Skip to content

Cannot safely Py_EndInterpreter in 3.14b1 #134144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
b-pass opened this issue May 17, 2025 · 6 comments · Fixed by #134145
Closed

Cannot safely Py_EndInterpreter in 3.14b1 #134144

b-pass opened this issue May 17, 2025 · 6 comments · Fixed by #134145
Labels
3.14 bugs and security fixes 3.15 new features, bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-subinterpreters type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@b-pass
Copy link
Contributor

b-pass commented May 17, 2025
edited by bedevere-app bot
Loading

Crash report

What happened?

Stack trace:

#0  tstate_delete_common.constprop.0 (tstate=tstate@entry=0x555555666ca0, release_gil=0) at ../Python/pystate.c:1854
#1  0x00007ffff78cd341 in zapthreads (interp=0x7ffff74c8010) at ../Python/pystate.c:1915
#2  PyInterpreterState_Delete (interp=0x7ffff74c8010) at ../Python/pystate.c:1016
#3  0x00005555555552ef in main () at repro.c:16

(note the address passed to tstate_delete_common is definitely corrupt, and not the address of any PyThreadState created in this program)

This was triggered by creating a new PyThreeadState for the interpreter, switching to it, deleting an old thread state for the same interpreter, and then calling Py_EndInterpreter (on the new thread state).

repro.c:

#include <Python.h>

int main()
{
        Py_Initialize();

        PyThreadState *orig = NULL;
        PyInterpreterConfig cfg =  _PyInterpreterConfig_INIT;
        Py_NewInterpreterFromConfig(&orig, &cfg);

        PyThreadState *temp = PyThreadState_New(orig->interp);
        PyThreadState_Swap(temp);
        PyThreadState_Clear(orig);
        PyThreadState_Delete(orig);
        Py_EndInterpreter(temp);

        Py_Finalize();
}

Compiled with $ gcc -O1 -ggdb repro.cpp -I/usr/include/python3.14 -lpython3.14

CPython versions tested on:

3.14

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0b1 (main, May 8 2025, 08:57:13) [GCC 13.3.0]

Linked PRs
@b-pass b-pass added the type-crash A hard crash of the interpreter, possibly with a core dump label May 17, 2025
@ZeroIntensity
Copy link
Member

@ericsnowcurrently This is the zapthreads problem that I was talking about yesterday.

I'm pretty sure #128640 will fix this.

@ZeroIntensity ZeroIntensity added 3.14 bugs and security fixes 3.15 new features, bugs and security fixes labels May 17, 2025
This was referenced May 17, 2025
Merged
Draft
@b-pass
Copy link
Contributor Author

b-pass commented May 17, 2025
edited
Loading

I updated the example code to a complete compilable description, this crashes for me. Using deadsnakes repo on ubuntu 24.04, which is 3.14.b1.

@ZeroIntensity
Copy link
Member

Huh, that repro looks wrong. PyThreadState_Delete cannot be called with a thread state that is attached.

@b-pass
Copy link
Contributor Author

b-pass commented May 17, 2025

Huh, that repro looks wrong. PyThreadState_Delete cannot be called with a thread state that is attached.

Does the PyThreadState_Swap not detach it?

@ZeroIntensity
Copy link
Member

Oh wait, I see that you delete orig, not temp.

@picnixz picnixz added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label May 17, 2025
@b-pass
Copy link
Contributor Author

b-pass commented May 18, 2025
edited
Loading

If it matters, the reason I am doing it this way is that in 3.12 you can't actually delete (via PyThreadState_Delete) the first PyThreadState of the interpreter ... it looks to me like it never gets zero'd out (because it is the one that has storage inside the interpreterstate) so it causes an abort when it is subsequently reallocated. :( So you have to leave that one allocated. This is fixed in 3.13+

kumaraditya303 pushed a commit that referenced this issue May 18, 2025
@b-pass
gh-134144: Fix use-after-free in zapthreads() (#134145)
f2de1e6
@github-project-automation github-project-automation bot moved this from Todo to Done in Subinterpreters May 18, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 18, 2025
@b-pass @miss-islington
pythongh-134144: Fix use-after-free in zapthreads() (pythonGH-134145)
91712d2 
(cherry picked from commit f2de1e6)

Co-authored-by: b-pass <[email protected]>
@bedevere-app bedevere-app bot mentioned this issue May 18, 2025
Merged
kumaraditya303 pushed a commit that referenced this issue May 18, 2025
@miss-islington @b-pass
[3.14] gh-134144: Fix use-after-free in zapthreads() (GH-134145) (#13…
bb5f92a 
…4182)

gh-134144: Fix use-after-free in zapthreads() (GH-134145)
(cherry picked from commit f2de1e6)

Co-authored-by: b-pass <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.14 bugs and security fixes 3.15 new features, bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-subinterpreters type-crash A hard crash of the interpreter, possibly with a core dump
Projects
Subinterpreters
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-134144: Fix use-after-free in zapthreads() b-pass/cpython
3 participants
@b-pass @picnixz @ZeroIntensity