Ubuntu
boost1.58 package

boost::python::exec_file exits with: Error in `python': double free or corruption

Bug #1600345 reported by jepler
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
boost1.58 (Ubuntu)
Confirmed
High
Unassigned

Bug Description

I have distilled a test program (module) for the problem:
~~~~
#include <boost/python.hpp>

BOOST_PYTHON_MODULE(execfile_bug) {
    boost::python::def("execfile", boost::python::exec_file);
}
~~~~

I build and run the test like so:
~~~~
$ g++ -fPIC -I /usr/include/python2.7 -shared -o execfile_bug.so execfile_bug.c -lboost_python
$ python -c 'import execfile_bug; execfile_bug.execfile("/dev/null", {}, {})'
~~~~

The full error, which is printed by the linux C library when it detects the double-free condition:
~~~~
*** Error in `python': double free or corruption (!prev): 0x0000000001aaae70 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7fe3c9e6b725]
/lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7fe3c9e73f4a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fe3c9e77abc]
/lib/x86_64-linux-gnu/libc.so.6(fclose+0x103)[0x7fe3c9e61313]
python[0x505456]
/usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0(_ZN5boost6python9exec_fileENS0_3strENS0_3api6objectES3_+0xe8)[0x7fe3c8d897e8]
./execfile_bug.so(_ZN5boost6python6detail6invokeINS0_15to_python_valueIRKNS0_3api6objectEEEPFS5_NS0_3strES5_S5_ENS0_15arg_from_pythonIS9_EENSC_IS5_EESE_EEP7_objectNS1_11invoke_tag_ILb0ELb0EEERKT_RT0_RT1_RT2_RT3_+0x81)[0x7fe3c8fa6da1]
./execfile_bug.so(_ZN5boost6python6detail12caller_arityILj3EE4implIPFNS0_3api6objectENS0_3strES6_S6_ENS0_21default_call_policiesENS_3mpl7vector4IS6_S7_S6_S6_EEEclEP7_objectSG_+0x174)[0x7fe3c8fa6a80]
./execfile_bug.so(_ZN5boost6python7objects23caller_py_function_implINS0_6detail6callerIPFNS0_3api6objectENS0_3strES6_S6_ENS0_21default_call_policiesENS_3mpl7vector4IS6_S7_S6_S6_EEEEEclEP7_objectSH_+0x2f)[0x7fe3c8fa68e1]
/usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0(_ZNK5boost6python7objects8function4callEP7_objectS4_+0x26d)[0x7fe3c8d7c5cd]
/usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0(+0x297c8)[0x7fe3c8d7c7c8]
/usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0(_ZN5boost6python21handle_exception_implENS_9function0IvEE+0x73)[0x7fe3c8d84613]
/usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0(+0x26999)[0x7fe3c8d79999]
python(PyObject_Call+0x43)[0x4b1153]
python(PyEval_EvalFrameEx+0x5f0a)[0x4ca5ca]
python(PyEval_EvalCodeEx+0x255)[0x4c2e05]
python(PyEval_EvalCode+0x19)[0x4c2ba9]
python(PyRun_StringFlags+0x76)[0x51f196]
python(PyRun_SimpleStringFlags+0x3c)[0x51fe4c]
python(Py_Main+0x3d4)[0x49ded4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fe3c9e14830]
python(_start+0x29)[0x49da19]
======= Memory map: ========
00400000-006e7000 r-xp 00000000 fd:01 407584 /usr/bin/python2.7
008e6000-008e8000 r--p 002e6000 fd:01 407584 /usr/bin/python2.7
008e8000-0095f000 rw-p 002e8000 fd:01 407584 /usr/bin/python2.7
0095f000-00982000 rw-p 00000000 00:00 0
01a23000-01b0b000 rw-p 00000000 00:00 0 [heap]
7fe3c4000000-7fe3c4021000 rw-p 00000000 00:00 0
7fe3c4021000-7fe3c8000000 ---p 00000000 00:00 0
7fe3c87bb000-7fe3c87d1000 r-xp 00000000 fd:01 261189 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe3c87d1000-7fe3c89d0000 ---p 00016000 fd:01 261189 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe3c89d0000-7fe3c89d1000 rw-p 00015000 fd:01 261189 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe3c89d1000-7fe3c8b43000 r-xp 00000000 fd:01 393473 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fe3c8b43000-7fe3c8d43000 ---p 00172000 fd:01 393473 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fe3c8d43000-7fe3c8d4d000 r--p 00172000 fd:01 393473 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fe3c8d4d000-7fe3c8d4f000 rw-p 0017c000 fd:01 393473 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fe3c8d4f000-7fe3c8d53000 rw-p 00000000 00:00 0
