Author methane
Recipients fenrrir, jonash, methane, vstinner
Date 2018-07-13.09:42:16
Message-id <1531474936.28.0.56676864532.issue34087@psf.upfronthosting.co.za>
Content
I received two core files ("core" and "core.23") from fenrrir, thank you.
But I can't investigate well, sorry.
I think someone breaks memory, and SEGV happened later.
I need to reproduce it on my machine...

In core.23, SEGV happens in kill() syscall. I can't get how it can happen.

(gdb) bt 10
#0  0x00007ffff6c10187 in kill () at ../sysdeps/unix/syscall-template.S:78
#1  0x0000555555778f71 in os_kill_impl (module=<optimized out>, signal=<optimized out>, pid=<optimized out>) at ../Modules/posixmodule.c:6749
#2  os_kill (module=<optimized out>, args=<optimized out>, nargs=<optimized out>) at ../Modules/clinic/posixmodule.c.h:2672
#3  0x00005555555dd4ba in _PyMethodDef_RawFastCallKeywords (kwnames=0x0, nargs=140737353236984, args=0x7ffff7ee7e60, self=<module at remote 0x7ffff7f221d8>,
    method=0x555555c007a0 <posix_methods+1920>) at ../Objects/call.c:651


In "core", SEGV happens in pymalloc. Pool is broken and I suppose some buffer overflow breaks the pool, but I'm not sure.

#0  pymalloc_alloc (ptr_p=ptr_p@entry=0x7fffee81a640, nbytes=40, ctx=<optimized out>) at ../Objects/obmalloc.c:1398
#1  0x000055555562ed78 in pymalloc_alloc (ctx=<optimized out>, nbytes=40, ptr_p=0x7fffee81a640) at ../Objects/obmalloc.c:1565
#2  _PyObject_Malloc (ctx=<optimized out>, nbytes=40) at ../Objects/obmalloc.c:1555
#3  0x000055555561d5d5 in new_dict_with_shared_keys (keys=0x7ffff4e4c2d0) at ../Objects/dictobject.c:607
#4  _PyObjectDict_SetItem (tp=tp@entry=0x555555e8b338, dictptr=0x7fffedfe4250, key=key@entry='s', value=value@entry='\n  <h3>') at ../Objects/dictobject.c:4311
#5  0x000055555562b2d4 in _PyObject_GenericSetAttrWithDict (dict=0x0, value='\n  <h3>', name='s', obj=<TextNode at remote 0x7fffedfe4240>) at ../Objects/object.c:1319
#6  PyObject_GenericSetAttr (obj=<TextNode at remote 0x7fffedfe4240>, name='s', value='\n  <h3>') at ../Objects/object.c:1341
#7  0x000055555562a09f in PyObject_SetAttr (v=v@entry=<TextNode at remote 0x7fffedfe4240>, name=<optimized out>, value=value@entry='\n  <h3>') at ../Objects/object.c:978
#8  0x00005555555c67d8 in _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:2002
#9  0x00005555555c1787 in function_code_fastcall (co=co@entry=0x7ffff4e90930, args=<optimized out>, args@entry=0x7fffee81a930, nargs=2,
    globals=globals@entry={'__name__': 'django.template.base', '__doc__': "\nThis is the Django template system...
../Objects/call.c:283

(gdb) p pool
$1 = (poolp) 0x7fffee861000
(gdb) p bp
$2 = (block *) 0x7a672f <error: Cannot access memory at address 0x7a672f>
(gdb) p *pool
$3 = {ref = {_padding = 0x2c <error: Cannot access memory at address 0x2c>, count = 44}, freeblock = 0x7a672f <error: Cannot access memory at address 0x7a672f>,
  nextpool = 0x555555ba1fd0 <usedpools+48>, prevpool = 0x555555ba1fd0 <usedpools+48>, arenaindex = 170, szidx = 4, nextoffset = 1768, maxnextoffset = 4056}
(gdb) p *(pool->nextpool)
$4 = {ref = {_padding = 0x7fffeec2a000 "}", count = 4005732352}, freeblock = 0x7fffeea8e000 "\006", nextpool = 0x7fffee861000, prevpool = 0x7fffee861000, arenaindex = 4004200448,
  szidx = 32767, nextoffset = 4004200448, maxnextoffset = 32767}
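
Added example, not part of the original message or of CPython: a short Python check of the pool header values from the gdb output above against pymalloc's layout invariants. The constants (4096-byte pools, 8-byte alignment, 48-byte header) are assumptions for a 64-bit build, chosen because they agree with the szidx and maxnextoffset values in the dump; the function names are hypothetical.

```python
# Added example: sanity-check a pymalloc pool header copied from gdb.
# Layout constants are assumptions for a 64-bit CPython build.
POOL_SIZE = 4096      # one system page per pool
ALIGNMENT = 8         # block sizes are multiples of 8
POOL_OVERHEAD = 48    # sizeof(struct pool_header) on 64-bit

# Values transcribed from the "p pool" / "p *pool" output in the message.
DUMPED_POOL = {
    "addr": 0x7fffee861000, "count": 44, "freeblock": 0x7a672f,
    "szidx": 4, "nextoffset": 1768, "maxnextoffset": 4056,
}


def check_pool(p):
    """Return a list of (field, problem) for every violated invariant."""
    problems = []
    size = (p["szidx"] + 1) * ALIGNMENT          # INDEX2SIZE(szidx)
    first = p["addr"] + POOL_OVERHEAD            # address of block 0
    end = p["addr"] + POOL_SIZE
    if p["addr"] % POOL_SIZE:
        problems.append(("addr", "pool not page-aligned"))
    if p["maxnextoffset"] != POOL_SIZE - size:
        problems.append(("maxnextoffset", "does not match szidx"))
    off = p["nextoffset"] - POOL_OVERHEAD
    if off < 0 or off % size or p["nextoffset"] > p["maxnextoffset"] + size:
        problems.append(("nextoffset", "not on a block boundary in the pool"))
    if p["count"] > (POOL_SIZE - POOL_OVERHEAD) // size:
        problems.append(("count", "more blocks in use than the pool holds"))
    fb = p["freeblock"]
    if fb and not (first <= fb < end and (fb - first) % size == 0):
        problems.append(("freeblock", "points outside this pool's blocks"))
    return problems


def pointer_as_text(ptr):
    """Return the pointer's little-endian bytes as ASCII if printable, else None."""
    raw = ptr.to_bytes(8, "little").rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


if __name__ == "__main__":
    for field, problem in check_pool(DUMPED_POOL):
        print(f"{field}: {problem}")
    print("freeblock as text:", pointer_as_text(DUMPED_POOL["freeblock"]))
```

On the dumped values only freeblock fails the checks, and its non-zero bytes are all printable ASCII.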