Message 302414 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	eli.bendersky, jkloth, scoder, serhiy.storchaka, vstinner
Date	2017-09-18.07:28:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1505719708.13.0.239296652096.issue31499@psf.upfronthosting.co.za>
In-reply-to

Content
The bug is at this line: Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414 static int xmlparser_gc_clear(XMLParserObject *self) { EXPAT(ParserFree)(self->parser); // <--- HERE ... } This function calls XML_ParserFree() twice on the same parser object. The first call is fine and frees the memory. Since we now use Python memory allocators, XML_ParserFree() fills the freed memory with 0xDB byte pattern (when Python is in debug mode). The second XML_ParserFree() call uses freed memory (filled with 0xDB in debug mode). Call 1: a GC collection Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414 (gdb) up #1 0x0000000000446636 in delete_garbage (collectable=0x7fffffffd9a0, old=0x9b8f90 <_PyRuntime+432>) at Modules/gcmodule.c:759 (gdb) up #2 0x0000000000446ade in collect (generation=2, n_collected=0x7fffffffda30, n_uncollectable=0x7fffffffda28, nofail=0) at Modules/gcmodule.c:911 (gdb) cont Continuing. Call 2: xmlparser_dealloc() Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414 (gdb) up #1 0x00007ffff0038cb8 in xmlparser_dealloc (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3435 IMHO it's an obvious bug in Python. The question is more why/how the code didn't crash before? :-)

The bug is at this line:

Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414


static int
xmlparser_gc_clear(XMLParserObject *self)
{
    EXPAT(ParserFree)(self->parser);   // <--- HERE
    ...
}

This function calls XML_ParserFree() twice on the same parser object. The first call is fine and frees the memory. Since we now use Python memory allocators, XML_ParserFree() fills the freed memory with 0xDB byte pattern (when Python is in debug mode).

The second XML_ParserFree() call uses freed memory (filled with 0xDB in debug mode).

Call 1: a GC collection

Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414
(gdb) up
#1  0x0000000000446636 in delete_garbage (collectable=0x7fffffffd9a0, old=0x9b8f90 <_PyRuntime+432>) at Modules/gcmodule.c:759
(gdb) up
#2  0x0000000000446ade in collect (generation=2, n_collected=0x7fffffffda30, n_uncollectable=0x7fffffffda28, nofail=0) at Modules/gcmodule.c:911
(gdb) cont
Continuing.


Call 2: xmlparser_dealloc()

Breakpoint 6, xmlparser_gc_clear (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3414
(gdb) up
#1  0x00007ffff0038cb8 in xmlparser_dealloc (self=0x7ffff7e28c08) at /home/haypo/prog/python/master/Modules/_elementtree.c:3435


IMHO it's an obvious bug in Python. The question is more why/how the code didn't crash before? :-)

History
Date	User	Action	Args
2017-09-18 07:28:28	vstinner	set	recipients: + vstinner, scoder, jkloth, eli.bendersky, serhiy.storchaka
2017-09-18 07:28:28	vstinner	set	messageid: <1505719708.13.0.239296652096.issue31499@psf.upfronthosting.co.za>
2017-09-18 07:28:28	vstinner	link	issue31499 messages
2017-09-18 07:28:27	vstinner	create