pybloomfiltermmap stack overflow crash on startup - Mac OSX blocker #485

Closed
andypaxo opened this issue Jul 4, 2013 · 22 comments

@andypaxo

andypaxo commented Jul 4, 2013

I have just installed w3af and it crashes as soon as it starts up. Details below... I can provide more information if needed.

Installation steps:
Cloned latest w3af from github
Installed dependencies using MacPorts & pip
(Replaced py27-distribute with py27-setuptools in mac.py as the former is deprecated)

Running either the GUI or the console application produces the following crash:

Process:         Python [59681]
Path:            /opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Identifier:      Python
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  bash [58148]

Date/Time:       2013-07-04 14:38:00.419 -0600
OS Version:      Mac OS X 10.7.5 (11G63)
Report Version:  9

Interval Since Last Report:          541678 sec
Crashes Since Last Report:           10
Per-App Crashes Since Last Report:   6
Anonymous UUID:                      A1EF6DC0-D48D-49AB-837A-DB25EA220090

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Application Specific Information:
[59681] stack overflow
objc[59681]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff8fa05ce2 __pthread_kill + 10
1   libsystem_c.dylib               0x00007fff8a3b77d2 pthread_kill + 95
2   libsystem_c.dylib               0x00007fff8a3a8b4a __abort + 159
3   libsystem_c.dylib               0x00007fff8a3a5070 __stack_chk_fail + 223
4   pybloomfilter.so                0x00000001085677b8 _hash_long + 152
5   pybloomfilter.so                0x000000010857113c __pyx_pw_13pybloomfilter_11BloomFilter_21add + 508 (bloomfilter.h:76)
6   org.python.python               0x00000001078b6acf PyEval_EvalFrameEx + 9455
7   org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
8   org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
9   org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
10  org.python.python               0x00000001078d0df3 load_source_module + 1235
11  org.python.python               0x00000001078d1854 import_submodule + 340
12  org.python.python               0x00000001078d13dc load_next + 268
13  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
14  org.python.python               0x00000001078af758 builtin___import__ + 136
15  org.python.python               0x00000001078258b1 PyObject_Call + 97
16  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
17  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
18  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
19  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
20  org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
21  org.python.python               0x00000001078d0df3 load_source_module + 1235
22  org.python.python               0x00000001078d1854 import_submodule + 340
23  org.python.python               0x00000001078d13dc load_next + 268
24  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
25  org.python.python               0x00000001078af758 builtin___import__ + 136
26  org.python.python               0x00000001078258b1 PyObject_Call + 97
27  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
28  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
29  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
30  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
31  org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
32  org.python.python               0x00000001078d0df3 load_source_module + 1235
33  org.python.python               0x00000001078d1854 import_submodule + 340
34  org.python.python               0x00000001078d13dc load_next + 268
35  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
36  org.python.python               0x00000001078af758 builtin___import__ + 136
37  org.python.python               0x00000001078258b1 PyObject_Call + 97
38  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
39  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
40  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
41  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
42  org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
43  org.python.python               0x00000001078d0df3 load_source_module + 1235
44  org.python.python               0x00000001078d1854 import_submodule + 340
45  org.python.python               0x00000001078d13dc load_next + 268
46  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
47  org.python.python               0x00000001078af758 builtin___import__ + 136
48  org.python.python               0x00000001078258b1 PyObject_Call + 97
49  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
50  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
51  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
52  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
53  org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
54  org.python.python               0x00000001078d0df3 load_source_module + 1235
55  org.python.python               0x00000001078d1854 import_submodule + 340
56  org.python.python               0x00000001078d13dc load_next + 268
57  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
58  org.python.python               0x00000001078af758 builtin___import__ + 136
59  org.python.python               0x00000001078258b1 PyObject_Call + 97
60  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
61  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
62  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
63  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
64  org.python.python               0x00000001078cdd81 PyImport_ExecCodeModuleEx + 241
65  org.python.python               0x00000001078d0df3 load_source_module + 1235
66  org.python.python               0x00000001078d1854 import_submodule + 340
67  org.python.python               0x00000001078d13dc load_next + 268
68  org.python.python               0x00000001078cf32f PyImport_ImportModuleLevel + 1199
69  org.python.python               0x00000001078af758 builtin___import__ + 136
70  org.python.python               0x00000001078258b1 PyObject_Call + 97
71  org.python.python               0x00000001078bb338 PyEval_CallObjectWithKeywords + 168
72  org.python.python               0x00000001078b88f2 PyEval_EvalFrameEx + 17170
73  org.python.python               0x00000001078b4596 PyEval_EvalCodeEx + 1990
74  org.python.python               0x00000001078b3dc6 PyEval_EvalCode + 54
75  org.python.python               0x00000001078dae3e PyRun_FileExFlags + 174
76  org.python.python               0x00000001078da9a0 PyRun_SimpleFileExFlags + 768
77  org.python.python               0x00000001078ee7a8 Py_Main + 2952
78  org.python.python               0x000000010780ff24 0x10780f000 + 3876
@andresriancho
Owner

> (Replaced py27-distribute with py27-setuptools in mac.py as the former is deprecated)

Just today I asked in our mailing list about the potential replacement of setuptools in mac.py. Do you think it should be applied to w3af's source?

> __pyx_pw_13pybloomfilter_11BloomFilter_21add + 508 (bloomfilter.h:76)

The very ugly crash that should never happen (and it's the first time I see something similar) seems to be because of something in bloomfilter. As you can see in that code, we have different filter implementations and we try to use the most efficient first.

The problem seems to be near (kind of guessing):

    try:
        bf = CMmapFilter(1000, 0.01, temp_file)
        bf.add(1)
        assert 1 in bf
        assert 2 not in bf
    except:
        WrappedBloomFilter = FileSeekFilter
    else:
        WrappedBloomFilter = CMmapFilter

Where that except doesn't (of course) catch errors at the C level.

Try to change that file to force it to use WrappedBloomFilter = FileSeekFilter and let me know how it goes.
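
One way to keep a C-level abort from taking the whole process down, as an added example that is not w3af's code: run the self-test in a child interpreter and read its exit status, since the `__stack_chk_fail` and `__abort` frames in the report end in SIGABRT, which no `except` clause sees. It is written for Python 3 on POSIX; `probe_in_child`, `choose_filter` and the `pybloomfilter.BloomFilter(1000, 0.01, path)` self-test string are assumptions made for illustration.

```python
import signal
import subprocess
import sys
from collections import namedtuple

ProbeResult = namedtuple("ProbeResult", "ok signal_name detail")

# Assumption: the self-test from the comment above, written against the
# pybloomfilter module named in the crash report. Not w3af's own code.
CMMAP_SELF_TEST = """
import tempfile, pybloomfilter
with tempfile.NamedTemporaryFile() as fh:
    bf = pybloomfilter.BloomFilter(1000, 0.01, fh.name)
    bf.add(1)
    assert 1 in bf
    assert 2 not in bf
"""

# Constructed stand-in for the crash: os.abort() raises SIGABRT, the same
# signal the __stack_chk_fail -> __abort frames end in.
ABORTING_SELF_TEST = "import os; os.abort()"


def probe_in_child(snippet, timeout=30):
    """Run `snippet` in a fresh interpreter; a crash there cannot kill us."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", snippet],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ProbeResult(False, None, "timed out")
    if proc.returncode == 0:
        return ProbeResult(True, None, "")
    if proc.returncode < 0:
        # POSIX: a negative return code is the number of the fatal signal.
        try:
            name = signal.Signals(-proc.returncode).name
        except ValueError:
            name = "signal %d" % -proc.returncode
        return ProbeResult(False, name, "killed by " + name)
    # Ordinary Python failure (ImportError, AssertionError, ...): keep the
    # last traceback line so the fallback decision can be logged.
    lines = proc.stderr.decode(errors="replace").strip().splitlines()
    return ProbeResult(False, None, lines[-1] if lines else "exit %d" % proc.returncode)


def choose_filter(self_test=CMMAP_SELF_TEST):
    """Pick the mmap-backed filter only if its self-test survives in a child."""
    result = probe_in_child(self_test)
    return ("CMmapFilter" if result.ok else "FileSeekFilter"), result
```
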

@andypaxo
Author

andypaxo commented Jul 4, 2013

Seems that you've found the issue. I tried simply replacing the entire block of code above with WrappedBloomFilter = FileSeekFilter in my local copy of the application and now it works correctly. I'm afraid I'm not familiar enough with Python in general or w3af in particular to contribute a guess as to how this should be fixed.

I did struggle getting everything installed correctly, so the problem may be in my Python installation. I'll have to try this again, starting with a cleaner machine. I should mention that I'm running this on Mac OSX.

Regarding the py27-distribute issue... it seems there are several people with this problem. I found the workaround for that on a mailing list post by someone else running up against this issue a few days ago. (Looks like the workaround was provided by you.. so thanks again!)

@andresriancho
Owner

> Seems that you've found the issue. I tried simply replacing the entire block of code above with WrappedBloomFilter = FileSeekFilter in my local copy of the application and now it works correctly. I'm afraid I'm not familiar enough with Python in general or w3af in particular to contribute a guess as to how this should be fixed.

Well, that's good to know. I'll leave this open and try to think about a solution that's not very ugly.

> Regarding the py27-distribute issue... it seems there are several people with this problem. I found the workaround for that on a mailing list post by someone else running up against this issue a few days ago. (Looks like the workaround was provided by you.. so thanks again!)

All right, so I changed it in the repo: 9465520 , ceb1ccf

@andypaxo
Author

andypaxo commented Jul 4, 2013

Hey, thanks a lot for the help!

@floyd-fuh

Had the same problem, so confirmed for my Mac OSX system, workaround seems to work for this issue.

@andresriancho
Owner

@andresriancho
Owner

By that I mean... we reported the issue upstream and are waiting for a solution. If you get that crash you could:

  • Apply the workaround
  • Send us a pull request (that only changes things for mac) so we can merge it

andresriancho pushed a commit that referenced this issue Dec 2, 2013
@andresriancho
Owner

@axiak released a new version of pybloomfiltermmap at pypi. Could you guys see if it works for you on MAC?

cd w3af
git pull
git checkout feature/module
git status # make sure you don't have any local changes
pip install --upgrade pybloomfiltermmap
./w3af_console # run a scan

@andresriancho
Owner

It seems that @axiak's version of pybloomfiltermmap has installation issues 👎
axiak/pybloomfiltermmap#48

@andresriancho
Owner

@axiak closed axiak/pybloomfiltermmap#34 , which was our original bug report for Mac OSX. It was closed without any comment (fixed? ignored?) and can't test without MAC OSX :(

@andresriancho
Owner

Well, after upgrading to 0.3.14 (which is supposed to fix the MAC issue) the scalable bloom filter breaks:

pablo@eulogia:~/pch/w3af$ nosetests w3af/core/data/bloomfilter/tests/
...........FFF............FFF................................
======================================================================
FAIL: test_bloom_int (w3af.core.data.bloomfilter.tests.test_cmmap_bloom.TestCMmapBloomfilterLarge)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 61, in test_bloom_int
    self.assertNotIn(r, self.filter)
AssertionError: 26794 unexpectedly found in <BloomFilter capacity: 20000, error: 0.001, num_hashes: 9>

======================================================================
FAIL: test_bloom_string (w3af.core.data.bloomfilter.tests.test_cmmap_bloom.TestCMmapBloomfilterLarge)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 79, in test_bloom_string
    self.assertNotIn(saved_str[::-1], self.filter)
AssertionError: 'ViMcxIVqABeKvjRgYVtYxpbmycISEQtKXACvbmwQ' unexpectedly found in <BloomFilter capacity: 20000, error: 0.001, num_hashes: 9>

======================================================================
FAIL: test_bloom_url_objects (w3af.core.data.bloomfilter.tests.test_cmmap_bloom.TestCMmapBloomfilterLarge)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 95, in test_bloom_url_objects
    self.assertNotIn(url_char, self.filter)
AssertionError: <URL for "http://moth/index20076.html"> unexpectedly found in <BloomFilter capacity: 20000, error: 0.001, num_hashes: 9>

======================================================================
FAIL: test_bloom_int (w3af.core.data.bloomfilter.tests.test_scalable_bloom.TestScalableBloomFilterLargeCmmap)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 61, in test_bloom_int
    self.assertNotIn(r, self.filter)
AssertionError: 22472 unexpectedly found in <w3af.core.data.bloomfilter.scalable_bloom.ScalableBloomFilter object at 0x3258ad0>

======================================================================
FAIL: test_bloom_string (w3af.core.data.bloomfilter.tests.test_scalable_bloom.TestScalableBloomFilterLargeCmmap)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 79, in test_bloom_string
    self.assertNotIn(saved_str[::-1], self.filter)
AssertionError: 'kcgJhOFSTurBYeSsNenhJsXWKmnUeTfsUnyzXbEw' unexpectedly found in <w3af.core.data.bloomfilter.scalable_bloom.ScalableBloomFilter object at 0x3258bd0>

======================================================================
FAIL: test_bloom_url_objects (w3af.core.data.bloomfilter.tests.test_scalable_bloom.TestScalableBloomFilterLargeCmmap)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 95, in test_bloom_url_objects
    self.assertNotIn(url_char, self.filter)
AssertionError: <URL for "http://moth/index20167.html"> unexpectedly found in <w3af.core.data.bloomfilter.scalable_bloom.ScalableBloomFilter object at 0x3258cd0>

----------------------------------------------------------------------
Ran 61 tests in 28.329s

FAILED (failures=6)
pablo@eulogia:~/pch/w3af$ find . -name *bloom*^C
pablo@eulogia:~/pch/w3af$ sudo pip install pybloomfiltermmap==0.3.11
[sudo] password for pablo: 
Downloading/unpacking pybloomfiltermmap==0.3.11
  Downloading pybloomfiltermmap-0.3.11.tar.gz (435kB): 435kB downloaded
  Running setup.py egg_info for package pybloomfiltermmap
    info: Building from C

Installing collected packages: pybloomfiltermmap
  Found existing installation: pybloomfiltermmap 0.3.14
    Uninstalling pybloomfiltermmap:
      Successfully uninstalled pybloomfiltermmap
  Running setup.py install for pybloomfiltermmap
    info: Building from C
    building 'pybloomfilter' extension
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/mmapbitarray.c -o build/temp.linux-x86_64-2.7/src/mmapbitarray.o
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/bloomfilter.c -o build/temp.linux-x86_64-2.7/src/bloomfilter.o
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/md5.c -o build/temp.linux-x86_64-2.7/src/md5.o
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/primetester.c -o build/temp.linux-x86_64-2.7/src/primetester.o
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/pybloomfilter.c -o build/temp.linux-x86_64-2.7/src/pybloomfilter.o
    In file included from src/pybloomfilter.c:255:0:
    /usr/include/python2.7/pythread.h:5:1: warning: ‘always_inline’ attribute ignored [-Wattributes]
    gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro build/temp.linux-x86_64-2.7/src/mmapbitarray.o build/temp.linux-x86_64-2.7/src/bloomfilter.o build/temp.linux-x86_64-2.7/src/md5.o build/temp.linux-x86_64-2.7/src/primetester.o build/temp.linux-x86_64-2.7/src/pybloomfilter.o -lcrypto -o build/lib.linux-x86_64-2.7/pybloomfilter.so

Successfully installed pybloomfiltermmap
Cleaning up...
pablo@eulogia:~/pch/w3af$ nosetests w3af/core/data/bloomfilter/tests/
.............................................................
----------------------------------------------------------------------
Ran 61 tests in 33.906s

OK
pablo@eulogia:~/pch/w3af$ 

@axiak

axiak commented Mar 17, 2014

I don't know too much about those tests, but those look to me like it's testing against false positives? bloom filters will have false positives.

@andresriancho
Owner

Yes, agreed on the FP, but... they always PASS on 0.3.11 and always fail on 0.3.14. So there is either something wrong with pybloomfiltermmap OR my wrapper to make ScalableBloomfilters. I'll research more later and report a bug to you if needed.

Thanks!

@andresriancho
Owner

This test fails and I'm not doing any scalable bloom filter, just testing the 0.3.14:

pablo@eulogia:~/pch/w3af$ nosetests w3af/core/data/bloomfilter/tests/test_cmmap_bloom.py:TestCMmapBloomfilterLarge.test_bloom_int
F
======================================================================
FAIL: test_bloom_int (w3af.core.data.bloomfilter.tests.test_cmmap_bloom.TestCMmapBloomfilterLarge)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pablo/PycharmProjects/w3af/w3af/core/controllers/tests/pylint_plugins/decorator.py", line 38, in test_only_subclass
    return meth(self, *args, **kwds)
  File "/home/pablo/PycharmProjects/w3af/w3af/core/data/bloomfilter/tests/generic_filter_test.py", line 61, in test_bloom_int
    self.assertNotIn(r, self.filter)
AssertionError: 26794 unexpectedly found in <BloomFilter capacity: 20000, error: 0.001, num_hashes: 9>

----------------------------------------------------------------------
Ran 1 test in 0.031s

FAILED (failures=1)
pablo@eulogia:~/pch/w3af$ 

This is the test that fails:

    @only_if_subclass
    def test_bloom_int(self):
        for i in xrange(0, self.CAPACITY):
            self.filter.add(i)

        for i in xrange(0, self.CAPACITY):
            self.assertIn(i, self.filter)

        for i in xrange(0, self.CAPACITY / 2):
            r = random.randint(self.CAPACITY, self.CAPACITY * 2)
            self.assertNotIn(r, self.filter)

Test starts to PASS if in test_cmmap_bloom.py I set ERROR_RATE = 0.00001.

All this only occurs with 0.3.14, 0.3.11 is working flawlessly (at least for these tests). What seems to be going on is that the hashing function for the bloom filter in 14 doesn't have a very random distribution => false positives are more likely.

Will read the latest commits for the pybloomfiltermmap project to investigate.

@andresriancho
Owner

Suspect: axiak/pybloomfiltermmap@a06bb1b

@axiak

axiak commented Mar 17, 2014

It's true I changed the hash function, but the error bounds are now much more correct (the tests indicate random input is very close to the error rate). Previously there were issues so I completely erred on the side of too exact.
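
The arithmetic behind the exchange above, as an added example that is neither w3af nor pybloomfiltermmap code: for a filter that exactly meets its nominal error rate, it computes how often the zero-false-positive assertion in `test_bloom_int` (capacity 20000, error 0.001, CAPACITY / 2 lookups) can pass, and shows a rate-based check instead. `ToyBloom` is a constructed pure-Python filter (Python 3) sized with the textbook formulas, and the six-sigma slack is an assumption.

```python
import hashlib
import math
import random


def strict_pass_probability(error_rate, trials):
    """Chance that `trials` independent absent-key lookups give zero false positives."""
    return (1.0 - error_rate) ** trials


class ToyBloom(object):
    """Constructed stand-in filter: m bits and k hashes from capacity and error rate."""

    def __init__(self, capacity, error_rate):
        self.m = int(math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, int(round(self.m / float(capacity) * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: two 64-bit halves of one digest give k bit positions.
        digest = hashlib.blake2b(repr(item).encode(), digest_size=16).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def rate_based_check(capacity=20000, error_rate=0.001, seed=485, sigmas=6.0):
    """Same shape as test_bloom_int, but bounds the false-positive count."""
    bf = ToyBloom(capacity, error_rate)
    for i in range(capacity):
        bf.add(i)
    # A Bloom filter must never lose an inserted key.
    false_negatives = sum(1 for i in range(capacity) if i not in bf)
    rng = random.Random(seed)
    trials = capacity // 2
    # Keys in [capacity, 2 * capacity] were never inserted, as in the test.
    false_positives = sum(
        1 for _ in range(trials) if rng.randint(capacity, capacity * 2) in bf
    )
    expected = error_rate * trials
    allowed = int(math.ceil(expected + sigmas * math.sqrt(expected)))
    return {
        "false_negatives": false_negatives,
        "false_positives": false_positives,
        "trials": trials,
        "allowed": allowed,
        "ok": false_negatives == 0 and false_positives <= allowed,
    }
```

With 10000 lookups at error 0.001 about ten false positives are expected, so the strict assertion passes less than once in ten thousand runs; at `ERROR_RATE = 0.00001` it passes roughly nine times in ten.
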

@andresriancho
Owner

MurmurHash3 is platform dependent, documenting that I'm using 64bit for these tests.

@axiak

axiak commented Mar 17, 2014

Who uses 32-bit?

@andresriancho
Owner

Could you ping me on GTalk / IRC?
andres.riancho@gmail.com
__apr__ on #w3af @ freenode

It will be easier to chat for 10min than to exchange 20 messages over here :)

@andresriancho
Owner

Maybe I can better test all this with my own mac in the cloud 👍
http://www.macincloud.com/

@andresriancho
Owner

Failed to install Mac OSX on virtualbox using http://www.macbreaker.com/2012/07/mountain-lion-virtualbox.html , won't be able to debug myself, so the plan is now:

@andresriancho
Owner

Workaround: DONE. Changing severity to 3 since now Mac users can run w3af and this issue is just a performance thing.

@andresriancho andresriancho modified the milestones: 1.7 - Multiprocessing release, 1.6 - Consumer/producer release Mar 25, 2014
@andresriancho andresriancho modified the milestones: OLD .17, 1.7 - Multiprocessing release, 1.6.1 - Bug fixes after 1.6 release Mar 30, 2014
@andresriancho andresriancho modified the milestones: 1.6.1 - Bug fixing after 1.6, 1.7.0 - Increase WAVSEP Coverage and add long vulnerability descriptions Aug 28, 2014