Python 3.13 refcounting related memory corruption

Phil Thompson phil at riverbankcomputing.com
Wed May 29 16:10:17 BST 2024


On 28/05/2024 22:50, Florian Bruhin wrote:
>> On 28/05/2024 17:04, Florian Bruhin wrote:
>> >> Unfortunately I've not been able to extract a minimal example by any
>> >> means. The best I could get is getting it down to running 11 test
>> >> files
>> >> in qutebrowser, with almost 2000 test cases. If I remove any of those
>> >> files, the bug doesn't trigger anymore.
>> >
>> > I've been able to reduce this to a minimal example now, which is
>> > attached and (at least for me) crashes reliably with Python 3.13.
>> >
>> > Florian
>> 
>> I can't get it to crash on either macOS or Linux.
> 
> I was only trying the minimal example with ASan enabled, i.e. with
> CPython built with:
> 
>     $ export CC="/usr/bin/clang -fsanitize=address"
>     $ ./configure --with-address-sanitizer --without-pymalloc --with-pydebug
> 
> The attached revised example seems to crash more reliably with a vanilla
> CPython.
> 
> If that doesn't work, try with PYTHONMALLOC=malloc (no Python rebuild
> needed).
> 
> If that still doesn't work, rebuild Python as above, or try under
> valgrind:
> 
>     PYTHONMALLOC=malloc valgrind python3.13 py313_crash_v2.py
> 
> Florian

This crashes reliably for me on vanilla macOS.

The PyQt code that triggers the crash is the
qpycore_PyObject_FromQString() function. Based on that I *think* the
following (similar) code would also trigger it...

#include <Python.h>

/* Allocate a one-character ASCII str and write a single code point into it. */
static PyObject *make_one_char_str(void)
{
    PyObject *obj;
    int kind;
    void *data;

    obj = PyUnicode_New(1, 127);   /* length 1, max code point 127 (1-byte kind) */
    if (obj == NULL)
        return NULL;

    kind = PyUnicode_KIND(obj);
    data = PyUnicode_DATA(obj);

    PyUnicode_WRITE(kind, data, 0, (Py_UCS4)'A');

    return obj;
}

If the length is initialised to 0 (rather than 1) and there is no call 
to PyUnicode_WRITE() then there is no crash.

Phil

