[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-10-26 Thread Berker Peksag

Berker Peksag  added the comment:

PR 2248 (3.4) and PR 2396 (3.3) have been merged. I think this issue can be 
closed now.

--
nosy: +berker.peksag
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-07-11 Thread Larry Hastings

Larry Hastings added the comment:

Yes, and thank you for submitting the PR to backport it to 3.4!

(And thank you for backporting it to 3.3, too!)




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-06-16 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Larry, is it worth fixing this issue in 3.4?

--
assignee:  -> larry




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-06-16 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

PR 2248 backports the issue27945 patch to 3.4. Seems it fixes this issue.

--
stage:  -> patch review




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-06-16 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2297




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-05-30 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

3.4 is open only for security fixes. Can this crash be considered a security 
issue? In that case I can backport the issue27945 patch to 3.4.

--
nosy: +larry, serhiy.storchaka
versions:  -Python 3.5, Python 3.6




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-05-30 Thread Jim Wright

Jim Wright added the comment:

Hi Jelle,

I think you're right about master; it looks like this very recent change:

https://github.com/python/cpython/pull/1657

could have fixed the issue, but I didn't find it whilst doing my original 
investigation of the issue on our side.




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-05-29 Thread Jelle Zijlstra

Jelle Zijlstra added the comment:

I could reproduce this on 3.4, but not on 3.3, 2.7, or master.

--
nosy: +Jelle Zijlstra
versions: +Python 3.4




[issue30484] Garbage Collector can cause Segfault whilst iterating dictionary items

2017-05-26 Thread Jim Wright

New submission from Jim Wright:

We discovered this issue whilst using h5py (HDF5 python library) under python 
3.5.2 on Ubuntu 16.04.2 x86_64.  The construct used is very dubious, and I will 
separately be raising an issue with the h5py team.  However I thought you might 
like to know there is a possible way to cause a segmentation violation using 
pure python.

There appears to be a new implementation of dictionaries in 3.6 vs 3.5, so I 
compiled up 3.6.1 and it also segfaults, but not so obviously related to the 
dictionary iteration (both stack traces are included below).

Regards, Jim.



$ cat segfault.py 
#!/usr/bin/python3

class CyclicObject:
    def __init__(self, key, register):
        self.key = key
        self.self = self
        self.register = register
        self.register[self.key] = None

    def __del__(self):
        del self.register[self.key]

while True:
    register = { }
    objs = set([CyclicObject(i, register) for i in range(1)])

    while len(objs) > 0:
        objs.remove(next(iter(objs)))

        try:
            list(register.items())
        except RuntimeError as err:
            print(err)



$ python3 --version
Python 3.5.2

$ gdb --args python3 segfault.py
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1

(gdb) r
Starting program: /usr/bin/python3 segfault.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
dictionary changed size during iteration
dictionary changed size during iteration
dictionary changed size during iteration

Program received signal SIGSEGV, Segmentation fault.
dictiter_iternextitem.lto_priv () at ../Objects/dictobject.c:3158
3158    ../Objects/dictobject.c: No such file or directory.

(gdb) bt
#0  dictiter_iternextitem.lto_priv () at ../Objects/dictobject.c:3158
#1  0x0059f024 in listextend.lto_priv () at ../Objects/listobject.c:855
#2  0x0058fd1c in list_init.lto_priv () at ../Objects/listobject.c:2314
#3  0x0055d17c in type_call.lto_priv () at ../Objects/typeobject.c:905
#4  0x005b7167 in PyObject_Call () at ../Objects/abstract.c:2165
#5  0x00528d06 in do_call (nk=, na=, 
pp_stack=0x7fffd9b0, func=) at ../Python/ceval.c:4936
#6  call_function (oparg=, pp_stack=0x7fffd9b0) at 
../Python/ceval.c:4732
#7  PyEval_EvalFrameEx () at ../Python/ceval.c:3236
#8  0x0052d2e3 in _PyEval_EvalCodeWithName () at ../Python/ceval.c:4018
#9  0x0052dfdf in PyEval_EvalCodeEx () at ../Python/ceval.c:4039
#10 PyEval_EvalCode (co=, globals=, 
locals=) at ../Python/ceval.c:777
#11 0x005fd2c2 in run_mod () at ../Python/pythonrun.c:976
#12 0x005ff76a in PyRun_FileExFlags () at ../Python/pythonrun.c:929
#13 0x005ff95c in PyRun_SimpleFileExFlags () at 
../Python/pythonrun.c:396
#14 0x0063e7d6 in run_file (p_cf=0x7fffdc20, filename=0xa73280 
L"segfault.py", fp=0xad19a0) at ../Modules/main.c:318
#15 Py_Main () at ../Modules/main.c:768
#16 0x004cfe41 in main () at ../Programs/python.c:65
#17 0x77811830 in __libc_start_main (main=0x4cfd60 , argc=2, 
argv=0x7fffde38, init=, fini=, 
rtld_fini=, 
stack_end=0x7fffde28) at ../csu/libc-start.c:291
#18 0x005d5f29 in _start ()



$ ./python --version
Python 3.6.1

$ gdb --args ./python ./segfault.py 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1

(gdb) r
Starting program: ./python ./segfault.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
dictionary changed size during iteration
dictionary changed size during iteration
dictionary changed size during iteration
dictionary changed size during iteration
dictionary changed size during iteration

Program received signal SIGSEGV, Segmentation fault.
_PyObject_Alloc (ctx=0x0, elsize=28, nelem=1, use_calloc=0) at 
Objects/obmalloc.c:1258
1258    if ((pool->freeblock = *(block **)bp) != NULL) {

(gdb) bt
#0  _PyObject_Alloc (ctx=0x0, elsize=28, nelem=1, use_calloc=0) at 
Objects/obmalloc.c:1258
#1  _PyObject_Malloc (ctx=0x0, nbytes=28) at Objects/obmalloc.c:1437
#2  0x00490732 in _PyLong_New (size=1) at Objects/longobject.c:196
#3  PyLong_FromLong (ival=) at Objects/longobject.c:254
#4  0x00542fda in _PyEval_EvalFrameDefault (f=, 
throwflag=) at Python/ceval.c:3060
#5  0x0053d671 in PyEval_EvalFrameEx (throwflag=0, f=0x77fa1648) at 
Python/ceval.c:718
#6  _PyFunction_FastCall (co=, args=, nargs=1, 
globals=globals@entry=0x77f452d0) at Python/ceval.c:4880
#7  0x0053e521 in fast_function (kwnames=0x0, nargs=, 
stack=, func=0x77eae510) at Python/ceval.c:4915
#8  call_function (pp_stack=pp_stack@entry=0x7fffd920, oparg=oparg@entry=1, 
kwnames=kwnames@entry=0x0) at Python/ceval.c:4819
#9  0x00542c17 in _PyEval_EvalFrameDefault (f=, 
throwflag=) at Python/ceval.c:3284
#10 0x0053e015 in PyEval_EvalFrameEx (throwflag=0, f=