Long string crashes libreadline in built-in function input() of Python
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
readline5 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
In input() of Python (CPython), it calls rl_callback_
System: Ubuntu 16.04
Steps to Reproduce:
-------
Python 3.9.2 (default, Mar 12 2021, 15:08:35)
[GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> input([1,2]*10000)
*** Error in `/home/
Aborted (core dumped)
Testing with gdb
-------
$ gdb ./python
(gdb) run
Python 3.10.0a6+ (heads/
>>> input([1,2]*10000)
realloc(): invalid next size
Program received signal SIGABRT, Aborted.
0x00007ffff7c629d5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install libxcrypt-
(gdb) where
#0 0x00007ffff7c629d5 in raise () from /lib64/libc.so.6
#1 0x00007ffff7c4b8a4 in abort () from /lib64/libc.so.6
#2 0x00007ffff7ca5177 in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff7cace6c in malloc_printerr () from /lib64/libc.so.6
#4 0x00007ffff7cb111c in _int_realloc () from /lib64/libc.so.6
#5 0x00007ffff7cb22a6 in realloc () from /lib64/libc.so.6
#6 0x00007fffea4c9dc2 in xrealloc () from /lib64/
#7 0x00007fffea4bb7ab in rl_redisplay () from /lib64/
#8 0x00007fffea4a5727 in readline_
#9 0x00007fffea4c7489 in _rl_callback_
#10 0x00007ffff7fbdb68 in readline_
prompt=0xba9b40 "[1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1"..., signal=
#11 0x00007ffff7fbde06 in call_readline (sys_stdin=
prompt=0xba9b40 "[1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1"...) at /home/vstinner/
#12 0x000000000071f7b3 in PyOS_Readline (sys_stdin=
prompt=0xba9b40 "[1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1"...) at Parser/
#13 0x000000000069d23c in builtin_input_impl (module=<module at remote 0x7fffea69d590>,
prompt=[1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, ...(truncated)) at Python/
#14 0x0000000000699156 in builtin_input (module=<module at remote 0x7fffea69d590>, args=0x7fffea62
...
Testing with valgrind
-------
$ PYTHONMALLOC=
>>> input([1,2]*10000)
[1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, (...)
Erreur de segmentation (core dumped)
$ cat valgrind.log
==8025== Memcheck, a memory error detector
==8025== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8025== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==8025== Command: ./python
==8025== Parent PID: 7434
==8025==
==8025== Invalid write of size 4
==8025== at 0x1297C410: rl_redisplay (display.c:865)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025== by 0x525A14: call_function (ceval.c:5931)
==8025== Address 0x4e5ef00 is 0 bytes after a block of size 1,024 alloc'd
==8025== at 0x4839809: malloc (vg_replace_
==8025== by 0x1298B7DC: xmalloc (xmalloc.c:59)
==8025== by 0x12974F1C: init_line_
==8025== by 0x1297D856: rl_redisplay (display.c:680)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x6281D0: tok_nextc (tokenizer.c:894)
==8025== by 0x6298E5: tok_get (tokenizer.c:1236)
==8025== by 0x62B285: PyTokenizer_Get (tokenizer.c:1895)
==8025==
==8025== Invalid write of size 4
==8025== at 0x1297C425: rl_redisplay (display.c:862)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025== by 0x525A14: call_function (ceval.c:5931)
==8025== Address 0x4e5ef04 is 4 bytes after a block of size 1,024 alloc'd
==8025== at 0x4839809: malloc (vg_replace_
==8025== by 0x1298B7DC: xmalloc (xmalloc.c:59)
==8025== by 0x12974F1C: init_line_
==8025== by 0x1297D856: rl_redisplay (display.c:680)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x6281D0: tok_nextc (tokenizer.c:894)
==8025== by 0x6298E5: tok_get (tokenizer.c:1236)
==8025== by 0x62B285: PyTokenizer_Get (tokenizer.c:1895)
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x1297AF01: update_line (display.c:1897)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x1297AF0F: update_line (display.c:1921)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x1297A8B2: UnknownInlinedFun (display.c:3144)
==8025== by 0x1297A8B2: update_line (display.c:2200)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x483FC63: bcmp (vg_replace_
==8025== by 0x129794C9: update_line (display.c:1656)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x1297959C: update_line (display.c:1703)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Conditional jump or move depends on uninitialised value(s)
==8025== at 0x1297AB9D: update_line (display.c:1704)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Use of uninitialised value of size 8
==8025== at 0x129795EA: update_line (display.c:1704)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025==
==8025== Invalid read of size 1
==8025== at 0x129795EA: update_line (display.c:1704)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025== Address 0xfffffffff2213d9d is not stack'd, malloc'd or (recently) free'd
==8025==
==8025==
==8025== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==8025== Access not within mapped region at address 0xFFFFFFFFF2213D9D
==8025== at 0x129795EA: update_line (display.c:1704)
==8025== by 0x1297C8A4: rl_redisplay (display.c:1154)
==8025== by 0x12967726: readline_
==8025== by 0x12989488: _rl_callback_
==8025== by 0x4854B67: readline_
==8025== by 0x4854E05: call_readline (readline.c:1396)
==8025== by 0x71F7B2: PyOS_Readline (myreadline.c:393)
==8025== by 0x69D23B: builtin_input_impl (bltinmodule.
==8025== by 0x699155: builtin_input (bltinmodule.
==8025== by 0x6635B2: cfunction_
==8025== by 0x50D168: _PyObject_
==8025== by 0x50D1C7: PyObject_Vectorcall (abstract.h:123)
==8025== If you believe this happened as a result of a stack
==8025== overflow in your program's main thread (unlikely but
==8025== possible), you can try to increase the size of the
==8025== main thread stack using the --main-stacksize= flag.
==8025== The main thread stack size used in this run was 8388608.
==8025==
==8025== HEAP SUMMARY:
==8025== in use at exit: 6,501,013 bytes in 73,176 blocks
==8025== total heap usage: 151,328 allocs, 78,152 frees, 30,639,455 bytes allocated
==8025==
==8025== LEAK SUMMARY:
==8025== definitely lost: 0 bytes in 0 blocks
==8025== indirectly lost: 0 bytes in 0 blocks
==8025== possibly lost: 5,168,429 bytes in 32,868 blocks
==8025== still reachable: 1,332,584 bytes in 40,308 blocks
==8025== suppressed: 0 bytes in 0 blocks
==8025== Rerun with --leak-check=full to see details of leaked memory
==8025==
==8025== Use --track-origins=yes to see where uninitialised values come from
==8025== For lists of detected and suppressed errors, rerun with: -s
==8025== ERROR SUMMARY: 125 errors from 10 contexts (suppressed: 0 from 0)
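A defensive wrapper, added here as an example and not part of the bug report or of CPython, that keeps long prompts out of the libreadline path so this redisplay overflow cannot be reached through input(). The length cap (READLINE_PROMPT_LIMIT) is an assumption chosen below the 1,024-byte block the valgrind log shows being overrun; the report does not establish the exact failing length.

```python
import sys

# Assumed, conservative cap on the prompt handed to libreadline. The valgrind
# log shows rl_redisplay() writing past a 1,024-byte block, so anything near
# that size is kept away from readline entirely.
READLINE_PROMPT_LIMIT = 512


def split_prompt(prompt, limit=READLINE_PROMPT_LIMIT):
    """Return (text_to_print, prompt_for_readline).

    input() stringifies its argument with str(), so a non-string prompt such
    as [1, 2] * 10000 counts at its str() length. Short prompts pass through
    unchanged; long ones are printed directly and readline gets an empty prompt.
    """
    text = str(prompt)
    if len(text) <= limit:
        return "", text
    return text, ""


def readline_would_see_prompt():
    """True when CPython's input() would route the prompt through PyOS_Readline.

    input() only uses readline when the readline module has been imported and
    both stdin and stdout are terminals; otherwise it writes the prompt itself
    and reads a plain line, so libreadline is never involved.
    """
    if "readline" not in sys.modules:
        return False
    try:
        return sys.stdin.isatty() and sys.stdout.isatty()
    except (AttributeError, ValueError):
        return False


def safe_input(prompt=""):
    """Drop-in replacement for input() that never hands a long prompt to readline."""
    if not readline_would_see_prompt():
        return input(prompt)
    to_print, rl_prompt = split_prompt(prompt)
    if to_print:
        sys.stdout.write(to_print)
        sys.stdout.flush()
    return input(rl_prompt)
```

When the prompt is printed separately, readline assumes the line starts at column 0, so a long prompt that ends with a newline keeps line editing visually consistent.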