x00000000033f6040, _object * * * pp_stack=0x000000012beef379, int flags=57486664, int na=0, int nk=0)  Line 4561 + 0xe bytes
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f80f118, int throwflag=1)  Line 2880
python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000012a1ee878, int n=737080704, int na=1661137695, int nk=0)  Line 4335
python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef579, int oparg=131)  Line 4263
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f1c8b98, int throwflag=1)  Line 2840
python34_d.dll!fast_function(_object * func=0x0000000000000001, _object * * * pp_stack=0x000000012a1ee878, int n=737081216, int na=1661137695, int nk=0)  Line 4335
python34_d.dll!call_function(_object * * * pp_stack=0x000000012beef779, int oparg=131)  Line 4263
python34_d.dll!PyEval_EvalFrameEx(_frame * f=0x000000010f80ee88, int throwflag=0)  Line 2840
python34_d.dll!PyEval_EvalCodeEx(_object * _co=0x0000000000000001, _object * globals=0x0000000100000001, _object * locals=0x0000000000730058, _object * * args=0x0000000000000000, int argcount=1, _object * * kws=0x0000000000000000, int kwcount=0, _object * * defs=0x0000000000000000, int defcount=0, _object * kwdefs=0x0000000000000000, _object * closure=0x0000000000000000)  Line 3588 + 0xf bytes
python34_d.dll!function_call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000)  Line 638 + 0x8a bytes
python34_d.dll!PyObject_Call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000)  Line 2040 + 0x13 bytes
python34_d.dll!method_call(_object * func=0x0000000003404058, _object * arg=0x000000012a1ee058, _object * kw=0x0000000000000000)  Line 347 + 0x1d bytes
python34_d.dll!PyObject_Call(_object * func=0x0000000003826fa8, _object * arg=0x0000000000730058, _object * kw=0x0000000000000000)  Line 2040 + 0x13 bytes
python34_d.dll!PyEval_CallObjectWithKeywords(_object * func=0x0000000000000000, _object * arg=0x0000000000000000, _object * kw=0x0000000000000000)  Line 4115
python34_d.dll!t_bootstrap(void * boot_raw=0x00000000e2e0df70)  Line 1000 + 0x20 bytes
python34_d.dll!bootstrap(void * call=0x000000000070ef20)  Line 176
msvcr100d.dll!_callthreadstartex()  Line 314 + 0x17 bytes
msvcr100d.dll!_threadstartex(void * ptd=0x000000007be2d110)  Line 297
kernel32.dll!0000000076eb5a4d()
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
ntdll.dll!00000000775aba01()

History
Date	User	Action	Args
2015-03-15 10:13:30	michaelg	set	recipients: + michaelg, gvanrossum, vstinner, yselivanov, karamanolev, r-englund
2015-03-15 10:13:29	michaelg	set	messageid: <1426414409.96.0.919433317858.issue23187@psf.upfronthosting.co.za>
2015-03-15 10:13:29	michaelg	link	issue23187 messages
2015-03-15 10:13:29	michaelg	create