list_repr not safe against concurrent mutation #74957

Open
pitrou opened this issue Jun 26, 2017 · 4 comments
Labels: 3.10 (only security fixes); 3.11 (only security fixes); interpreter-core (Objects, Python, Grammar, and Parser dirs); type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

@pitrou
Member

pitrou commented Jun 26, 2017

BPO 30774
Nosy @rhettinger, @pitrou, @serhiy-storchaka, @iritkatriel
Files
  • siglist.py
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2017-06-26.19:56:58.992>
    labels = ['3.10', '3.9', 'type-crash', '3.11']
    title = 'list_repr not safe against concurrent mutation'
    updated_at = <Date 2021-10-18.10:01:47.948>
    user = 'https://github.com/pitrou'

    bugs.python.org fields:

    activity = <Date 2021-10-18.10:01:47.948>
    actor = 'vstinner'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = []
    creation = <Date 2017-06-26.19:56:58.992>
    creator = 'pitrou'
    dependencies = []
    files = ['46975']
    hgrepos = []
    issue_num = 30774
    keywords = []
    message_count = 4.0
    messages = ['296936', '296938', '321410', '404148']
    nosy_count = 4.0
    nosy_names = ['rhettinger', 'pitrou', 'serhiy.storchaka', 'iritkatriel']
    pr_nums = []
    priority = 'normal'
    resolution = None
    stage = None
    status = 'open'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue30774'
    versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']

    @pitrou
    Member Author

    pitrou commented Jun 26, 2017

    list_repr() is careful to fetch the list size on each iteration. However, it seems that the list size may be mutated just after by concurrent code, perhaps in _PyUnicodeWriter_WriteASCIIString() or Py_EnterRecursiveCall().

    I witnessed this with a signal handler that shrank a list while printing a list from a loop in the main code path.

    gdb excerpt:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004a17d6 in PyObject_Repr (v=<unknown at remote 0x7ffff6044670>) at Objects/object.c:485
    485 res = (*v->ob_type->tp_repr)(v);

    (gdb) bt
    #0 0x00000000004a17d6 in PyObject_Repr (v=<unknown at remote 0x7ffff6044670>) at Objects/object.c:485
    #1 0x000000000047eef3 in list_repr (v=0x7ffff68e1d08) at Objects/listobject.c:373
    [...]

    (gdb) frame 1
    #1 0x000000000047eef3 in list_repr (v=0x7ffff68e1d08) at Objects/listobject.c:373
    373 s = PyObject_Repr(v->ob_item[i]);
    (gdb) p v
    $2 = (PyListObject *) 0x7ffff68e1d08
    (gdb) p i
    $3 = 19
    (gdb) p v->ob_item[18]
    $12 = <float at remote 0x7ffff6044628>
    (gdb) p v->ob_item[19]
    $13 = <unknown at remote 0x7ffff6044670>
    (gdb) p ((PyVarObject*)(v))->ob_size
    $14 = 19

    pitrou added the 3.7 (EOL) and type-crash labels on Jun 26, 2017
    @pitrou
    Member Author

    pitrou commented Jun 26, 2017

    Attaching reproducer script. I don't know if that is worth fixing.

    @serhiy-storchaka
    Member

    Is it possible to reproduce this issue without involving signal handlers?

    @iritkatriel
    Member

    Reproduced on 3.11.

    iritkatriel added the 3.9, 3.10 and 3.11 labels and removed the 3.7 (EOL) label on Oct 17, 2021
    ezio-melotti transferred this issue from another repository on Apr 10, 2022
    AlexWaygood removed the 3.9 label on Jul 10, 2022
    iritkatriel added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label on Nov 27, 2023
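
The gap described in the report (the size check passes, other code runs, and the slot is read afterwards) can be modeled in plain C. This is an added illustration, not CPython source and not a patch from the thread; `Obj`, `List`, `may_run_handler` and the other names are hypothetical, and objects live in a static pool so the stale read is counted instead of crashing.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy stand-ins (hypothetical names, not CPython types). Objects sit in a
   static pool and are never freed, so a stale read is counted, not a crash. */
typedef struct { int refcnt; } Obj;
typedef struct { Obj *item[32]; size_t size; } List;

static List *victim;                    /* list the simulated handler shrinks */
static size_t fire_at = (size_t)-1;     /* loop index at which it fires */

/* Drop trailing items; as in the gdb output, the slot keeps its old pointer. */
static void shrink(List *l, size_t n) {
    while (l->size > n) l->item[--l->size]->refcnt--;
}
/* Stands in for any call in the loop that can run arbitrary code. */
static void may_run_handler(size_t i) {
    if (i == fire_at) { fire_at = (size_t)-1; shrink(victim, i); }
}
static int item_alive(const Obj *o) { return o->refcnt > 0; }
/* Pattern from the report: bound checked, code runs, slot read afterwards. */
static int repr_unchecked(List *l) {
    int stale = 0;
    for (size_t i = 0; i < l->size; i++) {
        may_run_handler(i);                 /* list may shrink here */
        stale += !item_alive(l->item[i]);   /* borrowed pointer, maybe dead */
    }
    return stale;
}
/* Hardened loop: re-check the bound after the call, then own the item. */
static int repr_checked(List *l) {
    int stale = 0;
    for (size_t i = 0; i < l->size; i++) {
        may_run_handler(i);
        if (i >= l->size) break;            /* size changed under us */
        Obj *o = l->item[i];
        o->refcnt++;                        /* strong ref while o is in use */
        stale += !item_alive(o);
        o->refcnt--;
    }
    return stale;
}
/* Constructed case: 20 items, handler fires at i == 19 and shrinks to 19. */
static int run(int hardened) {
    static Obj pool[20];
    List l = { .size = 20 };
    for (size_t i = 0; i < 20; i++) { pool[i].refcnt = 1; l.item[i] = &pool[i]; }
    victim = &l; fire_at = 19;
    return hardened ? repr_checked(&l) : repr_unchecked(&l);
}
int main(void) { printf("%d %d\n", run(0), run(1)); return 0; }
```

The constructed case mirrors the gdb state above: the loop index is 19 and the size is 19 at the moment slot 19 is read.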