Message 357169 - Python tracker

Author pconnell
Recipients Johan Dahlin, db3l, emilyemorehouse, eric.snow, koobs, nascheme, ncoghlan, pconnell, pmpp, serhiy.storchaka, shprotx, steve.dower, vstinner, yselivanov
Date 2019-11-21.13:48:28
Message-id <1574344109.21.0.479934626407.issue33608@roundup.psfhosted.org>
Content
Based on Victor's info from https://bugs.python.org/issue36114#msg337090 I believe the crash is essentially what's reproduced in the attached program.

From the root of a (built) cpython clone run:

gcc -c -o fini_crash.o -IInclude -I. fini_crash.c && gcc -o fini_crash fini_crash.o libpython3.9.a -lcrypt -lpthread -ldl -lutil -lm && ./fini_crash

The output should be:

MAIN: allow other thread to execute
OTHER: acquired GIL
OTHER: released GIL
MAIN: interpreter finalized
OTHER: attempt to acquire GIL...crash!
[1]    266749 segmentation fault (core dumped)  ./fini_crash

And running it through valgrind:

$ valgrind --suppressions=Misc/valgrind-python.supp fini_crash
==266836== Memcheck, a memory error detector
==266836== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==266836== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==266836== Command: fini_crash
==266836==
MAIN: allow other thread to execute
OTHER: acquired GIL
OTHER: released GIL
MAIN: interpreter finalized
OTHER: attempt to acquire GIL...crash!
==266836== Thread 2:
==266836== Invalid read of size 8
==266836==    at 0x15607D: PyEval_RestoreThread (ceval.c:389)
==266836==    by 0x15479F: evil_main (in /home/phconnel/dev/cpython/fini_crash)
==266836==    by 0x48B94CE: start_thread (in /usr/lib/libpthread-2.30.so)
==266836==    by 0x4B232D2: clone (in /usr/lib/libc-2.30.so)
==266836==  Address 0x4d17270 is 16 bytes inside a block of size 264 free'd
==266836==    at 0x48399AB: free (vg_replace_malloc.c:540)
==266836==    by 0x1773FF: tstate_delete_common (pystate.c:829)
==266836==    by 0x1773FF: _PyThreadState_Delete (pystate.c:848)
==266836==    by 0x1773FF: zapthreads (pystate.c:311)
==266836==    by 0x1773FF: PyInterpreterState_Delete (pystate.c:321)
==266836==    by 0x174920: finalize_interp_delete (pylifecycle.c:1242)
==266836==    by 0x174920: Py_FinalizeEx.part.0 (pylifecycle.c:1400)
==266836==    by 0x15487B: main (in /home/phconnel/dev/cpython/fini_crash)
==266836==  Block was alloc'd at
==266836==    at 0x483877F: malloc (vg_replace_malloc.c:309)
==266836==    by 0x178D7C: new_threadstate (pystate.c:557)
==266836==    by 0x178D7C: PyThreadState_New (pystate.c:629)
==266836==    by 0x178D7C: PyGILState_Ensure (pystate.c:1288)
==266836==    by 0x154759: evil_main (in /home/phconnel/dev/cpython/fini_crash)
==266836==    by 0x48B94CE: start_thread (in /usr/lib/libpthread-2.30.so)
==266836==    by 0x4B232D2: clone (in /usr/lib/libc-2.30.so)
==266836== 
==266836== Invalid read of size 8
==266836==    at 0x156081: PyEval_RestoreThread (ceval.c:389)
==266836==    by 0x15479F: evil_main (in /home/phconnel/dev/cpython/fini_crash)
==266836==    by 0x48B94CE: start_thread (in /usr/lib/libpthread-2.30.so)
==266836==    by 0x4B232D2: clone (in /usr/lib/libc-2.30.so)
==266836==  Address 0x4c3a0f0 is 16 bytes inside a block of size 2,960 free'd
==266836==    at 0x48399AB: free (vg_replace_malloc.c:540)
==266836==    by 0x174920: finalize_interp_delete (pylifecycle.c:1242)
==266836==    by 0x174920: Py_FinalizeEx.part.0 (pylifecycle.c:1400)
==266836==    by 0x15487B: main (in /home/phconnel/dev/cpython/fini_crash)
==266836==  Block was alloc'd at
==266836==    at 0x483877F: malloc (vg_replace_malloc.c:309)
==266836==    by 0x177153: PyInterpreterState_New (pystate.c:205)
==266836==    by 0x1732BF: pycore_create_interpreter (pylifecycle.c:526)
==266836==    by 0x1732BF: pyinit_config.constprop.0 (pylifecycle.c:695)
==266836==    by 0x1766B7: pyinit_core (pylifecycle.c:879)
==266836==    by 0x1766B7: Py_InitializeFromConfig (pylifecycle.c:1055)
==266836==    by 0x1766B7: Py_InitializeEx (pylifecycle.c:1093)
==266836==    by 0x154801: main (in /home/phconnel/dev/cpython/fini_crash)
==266836==
History
Date  User  Action  Args
2019-11-21 13:48:29  pconnell  set  recipients: + pconnell, nascheme, db3l, ncoghlan, vstinner, pmpp, eric.snow, serhiy.storchaka, yselivanov, koobs, steve.dower, emilyemorehouse, Johan Dahlin, shprotx
2019-11-21 13:48:29  pconnell  set  messageid: <1574344109.21.0.479934626407.issue33608@roundup.psfhosted.org>
2019-11-21 13:48:29  pconnell  link  issue33608 messages
2019-11-21 13:48:28  pconnell  create
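
A triage aid for Memcheck reports like the one in the message above: it splits each "Invalid read/write" error into its access, free and allocation stacks and collapses inlined frames. This is an added example, not part of the original message or of CPython; the names `parse_memcheck` and `physical_frames` are hypothetical, and the sample is an excerpt of the trace above with some frames omitted.

```python
import re
from itertools import groupby

# Excerpt of the first Memcheck error in the trace above; some frames omitted.
SAMPLE = """\
==266836== Invalid read of size 8
==266836==    at 0x15607D: PyEval_RestoreThread (ceval.c:389)
==266836==    by 0x15479F: evil_main (in /home/phconnel/dev/cpython/fini_crash)
==266836==  Address 0x4d17270 is 16 bytes inside a block of size 264 free'd
==266836==    at 0x48399AB: free (vg_replace_malloc.c:540)
==266836==    by 0x1773FF: tstate_delete_common (pystate.c:829)
==266836==    by 0x1773FF: PyInterpreterState_Delete (pystate.c:321)
==266836==    by 0x174920: Py_FinalizeEx.part.0 (pylifecycle.c:1400)
==266836==  Block was alloc'd at
==266836==    at 0x483877F: malloc (vg_replace_malloc.c:309)
==266836==    by 0x178D7C: new_threadstate (pystate.c:557)
==266836==    by 0x178D7C: PyGILState_Ensure (pystate.c:1288)
==266836==    by 0x154759: evil_main (in /home/phconnel/dev/cpython/fini_crash)
"""

PREFIX = re.compile(r"^==\d+==")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
BLOCK = re.compile(r"^Address \S+ is (\d+) bytes inside a block of size ([\d,]+) free'd$")
FRAME = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (.+) \(.*\)$")

def parse_memcheck(text):
    """Return one dict per invalid access, with access/free/alloc stacks."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ERROR.match(line):
            cur = {"op": m[1], "size": int(m[2]), "access": [], "free": [], "alloc": []}
            errors.append(cur)
            stack = cur["access"]
        elif cur and (m := BLOCK.match(line)):
            cur["offset"], cur["block"] = int(m[1]), int(m[2].replace(",", ""))
            stack = cur["free"]
        elif cur and line == "Block was alloc'd at":
            stack = cur["alloc"]
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))
        elif raw.startswith("==") and not line:
            cur = None  # a bare "==PID==" line ends the current error record
    return errors

def physical_frames(stack):
    """Keep the last name in each run of equal addresses: inlined callees are listed first."""
    return [list(run)[-1][1] for _, run in groupby(stack, key=lambda f: f[0])]
```

On the excerpt, the collapsed stacks show the block being allocated under `PyGILState_Ensure` in `evil_main`, freed under `Py_FinalizeEx.part.0`, and then read by `PyEval_RestoreThread` in `evil_main`.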