Skip to content

Segfault calling sys.remote_exec(0, None) #134064

New issue
New issue
Closed
Closed
Segfault calling sys.remote_exec(0, None)#134064
Labels
3.14bugs and security fixes3.15new features, bugs and security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)type-crashA hard crash of the interpreter, possibly with a core dump
@devdanzin

Description

@devdanzin
devdanzin
opened on May 15, 2025

Crash report

What happened?

The following code segfaults ASAN builds and aborts/segfaults on non-ASAN debug builds on main:

import sys

sys.remote_exec(0, None)

Backtrace ASAN debug free-threading:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555f86705 in _Py_TYPE (ob=0x0) at ./Include/object.h:270
270             return ob->ob_type;

#0  0x0000555555f86705 in _Py_TYPE (ob=0x0) at ./Include/object.h:270
#1  PyBytes_AS_STRING (op=0x0) at ./Include/cpython/bytesobject.h:25
#2  sys_remote_exec_impl (module=module@entry=<module at remote 0x7fffb4259d20>, pid=pid@entry=0, script=<optimized out>)
    at ./Python/sysmodule.c:2491
#3  0x0000555555f86c65 in sys_remote_exec (module=<optimized out>, args=0x7fffffffafc8, nargs=<optimized out>, kwnames=0x0)
    at ./Python/clinic/sysmodule.c.h:1614
#4  0x0000555555ad4921 in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<built-in method remote_exec of module object at remote 0x7fffb4259d20>,
    args=0x7fffffffafc8, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:466
#5  0x00005555559956f0 in _PyObject_VectorcallTstate (tstate=0x555556755e40 <_PyRuntime+362048>,
    callable=<built-in method remote_exec of module object at remote 0x7fffb4259d20>, args=0x7fffffffafc8, nargsf=9223372036854775810, kwnames=0x0)
    at ./Include/internal/pycore_call.h:169
#6  0x000055555599584b in PyObject_Vectorcall (callable=callable@entry=<built-in method remote_exec of module object at remote 0x7fffb4259d20>,
    args=args@entry=0x7fffffffafc8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#7  0x0000555555d870fb in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555556755e40 <_PyRuntime+362048>, frame=frame@entry=0x629000005840,
    throwflag=throwflag@entry=0) at Python/generated_cases.c.h:1619
#8  0x0000555555de915d in _PyEval_EvalFrame (throwflag=0, frame=0x629000005840, tstate=0x555556755e40 <_PyRuntime+362048>)
    at ./Include/internal/pycore_ceval.h:119

Backtrace ASAN release gilful:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555977807 in _PyFreeList_PopNoStats (fl=<optimized out>) at ./Include/internal/pycore_freelist.h:79
79              fl->freelist = *(void **)obj;

#0  0x0000555555977807 in _PyFreeList_PopNoStats (fl=<optimized out>) at ./Include/internal/pycore_freelist.h:79
#1  clear_freelist (dofree=<optimized out>, is_finalization=<optimized out>, freelist=<optimized out>) at Objects/object.c:903
#2  _PyObject_ClearFreeLists (freelists=0x555556276fc8 <_PyRuntime+101256>, is_finalization=is_finalization@entry=0) at Objects/object.c:950
#3  0x0000555555c45792 in _PyGC_ClearAllFreeLists (interp=<optimized out>) at Python/gc_gil.c:14
#4  0x0000555555c3f950 in gc_collect_full (stats=0x7fffffffd730, tstate=0x5555562ab2f8 <_PyRuntime+315064>) at Python/gc.c:1686
#5  _PyGC_Collect (tstate=<optimized out>, generation=generation@entry=2, reason=reason@entry=_Py_GC_REASON_SHUTDOWN) at Python/gc.c:2041
#6  0x0000555555c43c1e in _PyGC_CollectNoFail (tstate=tstate@entry=0x5555562ab2f8 <_PyRuntime+315064>) at Python/gc.c:2082
#7  0x0000555555ceb5fa in interpreter_clear (interp=<optimized out>, tstate=tstate@entry=0x5555562ab2f8 <_PyRuntime+315064>)
    at Python/pystate.c:920
#8  0x0000555555cec231 in _PyInterpreterState_Clear (tstate=tstate@entry=0x5555562ab2f8 <_PyRuntime+315064>) at Python/pystate.c:994
#9  0x0000555555cd843a in finalize_interp_clear (tstate=0x5555562ab2f8 <_PyRuntime+315064>) at Python/pylifecycle.c:1904
#10 0x0000555555ce27fb in _Py_Finalize (runtime=0x55555625e440 <_PyRuntime>) at Python/pylifecycle.c:2210
#11 0x0000555555ce2dbd in _Py_Finalize (runtime=0x55555625e440 <_PyRuntime>) at Python/pylifecycle.c:2252
#12 0x0000555555d74884 in Py_RunMain () at Modules/main.c:769
#13 pymain_main (args=0x7fffffffdc90) at Modules/main.c:797
#14 Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:821
#15 0x00007ffff72ded90 in __libc_start_call_main (main=main@entry=0x5555556fd530 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffffffdeb8)
    at ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x00007ffff72dee40 in __libc_start_main_impl (main=0x5555556fd530 <main>, argc=2, argv=0x7fffffffdeb8, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdea8) at ../csu/libc-start.c:392
#17 0x000055555573f855 in _start ()

Backtrace debug:

./Python/sysmodule.c:2542: _Py_NegativeRefcount: Assertion failed: object has negative ref count
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x7fffffffd4b0
object refcount : 4294956288
object type     : 0x55555591a387

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
74      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.

