Message 303457 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	serhiy.storchaka
Recipients	davin, serhiy.storchaka, vstinner
Date	2017-10-01.12:02:13
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1506859334.23.0.213398074469.issue31626@psf.upfronthosting.co.za>
In-reply-to

Content
There several bugs in the memory allocator. Incorrectly detected the case when realloc() resizes a memory block in-place. Wrong address is used for filling the extra memory with DEADBYTE. - if (q == oldq && nbytes < original_nbytes) { + if (q == oldq - 2SST && nbytes < original_nbytes) { / shrinking: mark old extra memory dead / - memset(q + nbytes, DEADBYTE, original_nbytes - nbytes); + memset(q + 2SST + nbytes, DEADBYTE, original_nbytes - nbytes); } But fixing this exposes other problem. _PyMem_DebugRawRealloc() is called recursively. _PyMem_DebugRawRealloc calls api->alloc.realloc which is _PyMem_DebugRawRealloc. There are two nested debug allocators. The block is nested in other block, both have their own header and footer. \|header1\|header2\|------------------------------\|footer2\|footer1\| _PyMem_DebugRawRealloc fills the extra memory with DEADBYTE. \|header\|---------------------------..unused..\|footer\| \|header\|---------------------------\|footer\|XXXXXXXXX\| But in case of nested _PyMem_DebugRawRealloc's, the outer one (which reallocates the inner block), overwrites the footer of the outer block. \|header1\|header2\|--------------------..unused..\|footer2\|footer1\| \|header1\|header2\|--------------------..unused\|footer1\|XXXXXXXXX\| after inner realloc \|header1\|header2\|--------------------\|footer2\|YYYYYYYYY\|XXXXXXX\| after outher realloc XXX are DEADBYTEs written by the inner allocator, YYY are DEADBYTEs written by the outer allocator.

There several bugs in the memory allocator.

Incorrectly detected the case when realloc() resizes a memory block in-place. Wrong address is used for filling the extra memory with DEADBYTE.

-    if (q == oldq && nbytes < original_nbytes) {
+    if (q == oldq - 2*SST && nbytes < original_nbytes) {
         /* shrinking:  mark old extra memory dead */
-        memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
+        memset(q + 2*SST + nbytes, DEADBYTE, original_nbytes - nbytes);
     }

But fixing this exposes other problem. _PyMem_DebugRawRealloc() is called recursively. _PyMem_DebugRawRealloc calls api->alloc.realloc which is _PyMem_DebugRawRealloc. There are two nested debug allocators. The block is nested in other block, both have their own header and footer.

|header1|header2|------------------------------|footer2|footer1|

_PyMem_DebugRawRealloc fills the extra memory with DEADBYTE.

|header|---------------------------..unused..|footer|
|header|---------------------------|footer|XXXXXXXXX|

But in case of nested _PyMem_DebugRawRealloc's, the outer one (which reallocates the inner block), overwrites the footer of the outer block.

|header1|header2|--------------------..unused..|footer2|footer1|
|header1|header2|--------------------..unused|footer1|XXXXXXXXX| after inner realloc
|header1|header2|--------------------|footer2|YYYYYYYYY|XXXXXXX| after outher realloc

XXX are DEADBYTEs written by the inner allocator, YYY are DEADBYTEs written by the outer allocator.

History
Date	User	Action	Args
2017-10-01 12:02:14	serhiy.storchaka	set	recipients: + serhiy.storchaka, vstinner, davin
2017-10-01 12:02:14	serhiy.storchaka	set	messageid: <1506859334.23.0.213398074469.issue31626@psf.upfronthosting.co.za>
2017-10-01 12:02:14	serhiy.storchaka	link	issue31626 messages
2017-10-01 12:02:13	serhiy.storchaka	create