global-buffer-overflow in test_opt.py #118074

Closed
adoxalim opened this issue Apr 19, 2024 · 2 comments
Labels
type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@adoxalim

adoxalim commented Apr 19, 2024

Crash report

What happened?

Hello, when building CPython with AddressSanitizer, test_opt.py crashed with a global-buffer-overflow. I will add the build flags and the reduced code that causes the crash.

https://github.com/python/cpython/blob/main/Lib/test/test_capi/test_opt.py

./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -g"
make
make test

After this you can reproduce it just by running the following script, reduced from test_opt.py:

import contextlib
import textwrap
import unittest

from test.support import import_helper


# Internal test module that exposes set_optimizer()/new_counter_optimizer().
_testinternalcapi = import_helper.import_module("_testinternalcapi")

@contextlib.contextmanager
def temporary_optimizer(opt):
    # Reduced from test_opt.py: the optimizer is installed and never restored.
    # (A contextmanager must yield once, otherwise entering it raises TypeError.)
    _testinternalcapi.set_optimizer(opt)
    yield

class TestOptimizerAPI(unittest.TestCase):
    def test_long_loop(self):
        ns = {}
        exec(textwrap.dedent(""), ns)
        opt = _testinternalcapi.new_counter_optimizer()
        with temporary_optimizer(opt):
            return

if __name__ == "__main__":
    unittest.main()

Stack trace will be:

==24730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001056cb7b8 at pc 0x000105054760 bp 0x00016b1af940 sp 0x00016b1af938
READ of size 8 at 0x0001056cb7b8 thread T0
    #0 0x10505475c in visit_decref gc.c:531
    #1 0x1050aebf4 in executor_traverse optimizer.c:392
    #2 0x105054358 in deduce_unreachable gc.c:1162
    #3 0x105052690 in gc_collect_region gc.c:1509
    #4 0x10504fa08 in _PyGC_Collect gc.c:1815
    #5 0x105131e20 in gc_collect gcmodule.c.h:140
    #6 0x104df22f8 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
    #7 0x104d2c244 in PyObject_Vectorcall call.c:327
    #8 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #9 0x104d327c4 in method_vectorcall classobject.c:92
    #10 0x104d2c030 in _PyVectorcall_Call call.c:273
    #11 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #12 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #13 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #14 0x104e6f70c in slot_tp_call typeobject.c:9225
    #15 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #16 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #17 0x104d327c4 in method_vectorcall classobject.c:92
    #18 0x104d2c030 in _PyVectorcall_Call call.c:273
    #19 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #20 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #21 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #22 0x104e6f70c in slot_tp_call typeobject.c:9225
    #23 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #24 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #25 0x104d327c4 in method_vectorcall classobject.c:92
    #26 0x104d2c030 in _PyVectorcall_Call call.c:273
    #27 0x104fd4c04 in _PyEval_EvalFrameDefault generated_cases.c.h:1267
    #28 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #29 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #30 0x104e6f70c in slot_tp_call typeobject.c:9225
    #31 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #32 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #33 0x104d2abf8 in _PyObject_VectorcallDictTstate call.c:135
    #34 0x104d2d0dc in _PyObject_Call_Prepend call.c:504
    #35 0x104e724e8 in slot_tp_init typeobject.c:9469
    #36 0x104e633e8 in type_call typeobject.c:1854
    #37 0x104d2afcc in _PyObject_MakeTpCall call.c:242
    #38 0x104fd576c in _PyEval_EvalFrameDefault generated_cases.c.h:813
    #39 0x104fb425c in PyEval_EvalCode ceval.c:601
    #40 0x1050ddcb8 in run_mod pythonrun.c:1376
    #41 0x1050d98e8 in _PyRun_SimpleFileObject pythonrun.c:461
    #42 0x1050d8f7c in _PyRun_AnyFileObject pythonrun.c:77
    #43 0x10512f140 in Py_RunMain main.c:707
    #44 0x10512ff80 in pymain_main main.c:737
    #45 0x1051304a0 in Py_BytesMain main.c:761
    #46 0x18f5a60dc  (<unknown module>)

0x0001056cb7b8 is located 8 bytes before global variable 'COLD_EXITS' defined in 'Python/optimizer.c' (0x1056cb7c0) of size 27200
0x0001056cb7b8 is located 23 bytes after global variable 'cold_exits_initialized' defined in 'Python/optimizer.c' (0x1056cb7a0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow gc.c:531 in visit_decref
Shadow bytes around the buggy address:
  0x0001056cb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb580: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0001056cb600: f9 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 00 00 00
  0x0001056cb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb700: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
=>0x0001056cb780: 00 f9 f9 f9 01 f9 f9[f9]00 00 00 00 00 00 00 00
  0x0001056cb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cb980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001056cba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24730==ABORTING
zsh: abort

### CPython versions tested on:

3.12

### Operating systems tested on:

macOS

### Output from running 'python -VV' on the command line:

Python 3.12.3 (main, Apr  9 2024, 08:09:14) [Clang 15.0.0 (clang-1500.3.9.4)]

### Linked PRs
* gh-118117
@adoxalim adoxalim added the type-crash A hard crash of the interpreter, possibly with a core dump label Apr 19, 2024
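The two "is located" lines are the quickest way to triage a report like this one: they name the global the read touched and give its distance from the fault. Recomputing that distance from the global's start address and size, and noticing that the 8-byte READ ends exactly at the first byte of COLD_EXITS, shows the read is the word immediately preceding a static object, which is where CPython keeps the PyGC_Head of a GC-tracked heap object (so a traverse that visits an object that was never heap-allocated reads whatever happens to sit before it). The script below is an added example, not code from the issue or from CPython: it parses the report text quoted above (embedded as a constructed sample with the long frame list and shadow dump trimmed) and checks the offsets; the regexes and helper names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the AddressSanitizer report quoted
# in the issue above (the long frame list and shadow-byte dump are omitted).
ASAN_REPORT = """\
==24730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001056cb7b8 at pc 0x000105054760 bp 0x00016b1af940 sp 0x00016b1af938
READ of size 8 at 0x0001056cb7b8 thread T0
    #0 0x10505475c in visit_decref gc.c:531
    #1 0x1050aebf4 in executor_traverse optimizer.c:392
    #2 0x105054358 in deduce_unreachable gc.c:1162
0x0001056cb7b8 is located 8 bytes before global variable 'COLD_EXITS' defined in 'Python/optimizer.c' (0x1056cb7c0) of size 27200
0x0001056cb7b8 is located 23 bytes after global variable 'cold_exits_initialized' defined in 'Python/optimizer.c' (0x1056cb7a0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow gc.c:531 in visit_decref
"""

# Regexes for the three kinds of line this example cares about (example's own).
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)", re.M)
GLOBAL_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes (before|after) global variable "
    r"'([^']+)' defined in '([^']+)' \((0x[0-9a-fA-F]+)\) of size (\d+)",
    re.M,
)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)\s*$", re.M)


def parse_asan_global_overflow(report: str) -> Dict:
    """Extract the faulting access, the neighbouring globals and the frames.

    For every "is located N bytes before/after" line the claimed distance is
    recomputed from the global's start address and size, so a hand-edited or
    truncated report is flagged instead of trusted.
    """
    m = ACCESS_RE.search(report)
    if m is None:
        raise ValueError("no READ/WRITE line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)

    neighbours: List[Dict] = []
    for g in GLOBAL_RE.finditer(report):
        fault = int(g.group(1), 16)
        claimed = int(g.group(2))
        relation = g.group(3)
        start = int(g.group(6), 16)
        gsize = int(g.group(7))
        end = start + gsize  # one past the last byte of the global
        # ASan measures "before" from the global's first byte and
        # "after" from one past its last byte.
        computed = start - fault if relation == "before" else fault - end
        neighbours.append({
            "name": g.group(4),
            "file": g.group(5),
            "start": start,
            "size": gsize,
            "relation": relation,
            "claimed_offset": claimed,
            "computed_offset": computed,
            "consistent": fault == addr and computed == claimed,
        })

    frames = [(int(f.group(1)), f.group(2), f.group(3))
              for f in FRAME_RE.finditer(report)]
    return {"kind": kind, "size": size, "addr": addr,
            "neighbours": neighbours, "frames": frames}


def immediately_precedes(parsed: Dict) -> Optional[str]:
    """Name the global whose first byte sits exactly where the access ends.

    That shape (an access ending at the start of an object) is what a read of
    a header stored at a negative offset leaves behind; CPython keeps the
    PyGC_Head of a GC-tracked heap object directly before the object, so a
    traverse visiting a static object reads the bytes in front of it instead.
    """
    access_end = parsed["addr"] + parsed["size"]
    for n in parsed["neighbours"]:
        if n["relation"] == "before" and n["start"] == access_end:
            return n["name"]
    return None


if __name__ == "__main__":
    info = parse_asan_global_overflow(ASAN_REPORT)
    print(f'{info["kind"]} of {info["size"]} bytes at {info["addr"]:#x}')
    for n in info["neighbours"]:
        status = "ok" if n["consistent"] else "MISMATCH"
        print(f'  {n["claimed_offset"]} bytes {n["relation"]} {n["name"]} '
              f'(computed {n["computed_offset"]}) [{status}]')
    print("word-before-global read of:", immediately_precedes(info))
    print("faulting frame:", info["frames"][0])
```

Run it as-is against the embedded sample, or replace ASAN_REPORT with a fresh report; a global whose claimed and computed offsets disagree is marked MISMATCH, and `immediately_precedes` returns None when the access does not end exactly at an object boundary (an ordinary off-by-a-few array overrun looks different from a header read).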
@gvanrossum
Member

As I wrote in the duplicate issue (sorry about that), I've bisected it to 7b21403: GH-112354: Initial implementation of warm up on exits and trace-stitching (GH-114142).

Also, I nearly have a fix.

@nineteendo
Contributor

The code block isn't terminated.

gvanrossum added a commit that referenced this issue Apr 23, 2024
Better version of gh-118117.
Just check for immortality instead of an address range check.