Closed
Description
Crash report
What happened?
From: https://oss-fuzz.com/testcase-detail/5876542813569024
Introduced in: 29a1a6e...43cd7aa
>>> s = open("reproducer.txt").read()
>>> ast.literal_eval(s)
=================================================================
==11615==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f000046410 at pc 0x000100fa9760 bp 0x00016f290780 sp 0x00016f290778
READ of size 8 at 0x62f000046410 thread T0
#0 0x100fa975c in Py_DECREF refcount.h:342
#1 0x100fc9c88 in dictkeys_decref dictobject.c:458
#2 0x100fb8db8 in dict_dealloc dictobject.c:3199
#3 0x1010235bc in _Py_Dealloc object.c:2893
#4 0x1012659e4 in ast_dealloc Python-ast.c:5052
#5 0x1010b4ffc in subtype_dealloc typeobject.c:2572
#6 0x1010235bc in _Py_Dealloc object.c:2893
#7 0x101267c00 in ast_repr_max_depth Python-ast.c
#8 0x101017744 in PyObject_Repr object.c:694
#9 0x101317d70 in _PyEval_EvalFrameDefault generated_cases.c.h:3248
#10 0x1012f2bf0 in _PyObject_VectorcallTstate pycore_call.h:167
#11 0x1012eeef8 in map_next bltinmodule.c:1442
#12 0x100e5f368 in iternext abstract.c:2874
#13 0x100e5aef8 in PyIter_Next abstract.c:2924
#14 0x10108c200 in set_update_iterable_lock_held setobject.c:971
#15 0x1010804ac in make_new_set setobject.c:1095
#16 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
#17 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
#18 0x1013029d8 in PyEval_EvalCode ceval.c:647
#19 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
#20 0x10131ccd8 in _PyEval_EvalFrameDefault generated_cases.c.h:1451
#21 0x1013029d8 in PyEval_EvalCode ceval.c:647
#22 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
#23 0x101004360 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
#24 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
#25 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
#26 0x100eabb64 in _PyVectorcall_Call call.c:273
#27 0x1015e1fe0 in pymain_run_module main.c:349
#28 0x1015e3048 in pymain_run_stdin main.c:574
#29 0x1015e07fc in Py_RunMain main.c:775
#30 0x1015e1894 in pymain_main main.c:805
#31 0x1015e1c30 in Py_BytesMain main.c:829
#32 0x19bf60270 (<unknown module>)
0x62f000046410 is located 16 bytes inside of 49104-byte region [0x62f000046400,0x62f0000523d0)
freed by thread T0 here:
#0 0x102b84d40 in free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54d40)
#1 0x1010235bc in _Py_Dealloc object.c:2893
#2 0x101267c00 in ast_repr_max_depth Python-ast.c
#3 0x1012675e0 in ast_repr_max_depth Python-ast.c:5799
#4 0x101017744 in PyObject_Repr object.c:694
#5 0x101317d70 in _PyEval_EvalFrameDefault generated_cases.c.h:3248
#6 0x1012f2bf0 in _PyObject_VectorcallTstate pycore_call.h:167
#7 0x1012eeef8 in map_next bltinmodule.c:1442
#8 0x100e5f368 in iternext abstract.c:2874
#9 0x100e5aef8 in PyIter_Next abstract.c:2924
#10 0x10108c200 in set_update_iterable_lock_held setobject.c:971
#11 0x1010804ac in make_new_set setobject.c:1095
#12 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
#13 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
#14 0x1013029d8 in PyEval_EvalCode ceval.c:647
#15 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
#16 0x10131ccd8 in _PyEval_EvalFrameDefault generated_cases.c.h:1451
#17 0x1013029d8 in PyEval_EvalCode ceval.c:647
#18 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
#19 0x101004360 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
#20 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
#21 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
#22 0x100eabb64 in _PyVectorcall_Call call.c:273
#23 0x1015e1fe0 in pymain_run_module main.c:349
#24 0x1015e3048 in pymain_run_stdin main.c:574
#25 0x1015e07fc in Py_RunMain main.c:775
#26 0x1015e1894 in pymain_main main.c:805
#27 0x1015e1c30 in Py_BytesMain main.c:829
#28 0x19bf60270 (<unknown module>)
previously allocated by thread T0 here:
#0 0x102b84c04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
#1 0x10105eb7c in _PyMem_DebugRawAlloc obmalloc.c:2699
#2 0x100f75aa8 in _PyLong_New longobject.c:157
#3 0x100f95138 in long_from_binary_base longobject.c:2586
#4 0x100f84a30 in PyLong_FromString longobject.c:3052
#5 0x100b78d78 in parsenumber_raw pegen.c
#6 0x100b75984 in _PyPegen_number_token pegen.c:704
#7 0x100c037a4 in atom_rule parser.c:14845
#8 0x100bfa8c4 in primary_rule parser.c:14262
#9 0x100bf8068 in await_primary_rule parser.c:14216
#10 0x100bf625c in power_rule parser.c:14092
#11 0x100bf1a14 in factor_rule parser.c:14042
#12 0x100bedfe8 in term_raw parser.c:13883
#13 0x100bec1f8 in term_rule parser.c:13626
#14 0x100be69e8 in sum_rule parser.c:13458
#15 0x100be3e04 in shift_expr_rule parser.c:13278
#16 0x100be19c4 in bitwise_and_rule parser.c:13156
#17 0x100bdfb48 in bitwise_xor_rule parser.c:13034
#18 0x100bd9084 in bitwise_or_rule parser.c:12912
#19 0x100c30b5c in comparison_rule parser.c:12152
#20 0x100c2f660 in inversion_rule parser.c:12103
#21 0x100c2bc80 in conjunction_rule parser.c:11980
#22 0x100c10584 in disjunction_rule parser.c:11892
#23 0x100bd34ac in expression_rule parser.c:11180
#24 0x100cb0914 in kvpair_rule parser.c:16890
#25 0x100caed4c in double_starred_kvpair_rule parser.c:16850
#26 0x100ca9890 in double_starred_kvpairs_rule parser.c:16778
#27 0x100c82d0c in _tmp_96_rule parser.c:31587
#28 0x100c04c18 in atom_rule parser.c:14908
#29 0x100bfa8c4 in primary_rule parser.c:14262
SUMMARY: AddressSanitizer: heap-use-after-free refcount.h:342 in Py_DECREF
Shadow bytes around the buggy address:
0x62f000046180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f000046200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f000046280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f000046300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f000046380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x62f000046400: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62f000046480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62f000046500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62f000046580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62f000046600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62f000046680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11615==ABORTING
fish: Job 1, './python.exe' terminated by signal SIGABRT (Abort)
~/p/cpython ❯❯❯
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
Metadata
Metadata
Assignees
Labels
Projects
Status
Done