#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00007ffff7d14d31 in __vfprintf_internal (s=s@entry=0x7fffffffb200, format=0x555555a0d163 "object type name: %s\n", ap=0x7fffffffd340,
    mode_flags=2) at ./stdio-common/vfprintf-internal.c:1517
#2  0x00007ffff7d15665 in buffered_vfprintf (s=0x7ffff7eb96a0 <_IO_2_1_stderr_>, format=format@entry=0x555555a0d163 "object type name: %s\n",
    args=args@entry=0x7fffffffd340, mode_flags=mode_flags@entry=2) at ./stdio-common/vfprintf-internal.c:2261
#3  0x00007ffff7d1465e in __vfprintf_internal (s=<optimized out>, format=0x555555a0d163 "object type name: %s\n", ap=ap@entry=0x7fffffffd340,
    mode_flags=mode_flags@entry=2) at ./stdio-common/vfprintf-internal.c:1236
#4  0x00007ffff7dd2d13 in ___fprintf_chk (fp=<optimized out>, flag=flag@entry=1, format=format@entry=0x555555a0d163 "object type name: %s\n")
    at ./debug/fprintf_chk.c:33
#5  0x000055555570cc1f in fprintf (__fmt=0x555555a0d163 "object type name: %s\n", __stream=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:105
#6  _PyObject_Dump (op=op@entry=<unknown at remote 0x7fffffffd4b0>) at Objects/object.c:733
#7  0x000055555570ce97 in _PyObject_AssertFailed (obj=obj@entry=<unknown at remote 0x7fffffffd4b0>, expr=expr@entry=0x0,
    msg=msg@entry=0x555555a0d1ee "object has negative ref count", file=file@entry=0x555555a855a7 "./Python/sysmodule.c", line=line@entry=2542,
    function=function@entry=0x555555a0d9f0 <__func__.63> "_Py_NegativeRefcount") at Objects/object.c:3061
#8  0x000055555570cfa3 in _Py_NegativeRefcount (filename=filename@entry=0x555555a855a7 "./Python/sysmodule.c", lineno=lineno@entry=2542,
    op=op@entry=<unknown at remote 0x7fffffffd4b0>) at Objects/object.c:272
#9  0x000055555591a290 in Py_DECREF (op=<unknown at remote 0x7fffffffd4b0>, lineno=2542, filename=0x555555a855a7 "./Python/sysmodule.c")
    at ./Include/refcount.h:407
#10 sys_remote_exec_impl (module=module@entry=<module at remote 0x7ffff7bec0b0>, pid=pid@entry=0, script=<optimized out>)
    at ./Python/sysmodule.c:2542
#11 0x000055555591a387 in sys_remote_exec (module=<module at remote 0x7ffff7bec0b0>, args=0x7fffffffd778, nargs=<optimized out>,
    kwnames=<optimized out>) at ./Python/clinic/sysmodule.c.h:1614
#12 0x0000555555704e2e in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<built-in method remote_exec of module object at remote 0x7ffff7bec0b0>,
    args=0x7fffffffd778, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:466
#13 0x00005555556840c2 in _PyObject_VectorcallTstate (tstate=0x555555c8e4a8 <_PyRuntime+331080>,
    callable=<built-in method remote_exec of module object at remote 0x7ffff7bec0b0>, args=0x7fffffffd778, nargsf=9223372036854775810, kwnames=0x0)
    at ./Include/internal/pycore_call.h:169
#14 0x00005555556841e1 in PyObject_Vectorcall (callable=callable@entry=<built-in method remote_exec of module object at remote 0x7ffff7bec0b0>,
    args=args@entry=0x7fffffffd778, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#15 0x00005555558429a2 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c8e4a8 <_PyRuntime+331080>, frame=frame@entry=0x7ffff7fb0020,
    throwflag=throwflag@entry=0) at Python/generated_cases.c.h:1619
#16 0x000055555586f62f in _PyEval_EvalFrame (throwflag=0, frame=0x7ffff7fb0020, tstate=0x555555c8e4a8 <_PyRuntime+331080>)
    at ./Include/internal/pycore_ceval.h:119

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a0 (heads/main:52a7a22a6b8, May 15 2025, 16:27:02) [GCC 11.4.0]

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.14bugs and security fixes3.15new features, bugs and security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)type-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions