Hi,
I am currently hitting http://bugs.python.org/issue13992.
I have a scenario that reproduces the bug after 1 to 2 hours (intensive
sqlalchemy and threading). I get the same stack trace as described in the
bug.
After spending quite a bit of time trying to understand what could go wrong
in the C extensions I use, and not finding anything interesting, I decided
to try to find the problem with gdb. The stacktrace I have seems to mean
that we are trying to double free something in the frame_dealloc method.
See
(gdb) bt
#0 0x000000000046479f in _Py_ForgetReference (op=0x4dc7bc0) at
Objects/object.c:2222
#1 0x0000000000464810 in _Py_Dealloc (op=0x4dc7bc0) at
Objects/object.c:2242
#2 0x0000000000559a68 in frame_dealloc (f=0x4997ab0) at
Objects/frameobject.c:458
#3 0x000000000046481d in _Py_Dealloc (op=0x4997ab0) at
Objects/object.c:2243
and info in the bug report. Since the frame dealloc method is bracketed
with Py_TRASHCAN_SAFE_{BEGIN|END} macros, and they deal with memory
management, I had a closer look at those.
I compiled cpython without this trashcan management (replaced the macros by
two noops) and reran my scenario and it seems it is not segfaulting anymore.
I then had a closer look at the PyTrash_destroy_chain method (in object.c).
Here is what I think it does :
for each PyObject in the _PyTrash_delete_later linked list do :
set delete_nesting to 1 (it was 0 when the method was called) so that we
don't call destroy_chain again.
call deallocator for the object
set delete_nesting back to 1.
The thing is that this deallocator (from what I understood) is also
bracketed with Py_TRASHCAN macros. It could potentially cause a long
deallocation chain, that will be added to the _PyTrash_delete_later linked
list (if it's bigger than the PyTrash_UNWIND_LEVEL). If that happens, it
seems that the _PyTrash_delete_later list is going to contain twice the
same object, which could in turn cause the double free ?
Note that I am really not sure about this. What I am now almost sure about
is that my segfault goes away if I bypass the trashcan mechanism.
I am currently trying to set the unwind level to something like 5 and get a
quicker way to reproduce the bug, but I didn't manage to yet. I am
definitely available for help if needed.
Thanks,
Manu
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