7fe3c8d53000-7fe3c8d9c000 r-xp 00000000 fd:01 408020 /usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0
7fe3c8d9c000-7fe3c8f9c000 ---p 00049000 fd:01 408020 /usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0
7fe3c8f9c000-7fe3c8f9d000 r--p 00049000 fd:01 408020 /usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0
7fe3c8f9d000-7fe3c8f9f000 rw-p 0004a000 fd:01 408020 /usr/lib/x86_64-linux-gnu/libboost_python-py27.so.1.58.0
7fe3c8f9f000-7fe3c8fa9000 r-xp 00000000 fd:01 130575 /root/execfile_bug.so
7fe3c8fa9000-7fe3c91a8000 ---p 0000a000 fd:01 130575 /root/execfile_bug.so
7fe3c91a8000-7fe3c91a9000 r--p 00009000 fd:01 130575 /root/execfile_bug.so
7fe3c91a9000-7fe3c91aa000 rw-p 0000a000 fd:01 130575 /root/execfile_bug.so
7fe3c91aa000-7fe3c94ca000 r--p 00000000 fd:01 391836 /usr/lib/locale/locale-archive
7fe3c94ca000-7fe3c95d2000 r-xp 00000000 fd:01 261160 /lib/x86_64-linux-gnu/libm-2.23.so
7fe3c95d2000-7fe3c97d1000 ---p 00108000 fd:01 261160 /lib/x86_64-linux-gnu/libm-2.23.so
7fe3c97d1000-7fe3c97d2000 r--p 00107000 fd:01 261160 /lib/x86_64-linux-gnu/libm-2.23.so
7fe3c97d2000-7fe3c97d3000 rw-p 00108000 fd:01 261160 /lib/x86_64-linux-gnu/libm-2.23.so
7fe3c97d3000-7fe3c97ec000 r-xp 00000000 fd:01 261351 /lib/x86_64-linux-gnu/libz.so.1.2.8
7fe3c97ec000-7fe3c99eb000 ---p 00019000 fd:01 261351 /lib/x86_64-linux-gnu/libz.so.1.2.8
7fe3c99eb000-7fe3c99ec000 r--p 00018000 fd:01 261351 /lib/x86_64-linux-gnu/libz.so.1.2.8
7fe3c99ec000-7fe3c99ed000 rw-p 00019000 fd:01 261351 /lib/x86_64-linux-gnu/libz.so.1.2.8
7fe3c99ed000-7fe3c99ef000 r-xp 00000000 fd:01 261162 /lib/x86_64-linux-gnu/libutil-2.23.so
7fe3c99ef000-7fe3c9bee000 ---p 00002000 fd:01 261162 /lib/x86_64-linux-gnu/libutil-2.23.so
7fe3c9bee000-7fe3c9bef000 r--p 00001000 fd:01 261162 /lib/x86_64-linux-gnu/libutil-2.23.so
7fe3c9bef000-7fe3c9bf0000 rw-p 00002000 fd:01 261162 /lib/x86_64-linux-gnu/libutil-2.23.so
7fe3c9bf0000-7fe3c9bf3000 r-xp 00000000 fd:01 261169 /lib/x86_64-linux-gnu/libdl-2.23.so
7fe3c9bf3000-7fe3c9df2000 ---p 00003000 fd:01 261169 /lib/x86_64-linux-gnu/libdl-2.23.so
7fe3c9df2000-7fe3c9df3000 r--p 00002000 fd:01 261169 /lib/x86_64-linux-gnu/libdl-2.23.so
7fe3c9df3000-7fe3c9df4000 rw-p 00003000 fd:01 261169 /lib/x86_64-linux-gnu/libdl-2.23.so
7fe3c9df4000-7fe3c9fb4000 r-xp 00000000 fd:01 261168 /lib/x86_64-linux-gnu/libc-2.23.so
7fe3c9fb4000-7fe3ca1b3000 ---p 001c0000 fd:01 261168 /lib/x86_64-linux-gnu/libc-2.23.so
7fe3ca1b3000-7fe3ca1b7000 r--p 001bf000 fd:01 261168 /lib/x86_64-linux-gnu/libc-2.23.so
7fe3ca1b7000-7fe3ca1b9000 rw-p 001c3000 fd:01 261168 /lib/x86_64-linux-gnu/libc-2.23.so
7fe3ca1b9000-7fe3ca1bd000 rw-p 00000000 00:00 0
7fe3ca1bd000-7fe3ca1d5000 r-xp 00000000 fd:01 261167 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fe3ca1d5000-7fe3ca3d4000 ---p 00018000 fd:01 261167 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fe3ca3d4000-7fe3ca3d5000 r--p 00017000 fd:01 261167 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fe3ca3d5000-7fe3ca3d6000 rw-p 00018000 fd:01 261167 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fe3ca3d6000-7fe3ca3da000 rw-p 00000000 00:00 0
7fe3ca3da000-7fe3ca400000 r-xp 00000000 fd:01 261164 /lib/x86_64-linux-gnu/ld-2.23.so
7fe3ca481000-7fe3ca5f7000 rw-p 00000000 00:00 0
7fe3ca5fc000-7fe3ca5ff000 rw-p 00000000 00:00 0
7fe3ca5ff000-7fe3ca600000 r--p 00025000 fd:01 261164 /lib/x86_64-linux-gnu/ld-2.23.so
7fe3ca600000-7fe3ca601000 rw-p 00026000 fd:01 261164 /lib/x86_64-linux-gnu/ld-2.23.so
7fe3ca601000-7fe3ca602000 rw-p 00000000 00:00 0
7ffc6a792000-7ffc6a7b3000 rw-p 00000000 00:00 0 [stack]
7ffc6a7df000-7ffc6a7e1000 r--p 00000000 00:00 0 [vvar]
7ffc6a7e1000-7ffc6a7e3000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
~~~~

