Segfault when compiling many conditional expressions

[snordhausen]

BPO	32368
Nosy	@tiran, @serhiy-storchaka, @snordhausen

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2018-02-06.16:44:22.085>
created_at = <Date 2017-12-18.16:29:23.985>
labels = ['interpreter-core', '3.7', 'type-crash']
title = 'Segfault when compiling many conditional expressions'
updated_at = <Date 2018-02-06.16:44:22.084>
user = 'https://github.com/snordhausen'

bugs.python.org fields:

activity = <Date 2018-02-06.16:44:22.084>
actor = 'snordhausen'
assignee = 'none'
closed = True
closed_date = <Date 2018-02-06.16:44:22.085>
closer = 'snordhausen'
components = ['Interpreter Core']
creation = <Date 2017-12-18.16:29:23.985>
creator = 'snordhausen'
dependencies = []
files = []
hgrepos = []
issue_num = 32368
keywords = []
message_count = 6.0
messages = ['308573', '308575', '308576', '308577', '308634', '311732']
nosy_count = 3.0
nosy_names = ['christian.heimes', 'serhiy.storchaka', 'snordhausen']
pr_nums = []
priority = 'normal'
resolution = 'duplicate'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue32368'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7']

[snordhausen]

The following code reproducibly segfaults in version 2.7.13, 3.6.3 and the current git master (3.7.0a3+):

code = "42 if True else 43\n" * 200000
compile(code, "foobar", "exec")

This issue was originally found because the Jinja templating engine internally produces large tuples with many conditional expressions, thus triggering this bug (see pallets/jinja#784 ).

[tiran]

Looks like 174,565 stack frames are a bit too much :)

(gdb) bt
#0 dfs (c=0x7fffffffcbe0, b=0x7fffea076d60, a=0x7fffffffcb50) at Python/compile.c:4903
#1 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076db0, a=0x7fffffffcb50) at Python/compile.c:4903
#2 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076cc0, a=0x7fffffffcb50) at Python/compile.c:4903
#3 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076d10, a=0x7fffffffcb50) at Python/compile.c:4903
#4 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076c20, a=0x7fffffffcb50) at Python/compile.c:4903
#5 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076c70, a=0x7fffffffcb50) at Python/compile.c:4903
#6 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076b80, a=0x7fffffffcb50) at Python/compile.c:4903
#7 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076bd0, a=0x7fffffffcb50) at Python/compile.c:4903
#8 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076ae0, a=0x7fffffffcb50) at Python/compile.c:4903
#9 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076b30, a=0x7fffffffcb50) at Python/compile.c:4903
#10 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076a40, a=0x7fffffffcb50) at Python/compile.c:4903
#11 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076a90, a=0x7fffffffcb50) at Python/compile.c:4903
#12 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea0769a0, a=0x7fffffffcb50) at Python/compile.c:4903
#13 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea0769f0, a=0x7fffffffcb50) at Python/compile.c:4903
#14 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7fffea076900, a=0x7fffffffcb50) at Python/compile.c:4903

(gdb) bt -50
...
bpo-174562 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7ffff04609a0, a=0x7fffffffcb50) at Python/compile.c:4903
bpo-174563 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7ffff04609f0, a=0x7fffffffcb50) at Python/compile.c:4903
bpo-174564 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7ffff0460900, a=0x7fffffffcb50) at Python/compile.c:4903
bpo-174565 0x00000000004e47a2 in dfs (c=0x7fffffffcbe0, b=0x7ffff0460950, a=0x7fffffffcb50) at Python/compile.c:4903
bpo-174566 0x00000000004e47a2 in dfs (c=c@entry=0x7fffffffcbe0, b=b@entry=0x7ffff04608b0, a=a@entry=0x7fffffffcb50) at Python/compile.c:4903
bpo-174567 0x00000000004e9844 in assemble (c=c@entry=0x7fffffffcbe0, addNone=<optimized out>) at Python/compile.c:5411
bpo-174568 0x00000000004ed809 in compiler_mod (c=c@entry=0x7fffffffcbe0, mod=mod@entry=0x3523788) at Python/compile.c:1494
bpo-174569 0x00000000004eda33 in PyAST_CompileObject (mod=0x3523788, filename=filename@entry='foobar', flags=flags@entry=0x7fffffffccb4, optimize=optimize@entry=-1, arena=arena@entry=0x7ffff0466f40)
at Python/compile.c:345
bpo-174570 0x000000000050fcaa in Py_CompileStringObject (
str=0x7fffef9d1070 "42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True else 43\n42 if True"..., filename=filename@entry='foobar', start=start@entry=257, flags=flags@entry=0x7fffffffccb4, optimize=optimize@entry=-1) at Python/pythonrun.c:1098
bpo-174571 0x00000000004d2146 in builtin_compile_impl (module=module@entry=<module at remote 0x7ffff7f5b658>,

[serhiy-storchaka]

Duplicate of bpo-31113?

[tiran]

I think so, too.

[snordhausen]

I tried out PR 3015 of Serhiy and this fixes the segfaults. So it seems to be a duplicate.

As for backporting the fix: Is this a 'reliable' segfault (i.e. it always segfaults when the limit is exceeded) or could there be some silent data corruption? If data can be corrupted, I'd consider this bug very serious, otherwise it's a rather small annoyance.

[snordhausen]

The fix for https://bugs.python.org/issue31113 also fixed this issue.