_lsprof.Profiler._creturn_callback() segfaults #126220

Closed
@devdanzin

Crash report

What happened?

It's possible to crash Python by simply calling the ._creturn_callback() or the ._ccall_callback() methods of the Profiler class in either _lsprof or cProfile.

```python
from _lsprof import Profiler

Profiler()._creturn_callback()
Profiler()._ccall_callback()
```

Backtrace looks like:

```
Program received signal SIGSEGV, Segmentation fault.
get_cfunc_from_callable (callable=0x0, self_arg=0x7ffff7bff710, missing=0x555555c53b80 <_PyInstrumentation_MISSING>) at ./Modules/_lsprof.c:628
628         if (PyCFunction_Check(callable)) {
(gdb) bt
#0  get_cfunc_from_callable (callable=0x0, self_arg=0x7ffff7bff710, missing=0x555555c53b80 <_PyInstrumentation_MISSING>) at ./Modules/_lsprof.c:628
#1  0x00007ffff79dd610 in creturn_callback (self=0x7ffff7a91050, args=<optimized out>, size=<optimized out>) at ./Modules/_lsprof.c:676
#2  0x000055555568f4b9 in method_vectorcall_FASTCALL (func=0x7ffff7aba630, args=0x7ffff7fb0078, nargsf=<optimized out>, kwnames=<optimized out>) at Objects/descrobject.c:401
#3  0x000055555567ba55 in _PyObject_VectorcallTstate (tstate=0x555555cbbc70 <_PyRuntime+329232>, callable=0x7ffff7aba630, args=0x7ffff7fb0078, nargsf=9223372036854775809, kwnames=0x0) at ./Include/internal/pycore_call.h:167
#4  0x000055555567bb74 in PyObject_Vectorcall (callable=callable@entry=0x7ffff7aba630, args=args@entry=0x7ffff7fb0078, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#5  0x0000555555827d24 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>, frame=0x7ffff7fb0020, throwflag=throwflag@entry=0) at Python/generated_cases.c.h:955
#6  0x0000555555852fb7 in _PyEval_EvalFrame (throwflag=0, frame=<optimized out>, tstate=0x555555cbbc70 <_PyRuntime+329232>) at ./Include/internal/pycore_ceval.h:116
#7  _PyEval_Vector (tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>, func=func@entry=0x7ffff7a46450, locals=locals@entry=0x7ffff7a55df0, args=args@entry=0x0, argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at Python/ceval.c:1886
#8  0x0000555555853096 in PyEval_EvalCode (co=co@entry=0x7ffff7a58630, globals=globals@entry=0x7ffff7a55df0, locals=locals@entry=0x7ffff7a55df0) at Python/ceval.c:662
#9  0x00005555559251f4 in run_eval_code_obj (tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>, co=co@entry=0x7ffff7a58630, globals=globals@entry=0x7ffff7a55df0, locals=locals@entry=0x7ffff7a55df0) at Python/pythonrun.c:1338
```

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux, Windows

Output from running 'python -VV' on the command line:

No response

Labels

3.12 (only security fixes); 3.13 (bugs and security fixes); 3.14 (bugs and security fixes); extension-modules (C modules in the Modules dir); type-crash (A hard crash of the interpreter, possibly with a core dump)
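
A way to check whether a given interpreter build is affected without crashing the process doing the check, as an added example (not part of the original report and not CPython's own test code): each of the two reproducer calls from the report runs in a child interpreter, and the child's exit status is classified. The names `PROBES`, `classify` and `probe` and the outcome labels are assumptions of this example.

```python
import subprocess
import sys

# Reproducer calls taken from the issue report. Each one runs in its own
# child interpreter so a segfault cannot take down the checking process.
PROBES = {
    "_creturn_callback": "from _lsprof import Profiler; Profiler()._creturn_callback()",
    "_ccall_callback": "from _lsprof import Profiler; Profiler()._ccall_callback()",
}

# Windows reports an access violation as NTSTATUS 0xC0000005.
WINDOWS_ACCESS_VIOLATION = 0xC0000005


def classify(returncode):
    """Map a child interpreter's exit status to an outcome label."""
    # POSIX: a negative return code means the child was killed by a signal
    # (SIGSEGV is reported as -11 on Linux).
    if returncode < 0 or returncode == WINDOWS_ACCESS_VIOLATION:
        return "crashed"
    if returncode == 0:
        return "no-error"
    # Non-zero exit: the call ended in an uncaught Python exception, e.g. an
    # argument check rejected it or the method does not exist in this version.
    return "raised"


def probe(interpreter=sys.executable, timeout=30):
    """Run each reproducer under `interpreter`; return {method: outcome}."""
    results = {}
    for name, code in PROBES.items():
        proc = subprocess.run(
            [interpreter, "-I", "-c", code],  # -I: isolated mode
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
        results[name] = classify(proc.returncode)
    return results


if __name__ == "__main__":
    for method, outcome in probe().items():
        print(f"{method}: {outcome}")
```

Pass the path of another interpreter to `probe()` to test a build other than the one running the script; an outcome of `crashed` means that build still dereferences the missing argument.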