I believe this may be fixed upstream in version 1.59.0. I think it was introduced at https://github.com/boostorg/python/commit/fe24ab9dd5440562e27422cd38f7de03356bfd16

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libboost-python1.58.0 1.58.0+dfsg-5ubuntu3.1
ProcVersionSignature: Ubuntu 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
Date: Fri Jul 8 15:15:50 2016
Dependencies:
 gcc-5-base 5.3.1-14ubuntu2.1
 gcc-6-base 6.0.1-0ubuntu1
 libc6 2.23-0ubuntu3
 libgcc1 1:6.0.1-0ubuntu1
 libstdc++6 5.3.1-14ubuntu2.1
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: boost1.58
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
jepler (jepler) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in boost1.58 (Ubuntu):
status: New → Confirmed
Revision history for this message
Matthias (codereader) wrote :

Got the same problem, it's reproducible using a small test program which tries to run a Python script using boost::python::exec_file(). I can post a test program if needed, but I'm quite sure the problem doesn't exist in newer boost::python versions than 1.58.

Alberto Salvia Novella (es20490446e)
Changed in boost1.58 (Ubuntu):
importance: Undecided → High
Sebastian Szwed (sebaszw)
no longer affects: boost
Revision history for this message
Alessandro Ambrosano (aambrosano) wrote :

Bug is still present, and it seems to affect the original boost 1.58 as well.

The bug is fixed from boost 1.59 on, and cherry-picking from boost 1.59 solved the issue for me.

This is the patch I used:
https://github.com/aambrosano/boost.python/commit/b90b05fdd9a9f7e239e91fe45fead8afdb113987.diff

Alessandro Ambrosano (aambrosano)
summary: - boost::python::execfile exits with: Error in `python': double free or
+ boost::python::exec_file exits with: Error in `python': double free or
corruption
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.