Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segfault deallocating a ContextVar built with str subclass #132002

Closed
devdanzin opened this issue Apr 2, 2025 · 1 comment
Closed

Segfault deallocating a ContextVar built with str subclass #132002

devdanzin opened this issue Apr 2, 2025 · 1 comment
Assignees
@sobolevn
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@devdanzin
Copy link
Contributor

devdanzin commented Apr 2, 2025
edited by bedevere-app bot
Loading

Crash report

What happened?

Creating a ContextVar with an instance of a subclass of str leads to a segfault during its deallocation:

from _contextvars import ContextVar

class weird_str(str):
    def __eq__(self, other):
        pass

ContextVar(weird_str())

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
contextvar_tp_clear (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:935
935         Py_CLEAR(self->var_name);
(gdb) bt
#0  contextvar_tp_clear (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:935
#1  0x000055555587e395 in contextvar_tp_dealloc (self=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:958
#2  0x00005555556ffa08 in _Py_Dealloc (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Objects/object.c:3021
#3  0x000055555587e672 in Py_DECREF (op=<_contextvars.ContextVar at remote 0x7ffff7ac7150>, lineno=883,
    filename=0x555555a49efe "Python/context.c") at ./Include/refcount.h:416
#4  contextvar_new (name=<weird_str() at remote 0x7ffff7bc7260>, def=0x0) at Python/context.c:883
#5  0x000055555587e6fe in contextvar_tp_new (type=<optimized out>, args=<optimized out>, kwds=<optimized out>)
    at Python/context.c:928
#6  0x000055555574692f in type_call (self=<type at remote 0x555555bff380>, args=(<weird_str() at remote 0x7ffff7bc7260>,), kwds=0x0)
    at Objects/typeobject.c:2244
#7  0x000055555567b9a7 in _PyObject_MakeTpCall (tstate=tstate@entry=0x555555c69558 <_PyRuntime+330424>,
    callable=callable@entry=<type at remote 0x555555bff380>, args=args@entry=0x7fffffffd7c8, nargs=<optimized out>,
    keywords=keywords@entry=0x0) at Objects/call.c:242
#8  0x000055555567bdc8 in _PyObject_VectorcallTstate (tstate=0x555555c69558 <_PyRuntime+330424>,
    callable=<type at remote 0x555555bff380>, args=0x7fffffffd7c8, nargsf=<optimized out>, kwnames=0x0)
    at ./Include/internal/pycore_call.h:167
#9  0x000055555567bdf4 in PyObject_Vectorcall (callable=callable@entry=<type at remote 0x555555bff380>,
    args=args@entry=0x7fffffffd7c8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#10 0x000055555582f4c0 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c69558 <_PyRuntime+330424>,
    frame=frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at Python/generated_cases.c.h:1366
#11 0x000055555585cd69 in _PyEval_EvalFrame (throwflag=0, frame=0x7ffff7fb0020, tstate=0x555555c69558 <_PyRuntime+330424>)
    at ./Include/internal/pycore_ceval.h:119

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux, Windows

Output from running 'python -VV' on the command line:

Python 3.14.0a6+ (heads/main:be2d2181e62, Mar 31 2025, 07:30:17) [GCC 11.4.0]

Linked PRs
@devdanzin devdanzin added the type-crash A hard crash of the interpreter, possibly with a core dump label Apr 2, 2025
@sobolevn
Copy link
Member

sobolevn commented Apr 2, 2025

I know what happens. Thanks for the report!

@sobolevn sobolevn self-assigned this Apr 2, 2025
sobolevn added a commit to sobolevn/cpython that referenced this issue Apr 2, 2025
@sobolevn
pythongh-132002: Fix crash of ContextVar on unhashable str subtype
37ae65a
@bedevere-app bedevere-app bot mentioned this issue Apr 2, 2025
Merged
@ZeroIntensity ZeroIntensity added extension-modules C modules in the Modules dir 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Apr 2, 2025
sobolevn added a commit that referenced this issue Apr 2, 2025
@sobolevn
gh-132002: Fix crash of ContextVar on unhashable str subtype (#13…
ab2a3dd 
…2003)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 2, 2025
@sobolevn @miss-islington
pythongh-132002: Fix crash of ContextVar on unhashable str subtype (
27c1e4b 
pythonGH-132003)

(cherry picked from commit ab2a3dd)

Co-authored-by: sobolevn <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 2, 2025
@sobolevn @miss-islington
pythongh-132002: Fix crash of ContextVar on unhashable str subtype (
af14176 
pythonGH-132003)

(cherry picked from commit ab2a3dd)

Co-authored-by: sobolevn <[email protected]>
This was referenced Apr 2, 2025
Merged
Merged
sobolevn added a commit that referenced this issue Apr 2, 2025
@miss-islington @sobolevn
[3.12] gh-132002: Fix crash of ContextVar on unhashable str subty…
b3cf1f2 
…pe (GH-132003) (#132008)

gh-132002: Fix crash of `ContextVar` on unhashable `str` subtype (GH-132003)
(cherry picked from commit ab2a3dd)

Co-authored-by: sobolevn <[email protected]>
sobolevn added a commit that referenced this issue Apr 2, 2025
@miss-islington @sobolevn
[3.13] gh-132002: Fix crash of ContextVar on unhashable str subty…
57e4f08 
…pe (GH-132003) (#132007)

gh-132002: Fix crash of `ContextVar` on unhashable `str` subtype (GH-132003)
(cherry picked from commit ab2a3dd)

Co-authored-by: sobolevn <[email protected]>
@sobolevn sobolevn closed this as completed Apr 2, 2025
sobolevn added a commit to sobolevn/cpython that referenced this issue Apr 2, 2025
@sobolevn
pythongh-132002: Fix crash on invalid CALL_LIST_APPEND deoptimization
58fd6ea
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sobolevn sobolevn

Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sobolevn @ZeroIntensity @devdanzin