Bug#1009739: python3.10 breaks yade autopkgtest on i386: Segmentation fault

Bernhard Übelacker bernhardu at mailbox.org
Sun May 22 21:49:09 BST 2022


Dear Maintainer,
I just tried to see if I could find some more information.
I was able to reproduce the issue and got the stack below.

I debugged a little back and forth and I guess the issue
is related to the way a PyLongObject stores its value in
the ob_digit array.

Unfortunately, boost looks like it expects a pointer to be
stored right after an "ob_digit" having just one element.
But in my example the value 0x9e56f420 takes up three elements,
apparently because PyLong_SHIFT is 15 bits on i386.
This conversion takes place in the function PyLong_FromLong.

Therefore the third digit of ob_digit occupies the memory
that is also used for the "name" member, which therefore got a
value != 0; the attempt to destroy it then segfaults.

Maybe someone with more detailed Python knowledge can confirm
that this is a bug in boost, placing the name member of
boost::python::objects::enum_object after the base_object,
with base_object therefore having an "ob_digit" of just one element?


The following bug reports in yade and boost might be related to this issue:
   https://gitlab.com/yade-dev/trunk/-/issues/239
   https://github.com/boostorg/python/issues/312

Kind regards,
Bernhard



Thread 1 received signal SIGSEGV, Segmentation fault.
_Py_XDECREF (op=<unknown at remote 0x1>) at /usr/include/python3.10/object.h:567
567             Py_DECREF(op);
1: x/i $pc
=> 0xb70dfd7b <boost::python::objects::enum_dealloc(boost::python::objects::enum_object*)+27>:  subl   $0x1,(%eax)
(rr) bt 15
#0  _Py_XDECREF (op=<unknown at remote 0x1>) at /usr/include/python3.10/object.h:567
#1  boost::python::objects::enum_dealloc (self=0x9e56f410) at libs/python/src/object/enum.cpp:40
#2  0x0058bd56 in subtype_dealloc (self=<EnumClass_BlinkHighlight at remote 0x9e56f410>) at ../Objects/typeobject.c:1458
#3  0xb71137f9 in _Py_DECREF (op=<optimized out>) at /usr/include/python3.10/object.h:500
#4  boost::python::api::object_base::~object_base (this=0xbfd170a8, __in_chrg=<optimized out>) at /usr/include/boost/python/object_core.hpp:423
#5  0xb3e0d4b8 in boost::python::api::object::~object (this=0xbfd170a8, __in_chrg=<optimized out>) at /usr/include/boost/python/object_core.hpp:238
#6  yade::ArbitraryEnum_from_python<yade::OpenGLRenderer::BlinkHighlight>::setArbitraryEnum (arg=..., col=@0xbfd17250: yade::OpenGLRenderer::BlinkHighlight::NEVER) at ./lib/serialization/EnumSupport.hpp:76
#7  0xb3e0ef75 in yade::ArbitraryEnum_from_python<yade::OpenGLRenderer::BlinkHighlight>::convertible (obj_ptr=<optimized out>) at ./lib/serialization/EnumSupport.hpp:92
#8  0xb70dd5bd in boost::python::converter::rvalue_from_python_stage1 (source='NEVER', converters=...) at libs/python/src/converter/from_python.cpp:54
#9  0xb3e03337 in boost::python::converter::arg_rvalue_from_python<yade::OpenGLRenderer::BlinkHighlight const&>::arg_rvalue_from_python (obj='NEVER', this=0xbfd1733c) at /usr/include/boost/python/converter/arg_from_python.hpp:296
#10 boost::python::arg_from_python<yade::OpenGLRenderer::BlinkHighlight const&>::arg_from_python (source='NEVER', this=0xbfd1733c) at /usr/include/boost/python/arg_from_python.hpp:70
#11 boost::python::detail::caller_arity<2u>::impl<boost::python::detail::member<yade::OpenGLRenderer::BlinkHighlight, yade::OpenGLRenderer>, boost::python::return_value_policy<boost::python::return_by_value, boost::python::default_call_policies>, boost::mpl::vector3<void, yade::OpenGLRenderer&, yade::OpenGLRenderer::BlinkHighlight const&> >::operator() (args_=<optimized out>, this=<optimized out>) at /usr/include/boost/preprocessor/iteration/detail/local.hpp:37
#12 boost::python::objects::caller_py_function_impl<boost::python::detail::caller<boost::python::detail::member<yade::OpenGLRenderer::BlinkHighlight, yade::OpenGLRenderer>, boost::python::return_value_policy<boost::python::return_by_value, boost::python::default_call_policies>, boost::mpl::vector3<void, yade::OpenGLRenderer&, yade::OpenGLRenderer::BlinkHighlight const&> > >::operator() (this=0x2175a10, args=(<OpenGLRenderer at remote 0xa20a15c8>, 'NEVER'), kw=0x0) at /usr/include/boost/python/object/py_function.hpp:38
#13 0xb70e6974 in boost::python::objects::py_function::operator() (kw=0x0, args=(<OpenGLRenderer at remote 0xa20a15c8>, 'NEVER'), this=0x21759e8) at ./boost/python/object/py_function.hpp:147
#14 boost::python::objects::function::call (this=0x21759e0, args=<optimized out>, keywords=<optimized out>) at libs/python/src/object/function.cpp:221
(More stack frames follow...)

(rr) print/x $eax
$1 = 0x1
(rr) print op
$2 = <unknown at remote 0x1>

(rr) print self
$3 = (boost::python::objects::enum_object *) 0x9e56f410
(rr) print *self
$4 = {base_object = {ob_base = {ob_base = {ob_refcnt = 0, ob_type = 0xb71b0b38}, ob_size = -3}, ob_digit = {3056}}, name = <unknown at remote 0x1>}
(rr) print sizeof(*self)
$5 = 20
(rr) print *self->base_object->ob_base->ob_base->ob_type
$6 = {ob_base = {ob_base = {ob_refcnt = 6, ob_type = 0x9ce9a0 <PyType_Type>}, ob_size = 0}, tp_name = 0xb7207578 "EnumClass_BlinkHighlight", tp_basicsize = 20, tp_itemsize = 2, tp_dealloc = 0x58ba60 <subtype_dealloc>, tp_vectorcall_offset = 0, tp_getattr = 0x0, tp_setattr = 0x0, tp_as_async = 0xb71b0c04, tp_repr = 0xb70dfde0 <boost::python::objects::enum_repr(PyObject*)>, tp_as_number = 0xb71b0c14, tp_as_sequence = 0xb71b0cb0, tp_as_mapping = 0xb71b0ca4, tp_hash = 0x547e00 <long_hash>, tp_call = 0x0, tp_str = 0xb70dfdb0 <boost::python::objects::enum_str(PyObject*)>, tp_getattro = 0x574a40 <PyObject_GenericGetAttr>, tp_setattro = 0x54bbd0 <PyObject_GenericSetAttr>, tp_as_buffer = 0xb71b0cd8, tp_flags = 21517824, tp_doc = 0x0, tp_traverse = 0x58e3c0 <subtype_traverse>, tp_clear = 0x5ee3e0 <subtype_clear>, tp_richcompare = 0x583830 <long_richcompare>, tp_weaklistoffset = 0, tp_iter = 0x0, tp_iternext = 0x4f7c0b <_PyObject_NextNotImplemented>, tp_methods = 0x0, tp_members = 0xb71b0cf4, tp_getset = 0x0, tp_base = 0xb7106020 <boost::python::objects::enum_type_object>, tp_dict = {'__slots__': (), 'values': {0: <EnumClass_BlinkHighlight at remote 0xb71ae5a8>, 1: <EnumClass_BlinkHighlight at remote 0xb71ae648>, 2: <EnumClass_BlinkHighlight at remote 0xb71ae8e8>}, 'names': {'NEVER': <...>, 'NORMAL': <...>, 'WEAK': <...>}, '__module__': 'yade', '__doc__': None, 'NEVER': <...>, 'NORMAL': <...>, 'WEAK': <...>}, tp_descr_get = 0x0, tp_descr_set = 0x0, tp_dictoffset = 0, tp_init = 0x573340 <object_init>, tp_alloc = 0x546810 <PyType_GenericAlloc>, tp_new = 0x5a1da0 <long_new>, tp_free = 0x548280 <PyObject_GC_Del>, tp_is_gc = 0x0, tp_bases = (<type at remote 0xb7106020>,), tp_mro = (<type at remote 0xb71b0b38>, <type at remote 0xb7106020>, <type at remote 0x9ce620>, <type at remote 0x9ce8c0>), tp_cache = 0x0, tp_subclasses = 0x0, tp_weaklist = <weakref at remote 0xb71a6168>, tp_del = 0x0, tp_version_tag = 1031, tp_finalize = 0x0, tp_vectorcall = 0x0}

(rr) x/5xw self
0x9e56f410:     0x00000000      0xb71b0b38      0xfffffffd      0x43520bf0
0x9e56f420:     0x00000001

(rr) ptype /o self
type = struct boost::python::objects::enum_object {
/*      0      |      16 */    PyLongObject base_object;
/*     16      |       4 */    PyObject *name;

                                /* total size (bytes):   20 */
                              } *

(rr) ptype /o PyLongObject
type = struct _longobject {
/*      0      |      12 */    PyVarObject ob_base;
/*     12      |       2 */    digit ob_digit[1];
/* XXX  2-byte padding   */

                                /* total size (bytes):   16 */
                              }

(rr) print/x self->base_object->ob_digit[0]
$7 = 0xbf0
(rr) print/x self->base_object->ob_digit[1]
$8 = 0x4352
(rr) print/x self->base_object->ob_digit[2]
$9 = 0x1

(rr) print &self->base_object->ob_digit[2]
$10 = (digit *) 0x9e56f420
(rr) print &self->name
$11 = (PyObject **) 0x9e56f420

(rr) bt 15
#0  PyLong_FromLong (ival=-1638468592) at ../Objects/longobject.c:44
#1  0xb70e00e2 in boost::python::converter::arg_to_python<long>::arg_to_python (x=<optimized out>, this=0xbfd16fc4) at ./boost/python/converter/builtin_converters.hpp:123
#2  boost::python::call<boost::python::api::object, long> (a0=@0xbfd16ff4: -1638468592, a0=@0xbfd16ff4: -1638468592, callable=<type at remote 0xb71b0b38>) at ./boost/python/call.hpp:65
#3  boost::python::api::object_operators<boost::python::api::object>::operator()<long> (a0=@0xbfd16ff4: -1638468592, this=<synthetic pointer>) at ./boost/python/object_call.hpp:19
#4  boost::python::objects::enum_base::to_python (type_=0xb71b0b38, x=-1638468592) at libs/python/src/object/enum.cpp:249
#5  0xb3dfdd25 in boost::python::enum_<yade::OpenGLRenderer::BlinkHighlight>::to_python (x=0xbfd17250) at /usr/include/boost/python/enum.hpp:54
#6  0xb70ee5bd in boost::python::converter::detail::arg_to_python_base::arg_to_python_base (this=0xbfd170d4, source=0xbfd17250, converters=...) at libs/python/src/converter/arg_to_python_base.cpp:23
#7  0xb3e0ca48 in boost::python::converter::detail::value_arg_to_python<yade::OpenGLRenderer::BlinkHighlight>::value_arg_to_python (x=@0xbfd17250: (unknown: 0x9e56f410), this=0xbfd170d4) at /usr/include/boost/python/converter/arg_to_python.hpp:204
#8  boost::python::converter::arg_to_python<yade::OpenGLRenderer::BlinkHighlight>::arg_to_python (x=@0xbfd17250: (unknown: 0x9e56f410), this=0xbfd170d4) at /usr/include/boost/python/converter/arg_to_python.hpp:252
#9  boost::python::api::object_initializer_impl<false, false>::get<yade::OpenGLRenderer::BlinkHighlight> (x=@0xbfd17250: (unknown: 0x9e56f410)) at /usr/include/boost/python/object_core.hpp:289
#10 boost::python::api::object_base_initializer<yade::OpenGLRenderer::BlinkHighlight> (x=@0xbfd17250: (unknown: 0x9e56f410)) at /usr/include/boost/python/object_core.hpp:232
#11 boost::python::api::object::object<yade::OpenGLRenderer::BlinkHighlight> (x=@0xbfd17250: (unknown: 0x9e56f410), this=0xbfd170a8) at /usr/include/boost/python/object_core.hpp:247
#12 yade::ArbitraryEnum_from_python<yade::OpenGLRenderer::BlinkHighlight>::setArbitraryEnum (arg=..., col=@0xbfd17250: (unknown: 0x9e56f410)) at ./lib/serialization/EnumSupport.hpp:51
#13 0xb3e0ef75 in yade::ArbitraryEnum_from_python<yade::OpenGLRenderer::BlinkHighlight>::convertible (obj_ptr=<optimized out>) at ./lib/serialization/EnumSupport.hpp:92
#14 0xb70dd5bd in boost::python::converter::rvalue_from_python_stage1 (source='NEVER', converters=...) at libs/python/src/converter/from_python.cpp:54
(More stack frames follow...)

(rr) print/x ival
$180 = 0x9e56f410

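The layout clash described in the report can be reproduced without CPython or boost. The program below is an added example (editor's illustration, not code from the bug report, from boost.python or from CPython): it models the i386 layouts printed by "ptype /o" above (12-byte PyVarObject header, 2-byte digits, a 4-byte "name" pointer at offset 16, PyLong_SHIFT = 15), splits a magnitude into 15-bit digits the way PyLong_FromLong does, and shows that the third digit lands on the bytes of "name". The value fed in is the ival from the second backtrace, -1638468592, whose bit pattern is 0x9e56f410; the "name_before" parameter and the in-memory byte image are assumptions of the model, not something the trace shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the i386 layouts from the "ptype /o" output: a 12-byte
 * PyVarObject header (refcnt, type, size; 4 bytes each on i386), a
 * one-element array of 2-byte digits, then boost's "name" pointer
 * (4 bytes on i386, modelled as uint32_t so the offsets are the same on
 * any host).  This is a stand-in for the real headers, not CPython code. */
typedef uint16_t digit;
#define MODEL_PYLONG_SHIFT 15                      /* PyLong_SHIFT on i386 */
#define MODEL_DIGIT_MASK ((1u << MODEL_PYLONG_SHIFT) - 1u)

struct model_varobject  { uint32_t ob_refcnt; uint32_t ob_type; int32_t ob_size; };
struct model_longobject { struct model_varobject ob_base; digit ob_digit[1]; };
struct model_enum_object { struct model_longobject base_object; uint32_t name; };

/* Number of 15-bit digits PyLong_FromLong needs for |ival|
 * (CPython keeps the magnitude in ob_digit and the sign in ob_size). */
int digits_needed(uint32_t magnitude)
{
    int n = 0;
    do { magnitude >>= MODEL_PYLONG_SHIFT; n++; } while (magnitude != 0);
    return n;
}

/* Split a magnitude into little-endian 15-bit digits; returns the count
 * or -1 if max_digits is too small. */
int encode_digits(uint32_t magnitude, digit *out, int max_digits)
{
    int n = 0;
    do {
        if (n == max_digits) return -1;
        out[n++] = (digit)(magnitude & MODEL_DIGIT_MASK);
        magnitude >>= MODEL_PYLONG_SHIFT;
    } while (magnitude != 0);
    return n;
}

/* The i-th 15-bit digit of a magnitude (0 if the value has fewer digits). */
digit digit_at(uint32_t magnitude, int i)
{
    digit digs[4] = {0, 0, 0, 0};
    encode_digits(magnitude, digs, 4);
    return i >= 0 && i < 4 ? digs[i] : 0;
}

/* Byte offset of ob_digit[i] inside enum_object, and whether that offset
 * falls on the bytes boost's "name" member occupies. */
size_t digit_offset(int i)
{
    return offsetof(struct model_enum_object, base_object.ob_digit) + (size_t)i * sizeof(digit);
}

int digit_overlaps_name(int i)
{
    size_t name_off = offsetof(struct model_enum_object, name);
    size_t off = digit_offset(i);
    return off >= name_off && off < name_off + sizeof(uint32_t);
}

/* Lay the object out the way PyLong_FromLong would for a 32-bit long:
 * write every digit at its offset into a byte image of the object (the
 * real allocation is tp_basicsize + ob_size*tp_itemsize bytes, so these
 * writes stay inside it) and return what boost would then read back as
 * "name".  name_before is the assumed previous content of that slot. */
uint32_t name_after_pylong_fromlong(int32_t ival, uint32_t name_before)
{
    unsigned char image[sizeof(struct model_enum_object) + 4 * sizeof(digit)];
    uint32_t magnitude = ival < 0 ? 0u - (uint32_t)ival : (uint32_t)ival;
    digit digs[4];
    int n = encode_digits(magnitude, digs, 4);
    int32_t ob_size = ival < 0 ? -n : n;
    uint32_t name;

    memset(image, 0, sizeof image);
    memcpy(image + offsetof(struct model_enum_object, name), &name_before, sizeof name_before);
    memcpy(image + offsetof(struct model_varobject, ob_size), &ob_size, sizeof ob_size);
    for (int i = 0; i < n; i++)
        memcpy(image + digit_offset(i), &digs[i], sizeof(digit));

    memcpy(&name, image + offsetof(struct model_enum_object, name), sizeof name);
    return name;
}

int main(void)
{
    /* ival from the PyLong_FromLong backtrace: -1638468592 == 0x9e56f410 as bits. */
    int32_t ival = (int32_t)0x9e56f410u;
    uint32_t magnitude = 0u - (uint32_t)ival;
    int n = digits_needed(magnitude);

    printf("sizeof(enum_object)=%zu, name at offset %zu\n",
           sizeof(struct model_enum_object), offsetof(struct model_enum_object, name));
    for (int i = 0; i < n; i++)
        printf("ob_digit[%d] = 0x%x at offset %zu%s\n", i, digit_at(magnitude, i),
               digit_offset(i), digit_overlaps_name(i) ? "  <-- overlaps name" : "");
    printf("name after PyLong_FromLong: 0x%x\n", name_after_pylong_fromlong(ival, 0));
    return 0;
}
```

With the magnitude 0x61A90BF0 (that is |-1638468592|) the digits come out as 0xbf0, 0x4352 and 0x1 at offsets 12, 14 and 16, matching the three ob_digit values and the &ob_digit[2] == &name addresses printed in the report, and the model's "name" reads back as 0x1, which is the pointer _Py_XDECREF then dereferences. The boundary is 2^30: digits_needed() returns 2 for 0x3FFFFFFF and 3 for 0x40000000, so any enum value of that size or larger clobbers "name" under this layout, while small enum values leave it untouched.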
