X Tutup
Skip to content

Use-after-free in Counter.update via re-entrant __add__ #143004

New issue
New issue
Closed
Closed
Use-after-free in Counter.update via re-entrant __add__#143004
Labels
3.13bugs and security fixes3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirtype-bugAn unexpected behavior, bug, or errortype-crashA hard crash of the interpreter, possibly with a core dump
@jackfromeast

Description

@jackfromeast
jackfromeast
opened on Dec 20, 2025

What happened?

A custom __add__ can clear the Counter while _collections__count_elements holds a pointer to the cached count, so PyNumber_Add dereferences the freed object and triggers a use-after-free during the fast dict path.

Proof of Concept:

from collections import Counter

class Evil(int):
    def __new__(cls):
        return int.__new__(cls, 0)

    def __add__(self, other):
        # Re-entrant mutation: wipe out the mapping while PyNumber_Add still has
        # a live reference to this Evil instance.
        global cnt
        cnt.clear()
        return NotImplemented

    def __radd__(self, other):
        return 0

cnt = Counter()
key = object()
cnt[key] = Evil()
cnt.update([key])

Affected Versions:

Details
Python Version Status Exit Code
Python 3.9.24+ (heads/3.9:111bbc15b26, Oct 27 2025, 21:34:13) ASAN 1
Python 3.10.19+ (heads/3.10:014261980b1, Oct 27 2025, 21:19:00) [Clang 18.1.3 (1ubuntu1)] ASAN 1
Python 3.11.14+ (heads/3.11:88f3f5b5f11, Oct 27 2025, 21:20:35) [Clang 18.1.3 (1ubuntu1)] ASAN 1
Python 3.12.12+ (heads/3.12:8cb2092bd8c, Oct 27 2025, 21:27:07) [Clang 18.1.3 (1ubuntu1)] ASAN 1
Python 3.13.9+ (heads/3.13:9c8eade20c6, Oct 27 2025, 21:28:49) [Clang 18.1.3 (1ubuntu1)] ASAN 1
Python 3.14.0+ (heads/3.14:2e216728038, Oct 27 2025, 21:30:55) [Clang 18.1.3 (1ubuntu1)] ASAN 1
Python 3.15.0a1+ (heads/main:f5394c257ce, Oct 27 2025, 21:32:37) [Clang 18.1.3 (1ubuntu1)] ASAN 1

Vulnerable Code:

Details 
static PyObject *
_collections__count_elements_impl(PyObject *module, PyObject *mapping,
                                  PyObject *iterable)
/*[clinic end generated code: output=7e0c1789636b3d8f input=e79fad04534a0b45]*/
{
    PyObject *it, *oldval;
    PyObject *newval = NULL;
    PyObject *key = NULL;
    PyObject *bound_get = NULL;
    PyObject *mapping_get;
    PyObject *dict_get;
    PyObject *mapping_setitem;
    PyObject *dict_setitem;
    PyObject *one = _PyLong_GetOne();  // borrowed reference

    /* ... */

    if (mapping_get != NULL && mapping_get == dict_get &&
        mapping_setitem != NULL && mapping_setitem == dict_setitem &&
        PyDict_Check(mapping))
    {
        while (1) {
            /* Fast path advantages:
                   1. Eliminate double hashing
                      (by re-using the same hash for both the get and set)
                   2. Avoid argument overhead of PyObject_CallFunctionObjArgs
                      (argument tuple creation and parsing)
                   3. Avoid indirection through a bound method object
                      (creates another argument tuple)
                   4. Avoid initial increment from zero
                      (reuse an existing one-object instead)
            */
            Py_hash_t hash;

            key = PyIter_Next(it);
            if (key == NULL)
                break;

            hash = _PyObject_HashFast(key);
            if (hash == -1) {
                goto done;
            }

            /* Get a borrowed ptr: oldval */
            oldval = _PyDict_GetItem_KnownHash(mapping, key, hash);
            if (oldval == NULL) {
                if (PyErr_Occurred())
                    goto done;
                if (_PyDict_SetItem_KnownHash(mapping, key, one, hash) < 0)
                    goto done;
            } else {
                newval = PyNumber_Add(oldval, one);
                if (newval == NULL)
                    goto done;
                if (_PyDict_SetItem_KnownHash(mapping, key, newval, hash) < 0)
                    goto done;
                Py_CLEAR(newval);
            }
            Py_DECREF(key);
        }
    }
    /* ... */

Sanitizer Output:

