global-buffer-overflow in test_opt.py

[adoxalim]

Crash report

What happened?

Hello when building cpython with address sanitizer test_opt.py crashed with a global-buffer-overflow, I will add build flags, reduced code that causes crash.

https://github.com/python/cpython/blob/main/Lib/test/test_capi/test_opt.py

./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -g”
make
make test

After this you can reproduce it just by running following scripts reduced from test_opt.py

import contextlib
import textwrap
import unittest

from test.support import import_helper


_testinternalcapi = import_helper.import_module("_testinternalcapi")

@contextlib.contextmanager
def temporary_optimizer(opt):
 _testinternalcapi.set_optimizer(opt)

class TestOptimizerAPI(unittest.TestCase):
 def test_long_loop(self):
 ns ={}
 exec(textwrap.dedent(""), ns)
 opt = _testinternalcapi.new_counter_optimizer()
 with temporary_optimizer(opt):
 return

if __name__ == "__main__":
 unittest.main()

Stack trace will be:

==24730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001056cb7b8 at pc 0x000105054760 bp 0x00016b1af940 sp 0x00016b1af938
READ of size 8 at 0x0001056cb7b8 thread T0
 #0 0x10505475c in visit_decref gc.c:531
 #1 0x1050aebf4 in executor_traverse optimizer.c:392
 #2 0x105054358 in deduce_unreachable gc.c:1162
 #3 0x105052690 in gc_collect_region gc.c:1509
 #4 0x10504fa08 in _PyGC_Collect gc.c:1815
 #5 0x105131e20 in gc_collect gcmodule.c.h:140
 #6 0x104df22f8 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
 #7 0x104d2c244 in PyObject_Vectorcall call.c:327
 #8 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
 #9 0x104d327c4 in method_vectorcall classobject.c:92
 #10 0x104d2c030 in _PyVectorcall_Call call.c:273
 #11 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
 #12 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
 #13 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
 #14 0x104e6f70c in slot_tp_call typeobject.c:9225
 #15 0x104d2afcc in _PyObject_MakeTpCall call.c:242
 #16 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
 #17 0x104d327c4 in method_vectorcall classobject.c:92
 #18 0x104d2c030 in _PyVectorcall_Call call.c:273
 #19 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
 #20 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
 #21 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
 #22 0x104e6f70c in slot_tp_call typeobject.c:9225
 #23 0x104d2afcc in _PyObject_MakeTpCall call.c:242
 #24 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
 #25 0x104d327c4 in method_vectorcall classobject.c:92
 #26 0x104d2c030 in _PyVectorcall_Call call.c:273
 #27 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
 #28 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
 #29 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
 #30 0x104e6f70c in slot_tp_call typeobject.c:9225
 #31 0x104d2afcc in _PyObject_MakeTpCall call.c:242
 #32 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
 #33 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
 #34 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
 #35 0x104e724e8 in slot_tp_init typeobject.c:9469
 #36 0x104e633e8 in type_call typeobject.c:1854
 #37 0x104d2afcc in _PyObject_MakeTpCall call.c:242
 #38 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
 #39 0x104fb425c in PyEval_EvalCode ceval.c:601
 #40 0x1050ddcb8 in run_mod pythonrun.c:1376
 #41 0x1050d98e8 in _PyRun_SimpleFileObject pythonrun.c:461
 #42 0x1050d8f7c in _PyRun_AnyFileObject pythonrun.c:77
 #43 0x10512f140 in Py_RunMain main.c:707
 #44 0x10512ff80 in pymain_main main.c:737
 #45 0x1051304a0 in Py_BytesMain main.c:761
 #46 0x18f5a60dc (<unknown module>)

0x0001056cb7b8 is located 8 bytes before global variable 'COLD_EXITS' defined in 'Python/optimizer.c' (0x1056cb7c0) of size 27200
0x0001056cb7b8 is located 23 bytes after global variable 'cold_exits_initialized' defined in 'Python/optimizer.c' (0x1056cb7a0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow gc.c:531 in visit_decref
Shadow bytes around the buggy address:
 0x0001056cb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cb580: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
 0x0001056cb600: f9 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 00 00 00
 0x0001056cb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cb700: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
=>0x0001056cb780: 00 f9 f9 f9 01 f9 f9[f9]00 00 00 00 00 00 00 00
 0x0001056cb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cb980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0001056cba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable: 00
 Partially addressable: 01 02 03 04 05 06 07 
 Heap left redzone: fa
 Freed heap region: fd
 Stack left redzone: f1
 Stack mid redzone: f2
 Stack right redzone: f3
 Stack after return: f5
 Stack use after scope: f8
 Global redzone: f9
 Global init order: f6
 Poisoned by user: f7
 Container overflow: fc
 Array cookie: ac
 Intra object redzone: bb
 ASan internal: fe
 Left alloca redzone: ca
 Right alloca redzone: cb
==24730==ABORTING
zsh: abort```

### CPython versions tested on:

3.12

### Operating systems tested on:

macOS

### Output from running 'python -VV' on the command line:

Python 3.12.3 (main, Apr 9 2024, 08:09:14) [Clang 15.0.0 (clang-1500.3.9.4)]

<!-- gh-linked-prs -->
### Linked PRs
* gh-118117
<!-- /gh-linked-prs -->

[gvanrossum]

As I wrote in the duplicate issue (sorry about that), I've bisected it to 7b21403: GH-112354: Initial implementation of warm up on exits and trace-stitching (GH-114142).

Also, I nearly have a fix.

[nineteendo]

The code block isn't terminated.