Python 3.13 refcounting related memory corruption
Phil Thompson
phil at riverbankcomputing.com
Wed May 29 16:10:17 BST 2024
On 28/05/2024 22:50, Florian Bruhin wrote:
>> On 28/05/2024 17:04, Florian Bruhin wrote:
>> >> Unfortunately I've not been able to extract a minimal example by any
>> >> means. The best I could get is getting it down to running 11 test files
>> >> in qutebrowser, with almost 2000 test cases. If I remove any of those
>> >> files, the bug doesn't trigger anymore.
>> >
>> > I've been able to reduce this to a minimal example now, which is
>> > attached and (at least for me) crashes reliably with Python 3.13.
>> >
>> > Florian
>>
>> I can't get it to crash on either macOS or Linux.
>
> I was only trying the minimal example with ASan enabled, i.e. with
> CPython built with:
>
> $ export CC="/usr/bin/clang -fsanitize=address"
> $ ./configure --with-address-sanitizer --without-pymalloc --with-pydebug
>
> The attached revised example seems to crash more reliably with a vanilla
> CPython.
>
> If that doesn't work, try with PYTHONMALLOC=malloc (no Python rebuild
> needed).
>
> If that still doesn't work, rebuild Python as above, or try under
> valgrind:
>
> PYTHONMALLOC=malloc valgrind python3.13 py313_crash_v2.py
>
> Florian
This crashes reliably for me on vanilla macOS.
The PyQt code that triggers the crash is the
qpycore_PyObject_FromQString() function. Based on that I *think* the
following (similar) code would also trigger it...
#include <Python.h>

PyObject *obj;
int kind;
void *data;

/* Allocate a compact string of length 1 whose maximum code point is 127 (ASCII). */
obj = PyUnicode_New(1, 127);
kind = PyUnicode_KIND(obj);
data = PyUnicode_DATA(obj);
/* Write the single character into the freshly allocated buffer. */
PyUnicode_WRITE(kind, data, 0, (Py_UCS4)'A');
If the length is initialised to 0 (rather than 1) and there is no call
to PyUnicode_WRITE() then there is no crash.
Phil
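The escalation Florian describes (vanilla interpreter, then PYTHONMALLOC=malloc so the system allocator is used, then valgrind) can be scripted so that a suspected native-code memory corruption is exercised the same way every time and the outcome is classified by how the child process died. The following harness is an added example written for this thread; it is not code from PyQt, qutebrowser or CPython. The stand-in reproducer (a script that calls os.abort()) is constructed here purely so the harness can be exercised without a C extension; the real reproducer would be passed as a file path.

```python
"""Triage harness for a suspected CPython memory-corruption reproducer.

Added example, not part of the thread. It runs a reproducer through the
stages named in the thread: default allocator, PYTHONMALLOC=malloc (system
malloc, so external tools see every allocation), and valgrind if installed.
The verdict is derived from the child's return code: on POSIX a negative
return code means the process was killed by that signal.
"""
import os
import shutil
import signal
import subprocess
import sys
import tempfile

# Constructed stand-ins. ABORT_SCRIPT dies with SIGABRT, the same kind of
# signal death a corrupted heap produces, without needing a C extension.
CLEAN_SCRIPT = "import sys; sys.exit(0)\n"
ABORT_SCRIPT = "import os; os.abort()\n"

# Exit code we ask valgrind to use when it found errors (its own flag).
VALGRIND_ERROR_EXIT = 99


def classify(returncode: int) -> str:
    """Map a subprocess return code to a human-readable verdict."""
    if returncode == 0:
        return "clean exit"
    if returncode < 0:
        try:
            return f"crashed: {signal.Signals(-returncode).name}"
        except ValueError:
            return f"crashed: signal {-returncode}"
    return f"nonzero exit {returncode}"


def build_command(mode: str, script: str, python: str = sys.executable):
    """Return (argv, extra_env) for one escalation stage."""
    if mode == "vanilla":
        return [python, script], {}
    if mode == "sysmalloc":
        return [python, script], {"PYTHONMALLOC": "malloc"}
    if mode == "valgrind":
        argv = ["valgrind", f"--error-exitcode={VALGRIND_ERROR_EXIT}", python, script]
        return argv, {"PYTHONMALLOC": "malloc"}
    raise ValueError(f"unknown mode {mode!r}")


def run_stage(mode: str, script: str, timeout: float = 120.0) -> str:
    """Run one stage and return its verdict; missing tools are reported, not fatal."""
    argv, extra_env = build_command(mode, script)
    if shutil.which(argv[0]) is None:
        return f"{argv[0]} not installed"
    env = dict(os.environ, **extra_env)
    try:
        proc = subprocess.run(argv, env=env, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timed out"
    if mode == "valgrind" and proc.returncode == VALGRIND_ERROR_EXIT:
        return "valgrind reported errors"
    return classify(proc.returncode)


def triage(source: str, modes=("vanilla", "sysmalloc", "valgrind")) -> dict:
    """Write the reproducer source to a temp file and run every stage on it."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(source)
        path = f.name
    try:
        return {mode: run_stage(mode, path) for mode in modes}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python triage.py [reproducer.py]; without an argument the
    # constructed ABORT_SCRIPT is used so the stages can be seen in action.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = ABORT_SCRIPT
    for mode, verdict in triage(source).items():
        print(f"{mode:>9}: {verdict}")
```

A reproducer that is "clean" under the default allocator but dies under PYTHONMALLOC=malloc or trips valgrind is the usual signature of a stale or over-written CPython object: pymalloc's arenas mask the corruption by handing the freed memory straight back, while the system allocator and valgrind expose it.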