Details 
=================================================================
==1346475==ERROR: AddressSanitizer: heap-use-after-free on address 0x5060000f2988 at pc 0x5d9d2b2debac bp 0x7ffc822fd970 sp 0x7ffc822fd968
READ of size 8 at 0x5060000f2988 thread T0
    #0 0x5d9d2b2debab in _Py_TYPE /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/object.h:277:20
    #1 0x5d9d2b2debab in slot_nb_add /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:10401:1
    #2 0x5d9d2b12cffb in binary_op1 /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/abstract.c:966:13
    #3 0x5d9d2b12ccf3 in PyNumber_Add /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/abstract.c:1132:24
    #4 0x5d9d2b66e7ff in _collections__count_elements_impl /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Modules/_collectionsmodule.c:2580:26
    #5 0x5d9d2b66e7ff in _collections__count_elements /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Modules/clinic/_collectionsmodule.c.h:593:20
    #6 0x5d9d2b16aa3b in _PyObject_VectorcallTstate /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_call.h:169:11
    #7 0x5d9d2b16aa3b in PyObject_Vectorcall /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:327:12
    #8 0x5d9d2b451837 in _PyEval_EvalFrameDefault /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/generated_cases.c.h:1620:35
    #9 0x5d9d2b4323bb in _PyEval_EvalFrame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_ceval.h:121:16
    #10 0x5d9d2b4323bb in _PyEval_Vector /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:2005:12
    #11 0x5d9d2b4323bb in PyEval_EvalCode /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:888:21
    #12 0x5d9d2b589370 in run_eval_code_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1365:12
    #13 0x5d9d2b589370 in run_mod /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1459:19
    #14 0x5d9d2b58343c in pyrun_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1293:15
    #15 0x5d9d2b58343c in _PyRun_SimpleFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:521:13
    #16 0x5d9d2b582b05 in _PyRun_AnyFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:81:15
    #17 0x5d9d2b5eafe5 in pymain_run_file_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:410:15
    #18 0x5d9d2b5eafe5 in pymain_run_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:429:15
    #19 0x5d9d2b5e999d in pymain_run_python /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:691:21
    #20 0x5d9d2b5e999d in Py_RunMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:772:5
    #21 0x5d9d2b5ea451 in pymain_main /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:802:12
    #22 0x5d9d2b5ea5c3 in Py_BytesMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:826:12
    #23 0x71acc2c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x71acc2c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #25 0x5d9d2af9a104 in _start (/home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/python+0x1c7104) (BuildId: 5de9d2fcbcd44bfc1b0fe256566d49ad35ca1d56)

0x5060000f2988 is located 40 bytes inside of 64-byte region [0x5060000f2960,0x5060000f29a0)
freed by thread T0 here:
    #0 0x5d9d2b034cba in free (/home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/python+0x261cba) (BuildId: 5de9d2fcbcd44bfc1b0fe256566d49ad35ca1d56)
    #1 0x5d9d2b2b408b in subtype_dealloc /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:2853:5
    #2 0x5d9d2b256ce1 in _Py_Dealloc /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/object.c:3200:5
    #3 0x5d9d2b4e8e45 in Py_DECREF_MORTAL /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_object.h:482:9
    #4 0x5d9d2b4e8e45 in PyStackRef_XCLOSE /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_stackref.h:827:9
    #5 0x5d9d2b4e8e45 in _PyFrame_ClearLocals /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/frame.c:101:9
    #6 0x5d9d2b4e8e45 in _PyFrame_ClearExceptCode /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/frame.c:126:5
    #7 0x5d9d2b4651a9 in clear_thread_frame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:1830:5
    #8 0x5d9d2b4651a9 in _PyEval_FrameClearAndPop /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:1854:9
    #9 0x5d9d2b44acf3 in _PyEval_EvalFrameDefault /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/generated_cases.c.h:10403:13
    #10 0x5d9d2b432a14 in _PyEval_EvalFrame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_ceval.h:121:16
    #11 0x5d9d2b432a14 in _PyEval_Vector /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:2005:12
    #12 0x5d9d2b2e77e2 in _PyObject_VectorcallTstate /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_call.h:169:11
    #13 0x5d9d2b2e77e2 in vectorcall_unbound /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:3034:12
    #14 0x5d9d2b2e77e2 in vectorcall_maybe /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:3131:24
    #15 0x5d9d2b2de8b4 in slot_nb_add /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:10401:1
    #16 0x5d9d2b12cffb in binary_op1 /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/abstract.c:966:13
    #17 0x5d9d2b12ccf3 in PyNumber_Add /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/abstract.c:1132:24
    #18 0x5d9d2b66e7ff in _collections__count_elements_impl /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Modules/_collectionsmodule.c:2580:26
    #19 0x5d9d2b66e7ff in _collections__count_elements /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Modules/clinic/_collectionsmodule.c.h:593:20
    #20 0x5d9d2b16aa3b in _PyObject_VectorcallTstate /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_call.h:169:11
    #21 0x5d9d2b16aa3b in PyObject_Vectorcall /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:327:12
    #22 0x5d9d2b451837 in _PyEval_EvalFrameDefault /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/generated_cases.c.h:1620:35
    #23 0x5d9d2b4323bb in _PyEval_EvalFrame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_ceval.h:121:16
    #24 0x5d9d2b4323bb in _PyEval_Vector /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:2005:12
    #25 0x5d9d2b4323bb in PyEval_EvalCode /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:888:21
    #26 0x5d9d2b589370 in run_eval_code_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1365:12
    #27 0x5d9d2b589370 in run_mod /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1459:19
    #28 0x5d9d2b58343c in pyrun_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1293:15
    #29 0x5d9d2b58343c in _PyRun_SimpleFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:521:13
    #30 0x5d9d2b582b05 in _PyRun_AnyFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:81:15
    #31 0x5d9d2b5eafe5 in pymain_run_file_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:410:15
    #32 0x5d9d2b5eafe5 in pymain_run_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:429:15
    #33 0x5d9d2b5e999d in pymain_run_python /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:691:21
    #34 0x5d9d2b5e999d in Py_RunMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:772:5
    #35 0x5d9d2b5ea451 in pymain_main /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:802:12
    #36 0x5d9d2b5ea5c3 in Py_BytesMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:826:12
    #37 0x71acc2c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #38 0x71acc2c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #39 0x5d9d2af9a104 in _start (/home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/python+0x1c7104) (BuildId: 5de9d2fcbcd44bfc1b0fe256566d49ad35ca1d56)

previously allocated by thread T0 here:
    #0 0x5d9d2b034f53 in malloc (/home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/python+0x261f53) (BuildId: 5de9d2fcbcd44bfc1b0fe256566d49ad35ca1d56)
    #1 0x5d9d2b2af2f4 in _PyObject_MallocWithType /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_object_alloc.h:46:17
    #2 0x5d9d2b2af2f4 in _PyType_AllocNoTrack /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:2505:19
    #3 0x5d9d2b2aef8d in PyType_GenericAlloc /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:2536:21
    #4 0x5d9d2b208ff8 in long_subtype_new /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/longobject.c:6048:30
    #5 0x5d9d2b208ff8 in long_new_impl /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/longobject.c:5987:16
    #6 0x5d9d2b1f9c85 in long_new /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/clinic/longobject.c.h:69:20
    #7 0x5d9d2b2cbab7 in tp_new_wrapper /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:10148:11
    #8 0x5d9d2b243c44 in cfunction_call /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/methodobject.c:564:18
    #9 0x5d9d2b1697b2 in _PyObject_MakeTpCall /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:242:18
    #10 0x5d9d2b451837 in _PyEval_EvalFrameDefault /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/generated_cases.c.h:1620:35
    #11 0x5d9d2b432a14 in _PyEval_EvalFrame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_ceval.h:121:16
    #12 0x5d9d2b432a14 in _PyEval_Vector /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:2005:12
    #13 0x5d9d2b1693ca in _PyObject_VectorcallDictTstate /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:135:15
    #14 0x5d9d2b16b52a in _PyObject_Call_Prepend /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:504:24
    #15 0x5d9d2b2cbcdd in slot_tp_new /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:10860:14
    #16 0x5d9d2b2b8a9b in type_call /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/typeobject.c:2449:11
    #17 0x5d9d2b1697b2 in _PyObject_MakeTpCall /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Objects/call.c:242:18
    #18 0x5d9d2b451837 in _PyEval_EvalFrameDefault /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/generated_cases.c.h:1620:35
    #19 0x5d9d2b4323bb in _PyEval_EvalFrame /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/internal/pycore_ceval.h:121:16
    #20 0x5d9d2b4323bb in _PyEval_Vector /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:2005:12
    #21 0x5d9d2b4323bb in PyEval_EvalCode /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/ceval.c:888:21
    #22 0x5d9d2b589370 in run_eval_code_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1365:12
    #23 0x5d9d2b589370 in run_mod /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1459:19
    #24 0x5d9d2b58343c in pyrun_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:1293:15
    #25 0x5d9d2b58343c in _PyRun_SimpleFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:521:13
    #26 0x5d9d2b582b05 in _PyRun_AnyFileObject /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Python/pythonrun.c:81:15
    #27 0x5d9d2b5eafe5 in pymain_run_file_obj /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:410:15
    #28 0x5d9d2b5eafe5 in pymain_run_file /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:429:15
    #29 0x5d9d2b5e999d in pymain_run_python /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:691:21
    #30 0x5d9d2b5e999d in Py_RunMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:772:5
    #31 0x5d9d2b5ea451 in pymain_main /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:802:12
    #32 0x5d9d2b5ea5c3 in Py_BytesMain /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/Modules/main.c:826:12
    #33 0x71acc2c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #34 0x71acc2c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #35 0x5d9d2af9a104 in _start (/home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/python+0x1c7104) (BuildId: 5de9d2fcbcd44bfc1b0fe256566d49ad35ca1d56)

SUMMARY: AddressSanitizer: heap-use-after-free /home/jackfromeast/Desktop/entropy/tasks/reproducexx/targets/cpython-main/./Include/object.h:277:20 in _Py_TYPE
Shadow bytes around the buggy address:
  0x5060000f2700: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x5060000f2780: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x5060000f2800: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x5060000f2880: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x5060000f2900: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x5060000f2980: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x5060000f2a00: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
  0x5060000f2a80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x5060000f2b00: 00 00 07 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x5060000f2b80: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
  0x5060000f2c00: 00 00 00 00 00 00 07 fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1346475==ABORTING

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.13bugs and security fixes3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirtype-bugAn unexpected behavior, bug, or errortype-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      X Tutup